Dear libreswan wizards

I am trying to set up my first IPSec tunnel using libreswan (v3.23) on one end and racoon on the other end.

The machines have IPv6 connectivity, so I want to (have to) use IPv6 for the "outer" IPs.

Inside the tunnel I want to route IPv4 though.

To me it currently seems that the documentation does not match what I see with regards to "connaddrfamily".

[1] states

"set connaddrfamily= to the family of the *subnet= options, and if those are not defined, to the family of the left=/right= options"

So for me this would mean 'ipv4', because the 'leftsubnet' and 'rightsubnet' are IPv4.

But if I do that, I see the following error when pluto starts up:

-----
failed to convert '<left ipv6>' at load time: IPv4 address may not contain `:'

and later

We cannot identify ourselves with either end of this connection. 0.0.0.0 or 0.0.0.0 are not usable
-----

So I tried with 'connaddrfamily=ipv6'.

With that, the tunnel comes up and I can reach (ping) through the tunnel in both directions.

I have to explicitly set the source IP (192.168.112.1) when pinging from "the libreswan end" though, while my understanding of the documentation is that 'leftip=192.168.112.1' should take care of that? I assume this is not working because it expects an IPv6 address there...

In addition, I see the following error in the libreswan/pluto log:

-----
ERROR: netlink XFRM_MSG_UPDPOLICY response for flow eroute_connection add included errno 22: Invalid argument
-----

I am wondering now if my configuration is actually doing what it is supposed to do. Is 'connaddrfamily=ipv6' the correct thing to do even if the documentation states the opposite?


Thanks for any hints, corrections or reassurance.
andreas

Here is my libreswan config:

-----
# /etc/ipsec.d/home.conf - Libreswan IPsec configuration file

config setup
  plutodebug=all
  protostack=netkey
  interfaces=%none

conn mytunnel
  auto=start
  connaddrfamily=ipv6
  left=<left ipv6>
  right=<right ipv6>
  also=shared
  also=mysubnet

conn shared
  authby=secret
  ike=aes-sha2_256;dh5
  phase2alg=aes-sha2_256

conn mysubnet
  leftsubnet=192.168.112.0/24
  leftsourceip=192.168.112.1
  rightsubnet=192.168.0.0/18
  rightsourceip=192.168.1.1
-----

[1] https://libreswan.org/man/ipsec.conf.5.html

--
Imagine it works and nobody manages to pull it off.
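The two symptoms in the post (the load-time parse error under connaddrfamily=ipv4, and an IPv6 outer tunnel carrying IPv4 subnets) can be caught by a quick sanity check of the ipsec.conf before pluto is started. The script below is an added example, not part of the post or of libreswan itself: it parses conn sections, flattens also= includes (assuming a conn's own settings take precedence over included ones), and reports address-family mismatches; the sample config uses 2001:db8:: documentation prefixes in place of the real endpoints.

```python
import ipaddress

# Constructed sample in the post's layout; 2001:db8:: documentation prefixes stand in for the real endpoints.
SAMPLE_CONF = """\
conn mytunnel
  connaddrfamily=ipv4
  left=2001:db8:1::1
  right=2001:db8:2::1
  also=mysubnet
conn mysubnet
  leftsubnet=192.168.112.0/24
  leftsourceip=192.168.112.1
  rightsubnet=192.168.0.0/18
"""

def parse_conf(text):
    """Map each 'conn NAME' section to its settings; also= lines are collected in a list."""
    conns, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                    # section header, e.g. 'conn mytunnel'
            kind, _, name = line.strip().partition(" ")
            cur = conns.setdefault(name.strip(), {"also": []}) if kind == "conn" else None
        elif cur is not None:
            key, _, val = (s.strip() for s in line.partition("="))
            cur["also"].append(val) if key == "also" else cur.update({key: val})
    return conns

def resolve(conns, name):
    """Flatten also= includes; a conn's own keys win over included ones (this script's assumption)."""
    merged = {}
    for inc in conns[name]["also"]:
        merged.update(resolve(conns, inc))
    merged.update({k: v for k, v in conns[name].items() if k != "also"})
    return merged

def family(value):
    return "ipv6" if ipaddress.ip_network(value, strict=False).version == 6 else "ipv4"

def check_conn(conn):
    """Return findings about address-family consistency of one resolved conn."""
    outer = {family(conn[k]) for k in ("left", "right") if k in conn and not conn[k].startswith("%")}
    inner = {family(conn[k]) for k in ("leftsubnet", "rightsubnet") if k in conn}
    fam, findings = conn.get("connaddrfamily"), []
    if fam and outer and fam not in outer:     # the load-time parse error quoted in the post
        findings.append(f"connaddrfamily={fam} but left=/right= are {'/'.join(outer)}")
    if outer and inner and outer != inner:     # IPv6 outer carrying IPv4 inner subnets
        findings.append(f"mixed families: outer {'/'.join(outer)}, subnets {'/'.join(inner)}")
    return findings
```

Running check_conn(resolve(parse_conf(SAMPLE_CONF), "mytunnel")) reports both the family clash and the mixed-family tunnel; switching the sample to connaddrfamily=ipv6 leaves only the mixed-family note, which is the situation the post ends up in.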