On Tue, 15 May 2018, Andreas Scherrer wrote:
> Dear libreswan wizards
>
> I am trying to set up my first IPSec tunnel using libreswan (v3.23) on one
> end and racoon on the other end.
> The machines have IPv6 connectivity, so I want to (have to) use IPv6 for the
> "outer" IPs.
> Inside the tunnel I want to route IPv4 though.

There is a bug in the parser. You can try the patch at:
https://github.com/libreswan/libreswan/issues/175

> So I tried with 'connaddrfamily=ipv6'.
> With that, the tunnel comes up and I can reach (ping) through the tunnel in
> both directions.
> I have to explicitly set the source IP (192.168.112.1) when pinging from "the
> libreswan end" though, while my understanding of the documentation is that
> 'leftip=192.168.112.1' should take care of that? I assume this is not working
> because it expects an IPv6 address there...

You mean leftsourceip= ?
So you have two IPv4 addresses? An internal and external one? And you
set leftsourceip=internalip ?
That should work indeed.

> In addition, I see the following error in the libreswan/pluto log:
> -----
> ERROR: netlink XFRM_MSG_UPDPOLICY response for flow eroute_connection add
> included errno 22: Invalid argument
> -----

It might be trying to install the wrong family for the %trap and fail.
So auto=ondemand might not be working.

> I am wondering now if my configuration is actually doing what it is supposed
> to do. Is 'connaddrfamily=ipv6' the correct thing to do even if the
> documentation states the opposite?

These options are a bit busy and we do want to move to an auto-detection
for all of this. Sorry you were caught in these.

Paul