On Tue, 5 Jun 2018, Reuben Farrelly wrote:

I only need to transport IPv4 across the IPv6 IPSec tunnel, but bonus marks all around if I can optionally have an IPv4 and IPv6 address on the VTI at the same time.

Problems I have run into and would appreciate any advice are as follows...

1. The libreswan conn section for each peer requires a left= statement. This works as either an IPv4 address, or an IPv6 address, but only one can be defined. And %any doesn't work either (trying this results in an error "connection router-2.reub.net must specify host IP address for our side")

This is a major obstacle if I have both IPv4 only and IPv6 preferred clients connecting in, especially if I am migrating between the two transports as I am here, because it appears I have to use one or the other, but cannot support both address families at once.

2. If I change the left= side to be the IPv6 address, then it starts but I get a proposal error:

Please retry the current git master. It no longer uses the
connaddrfamily= keyword. You should not need any keyword to do 6in4 or
4in6. But if you want to force the address family of the gateways, you
can use hostaddrfamily= and if you want to force the address family of
the subnets, you can use clientaddrfamily=

Jun 5 22:58:21: IKEv2:(SESSION ID = 43,SA ID = 1):Processing IKE_SA_INIT message
Jun 5 22:58:21: IKEv2-ERROR:(SESSION ID = 43,SA ID = 1):: Received no proposal chosen notify
Jun  5 22:58:21: IKEv2:(SESSION ID = 43,SA ID = 1):Failed SA init exchange
Jun 5 22:58:21: IKEv2-ERROR:(SESSION ID = 43,SA ID = 1):Initial exchange failed: Initial exchange failed
Jun  5 22:58:21: IKEv2:(SESSION ID = 43,SA ID = 1):Abort exchange
Jun  5 22:58:21: IKEv2:(SESSION ID = 43,SA ID = 1):Deleting SA

I don't understand why I'd start getting a proposal error if I haven't changed any of the proposals on either side.

Most likely, your connection showed up as "unoriented" and therefore
fails in IKE_INIT to be found at all (we can only look at oriented
connections to match an exchange to)

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan