I've found that creating an IPv6 over IPv4 tunnel between hosts blocks traffic on the IPv4 network between those hosts (creating a "required" security policy matching the IPv4 host, as I understand it). Meanwhile, apparently IPv6 traffic on that address is not IPsec-mandatory: if there is a keying issue, so that no SA can be created, but the hosts are on the same LAN so that the IPv6 addresses are routable, IPv6 traffic is transferred unencrypted.
I'd like to permit unencrypted IPv4 as usual, but require the traffic on the tunnelled IPv6 address to be encrypted. Is it possible to create this configuration with strongSwan? It seems to me the kernel allows creating a required security policy for the IPv6 address, with an SA for the tunnel. Or is this a kernel-level limitation with IPsec policies in tunnel mode? I have to admit I am a bit hazy on the underlying mechanisms here, so any explanation would be appreciated.

(Also: although I'm testing my configuration on a LAN, where direct IPv4 and IPv6 routes are available, I intend to deploy these systems on the wide internet, where only IPv4 will be available, so a non-tunnel IPv6 solution is not an option. However, I still want unsecured IPv6 blocked, of course.)
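The configuration shape the question is asking about, as an added example that is not part of the original post and not a strongSwan project sample: the IKE/ESP endpoints are the IPv4 addresses, while the traffic selectors name only the tunnelled IPv6 addresses, so the kernel policies charon installs match IPv6 and nothing else. All addresses (192.0.2.1, 192.0.2.2, 2001:db8::1, 2001:db8::2) and the connection name are placeholders assumed for illustration; the pre-shared key is assumed to be in ipsec.secrets.

```conf
# Added example (ipsec.conf on the 192.0.2.1 side); addresses are assumed placeholders.
config setup

conn ipv6-over-ipv4
    keyexchange=ikev2
    type=tunnel
    authby=secret
    # IKE and ESP run between the IPv4 addresses: this is the only path
    # that exists on the wide internet.
    left=192.0.2.1
    right=192.0.2.2
    # The traffic selectors are IPv6 only. The resulting xfrm policies
    # match just the tunnelled IPv6 addresses, so plaintext IPv4 between
    # the two hosts matches no policy and keeps flowing as before.
    leftsubnet=2001:db8::1/128
    rightsubnet=2001:db8::2/128
    # Install trap policies at startup rather than waiting for an IKE
    # exchange: an IPv6 packet for the peer triggers IKE and is held, and
    # if keying fails it is dropped rather than sent in the clear, even
    # when the IPv6 address happens to be reachable directly on the LAN.
    auto=route
```

On the 192.0.2.2 side the same block is used with left/right and leftsubnet/rightsubnet swapped. After `ipsec reload`, `ip xfrm policy` should list outbound, inbound and forward policies whose selectors are the /128 IPv6 addresses and whose template is `proto esp mode tunnel` between the two IPv4 addresses; no policy should mention an IPv4 selector. Because the inbound policy requires IPsec, unencrypted IPv6 arriving for 2001:db8::1 from 2001:db8::2 is discarded by the kernel regardless of whether an SA is currently established, which is the "unsecured IPv6 blocked" property the post asks for.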
