[strongSwan] mixing ipv4 and ipv6 subnets does not work
Niccolò Belli
darkbasic at linuxsystems.it
Sat Mar 10 12:22:34 CET 2012
Since I get an error, I just wanted to know if it was possible to mix v4
and v6 subnets at all.
Supporting the fact it doesn't work is very easy: it doesn't create any
ip xfrm policy entry for the v4 subnet.
Server A ipsec.conf:
conn %default
    mobike=no
    pfs=yes
    dpdaction=restart
    dpddelay=30s
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

conn A-B
    keyexchange=ikev2
    authby=psk
    left=5.5.5.5
    leftsubnet=::/0
    right=1.2.3.34
    rightsubnet=1.2.3.32/28,a:b:c:0300::/56
    type=tunnel
    auto=start

conn local-ipv6
    left=5.5.5.5
    leftsubnet=a:b:c:0300::/56,ff02::/16,fe80::/10
    right=1.2.3.34
    rightsubnet=a:b:c:0300::/56,ff02::/16,fe80::/10
    authby=never
    type=pass
    auto=route
Server A ip xfrm policy:
src a:b:c:300::/56 dst ::/0
    dir fwd priority 1827 ptype main
    tmpl src 1.2.3.34 dst 5.5.5.5
        proto esp reqid 2 mode tunnel
src a:b:c:300::/56 dst ::/0
    dir in priority 1827 ptype main
    tmpl src 1.2.3.34 dst 5.5.5.5
        proto esp reqid 2 mode tunnel
src ::/0 dst a:b:c:300::/56
    dir out priority 1827 ptype main
    tmpl src 5.5.5.5 dst 1.2.3.34
        proto esp reqid 2 mode tunnel
src fe80::/10 dst fe80::/10
    dir fwd priority 1971 ptype main
src fe80::/10 dst fe80::/10
    dir in priority 1971 ptype main
src fe80::/10 dst fe80::/10
    dir out priority 1971 ptype main
src ff02::/16 dst fe80::/10
    dir fwd priority 1947 ptype main
src ff02::/16 dst fe80::/10
    dir in priority 1947 ptype main
src fe80::/10 dst ff02::/16
    dir out priority 1947 ptype main
src a:b:c:300::/56 dst fe80::/10
    dir fwd priority 1787 ptype main
src a:b:c:300::/56 dst fe80::/10
    dir in priority 1787 ptype main
src fe80::/10 dst a:b:c:300::/56
    dir out priority 1787 ptype main
src fe80::/10 dst ff02::/16
    dir fwd priority 1947 ptype main
src fe80::/10 dst ff02::/16
    dir in priority 1947 ptype main
src ff02::/16 dst fe80::/10
    dir out priority 1947 ptype main
src ff02::/16 dst ff02::/16
    dir fwd priority 1923 ptype main
src ff02::/16 dst ff02::/16
    dir in priority 1923 ptype main
src ff02::/16 dst ff02::/16
    dir out priority 1923 ptype main
src a:b:c:300::/56 dst ff02::/16
    dir fwd priority 1763 ptype main
src a:b:c:300::/56 dst ff02::/16
    dir in priority 1763 ptype main
src ff02::/16 dst a:b:c:300::/56
    dir out priority 1763 ptype main
src fe80::/10 dst a:b:c:300::/56
    dir fwd priority 1787 ptype main
src fe80::/10 dst a:b:c:300::/56
    dir in priority 1787 ptype main
src a:b:c:300::/56 dst fe80::/10
    dir out priority 1787 ptype main
src ff02::/16 dst a:b:c:300::/56
    dir fwd priority 1763 ptype main
src ff02::/16 dst a:b:c:300::/56
    dir in priority 1763 ptype main
src a:b:c:300::/56 dst ff02::/16
    dir out priority 1763 ptype main
src a:b:c:300::/56 dst a:b:c:300::/56
    dir fwd priority 1603 ptype main
src a:b:c:300::/56 dst a:b:c:300::/56
    dir in priority 1603 ptype main
src a:b:c:300::/56 dst a:b:c:300::/56
    dir out priority 1603 ptype main
src ::/0 dst ::/0
    dir 3 priority 0 ptype main
src ::/0 dst ::/0
    dir 4 priority 0 ptype main
src ::/0 dst ::/0
    dir 3 priority 0 ptype main
src ::/0 dst ::/0
    dir 4 priority 0 ptype main
src ::/0 dst ::/0
    dir 3 priority 0 ptype main
src ::/0 dst ::/0
    dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0 ptype main
Server B ipsec.conf:
conn %default
    mobike=no
    pfs=yes
    dpdaction=restart
    dpddelay=10s
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

conn A-B
    keyexchange=ikev2
    authby=psk
    left=1.2.3.34
    leftsubnet=1.2.3.32/28,a:b:c:0300::/56
    right=5.5.5.5
    rightsubnet=::/0
    type=tunnel
    auto=start

conn local-ipv6
    left=1.2.3.34
    leftsubnet=a:b:c:0300::/56,ff02::/16,fe80::/10
    right=5.5.5.5
    rightsubnet=a:b:c:0300::/56,ff02::/16,fe80::/10
    authby=never
    type=pass
    auto=route
Server B ip xfrm policy:
src ::/0 dst a:b:c:300::/56
    dir fwd priority 1827 ptype main
    tmpl src 5.5.5.5 dst 1.2.3.34
        proto esp reqid 1 mode tunnel
src ::/0 dst a:b:c:300::/56
    dir in priority 1827 ptype main
    tmpl src 5.5.5.5 dst 1.2.3.34
        proto esp reqid 1 mode tunnel
src a:b:c:300::/56 dst ::/0
    dir out priority 1827 ptype main
    tmpl src 1.2.3.34 dst 5.5.5.5
        proto esp reqid 1 mode tunnel
src fe80::/10 dst fe80::/10
    dir fwd priority 1971 ptype main
src fe80::/10 dst fe80::/10
    dir in priority 1971 ptype main
src fe80::/10 dst fe80::/10
    dir out priority 1971 ptype main
src ff02::/16 dst fe80::/10
    dir fwd priority 1947 ptype main
src ff02::/16 dst fe80::/10
    dir in priority 1947 ptype main
src fe80::/10 dst ff02::/16
    dir out priority 1947 ptype main
src a:b:c:300::/56 dst fe80::/10
    dir fwd priority 1787 ptype main
src a:b:c:300::/56 dst fe80::/10
    dir in priority 1787 ptype main
src fe80::/10 dst a:b:c:300::/56
    dir out priority 1787 ptype main
src fe80::/10 dst ff02::/16
    dir fwd priority 1947 ptype main
src fe80::/10 dst ff02::/16
    dir in priority 1947 ptype main
src ff02::/16 dst fe80::/10
    dir out priority 1947 ptype main
src ff02::/16 dst ff02::/16
    dir fwd priority 1923 ptype main
src ff02::/16 dst ff02::/16
    dir in priority 1923 ptype main
src ff02::/16 dst ff02::/16
    dir out priority 1923 ptype main
src a:b:c:300::/56 dst ff02::/16
    dir fwd priority 1763 ptype main
src a:b:c:300::/56 dst ff02::/16
    dir in priority 1763 ptype main
src ff02::/16 dst a:b:c:300::/56
    dir out priority 1763 ptype main
src fe80::/10 dst a:b:c:300::/56
    dir fwd priority 1787 ptype main
src fe80::/10 dst a:b:c:300::/56
    dir in priority 1787 ptype main
src a:b:c:300::/56 dst fe80::/10
    dir out priority 1787 ptype main
src ff02::/16 dst a:b:c:300::/56
    dir fwd priority 1763 ptype main
src ff02::/16 dst a:b:c:300::/56
    dir in priority 1763 ptype main
src a:b:c:300::/56 dst ff02::/16
    dir out priority 1763 ptype main
src a:b:c:300::/56 dst a:b:c:300::/56
    dir fwd priority 1603 ptype main
src a:b:c:300::/56 dst a:b:c:300::/56
    dir in priority 1603 ptype main
src a:b:c:300::/56 dst a:b:c:300::/56
    dir out priority 1603 ptype main
src ::/0 dst ::/0
    dir 3 priority 0 ptype main
src ::/0 dst ::/0
    dir 4 priority 0 ptype main
src ::/0 dst ::/0
    dir 3 priority 0 ptype main
src ::/0 dst ::/0
    dir 4 priority 0 ptype main
src ::/0 dst ::/0
    dir 3 priority 0 ptype main
src ::/0 dst ::/0
    dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0 ptype main
Sorry if I didn't immediately post the configs, but I thought it was a
known bug when mixing v4 and v6 subnets and I was searching for confirmation.
Cheers,
Niccolò
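Added example, not part of the post above and not strongSwan's own code: a small Python script that parses `ip xfrm policy` output and lists, for every prefix in a conn's leftsubnet/rightsubnet, the directions (out, in, fwd) for which no tunnel-mode policy exists. That is the check the post does by eye (no policy for 1.2.3.32/28), made mechanical and per address family, so an IPv6 policy can never satisfy an IPv4 selector. The sample output embedded in it is a constructed abbreviation of the Server A listing; the function names and the comparison rules are this example's own. Replace SAMPLE_XFRM_POLICY with the real output to run it against a live box.

```python
"""Check that every subnet of an ipsec.conf conn has a kernel xfrm policy.
Added example (not from the post or from strongSwan); it only parses the
text format of `ip xfrm policy`."""
import ipaddress
import re

# Constructed sample: an abbreviation of the Server A output in the post
# (three tunnel policies, one set of type=pass policies, socket policies).
SAMPLE_XFRM_POLICY = """\
src a:b:c:300::/56 dst ::/0
    dir fwd priority 1827 ptype main
    tmpl src 1.2.3.34 dst 5.5.5.5
        proto esp reqid 2 mode tunnel
src a:b:c:300::/56 dst ::/0
    dir in priority 1827 ptype main
    tmpl src 1.2.3.34 dst 5.5.5.5
        proto esp reqid 2 mode tunnel
src ::/0 dst a:b:c:300::/56
    dir out priority 1827 ptype main
    tmpl src 5.5.5.5 dst 1.2.3.34
        proto esp reqid 2 mode tunnel
src fe80::/10 dst fe80::/10
    dir fwd priority 1971 ptype main
src fe80::/10 dst fe80::/10
    dir in priority 1971 ptype main
src fe80::/10 dst fe80::/10
    dir out priority 1971 ptype main
src ::/0 dst ::/0
    dir 3 priority 0 ptype main
src ::/0 dst ::/0
    dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0 ptype main
"""


def parse_subnets(value):
    """Split a leftsubnet=/rightsubnet= value into normalised networks,
    so a:b:c:0300::/56 from ipsec.conf equals a:b:c:300::/56 as printed
    by the kernel."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(",") if s.strip()]


def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` output into dicts. Policies without a
    template (type=pass conns, per-socket dir 3/dir 4 entries) keep
    mode None."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):
            m = re.match(r"src (\S+) dst (\S+)", line)
            cur = {"src": ipaddress.ip_network(m.group(1), strict=False),
                   "dst": ipaddress.ip_network(m.group(2), strict=False),
                   "dir": None, "priority": None, "tmpl": None, "mode": None}
            policies.append(cur)
        elif line.startswith("dir ") and cur is not None:
            m = re.match(r"dir (\S+) priority (\d+)", line)
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
        elif line.startswith("tmpl ") and cur is not None:
            m = re.match(r"tmpl src (\S+) dst (\S+)", line)
            cur["tmpl"] = (m.group(1), m.group(2))
        elif line.startswith("proto ") and cur is not None:
            m = re.search(r"mode (\S+)", line)
            cur["mode"] = m.group(1) if m else None
    return policies


# Which end of a policy a subnet must appear on: local subnets are the
# source of outbound traffic and the destination of inbound/forwarded
# traffic; remote subnets the other way round.
_ROLE_KEY = {("local", "out"): "src", ("local", "in"): "dst",
             ("local", "fwd"): "dst", ("remote", "out"): "dst",
             ("remote", "in"): "src", ("remote", "fwd"): "src"}


def missing_tunnel_policies(policies, local_subnets, remote_subnets):
    """Return (subnet, direction) pairs with no tunnel-mode policy.
    Only policies whose template says mode tunnel count, so a pass policy
    on the same prefix cannot hide a missing tunnel policy; network
    equality is per address family."""
    tunnel = [p for p in policies if p["mode"] == "tunnel"]
    missing = []
    for role, subnets in (("local", local_subnets), ("remote", remote_subnets)):
        for net in subnets:
            for direction in ("out", "in", "fwd"):
                key = _ROLE_KEY[(role, direction)]
                if not any(p["dir"] == direction and p[key] == net for p in tunnel):
                    missing.append((str(net), direction))
    return missing


if __name__ == "__main__":
    # Server A, conn A-B: leftsubnet=::/0, rightsubnet=1.2.3.32/28,a:b:c:0300::/56
    pols = parse_xfrm_policy(SAMPLE_XFRM_POLICY)
    for subnet, direction in missing_tunnel_policies(
            pols, parse_subnets("::/0"),
            parse_subnets("1.2.3.32/28,a:b:c:0300::/56")):
        print(f"no tunnel policy for {subnet} dir {direction}")
```

Run as-is it reports 1.2.3.32/28 as missing in all three directions and nothing else, which is exactly what the Server A listing shows. The dir 3 / dir 4, priority 0 entries are per-socket policies rather than tunnel policies, and the type=pass policies carry no template, so both are parsed but ignored by the check.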