[strongSwan] Encrypting connection between two public IPv6 prefixes
Marek Szuba
scriptkiddie at wp.pl
Tue Jun 6 14:48:36 CEST 2017
Hello,
I have been trying to establish an IPsec-encrypted connection between
two IPv6-enabled sites configured as follows:
- ordinary machines on each site receive either static or
DHCPv6-assigned addresses from their respective /56 prefixes. These
prefixes are globally routable and, just to make it clear, separate for
each site;
- site gateways have got two interfaces, with the internal ones
assigned addresses from respective site prefixes and the external ones
sitting in two, again separate, /127 networks assigned to us by the ISP.
The gateways of both sites are Linux servers, running exactly the same
OS and by extension using the same version of strongSwan. Needless to
say, the two sites communicate perfectly well over IPv6 when no
encryption is involved.
Unfortunately the tunnel as configured right now does not quite work
right. When running ping6 on one site and tcpdump on the other:
- incoming ICMPv6 echo requests are visible twice, once as ESP and once
unencrypted; replies come out fine, i.e. only once as ESP;
- site-to-site connections do not seem to work, unencrypted ICMPv6 is
visible for both echo-request and echo-reply packets.
Out of curiosity I tried switching the end-to-end connection to
transport mode, in which case I no longer see duplicates - only ESP
packets are seen instead of both incoming echo-request and outgoing
echo-reply. I couldn't get site-to-site connectivity working in this
mode, though.
Note: I should probably mention at this point that while I have used
IPsec on local networks before, this is the first time I have ever tried
using it for connections between networks - so chances are I've made some
rather silly mistake. I have also never tried it with IPv6 before either
but at a glance nothing in the configs seems to be IPv6-specific so
perhaps it doesn't matter in this case.
Anyway, ipsec.conf on the two gateway machines looks as follows (with
redactions having been made using exactly the same regexes, so I am
confident they are consistent):
*** ipsec.conf-sun ***
config setup
ca myca
        cacert=/etc/ssl/certs/ca.pem
        auto=start
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        fragmentation=yes
        mobike=no
conn tunv6-sites
        also=tunv6-ends
        leftsubnet=2001:1234:5678:100::/56
        rightsubnet=2001:1234:5678:200::/56
        auto=start
conn tunv6-ends
        left=2001:1234:5678::2
        leftcert=/etc/ssl/certs/sun.pem
        leftid=@sun.sunsite.example.com
        leftfirewall=yes
        right=2001:1234:5678::4
        rightcert=/etc/ssl/certs/moon.pem
        rightid=@moon.moonsite.example.com
        auto=start
*** ipsec.conf-moon ***
config setup
ca myca
        cacert=/etc/ssl/certs/ca.pem
        auto=start
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        fragmentation=yes
        mobike=no
conn tunv6-sites
        also=tunv6-ends
        leftsubnet=2001:1234:5678:200::/56
        rightsubnet=2001:1234:5678:100::/56
        auto=start
conn tunv6-ends
        left=2001:1234:5678::f
        leftcert=/etc/ssl/certs/moon.pem
        leftid=@moon.moonsite.example.com
        leftfirewall=yes
        right=2001:1234:5678::d
        rightcert=/etc/ssl/certs/sun.pem
        rightid=@sun.sunsite.example.com
        auto=start
***
I will greatly appreciate any suggestions which will nudge me towards
getting this to work! If you need any more information, just let me know.
All the best,
--
MS
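Added example (not from the post and not strongSwan project code): a small Python consistency check over the two ipsec.conf files quoted above. It parses the conn sections, flattens %default and the also= chain, and reports every left*/right* parameter that does not mirror between the two gateways, plus any traffic-selector prefix that is not a valid, aligned IPv6 network or that overlaps its counterpart. Two things are assumptions rather than facts from the post: the parser is lenient about indentation (the real starter is not), and a parameter set in a section itself is taken to win over one pulled in through also=. The embedded configs are copied from the post with the config setup and ca sections dropped, since they carry no peer parameters.

```python
import ipaddress

# conn %default shared by both gateways in the post (copied verbatim).
DEFAULTS = """\
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        fragmentation=yes
        mobike=no
"""
# conn sections of ipsec.conf-sun / ipsec.conf-moon from the post (copied).
SUN_CONF = DEFAULTS + """\
conn tunv6-sites
        also=tunv6-ends
        leftsubnet=2001:1234:5678:100::/56
        rightsubnet=2001:1234:5678:200::/56
        auto=start
conn tunv6-ends
        left=2001:1234:5678::2
        leftcert=/etc/ssl/certs/sun.pem
        leftid=@sun.sunsite.example.com
        leftfirewall=yes
        right=2001:1234:5678::4
        rightcert=/etc/ssl/certs/moon.pem
        rightid=@moon.moonsite.example.com
        auto=start
"""
MOON_CONF = DEFAULTS + """\
conn tunv6-sites
        also=tunv6-ends
        leftsubnet=2001:1234:5678:200::/56
        rightsubnet=2001:1234:5678:100::/56
        auto=start
conn tunv6-ends
        left=2001:1234:5678::f
        leftcert=/etc/ssl/certs/moon.pem
        leftid=@moon.moonsite.example.com
        leftfirewall=yes
        right=2001:1234:5678::d
        rightcert=/etc/ssl/certs/sun.pem
        rightid=@sun.sunsite.example.com
        auto=start
"""
MIRROR = {"left": "right", "leftsubnet": "rightsubnet",
          "leftid": "rightid", "leftcert": "rightcert"}

def parse_ipsec_conf(text):
    """Map each section header ('conn x', 'ca x', 'config setup') to {param: value}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("conn ", "ca ", "config ")):
            current = line
            sections.setdefault(current, {})
        elif "=" in line and current:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    return sections

def resolve_conn(sections, name, _nested=False):
    """Flatten a conn: %default underneath, then the also= chain, then its own
    parameters.  Assumption (not from the post): an explicit parameter wins
    over one pulled in through also=."""
    own = dict(sections[f"conn {name}"])
    conn = {} if _nested else dict(sections.get("conn %default", {}))
    if "also" in own:
        conn.update(resolve_conn(sections, own.pop("also"), True))
    conn.update(own)
    return conn

def check_pair(conn_a, conn_b):
    """Return {what: (value_on_a, value_on_b)} for every inconsistency found."""
    problems = {}
    for l, r in MIRROR.items():           # a.left == b.right and vice versa
        for ka, kb in ((l, r), (r, l)):
            if conn_a.get(ka) != conn_b.get(kb):
                problems[f"{ka}/{kb}"] = (conn_a.get(ka), conn_b.get(kb))
    for side, conn in (("a", conn_a), ("b", conn_b)):
        try:  # strict parsing rejects a prefix with host bits set
            ls, rs = (ipaddress.IPv6Network(conn[k]) for k in ("leftsubnet", "rightsubnet"))
            for k in ("left", "right"):   # gateway addresses must parse too
                ipaddress.IPv6Address(conn[k])
        except (KeyError, ValueError) as err:
            problems[f"{side}:addressing"] = (str(err), None)
            continue
        if ls.overlaps(rs):
            problems[f"{side}:overlap"] = (str(ls), str(rs))
    return problems

if __name__ == "__main__":
    sun = resolve_conn(parse_ipsec_conf(SUN_CONF), "tunv6-sites")
    moon = resolve_conn(parse_ipsec_conf(MOON_CONF), "tunv6-sites")
    for what, (a, b) in sorted(check_pair(sun, moon).items()):
        print(f"{what}: sun={a} moon={b}")
```

Run as is, it lists the parameters of the posted sun and moon files that do not mirror each other (the left/right gateway addresses); subnets, ids and certificates do mirror. Whether the address mismatch is in the live files or only in the redaction is something only the poster can tell, but the same check run on the unredacted files answers that in a second.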