[strongSwan] IPv6, whole /64 in transport mode
Victor Sudakov
vas at sibptus.ru
Sat Feb 1 04:30:32 CET 2020
Dear Noel,
For lack of better documentation in ipsec.conf(5), I copied the setup in
https://www.strongswan.org/testing/testresults/ikev2/trap-any/dave.ipsec.conf
only for IPv6.
When the config on Host A looks like this:
conn test-v6
        right=%any
        rightsubnet=2001:19f0:8001:1219::/64
        type=transport
        authby=psk
        auto=route
I see that "setkey -DP" outputs no IPv6 policies at all in the kernel
SPD. So obviously something is incorrect again.
Can you provide a pointer to the correct configuration?
Noel Kuntze wrote:
> That's because your configuration is incorrect.
> Do not set right or left. If you do that, you can't use transport mode anymore while having rightsubnet != right and leftsubnet != left.
>
> Am 21.01.20 um 16:59 schrieb Victor Sudakov:
> > noel.kuntze+strongswan-users-ml at thermi.consulting wrote:
> >> https://wiki.strongswan.org/issues/196#note-6
> >>
> >> Tobias is literally the person that wrote the code, so it's extremely likely that what he wrote and what the test scenario successfully tests is what in fact works.
> >
> >
> > No, this does not work. Probably it is not suitable for the case where
> > the rightsubnet belongs to one host, not multiple hosts. IPv6 traffic
> > remains unencrypted.
> >
> > My configs (with real IPs even):
> >
> > Host A (has one address)
> >
> > conn test-v6
> >         left=2001:470:35:7af::2
> >         right=%any
> >         rightsubnet=2001:19f0:8001:1219::/64
> >         type=transport
> >         authby=psk
> >         auto=route
> >
> > Host B (has multiple addresses from a /64 network)
> >
> > conn test-v6
> >         left=%any
> >         leftsubnet=2001:19f0:8001:1219::/64
> >         right=2001:470:35:7af::2
> >         type=transport
> >         authby=psk
> >         auto=route
> >
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
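As an added example (not part of this thread and not strongSwan's own tooling): a small POSIX shell helper for the verification step above, i.e. checking a `setkey -DP` dump for IPv6 entries and for the mode installed for a given selector. The SPD dump embedded in `sample_spd_dump` is constructed to resemble setkey output; on a real host you would pipe the actual `setkey -DP` output into these functions instead.

```shell
#!/bin/sh
# Added example, not from the thread or from strongSwan: helpers that inspect
# a `setkey -DP` SPD dump for IPv6 policies. The dump in sample_spd_dump is
# CONSTRUCTED to resemble setkey output; on a real host use
#   setkey -DP | v6_policy_count

# Constructed sample dump: an IPv4 transport policy pair plus one IPv6 entry.
# Selector lines are unindented ("src[port] dst[port] proto"); the policy
# details that follow each selector are indented, as in real setkey output.
sample_spd_dump() {
cat <<'EOF'
10.1.0.0/16[any] 192.168.0.1[any] any
    in ipsec
    esp/transport//require
    spid=17 seq=1 pid=1000
    refcnt=1
192.168.0.1[any] 10.1.0.0/16[any] any
    out ipsec
    esp/transport//require
    spid=18 seq=0 pid=1000
    refcnt=1
2001:19f0:8001:1219::/64[any] 2001:470:35:7af::2[any] any
    in ipsec
    esp/transport//require
    spid=21 seq=2 pid=1000
    refcnt=1
EOF
}

# v6_policy_count: number of SPD entries whose source selector is IPv6
# (an unindented selector line whose first field contains a colon).
v6_policy_count() {
  awk '/^[^ \t]/ && index($1, ":") { n++ } END { print n + 0 }'
}

# has_policy_for PREFIX: exit 0 if some entry has PREFIX as its source or
# destination selector and carries an "ipsec" action (not discard/none).
has_policy_for() {
  awk -v want="$1" '
    /^[^ \t]/ { sel = ($1 == (want "[any]") || $2 == (want "[any]")); next }
    sel && /^[ \t]+(in|out|fwd) ipsec/ { found = 1 }
    END { exit found ? 0 : 1 }'
}

# policy_mode_for PREFIX: print the mode (transport or tunnel) of the first
# esp/ah rule installed for an entry whose selector matches PREFIX.
policy_mode_for() {
  awk -v want="$1" '
    /^[^ \t]/ { sel = ($1 == (want "[any]") || $2 == (want "[any]")); next }
    sel && /^[ \t]+(esp|ah)\// { split($1, p, "/"); print p[2]; exit }'
}

# Stand-alone run against the constructed sample.
printf 'IPv6 SPD entries: %s\n' "$(sample_spd_dump | v6_policy_count)"
if sample_spd_dump | has_policy_for 2001:19f0:8001:1219::/64; then
  printf 'mode for 2001:19f0:8001:1219::/64: %s\n' \
    "$(sample_spd_dump | policy_mode_for 2001:19f0:8001:1219::/64)"
else
  echo 'no policy for 2001:19f0:8001:1219::/64 - check the conn and auto=route'
fi
```

A zero count from `v6_policy_count` on the real dump is the symptom described in the message (no IPv6 policies in the SPD); `policy_mode_for` additionally confirms whether the entry that strongSwan installed is the transport-mode one the conn asks for.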