IPsec: IP*-in-ESP-in-IP6

The following snippet is for site-to-site encrypted connections, transporting both IPv4 and IPv6 in ESP over IPv6. A 3.x kernel and strongswan-4.5.3 are used. One important caveat remains: the IPv6 prefixes in the leftsubnet= and rightsubnet= lines must be listed after the IPv4 ones. This is a known “bug” in the StrongSWAN config parser.

config setup
        plutostart=no

conn %default
        ikelifetime=600m
        keylife=200m
        rekeymargin=3m
        keyexchange=ikev2
        mobike=no
        keyingtries=%forever
        dpdaction=restart
        dpddelay=60
        auto=start

conn a-b
        left=2001:db8:61:1fa::1
        leftsubnet=192.0.2.1/32,10.10.7.0/24,2001:db8:61:1fa::/64
        leftid=@a.company.de
        right=2001:db8:50:1fb::1
        rightsubnet=192.0.2.254/32,10.10.4.0/24,2001:db8:50:1fb::/64
        rightid=@b.company.de

192.0.2.1 stands in for the public IPv4 address of host A, 2001:db8:61:1fa::1 for the public IPv6 address of host A, and 10.10.7.0 for a network attached to A which also carries 2001:db8:61:1fa::/64. In `ip addr` parlance:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 (internet-facing)
    inet 192.2.0.1/25 scope global eth0
    inet6 2001:db8:61:1fa::1/128 scope global
      valid_lft forever preferred_lft forever
3: tapvbox0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 500
    inet 10.10.7.1/24 scope global tapvbox0
    inet6 2001:db8:61:1fa::1/64 scope global
      valid_lft forever preferred_lft forever
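Because the parser quirk above silently yields a conn that does not cover the intended traffic, it is worth checking the selector ordering before reloading. The script below is an added example, not part of this post and not strongSwan's own tooling: it parses a constructed ipsec.conf (the same conn a-b, but with the IPv6 prefix deliberately placed first in leftsubnet=), reports every leftsubnet=/rightsubnet= list where an IPv6 entry precedes an IPv4 one, and prints the reordered value. The ordering rule it enforces is exactly the caveat stated above; the sample configuration and all function names are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample ipsec.conf (strongSwan 4.x style). It mirrors the post's
# conn a-b, except that leftsubnet= lists the IPv6 prefix *before* the IPv4
# ones, which is the ordering the post warns the config parser mishandles.
SAMPLE_CONF = """\
config setup
        plutostart=no

conn %default
        keyexchange=ikev2
        auto=start

conn a-b
        left=2001:db8:61:1fa::1
        leftsubnet=2001:db8:61:1fa::/64,192.0.2.1/32,10.10.7.0/24
        leftid=@a.company.de
        right=2001:db8:50:1fb::1
        rightsubnet=192.0.2.254/32,10.10.4.0/24,2001:db8:50:1fb::/64
        rightid=@b.company.de
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    A line starting in column 0 opens a section ('config setup', 'conn NAME');
    indented key=value lines belong to the most recent section. Only this
    subset of ipsec.conf syntax is handled (no 'also=', no 'include').
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            m = re.match(r"conn\s+(\S+)", raw)
            current = conns.setdefault(m.group(1), {}) if m else None
            continue
        if current is None:  # key inside 'config setup' or similar; ignored here
            continue
        key, _, value = raw.strip().partition("=")
        current[key.strip()] = value.strip()
    return conns


def split_subnets(value):
    """Parse a comma-separated leftsubnet=/rightsubnet= value into network objects."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(",") if s.strip()]


def ipv6_after_ipv4(nets):
    """True if no IPv6 network precedes an IPv4 network (the ordering the post requires)."""
    seen_v6 = False
    for n in nets:
        if n.version == 6:
            seen_v6 = True
        elif seen_v6:
            return False
    return True


def reorder_subnets(nets):
    """Stable reorder: all IPv4 networks first, then IPv6, keeping relative order."""
    return [n for n in nets if n.version == 4] + [n for n in nets if n.version == 6]


def lint_conns(conns):
    """Return (conn, key, fixed_value) for every selector list that needs reordering."""
    findings = []
    for name, opts in conns.items():
        if name == "%default":
            continue
        for key in ("leftsubnet", "rightsubnet"):
            if key not in opts:
                continue
            nets = split_subnets(opts[key])
            if not ipv6_after_ipv4(nets):
                fixed = ",".join(str(n) for n in reorder_subnets(nets))
                findings.append((name, key, fixed))
    return findings


if __name__ == "__main__":
    for conn, key, fixed in lint_conns(parse_conns(SAMPLE_CONF)):
        print(f"conn {conn}: {key}= lists IPv6 before IPv4; use {key}={fixed}")
```

Run against a real file by replacing SAMPLE_CONF with the contents of /etc/ipsec.conf; a clean run prints nothing. Note that ipsec.conf accepts a few forms this small parser does not (also=, include, and %default inheritance), so treat it as a pre-reload sanity check, not a full validator.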

Posted 2012-06-29 15:06 / Tags: Ipsec, Ipv6, Linux, Networking.