IPv6 with Strongswan/IPSEC

Assume that you have two nodes: one with two IPv4 networks and one with a single IPv4 network, each also with one IPv6 network. We would like to have a separate connection for the IPv6 traffic.

  • node1
    • a.a.a.a/26
    • b.b.b.b/27
    • cccc:cccc:cc::c/64
  • node2 (has the same ip network as node2)
    • d.d.d.d/27
    • eeee:eeee:ee::e/64

My current configuration looks like this on node1

# ipsec.conf - strongSwan IPsec configuration file
 
conn general
    authby=ecdsasig
    compress=no
    type=tunnel
    left=b.b.b.4
    leftsubnet=a.a.a.0/26,b.b.b.0/27
    leftsigkey=/etc/ipsec.d/public/node1.pub.key
 
conn %default
    keyexchange=ikev2
    dpdaction=restart
 
include /etc/ipsec.d/*.conf

I guess I could simply add the IPv6 network to the leftsubnet and in my per-node configurations to the rightsubnet. However, I’d prefer to have two connections, one for IPv4 and one for IPv6. Turning my configuration into:

# ipsec.conf - strongSwan IPsec configuration file
 
conn general
    authby=ecdsasig
    compress=no
    type=tunnel
    leftsigkey=/etc/ipsec.d/public/node1.pub.key
 
conn left-ipv4
    also=general
    left=b.b.b.4
    leftsubnet=a.a.a.0/26,b.b.b.0/27
 
conn left-ipv6
    also=general
    left=cccc:cccc:cc::3
    leftsubnet=cccc:cccc:cc::/64
 
conn %default
    keyexchange=ikev2
    dpdaction=restart
 
include /etc/ipsec.d/*.conf

So, what happens here? I defined a conn general that holds all the settings common to the left-side (local) end of the tunnel. I defined left-ipv4 and left-ipv6, which inherit the general settings via also=. The right-side (remote) configuration goes into per-node configuration files in /etc/ipsec.d/*.conf, which in turn inherit left-ipv4 or left-ipv6. The %default conn is just there to make sure that I use IKEv2 and that dead peer detection is enabled.
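To see what those also= chains actually produce, here is an added example (not part of this post and not strongSwan's own code) that resolves the also= and %default inheritance of a small ipsec.conf and checks that each effective tunnel touches only one address family. The config text is constructed inline from the node1 snippets above with the same address placeholders; the precedence own keys > also= chain > %default is an assumption of this example.

```python
# Added example (not the post's or strongSwan's own code): resolve the also= and
# %default inheritance used above and check that each effective tunnel stays in
# one address family.  The config text is constructed from the post's snippets.
NODE1_CONF = """\
conn general
    authby=ecdsasig
conn left-ipv4
    also=general
    left=b.b.b.4
    leftsubnet=a.a.a.0/26,b.b.b.0/27
conn left-ipv6
    also=general
    left=cccc:cccc:cc::3
    leftsubnet=cccc:cccc:cc::/64
conn %default
    keyexchange=ikev2
conn node1-node2-ipv6
    also=left-ipv6
    right=eeee:eeee:ee::2
    rightsubnet=eeee:eeee:ee::/64
"""

def parse_conns(text):
    """Map conn name -> {key: value}; comments and include lines are ignored."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.startswith("conn "):
            cur = conns.setdefault(line[5:].strip(), {})
        elif line[:1] in (" ", "\t") and cur is not None:
            key, _, val = line.strip().partition("=")
            cur[key.strip()] = val.strip()
    return conns

def effective(conns, name, _seen=()):
    """Own keys override the also= chain, which overrides %default (assumed order)."""
    if name in _seen:
        raise ValueError("also= cycle at " + name)
    own = conns[name]
    result = {} if name == "%default" else dict(conns.get("%default", {}))
    if "also" in own:
        result.update(effective(conns, own["also"], _seen + (name,)))
    result.update((k, v) for k, v in own.items() if k != "also")
    return result

def families(settings):
    """Address families touched by a tunnel's endpoints and traffic selectors."""
    keys = ("left", "leftsubnet", "right", "rightsubnet")
    vals = [v for k in keys for v in settings.get(k, "").split(",") if v]
    return {"ipv6" if ":" in v else "ipv4" for v in vals}
```

A tunnel whose families() result contains both values mixes IPv4 and IPv6 selectors, which is exactly what splitting into left-ipv4 and left-ipv6 avoids.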

On node2 I do have:

# ipsec.conf - strongSwan IPsec configuration file
 
conn general
    authby=ecdsasig
    compress=no
    type=tunnel
    leftsigkey=/etc/ipsec.d/public/node2.pub.key
 
conn left-ipv4
    also=general
    left=d.d.d.130
    leftsubnet=d.d.d.128/27
 
conn left-ipv6
    also=general
    left=eeee:eeee:ee::2
    leftsubnet=eeee:eeee:ee::/64
 
conn %default
    keyexchange=ikev2
    dpdaction=restart
 
include /etc/ipsec.d/*.conf

On node1 I do create a configuration file for node2 in /etc/ipsec.d. On node2 I create a configuration for node1. /etc/ipsec.d/node2.conf on node1 looked like this:

conn node1-node2
    also=general
    auto=start
    right=d.d.d.130
    rightsubnet=d.d.d.128/27
    rightsigkey=/etc/ipsec.d/public/node2.pub.key

I modified that into:

conn node1-node2-ipv4
    also=left-ipv4
    auto=start
    right=d.d.d.130
    rightsubnet=d.d.d.128/27
    rightsigkey=/etc/ipsec.d/public/node2.pub.key
 
conn node1-node2-ipv6
    also=left-ipv6
    auto=start
    right=eeee:eeee:ee::2
    rightsubnet=eeee:eeee:ee::/64
    rightsigkey=/etc/ipsec.d/public/node2.pub.key

Basically I just added a connection for the IPv6 traffic and changed the original connection to inherit left-ipv4. /etc/ipsec.d/node1.conf on node2 looks like this:

conn node2-node1-ipv4
    also=left-ipv4
    auto=start
    right=b.b.b.4
    rightsubnet=b.b.b.0/27,a.a.a.0/26
    rightsigkey=/etc/ipsec.d/public/node1.pub.key
 
conn node2-node1-ipv6
    also=left-ipv6
    auto=start
    right=cccc:cccc:cc::3
    rightsubnet=cccc:cccc:cc::/64
    rightsigkey=/etc/ipsec.d/public/node1.pub.key

So it's pretty much a mirror of the node1 configuration. Now that we have two tunnels (one using the IPv6 left address and one using the IPv4 left address), you need to define the private key for both local IPs in ipsec.secrets.

On node1:

b.b.b.4 : ECDSA "node1.priv.key"
cccc:cccc:cc::3 : ECDSA "node1.priv.key"

On node2 you do the same with the two IPs local to node2, replacing node1.priv.key with node2.priv.key. For more information about this kind of authentication, see my first post about strongswan.

Restart ipsec on both nodes and check "ipsec status" (janice=node1, nyota=node2):

Security Associations (2 up, 0 connecting):
 
nyota-janice-ipv6[2]: ESTABLISHED 15 seconds ago, eeee:eeee:ee::2[eeee:eeee:ee::2]...
                                                  cccc:cccc:cc::3[cccc:cccc:cc::3]
nyota-janice-ipv6{2}:  INSTALLED, TUNNEL, ESP SPIs: x_i x_o
nyota-janice-ipv6{2}:   eeee:eeee:ee::/64 === cccc:cccc:cc::/64
 
nyota-janice-ipv4[1]: ESTABLISHED 15 seconds ago, d.d.d.130[d.d.d.130]...
                                                  b.b.b.4[b.b.b.4]
nyota-janice-ipv4{1}:  INSTALLED, TUNNEL, ESP SPIs: x_i x_o
nyota-janice-ipv4{1}:   d.d.d.128/27 === b.b.b.0/27 a.a.a.0/26

Great, isn’t it?
