Assume that you have two nodes, one with two IPv4 networks and one with a single IPv4 network, each of them also with one IPv6 network, and that we would like a separate IPsec connection for the IPv6 traffic:
- node1
  - a.a.a.a/26
  - b.b.b.b/27
  - cccc:cccc:cc::c/64
- node2 (one IPv4 network and one IPv6 network)
  - d.d.d.d/27
  - eeee:eeee:ee::e/64
My current configuration looks like this on node1:

```
# ipsec.conf - strongSwan IPsec configuration file

conn general
	authby=ecdsasig
	compress=no
	type=tunnel
	left=b.b.b.4
	leftsubnet=a.a.a.0/26,b.b.b.0/27
	leftsigkey=/etc/ipsec.d/public/node1.pub.key

conn %default
	keyexchange=ikev2
	dpdaction=restart

include /etc/ipsec.d/*.conf
```
I guess I could simply add the IPv6 network to leftsubnet here and to rightsubnet in my per-node configurations. However, I'd prefer to have two connections, one for IPv4 and one for IPv6. That turns my configuration into:

```
# ipsec.conf - strongSwan IPsec configuration file

conn general
	authby=ecdsasig
	compress=no
	type=tunnel
	leftsigkey=/etc/ipsec.d/public/node1.pub.key

conn left-ipv4
	also=general
	left=b.b.b.4
	leftsubnet=a.a.a.0/26,b.b.b.0/27

conn left-ipv6
	also=general
	left=cccc:cccc:cc::3
	leftsubnet=cccc:cccc:cc::/64

conn %default
	keyexchange=ikev2
	dpdaction=restart

include /etc/ipsec.d/*.conf
```
So, what happens here? I defined a conn general which holds all the general settings for the left (local) side of the tunnel. I defined left-ipv4 and left-ipv6, which inherit the general settings via also=. The right-side (remote) configuration goes into per-node configuration files in /etc/ipsec.d/*.conf, which in turn inherit from left-ipv4 or left-ipv6. The %default conn is just there to make sure that I use IKEv2 and that dead peer detection is activated.
On node2 I have:

```
# ipsec.conf - strongSwan IPsec configuration file

conn general
	authby=ecdsasig
	compress=no
	type=tunnel
	leftsigkey=/etc/ipsec.d/public/node2.pub.key

conn left-ipv4
	also=general
	left=d.d.d.130
	leftsubnet=d.d.d.128/27

conn left-ipv6
	also=general
	left=eeee:eeee:ee::2
	leftsubnet=eeee:eeee:ee::/64

conn %default
	keyexchange=ikev2
	dpdaction=restart

include /etc/ipsec.d/*.conf
```
On node1 I create a configuration file for node2 in /etc/ipsec.d, and on node2 I create one for node1. /etc/ipsec.d/node2.conf on node1 looked like this:

```
conn node1-node2
	also=general
	auto=start
	right=d.d.d.130
	rightsubnet=d.d.d.128/27
	rightsigkey=/etc/ipsec.d/public/node2.pub.key
```
I modified that into:

```
conn node1-node2-ipv4
	also=left-ipv4
	auto=start
	right=d.d.d.130
	rightsubnet=d.d.d.128/27
	rightsigkey=/etc/ipsec.d/public/node2.pub.key

conn node1-node2-ipv6
	also=left-ipv6
	auto=start
	right=eeee:eeee:ee::2
	rightsubnet=eeee:eeee:ee::/64
	rightsigkey=/etc/ipsec.d/public/node2.pub.key
```
Basically I just added a connection for the IPv6 traffic and changed the original connection to inherit from left-ipv4 instead of general. /etc/ipsec.d/node1.conf on node2 looks like this:

```
conn node2-node1-ipv4
	also=left-ipv4
	auto=start
	right=b.b.b.4
	rightsubnet=b.b.b.0/27,a.a.a.0/26
	rightsigkey=/etc/ipsec.d/public/node1.pub.key

conn node2-node1-ipv6
	also=left-ipv6
	auto=start
	right=cccc:cccc:cc::3
	rightsubnet=cccc:cccc:cc::/64
	rightsigkey=/etc/ipsec.d/public/node1.pub.key
```
So it's pretty much a mirror of node1's configuration. Now that we have two tunnels (one from the IPv6 endpoint and one from the IPv4 endpoint), and each IKE SA authenticates with the local IP as its identity, you need to define the private key for both local IPs in ipsec.secrets.

On node1:

```
b.b.b.4 : ECDSA "node1.priv.key"
cccc:cccc:cc::3 : ECDSA "node1.priv.key"
```
On node2 you do the same with the two IPs that are local to node2, replacing node1.priv.key with node2.priv.key. For more on this kind of authentication, see my first post about strongSwan.
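The configuration above is hand-written for two nodes; with more nodes the per-peer files quickly multiply (one file per peer per node, two conns each). The following script is an added example for this post, not the post's own tooling: it generates the node-local ipsec.conf, the /etc/ipsec.d/<peer>.conf fragment and the ipsec.secrets lines for any number of nodes, following exactly the layout described above (conn general, left-ipv4/left-ipv6, per-peer conns inheriting via also=). It also refuses two mistakes that are easy to make by hand: an address of the wrong family in an IPv4 or IPv6 slot, and local/remote subnets that overlap. The Node class, the function names and the RFC 5737 / RFC 3849 documentation addresses in the sample are constructed placeholders standing in for the post's a.a.a.a-style values.

```python
"""Generate strongSwan ipsec.conf fragments and ipsec.secrets lines for a mesh
of nodes, keeping IPv4 and IPv6 in separate conns as described in the post.

Added example, not the post's own tooling. Node, validate, local_conf,
peer_conf and secrets are this example's names; the addresses in NODE1/NODE2
are constructed documentation-range placeholders.
"""
from dataclasses import dataclass, field
import ipaddress
from typing import List, Optional


@dataclass
class Node:
    name: str
    v4_addr: Optional[str] = None              # IPv4 tunnel endpoint (left=/right=)
    v4_subnets: List[str] = field(default_factory=list)
    v6_addr: Optional[str] = None              # IPv6 tunnel endpoint
    v6_subnets: List[str] = field(default_factory=list)

    def pubkey(self) -> str:                   # path scheme used in the post
        return f"/etc/ipsec.d/public/{self.name}.pub.key"

    def privkey(self) -> str:
        return f"{self.name}.priv.key"

    def families(self):
        """(family, endpoint, subnets) for each family this node has an endpoint for."""
        fams = []
        if self.v4_addr is not None:
            fams.append(("ipv4", self.v4_addr, self.v4_subnets))
        if self.v6_addr is not None:
            fams.append(("ipv6", self.v6_addr, self.v6_subnets))
        return fams


def validate(node: Node) -> None:
    """Reject an address of the wrong family in a slot and non-canonical subnets."""
    for fam, addr, subnets in node.families():
        want = 4 if fam == "ipv4" else 6
        if ipaddress.ip_address(addr).version != want:
            raise ValueError(f"{node.name}: endpoint {addr} is not {fam}")
        if not subnets:
            raise ValueError(f"{node.name}: {fam} endpoint without subnets")
        for s in subnets:
            # strict=True rejects host bits set, e.g. 198.51.100.4/27
            if ipaddress.ip_network(s, strict=True).version != want:
                raise ValueError(f"{node.name}: subnet {s} is not {fam}")


def check_no_overlap(local: Node, peer: Node, fam: str) -> None:
    """Overlapping local/remote traffic selectors would route a node's own
    traffic into the tunnel; treat that as a configuration error."""
    lsubs = {f: s for f, _, s in local.families()}[fam]
    rsubs = {f: s for f, _, s in peer.families()}[fam]
    for l in lsubs:
        for r in rsubs:
            if ipaddress.ip_network(l).overlaps(ipaddress.ip_network(r)):
                raise ValueError(f"{local.name}/{peer.name}: {l} overlaps {r}")


def local_conf(node: Node) -> str:
    """The node's own /etc/ipsec.conf: conn general plus left-ipv4/left-ipv6."""
    validate(node)
    lines = ["# ipsec.conf - strongSwan IPsec configuration file",
             "conn general", "\tauthby=ecdsasig", "\tcompress=no", "\ttype=tunnel",
             f"\tleftsigkey={node.pubkey()}"]
    for fam, addr, subnets in node.families():
        lines += [f"conn left-{fam}", "\talso=general",
                  f"\tleft={addr}", f"\tleftsubnet={','.join(subnets)}"]
    lines += ["conn %default", "\tkeyexchange=ikev2", "\tdpdaction=restart",
              "include /etc/ipsec.d/*.conf"]
    return "\n".join(lines) + "\n"


def peer_conf(local: Node, peer: Node) -> str:
    """/etc/ipsec.d/<peer>.conf on local: one conn per family both sides have."""
    validate(local)
    validate(peer)
    local_fams = {f for f, _, _ in local.families()}
    lines = []
    for fam, addr, subnets in peer.families():
        if fam not in local_fams:
            continue                           # no local endpoint of that family: no tunnel
        check_no_overlap(local, peer, fam)
        lines += [f"conn {local.name}-{peer.name}-{fam}", f"\talso=left-{fam}",
                  "\tauto=start", f"\tright={addr}",
                  f"\trightsubnet={','.join(subnets)}",
                  f"\trightsigkey={peer.pubkey()}"]
    return "\n".join(lines) + "\n"


def secrets(node: Node) -> str:
    """ipsec.secrets: one selector line per local endpoint, all using the same key."""
    return "".join(f'{addr} : ECDSA "{node.privkey()}"\n' for _, addr, _ in node.families())


# Constructed sample: the post's node1/node2 with documentation-range addresses.
NODE1 = Node("node1", "198.51.100.4", ["192.0.2.0/26", "198.51.100.0/27"],
             "2001:db8:1::3", ["2001:db8:1::/64"])
NODE2 = Node("node2", "203.0.113.130", ["203.0.113.128/27"],
             "2001:db8:2::2", ["2001:db8:2::/64"])

if __name__ == "__main__":
    print(local_conf(NODE1))
    print(peer_conf(NODE1, NODE2))
    print(secrets(NODE1))
```

Run it as is to see node1's three files; swap the arguments (peer_conf(NODE2, NODE1), secrets(NODE2)) for node2's side. A node without an IPv6 endpoint simply gets no -ipv6 conn towards its peers.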
Restart ipsec on both nodes and check "ipsec status" (janice = node1, nyota = node2):

```
Security Associations (2 up, 0 connecting):
nyota-janice-ipv6[2]: ESTABLISHED 15 seconds ago, eeee:eeee:ee::2[eeee:eeee:ee::2]... cccc:cccc:cc::3[cccc:cccc:cc::3]
nyota-janice-ipv6{2}:  INSTALLED, TUNNEL, ESP SPIs: x_i x_o
nyota-janice-ipv6{2}:   eeee:eeee:ee::/64 === cccc:cccc:cc::/64
nyota-janice-ipv4[1]: ESTABLISHED 15 seconds ago, d.d.d.130[d.d.d.130]... b.b.b.4[b.b.b.4]
nyota-janice-ipv4{1}:  INSTALLED, TUNNEL, ESP SPIs: x_i x_o
nyota-janice-ipv4{1}:   d.d.d.128/27 === b.b.b.0/27 a.a.a.0/26
```
Great, isn’t it?
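Eyeballing "ipsec status" once is fine; what you want afterwards is a check that can run from cron or a monitoring agent and tell you when one of the two tunnels (typically the IPv6 one, which nobody notices) has silently gone away or come up with the wrong traffic selectors. The script below is an added example, not part of the post: it parses the status output into per-conn IKE and CHILD SA records and compares each conn against the selectors we configured, requiring an ESTABLISHED IKE SA and an INSTALLED, TUNNEL-mode CHILD SA with exactly the expected local and remote subnets. SAMPLE is constructed in the shape of the output shown above, with RFC documentation addresses and made-up SPIs; parse_status, check_tunnels and the --live flag are this example's own names.

```python
"""Parse `ipsec status` output and verify that the IPv4 and IPv6 tunnels are
up with exactly the traffic selectors that were configured.

Added example, not part of the post. SAMPLE is a constructed status listing
(documentation addresses, made-up SPIs); EXPECTED mirrors the post's rightsubnet
and leftsubnet values for those addresses.
"""
import re
import subprocess
import sys

# "<conn>[<id>]: ESTABLISHED 15 seconds ago, <local>[<local id>]...<remote>[<remote id>]"
IKE_RE = re.compile(
    r"^\s*(?P<name>[\w.-]+)\[(?P<id>\d+)\]:\s+(?P<state>[A-Z_]+)"
    r"(?:.*?,\s*(?P<local>[^\s\[]+)\[(?P<lid>[^\]]*)\]\.\.\.\s*"
    r"(?P<remote>[^\s\[]+)\[(?P<rid>[^\]]*)\])?")
# "<conn>{<id>}:  INSTALLED, TUNNEL, ..." and "<conn>{<id>}:   <local ts> === <remote ts>"
CHILD_RE = re.compile(r"^\s*(?P<name>[\w.-]+)\{(?P<id>\d+)\}:\s+(?P<rest>.*\S)\s*$")


def parse_status(text):
    """Return {conn: {"ike": [...], "children": {id: {...}}}} from ipsec status output."""
    sas = {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            conn = sas.setdefault(m["name"], {"ike": [], "children": {}})
            conn["ike"].append({"id": m["id"], "state": m["state"],
                                "local": m["local"], "remote": m["remote"]})
            continue
        m = CHILD_RE.match(line)
        if not m:
            continue                                   # header or unrelated line
        conn = sas.setdefault(m["name"], {"ike": [], "children": {}})
        child = conn["children"].setdefault(
            m["id"], {"state": None, "mode": None, "local_ts": [], "remote_ts": []})
        rest = m["rest"]
        if " === " in rest:                            # traffic selector line
            left, right = rest.split(" === ", 1)
            child["local_ts"], child["remote_ts"] = left.split(), right.split()
        else:                                          # "INSTALLED, TUNNEL, ..." line
            parts = [p.strip() for p in rest.split(",")]
            child["state"] = parts[0]
            child["mode"] = parts[1] if len(parts) > 1 else None
    return sas


def check_tunnels(sas, expected):
    """expected: {conn: (local subnets, remote subnets)} as sets of CIDR strings.
    Returns a list of problems; an empty list means every tunnel is as configured."""
    problems = []
    for conn, (want_local, want_remote) in expected.items():
        sa = sas.get(conn)
        if sa is None:
            problems.append(f"{conn}: no SA at all")
            continue
        if not any(i["state"] == "ESTABLISHED" for i in sa["ike"]):
            problems.append(f"{conn}: IKE_SA not ESTABLISHED")
        good = [c for c in sa["children"].values()
                if c["state"] == "INSTALLED" and c["mode"] == "TUNNEL"
                and set(c["local_ts"]) == set(want_local)
                and set(c["remote_ts"]) == set(want_remote)]
        if not good:
            problems.append(f"{conn}: no INSTALLED TUNNEL CHILD_SA with "
                            f"{sorted(want_local)} === {sorted(want_remote)}")
    return problems


# Constructed sample in the shape of the listing above (nyota = node2 side).
SAMPLE = """\
Security Associations (2 up, 0 connecting):
 nyota-janice-ipv6[2]: ESTABLISHED 15 seconds ago, 2001:db8:2::2[2001:db8:2::2]...2001:db8:1::3[2001:db8:1::3]
 nyota-janice-ipv6{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0ffee01_i c0ffee02_o
 nyota-janice-ipv6{2}:   2001:db8:2::/64 === 2001:db8:1::/64
 nyota-janice-ipv4[1]: ESTABLISHED 15 seconds ago, 203.0.113.130[203.0.113.130]...198.51.100.4[198.51.100.4]
 nyota-janice-ipv4{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0ffee03_i c0ffee04_o
 nyota-janice-ipv4{1}:   203.0.113.128/27 === 198.51.100.0/27 192.0.2.0/26
"""

EXPECTED = {
    "nyota-janice-ipv4": ({"203.0.113.128/27"}, {"198.51.100.0/27", "192.0.2.0/26"}),
    "nyota-janice-ipv6": ({"2001:db8:2::/64"}, {"2001:db8:1::/64"}),
}


def main():
    if "--live" in sys.argv:                           # real output from strongSwan
        text = subprocess.run(["ipsec", "status"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE
    problems = check_tunnels(parse_status(text), EXPECTED)
    for p in problems:
        print(p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Without arguments it checks the constructed sample and exits 0; with --live it runs "ipsec status" on the node (adjust EXPECTED to that node's conns) and exits non-zero when any tunnel is missing, not established, not in tunnel mode, or carrying different subnets than configured, which is what you want to alert on.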