My bad.
I had re-booted Ritchie, and forgotten to re-run the script that assigns
the ULA.
After running that script, I see an established connection (on both
Ritchie and Tarjan).
What I don't see is any evidence of an added interface on Ritchie (5.0
RC1), whereas I do see this on Tarjan (4.12). How does one access the new
tunnel?
Bill
dev@Ritchie:~$ ./fixaddr.sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fd51:20d9:5ad2:b::2/64 scope global tentative
valid_lft forever preferred_lft forever
inet6 fe80::21a:a0ff:fe15:62b8/64 scope link
valid_lft forever preferred_lft forever
3: enp5s4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::20e:cff:fea9:b90f/64 scope link
valid_lft forever preferred_lft forever
4: enp5s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::20e:cff:fea9:b937/64 scope link
valid_lft forever preferred_lft forever
dev@Ritchie:~$ sudo ipsec setup restart
Redirecting to: systemctl restart ipsec.service
dev@Ritchie:~$ sudo ipsec add RITA6c
"RITA6c": added IKEv2 connection
dev@Ritchie:~$ sudo ipsec status |grep interface
using kernel interface: xfrm
interface enp4s0 UDP [fd51:20d9:5ad2:b::2]:4500
interface enp4s0 UDP [fd51:20d9:5ad2:b::2]:500
interface lo UDP [::1]:4500
interface lo UDP [::1]:500
interface lo UDP 127.0.0.1:4500
interface lo UDP 127.0.0.1:500
interface enp4s0 UDP 132.205.9.46:4500
interface enp4s0 UDP 132.205.9.46:500
interface enp5s4 UDP 132.205.9.50:4500
interface enp5s4 UDP 132.205.9.50:500
interface enp5s5 UDP 132.205.9.53:4500
interface enp5s5 UDP 132.205.9.53:500
interface virbr0 UDP 192.168.123.1:4500
interface virbr0 UDP 192.168.123.1:500
"RITA6c": conn_prio: 128,128; interface: enp4s0; metric: 0; mtu:
unset; sa_prio:auto; sa_tfc:none;
dev@Ritchie:~$ sudo ipsec up RITA6c
"RITA6c" #1: initiating IKEv2 connection to fd51:20d9:5ad2:b::1 using UDP
"RITA6c" #1: sent IKE_SA_INIT request to [fd51:20d9:5ad2:b::1]:500
"RITA6c" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a
prf=HMAC_SHA2_512 group=MODP2048}
"RITA6c" #1: initiator established IKE SA; authenticated peer '2048-bit
RSASSA-PSS with SHA2_512' digital signature using peer certificate
'CN=Tarjan certificate' issued by CA 'CN=ConU CSE HSPL'
"RITA6c" #2: initiator established Child SA using #1; IPsec tunnel
[fd51:20d9:5ad2:b::2/128===fd51:20d9:5ad2:b::1/128] {ESP/ESN=>0xfee0113a
<0xee7634c5 xfrm=AES_GCM_16_256-NONE DPD=passive}
dev@Ritchie:~$
On 1/15/2024 2:26 PM, Paul Wouters wrote:
On Mon, 15 Jan 2024, Tuomo Soini wrote:
On Mon, 15 Jan 2024 13:23:58 -0500
Bill Atwood <[email protected]> wrote:
Here is the result of the status command, on Ritchie (running 5.0
RC1):
dev@Ritchie:~$ sudo ipsec status | grep interface
[sudo] password for dev:
using kernel interface: xfrm
interface lo UDP [::1]:4500
interface lo UDP [::1]:500
interface lo UDP 127.0.0.1:4500
interface lo UDP 127.0.0.1:500
interface enp4s0 UDP 132.205.9.46:4500
interface enp4s0 UDP 132.205.9.46:500
interface enp5s4 UDP 132.205.9.50:4500
interface enp5s4 UDP 132.205.9.50:500
interface enp5s5 UDP 132.205.9.53:4500
interface enp5s5 UDP 132.205.9.53:500
interface virbr0 UDP 192.168.123.1:4500
interface virbr0 UDP 192.168.123.1:500
"RITA6c": conn_prio: 128,128; interface: ; metric: 0; mtu: unset;
sa_prio:auto; sa_tfc:none;
dev@Ritchie:~$
Is this directly from bootup of the machine?
The reason could be your network configuration. Libreswan requires
network-online.target before startup. But if you don't have a setting
requiring an IPv6 address on your interface, network-online.target
finishes before you have an IPv6 address on the interface, and so there is
no IPv6 address yet when libreswan starts.
You can confirm if this is the case by issuing:
sudo ipsec whack --listen
sudo ipsec status | grep interface
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
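The check Tuomo suggests (re-listen, then look for the ULA among pluto's interfaces) can be scripted so it also waits for the address to finish duplicate address detection first, since the fixaddr.sh listing above shows the ULA still flagged `tentative`. This is an added example, not code from the thread or from Libreswan; the address is the thread's own value, and the sample listings are constructed from the thread's output for offline use.

```shell
#!/bin/sh
# Added example: verify that pluto has bound to the expected IPv6 ULA and,
# if not, make it rescan interfaces with `ipsec whack --listen`.
# Assumes a Linux host with iproute2 and Libreswan installed; the SAMPLE_*
# values below are constructed from the thread's listings for testing.

ULA='fd51:20d9:5ad2:b::2'

# ipsec status output as seen before the ULA was present (constructed).
SAMPLE_STATUS_BEFORE='using kernel interface: xfrm
interface lo UDP [::1]:500
interface enp4s0 UDP 132.205.9.46:500'

# ... and after pluto re-listened with the ULA present (constructed).
SAMPLE_STATUS_AFTER="$SAMPLE_STATUS_BEFORE
interface enp4s0 UDP [$ULA]:4500
interface enp4s0 UDP [$ULA]:500"

# ip -6 addr output while DAD is still running on the ULA (constructed).
SAMPLE_ADDR_TENTATIVE="    inet6 $ULA/64 scope global tentative
       valid_lft forever preferred_lft forever"

# Succeeds when stdin (ipsec status output) shows a UDP/500 listener on $1.
ipsec_listens_on() {
    grep -q "^interface .* UDP \[$1\]:500\$"
}

# Succeeds when stdin (ip -6 addr output) shows $1 as a global address that
# has finished duplicate address detection (no 'tentative' flag).
addr_ready() {
    grep -E "^ *inet6 $1/[0-9]+ scope global" | grep -qv tentative
}

# Live check on a host: 0 if pluto listens on the ULA (after a rescan if
# needed), 1 if the address is not usable yet, 2 if pluto still ignores it.
check_ula() {
    if ! ip -6 addr show | addr_ready "$ULA"; then
        echo "$ULA missing or tentative; wait for DAD or assign it first"
        return 1
    fi
    if ipsec status | ipsec_listens_on "$ULA"; then
        echo "pluto listens on $ULA"
        return 0
    fi
    echo "pluto not bound to $ULA; rescanning interfaces"
    ipsec whack --listen >/dev/null
    ipsec status | ipsec_listens_on "$ULA" && return 0
    return 2
}
```

Run `check_ula` as root after the address-assigning script; a return of 1 means the address is still tentative or absent, so re-listening would not help yet.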