On Fri, 28 Oct 2022 at 21:49, Paul Wouters <[email protected]> wrote:
>
> Not yet in 4.9. But work to support this has recently started.
>
> Sent using a virtual keyboard on a phone
>
> On Oct 28, 2022, at 19:52, Nestor Melo <[email protected]> wrote:
>
> Hi,
>
> We would like to configure a single IPSec connection that would handle both
> IPv4 and IPv6 traffic.
>
> We considered multiple child SA sharing a single IKE SA:
>
> conn tunnel46
>     auto=start
>     leftid=@left
>     left=%eth0
>     rightid=@right
>     right=172.31.0.1
>     authby=secret
>     ipsec-interface=yes
>     leftsourceip=192.168.61.1
>     rightsourceip=192.168.60.1
>     leftsubnets={192.168.61.0/24,fc02::/64}
>     rightsubnets={192.168.60.0/24,fc01::/64}

The subnets= code in 4.9 limits subnets= and the host to the same address family.

Would you be able to experiment with mainline? I've removed the one address family only limitation from subnets= in mainline, both "add" and "up" do "something".

It turns out that this is a good way to expose some IPv4 vs IPv6 issues early. For instance:

+ "road/0x1" #2: up-client-v6 output: Error: inet6 prefix is expected rather than "192.0.3.254".

(fixed) and:

+002 "road/0x1" #2: up-client output: Error: inet6 prefix is expected rather than "192.0.3.254".
+002 "road/0x1" #2: up-client output: PATH/libexec/ipsec/_updown.xfrm: addsource "ip addr add 192.0.3.254/128 dev lo scope global" failed (Error: any valid prefix is expected rather than "192.0.3.254/128".)

I suspect sourceip needs a re-think.

> However, when we tried that, only the IPv4 traffic came through.
>
> Paul mentioned in issue #375
> (https://github.com/libreswan/libreswan/issues/375) that:
>
> "For libreswan 4.2, we are working on allowing to combine these into one
> conn, and also to combine them as traffic selectors on a single IPsec SA."
>
> Are mixed address families in {left|right}subnets something that is supported
> in libreswan 4.9? If not, is there any alternative to achieve IPv4 and IPv6
> traffic through a single tunnel?
>
>
> Thank you,
>
> Nestor Melo
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
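
The sourceip mismatch visible in the up-client errors above can be caught before loading a conn. The following is an added example, not part of the thread and not libreswan code: it pairs the quoted conn's subnets by address family and flags selector pairs whose family differs from leftsourceip. The same-family pairing rule, the left-side-only check and all function names are assumptions of this sketch.

```python
import ipaddress
import re

# Constructed input: options taken from the conn quoted in the thread.
CONN = """\
conn tunnel46
    leftsourceip=192.168.61.1
    rightsourceip=192.168.60.1
    leftsubnets={192.168.61.0/24,fc02::/64}
    rightsubnets={192.168.60.0/24,fc01::/64}
"""

def parse_conn(text):
    """Return the key=value options of one conn section as a dict."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def subnets(value):
    """Parse '{a,b}' (comma or space separated) into ip_network objects."""
    items = re.split(r"[,\s]+", value.strip("{} "))
    return [ipaddress.ip_network(s) for s in items if s]

def host_prefix(addr):
    """Host-length prefix valid for the family: /32 for IPv4, /128 for IPv6."""
    return f"{addr}/{addr.max_prefixlen}"

def lint(opts):
    """Pair selectors by family (assumption of this example), check sourceip."""
    pairs, problems = [], []
    src = ipaddress.ip_address(opts["leftsourceip"])
    for l in subnets(opts["leftsubnets"]):
        for r in subnets(opts["rightsubnets"]):
            if l.version != r.version:
                continue  # cross-family pair: not a usable selector here
            pairs.append((str(l), str(r)))
            if src.version != l.version:
                problems.append(f"{l} <-> {r}: leftsourceip {src} is "
                                f"IPv{src.version}, selector is IPv{l.version}")
    return pairs, problems, host_prefix(src)

if __name__ == "__main__":
    pairs, problems, src = lint(parse_conn(CONN))
    print("same-family pairs:", pairs)
    print("source address with family-correct prefix:", src)
    for p in problems:
        print("WARNING:", p)
```

For the quoted conn this reports the fc02::/64 <-> fc01::/64 pair, because the only configured source address is IPv4.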
