Libreswan version 4.12

Ubuntu 20.04.6 LTS

Host 1: Perlis
Host 2: Tarjan

Perlis and Tarjan are connected to the same LAN.

There is no routing or DNS active.

The only IPv6 addresses that the paired interfaces have are their IPv6 Link-Local (LL) addresses.

In order to establish secure IPv6 routing between these two hosts, I need to establish an IPsec SA between them, based on their LL addresses.

As a preliminary experiment, this is based on libreswan-generated host keys. Eventually, the SA will be established based on certificates, as required by the ANIMA specifications (see below).

Because the appropriate interface cannot be determined from a LL address, the interface must also be specified when a LL address is given.

The following are the contents of PETA6.conf and TAPE6.conf. These files must be different, because of the need to specify the interface. The host keys have been shortened for clarity. The files are also asymmetrical, in that "left" is used for "local" properties and "right" is used for "remote" properties.

PETA6.conf
conn peta6
    leftid=@west
    left=fe80::21e:c9ff:fe29:ce38%enp4s0
    leftrsasigkey=0sAwEAAc8S...B0V7P1w==
    rightid=@east
    right=fe80::2e27:d7ff:fe46:cd40%enp4s0
    rightrsasigkey=0sAwEAAbWt...A6GChaQ==
    authby=rsasig
    auto=add

TAPE6.conf
conn tape6
    leftid=@west
    left=fe80::2e27:d7ff:fe46:cd40%eno1
    leftrsasigkey=0sAwEAAbWt...A6GChaQ==
    rightid=@east
    right=fe80::21e:c9ff:fe29:ce38%eno1
    rightrsasigkey=0sAwEAAc8S...B0V7P1w==
    authby=rsasig
    auto=add

On Tarjan:
sudo ipsec setup start
sudo ipsec auto --add tape6

On Perlis:
sudo ipsec setup start
sudo ipsec auto --add peta6
sudo ipsec auto --up peta6

I get the following error message:

dev@Perlis:~$ sudo ipsec auto --up peta6
022 "peta6": we cannot identify ourselves with either end of this connection. fe80::21e:c9ff:fe29:ce38 or fe80::2e27:d7ff:fe46:cd40 are not usable
036 "peta6": failed to initiate connection
dev@Perlis:~$

How can I convince libreswan to accept IPv6 LL addresses? This is needed to build a reference implementation of the specifications issued by the ANIMA Working Group of the IETF, for autonomic networking. Specifically, RFC 8994, Section 6.8.3.1.

  Bill Atwood

--
Dr. J.W. Atwood, Eng.             tel:   +1 (514) 848-2424 x3046
Distinguished Professor Emeritus  fax:   +1 (514) 848-2830
Department of Computer Science
   and Software Engineering
Concordia University ER 1234      email:[email protected]
1455 de Maisonneuve Blvd. West    http://users.encs.concordia.ca/~bill
Montreal, Quebec Canada H3G 1M8

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
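The two conn blocks in the message above have to be hand-mirrored (each host's "left" is the other host's "right", and each link-local address has to carry its own host's interface as a %zone). The script below is an added example, not part of the original post and not libreswan code, and it makes no claim about how libreswan itself parses a %interface suffix: it only reads two conn blocks of the form shown, uses Python's standard ipaddress module to flag IPv6 link-local endpoints that lack a %interface, checks that both endpoints in one file name the same interface, and checks that left/right, leftid/rightid and leftrsasigkey/rightrsasigkey are swapped consistently between the two files. The embedded conn blocks are the ones from the post, with the keys shortened exactly as they were there.

```python
import ipaddress

# Constructed sample input: the two conn blocks quoted in the post above,
# host keys shortened exactly as they were in the post.
PETA6_CONF = """\
conn peta6
    leftid=@west
    left=fe80::21e:c9ff:fe29:ce38%enp4s0
    leftrsasigkey=0sAwEAAc8S...B0V7P1w==
    rightid=@east
    right=fe80::2e27:d7ff:fe46:cd40%enp4s0
    rightrsasigkey=0sAwEAAbWt...A6GChaQ==
    authby=rsasig
    auto=add
"""

TAPE6_CONF = """\
conn tape6
    leftid=@west
    left=fe80::2e27:d7ff:fe46:cd40%eno1
    leftrsasigkey=0sAwEAAbWt...A6GChaQ==
    rightid=@east
    right=fe80::21e:c9ff:fe29:ce38%eno1
    rightrsasigkey=0sAwEAAc8S...B0V7P1w==
    authby=rsasig
    auto=add
"""

# Fields whose values are expected to be swapped between the two hosts' files.
MIRRORED = [("left", "right"), ("leftid", "rightid"),
            ("leftrsasigkey", "rightrsasigkey")]

def parse_conn(text):
    """Parse a single 'conn NAME' block of key=value lines into (name, dict)."""
    name, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1].strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    if name is None:
        raise ValueError("no conn block found")
    return name, opts

def split_zone(addr):
    """'fe80::1%eth0' -> ('fe80::1', 'eth0'); a bare address gets zone None."""
    if "%" in addr:
        base, zone = addr.split("%", 1)
        return base, zone
    return addr, None

def check_link_local(opts):
    """List left/right endpoints that are IPv6 link-local but carry no %interface."""
    problems = []
    for side in ("left", "right"):
        raw = opts.get(side)
        if raw is None:
            continue
        base, zone = split_zone(raw)
        try:
            ip = ipaddress.ip_address(base)
        except ValueError:
            continue  # hostnames or keywords such as %defaultroute: not an address
        if ip.version == 6 and ip.is_link_local and not zone:
            problems.append(f"{side}={raw}: link-local address without %interface")
    return problems

def check_same_zone(opts):
    """Both endpoints in one host's file should name the same interface (same LAN)."""
    zones = {split_zone(opts[s])[1] for s in ("left", "right") if s in opts}
    zones.discard(None)
    return [] if len(zones) <= 1 else [f"endpoints use different interfaces: {sorted(zones)}"]

def check_mirror(a_opts, b_opts):
    """Each left-side field of A must equal the right-side field of B, and vice versa.
    Zone ids are stripped from addresses, since each host names its own interface."""
    mismatches = []
    for left_key, right_key in MIRRORED:
        pairs = ((left_key, a_opts, right_key, b_opts),
                 (right_key, a_opts, left_key, b_opts))
        for a_key, a, b_key, b in pairs:
            av, bv = a.get(a_key), b.get(b_key)
            if left_key == "left":  # address fields: compare without the zone
                av = split_zone(av)[0] if av else av
                bv = split_zone(bv)[0] if bv else bv
            if av != bv:
                mismatches.append(f"{a_key}={av} vs {b_key}={bv}")
    return mismatches

def audit(a_text, b_text):
    """Run all checks over two hosts' conn blocks; returns {check: [findings]}."""
    a_name, a = parse_conn(a_text)
    b_name, b = parse_conn(b_text)
    return {
        f"{a_name} link-local": check_link_local(a),
        f"{b_name} link-local": check_link_local(b),
        f"{a_name} interfaces": check_same_zone(a),
        f"{b_name} interfaces": check_same_zone(b),
        "mirror": check_mirror(a, b),
    }

if __name__ == "__main__":
    for check, findings in audit(PETA6_CONF, TAPE6_CONF).items():
        print(f"{check}: {'ok' if not findings else '; '.join(findings)}")
```

Run on the two blocks as posted, the link-local and interface checks pass (every address carries a %interface, and each file uses one interface throughout), while the mirror check reports that leftid and rightid are the same in both files rather than swapped (both files give the local side @west and the remote side @east). That finding is independent of the "not usable" address error quoted in the post; the script is only a consistency check on the files, not a statement about what libreswan accepts.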
