Fixed
Created: May 3, 2022
Updated: Nov 20, 2024
Resolved Date: Nov 20, 2024
Found In Version: 10.21.20.20
Fix Version: 10.21.20.22
Severity: Standard
Applicable for: Wind River Linux LTS 21
Component/s: Userspace

Hello,
This is a scenario in which IPv6 hosts use IPsec in transport mode.
I wrote the traffic selector in IPv6 using /etc/swanctl/conf.d/swanctl.conf.
I set it as %any in IKE connections.
In StrongSwan, %any specifies both IPv4 and IPv6.
However, IPsec does not work between IPv6. (IKE doesn't work)
IPv4 works fine.
So I set it to %any6. Then IPsec will work normally.
%any6 is used to specify only the IPv6 address.
In this example, there is only one traffic selector. In other words, it is only for IPv6 and is also recognized by --list-conns.
Is it possible to modify %any so that both IPv4 and IPv6 can be used?
settings:
remote-host
root@intel-x86-64:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:3c:e9:35 brd ff:ff:ff:ff:ff:ff
inet 192.168.11.47/24 brd 192.168.11.255 scope global dynamic noprefixroute eth0
valid_lft 12037sec preferred_lft 9337sec
inet6 3ffe:501:ffff:101::105/128 scope global dynamic noprefixroute
valid_lft 2582432sec preferred_lft 595232sec
inet6 2400:4053:8961:a100:a883:83cf:cdd7:e027/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 86387sec preferred_lft 14387sec
inet6 fe80::7e91:d54e:b5f:6a51/64 scope link
valid_lft forever preferred_lft forever
3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/sit 0.0.0.0 brd 0.0.0.0
root@intel-x86-64:~# ping -6 2400:4053:8961:a100:8838:975b:fe39:568e
PING 2400:4053:8961:a100:8838:975b:fe39:568e(2400:4053:8961:a100:8838:975b:fe39:568e) 56 data bytes
64 bytes from 2400:4053:8961:a100:8838:975b:fe39:568e: icmp_seq=1 ttl=64 time=1.60 ms
64 bytes from 2400:4053:8961:a100:8838:975b:fe39:568e: icmp_seq=2 ttl=64 time=0.984 ms
local-host
root@intel-x86-64:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:9b:f9:cb brd ff:ff:ff:ff:ff:ff
inet 192.168.11.38/24 brd 192.168.11.255 scope global dynamic noprefixroute eth0
valid_lft 11158sec preferred_lft 8458sec
inet6 3ffe:501:ffff:101::101/128 scope global dynamic noprefixroute
valid_lft 2581553sec preferred_lft 594353sec
inet6 2400:4053:8961:a100:8838:975b:fe39:568e/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 86333sec preferred_lft 14333sec
inet6 fe80::318d:85aa:2c0f:3a08/64 scope link
valid_lft forever preferred_lft forever
3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/sit 0.0.0.0 brd 0.0.0.0
root@intel-x86-64:~# [^swanctl.conf.remote] [^swanctl.conf.host]