IPv6-IPSEC – Shoreline Firewall

Context Navigation

This is a small article about how to do transport mode IPSEC encryption fpr IPv6 using openswan and IPv6.

This setup is implemnted using OpenSUSE 11.1 on both gateways with:
- shorewall-perl-4.2.4-6
- shorewall6-4.2.4-1
- shorewall-common-4.2.4-0base
- openswan2.6.16-1.46 with IKEv2 and netkey protocol stack

Shorewall Configuration

/etc/shorewall6/tunnels:

#TYPE                   ZONE    GATEWAY         GATEWAY
#                                               ZONE
ipsec                   net     2a01:dead:beef:2dc::2           # remote Gateway address
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Openswan Configuration

Shown below are just the uncommented options.

/etc/ipsec.conf

version 2.0     # conforms to second version of ipsec.conf specification

# Basic config for us important is protostack=netkey

config setup
        nat_traversal=no       # disable NAT Traversal
        OE=off                 # disable opportunistic encryption
        protostack=netkey      # use netkey (kernel) protocol stack 

conn %default
        leftrsasigkey=%cert
        rightrsasigkey=%cert


conn    IPv6-1
        connaddrfamily=ipv6                   # make the config expect IPv6 addresses
        type=transport                        # use transport mode
        left=2a01:dead:beef:17e::2            # Global unicast address of 1. gateway
        right=2a01:dead:beef:2dc::2           # Global unicast address of 2. gateway
        leftsubnet=2a01:dead:beaf:1000::/64   # protected subnet behind 1. gateway
        rightsubnet=2a01:dead:beaf:6000::/64  # protected subnet behind 2. gateway
        auto=start                            # start automatically
        auth=esp                              # use ESP encryption
        authby=secret                         # use shared passwords
        keyingtries=0                         # unlimited keying tries
        rekeymargin=4m                        # rekey 4 minutes before key expiration
        dpddelay=3                            # dead peer detection every 3 seconds...should beprobably more
        dpdtimeout=5                          # timeout for dead peers before dpdaction
        dpdaction=restart_by_peer             # restart the whole connection (see man ipsec.conf)
        ikev2=insist                          # use IKEv2 andd don't allow downgrade to IKEv1. IKEv1 works as well,
                                              # but IKEv2 has some advantages. Quite new RFC, so be sure 2. Gateway supports it.

/etc/ipsec.secrets

2a01:dead:beef:17e::2 2a01:dead:beef:2dc::2: PSK "somesecretpassword"

You may want to see the SAs being generated while you do ping6/ssh -6/etc. by using:

ip -6 xfrm state|policy|monitor

Download in other formats:

Plain Text