Date: Mon, 15 Jan 2024 14:09:33 +0100 From: Michael Grimm <trashcan@ellael.org> To: freebsd-net@freebsd.org Subject: Howto: ipsec tunnel routing both IPv4 and IPv6? Possible? Message-ID: <33923504-0ECC-46D7-9F6C-91D47CEE4594@ellael.org>
next in thread | raw e-mail | index | archive | help
Hi,
I do use an ipsec tunnel for routing local IPv4 traffic for years now =
(/etc/rc.conf):
cloned_interfaces=3D"ipsec0"
static_routes=3D"tunnel0"
create_args_ipsec0=3D"reqid 104"
ifconfig_ipsec0=3D"inet 10.2.2.250 10.1.1.254 tunnel 1.2.3.4 =
10.20.30.40"
route_tunnel0=3D"10.1.1.0/24 10.1.1.254"
ifconfig ipsec0 (erelevant info, only):
ipsec0: flags=3D1008051<UP,POINTOPOINT,RUNNING,MULTICAST,LOWER_UP> =
metric 0 mtu 1400
tunnel inet 1.2.3.4 --> 10.20.30.40
inet 10.2.2.250 --> 10.1.1.254 netmask 0xffffff00
reqid: 104
pf firewall entries are set to allow esp over that tunnel.
Now, I do want to route local IPv6 in addition, *if* that is possible, =
at all.
According the manual for if_ipsec(0) should that be possible, if I do =
understand that combination of "IPv4 and IPv6 traffic" and "over either =
IPv4 or IPv6" correctly (I am not a native English speaker):
https://man.freebsd.org/cgi/man.cgi?query=3Dif_ipsec(4)
It can tunnel IPv4 and IPv6 traffic over either IPv4 or IPv6=20
and secure it with ESP.
Sadly, that manual page doesn't provide an IPv6 example ...
All of my following attempts failed:
1) adding a second ipsec1 interface connecting the very same IPv4 =
endpoints:
cloned_interfaces=3D"ipsec0 ipsec1"
static_routes=3D"tunnel0 tunnel1"
create_args_ipsec1=3D"reqid 106"
ifconfig_ipsec1=3D"inet fd00:b:b:b::250 fd00:a:a:a::254 tunnel =
1.2.3.4 10.20.30.40"
route_tunnel1=3D"fd00:a:a:a::/64 fd00:a:a:a::254"
Error:
route: bad address: fd00:a:a:a::
ifconfig ipsec1:
ipsec1: flags=3D8010<POINTOPOINT,MULTICAST> metric 0 mtu 1400
groups: ipsec
reqid: 106
Thus, no tunnel and no routing, set.
2) as in 1), besides:
route_tunnel1=3D"fd00:a:a:a:: prefixlen 64 fd00:a:a:a::254"
No success, same error regarding route.
3) as in 1), besides:
ifconfig_ipsec1=3D"inet fd00:b:b:b::250 fd00:a:a:a::254 tunnel =
1.2.3.4 10.20.30.40"
No success, same error regarding route.
4) setting the routing via route command:
/sbin/route add -inet6 default -gateway fd00:a:a:a::254
Error:
add net default: gateway fd00:a:a:a::254 fib 0: Invalid argument
I am running out of ideas, and Google doesn't come up with relevant =
answers, at least not for me.
Any help, hints, documents are highly appreciated.
Thanks and regards,
Michael
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?33923504-0ECC-46D7-9F6C-91D47CEE4594>