Date: Mon, 15 Jan 2024 14:09:33 +0100
From: Michael Grimm <trashcan@ellael.org>
To: freebsd-net@freebsd.org
Subject: Howto: ipsec tunnel routing both IPv4 and IPv6? Possible?
Message-ID: <33923504-0ECC-46D7-9F6C-91D47CEE4594@ellael.org>
Hi,

I have been using an ipsec tunnel for routing local IPv4 traffic for years now (/etc/rc.conf):

cloned_interfaces="ipsec0"
static_routes="tunnel0"
create_args_ipsec0="reqid 104"
ifconfig_ipsec0="inet 10.2.2.250 10.1.1.254 tunnel 1.2.3.4 10.20.30.40"
route_tunnel0="10.1.1.0/24 10.1.1.254"

ifconfig ipsec0 (relevant info only):

ipsec0: flags=1008051<UP,POINTOPOINT,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 1400
	tunnel inet 1.2.3.4 --> 10.20.30.40
	inet 10.2.2.250 --> 10.1.1.254 netmask 0xffffff00
	reqid: 104

pf firewall entries are set to allow esp over that tunnel.

Now, I do want to route local IPv6 in addition, *if* that is possible at all. According to the manual for if_ipsec(4), that should be possible, if I understand the combination of "IPv4 and IPv6 traffic" and "over either IPv4 or IPv6" correctly (I am not a native English speaker):

https://man.freebsd.org/cgi/man.cgi?query=if_ipsec(4)

	It can tunnel IPv4 and IPv6 traffic over either IPv4 or IPv6
	and secure it with ESP.

Sadly, that manual page doesn't provide an IPv6 example ...

All of my following attempts failed:

1) adding a second ipsec1 interface connecting the very same IPv4 endpoints:

cloned_interfaces="ipsec0 ipsec1"
static_routes="tunnel0 tunnel1"
create_args_ipsec1="reqid 106"
ifconfig_ipsec1="inet fd00:b:b:b::250 fd00:a:a:a::254 tunnel 1.2.3.4 10.20.30.40"
route_tunnel1="fd00:a:a:a::/64 fd00:a:a:a::254"

Error: route: bad address: fd00:a:a:a::

ifconfig ipsec1:

ipsec1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1400
	groups: ipsec
	reqid: 106

Thus, no tunnel and no routing set.

2) as in 1), besides:

route_tunnel1="fd00:a:a:a:: prefixlen 64 fd00:a:a:a::254"

No success, same error regarding route.

3) as in 1), besides:

ifconfig_ipsec1="inet fd00:b:b:b::250 fd00:a:a:a::254 tunnel 1.2.3.4 10.20.30.40"

No success, same error regarding route.

4) setting the routing via route command:

/sbin/route add -inet6 default -gateway fd00:a:a:a::254

Error: add net default: gateway fd00:a:a:a::254 fib 0: Invalid argument

I am running out of ideas, and Google doesn't come up with relevant answers, at least not for me.

Any help, hints, documents are highly appreciated.

Thanks and regards,
Michael
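The rc.conf fragment below is an added, constructed example (not from the post or any reply) showing how the second tunnel interface would be declared with the IPv6-specific rc.conf(5) variables (ifconfig_<if>_ipv6, ipv6_static_routes, ipv6_route_<name>) instead of the IPv4 ones used in the attempts above; it reuses the addresses and reqid 106 from the post and assumes the IPv4 tunnel on ipsec0 stays as configured. Whether it matches the poster's environment is an assumption.

```shell
# /etc/rc.conf fragment (constructed example; addresses and reqid taken from the post)
# The existing IPv4 tunnel on ipsec0 is kept unchanged and ipsec1 is added for IPv6.

cloned_interfaces="ipsec0 ipsec1"
create_args_ipsec1="reqid 106"

# Inner IPv6 addresses belong in the *_ipv6 variable with the inet6 keyword;
# the outer tunnel endpoints remain the same IPv4 addresses as for ipsec0.
ifconfig_ipsec1_ipv6="inet6 fd00:b:b:b::250 fd00:a:a:a::254 prefixlen 128 tunnel 1.2.3.4 10.20.30.40"

# IPv6 static routes are taken from ipv6_static_routes / ipv6_route_<name>,
# which rc.d/routing installs with "route add -inet6"; static_routes / route_<name>
# is the IPv4 list, which is why an IPv6 prefix there fails with "bad address".
ipv6_static_routes="tunnel1"
ipv6_route_tunnel1="fd00:a:a:a::/64 fd00:a:a:a::254"
```

The pf rules mentioned in the post only pass ESP between the endpoints; the decapsulated IPv6 traffic arriving on ipsec1 needs its own pass rules, and the IKE side must negotiate an SA for reqid 106.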
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?33923504-0ECC-46D7-9F6C-91D47CEE4594>