Date: Wed, 13 Feb 2013 01:38:13 -0500
From: "xenophon\\+freebsd" <xenophon+freebsd@irtnog.org>
To: <freebsd-net@freebsd.org>
Subject: IPv6 over an IPsec tunnel
Message-ID: <BABF8C57A778F04791343E5601659908236D56@cinip100ntsbs.irtnog.net>
I'm trying to run an IPsec tunnel between a Linux router and a FreeBSD router, but the FreeBSD router isn't passing any of the IPv6 traffic (IPv4 works perfectly). I have the following in /etc/ipsec.conf:

    spdadd 10.1.0.0/21 10.2.2.0/24 any -P out ipsec esp/tunnel/192.0.2.1-192.0.2.2/require ;
    spdadd 10.2.2.0/24 10.1.0.0/21 any -P in ipsec esp/tunnel/192.0.2.2-192.0.2.1/require ;
    spdadd 2001:1:1::/48 2001:2:2:2::/64 any -P out ipsec esp/tunnel/192.0.2.1-192.0.2.2/require ;
    spdadd 2001:2:2:2::/64 2001:1:1::/48 any -P in ipsec esp/tunnel/192.0.2.2-192.0.2.1/require ;

When I try to ping an IPv6 host through the tunnel in either direction, I'm seeing the packet on the FreeBSD router's enc0 device, but I get the following error on the FreeBSD router's console:

    ipsec6_output_tunnel: family mismatched between inner and outer, spi=49961579
    ip6_output (ipsec): error code 47

I found the error message in src/sys/netipsec/ipsec_output.c (r245225, line 833). I guess that I assumed that one could tunnel IPv6 over an IPv4 IPsec tunnel. Is this not the case? Will I have to encapsulate the IPv6 traffic in an IPIP or GRE tunnel?

I don't want to build an IPv6 IPsec tunnel, because I connect to the IPv6 Internet through a tunnel broker. The latency and encapsulation overhead would be too much for my purposes.

I noticed a PR by someone who got the same error message:
http://www.freebsd.org/cgi/query-pr.cgi?pr=147894&cat=kern

-- 
I FIGHT FOR THE USERS
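As an added example (not part of the original message, and not FreeBSD code): a small Python check that parses setkey-style spdadd lines and reports every tunnel policy whose inner selectors and outer tunnel endpoints are in different address families, the condition named in the console error quoted above. The function names and the regular expression are assumptions and cover only the simple policy form used in the message; the sample input is the four policies from the message.

```python
import ipaddress
import re

# Constructed sample: the four policies quoted in the message above.
SAMPLE_CONF = """\
spdadd 10.1.0.0/21 10.2.2.0/24 any -P out ipsec esp/tunnel/192.0.2.1-192.0.2.2/require ;
spdadd 10.2.2.0/24 10.1.0.0/21 any -P in ipsec esp/tunnel/192.0.2.2-192.0.2.1/require ;
spdadd 2001:1:1::/48 2001:2:2:2::/64 any -P out ipsec esp/tunnel/192.0.2.1-192.0.2.2/require ;
spdadd 2001:2:2:2::/64 2001:1:1::/48 any -P in ipsec esp/tunnel/192.0.2.2-192.0.2.1/require ;
"""

# Assumption: only the simple form above (no ports, one tunnel-mode request).
SPDADD = re.compile(
    r"^\s*spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+\S+\s+-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"(?:esp|ah|ipcomp)/tunnel/(?P<endpoints>[^/\s]+)/\S+"
)


def split_endpoints(pair):
    """Split 'src-dst' tunnel endpoints; IP literals never contain '-'."""
    left, _, right = pair.partition("-")
    return ipaddress.ip_address(left), ipaddress.ip_address(right)


def find_family_mismatches(conf_text):
    """Return (line_no, direction, inner_version, outer_version) per mismatch."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = SPDADD.match(line)
        if not m:
            continue  # comments, flush commands, transport-mode policies
        inner = {ipaddress.ip_network(m[k], strict=False).version for k in ("src", "dst")}
        outer = {ep.version for ep in split_endpoints(m["endpoints"])}
        if len(inner) != 1 or len(outer) != 1:
            raise ValueError(f"line {line_no}: mixed families within one selector pair")
        if inner != outer:
            findings.append((line_no, m["dir"], inner.pop(), outer.pop()))
    return findings


if __name__ == "__main__":
    for line_no, direction, inner_v, outer_v in find_family_mismatches(SAMPLE_CONF):
        print(f"line {line_no} ({direction}): IPv{inner_v} selectors inside IPv{outer_v} tunnel")
```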