From: "xenophon+freebsd"
To: freebsd-net@freebsd.org
Date: Wed, 13 Feb 2013 01:38:13 -0500
Subject: IPv6 over an IPsec tunnel
List-Id: Networking and TCP/IP with FreeBSD

I'm trying to run an IPsec tunnel between a Linux router and a FreeBSD router, but the FreeBSD router isn't passing any of the IPv6 traffic (IPv4 works perfectly).

I have the following in /etc/ipsec.conf:

    spdadd 10.1.0.0/21 10.2.2.0/24 any -P out ipsec esp/tunnel/192.0.2.1-192.0.2.2/require ;
    spdadd 10.2.2.0/24 10.1.0.0/21 any -P in ipsec esp/tunnel/192.0.2.2-192.0.2.1/require ;
    spdadd 2001:1:1::/48 2001:2:2:2::/64 any -P out ipsec esp/tunnel/192.0.2.1-192.0.2.2/require ;
    spdadd 2001:2:2:2::/64 2001:1:1::/48 any -P in ipsec esp/tunnel/192.0.2.2-192.0.2.1/require ;

When I try to ping an IPv6 host through the tunnel in either direction, I'm seeing the packet on the FreeBSD router's enc0 device, but I get the following error on the FreeBSD router's console:

    ipsec6_output_tunnel: family mismatched between inner and outer, spi=49961579
    ip6_output (ipsec): error code 47

I found the error message in src/sys/netipsec/ipsec_output.c (r245225, line 833).

I guess that I assumed that one could tunnel IPv6 over an IPv4 IPsec tunnel. Is this not the case? Will I have to encapsulate the IPv6 traffic in an IPIP or GRE tunnel?

I don't want to build an IPv6 IPsec tunnel, because I connect to the IPv6 Internet through a tunnel broker. The latency and encapsulation overhead would be too much for my purposes.

I noticed a PR by someone who got the same error message:

http://www.freebsd.org/cgi/query-pr.cgi?pr=147894&cat=kern

-- 
I FIGHT FOR THE USERS
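
The condition named in the console message (inner and outer address family differ), checked against the policies quoted in the message. This is an added example, not part of the original post and not FreeBSD code; the names check_policies, family and SPDADD are hypothetical, and it assumes the one-line "spdadd ... -P in|out ipsec ... ;" form shown above.

```python
import ipaddress
import re

# Policies copied from the /etc/ipsec.conf quoted in the message.
SAMPLE_CONF = """\
spdadd 10.1.0.0/21 10.2.2.0/24 any -P out ipsec esp/tunnel/192.0.2.1-192.0.2.2/require ;
spdadd 10.2.2.0/24 10.1.0.0/21 any -P in ipsec esp/tunnel/192.0.2.2-192.0.2.1/require ;
spdadd 2001:1:1::/48 2001:2:2:2::/64 any -P out ipsec esp/tunnel/192.0.2.1-192.0.2.2/require ;
spdadd 2001:2:2:2::/64 2001:1:1::/48 any -P in ipsec esp/tunnel/192.0.2.2-192.0.2.1/require ;
"""

# Assumption: each policy sits on one line in the form used in the message.
SPDADD = re.compile(
    r"^\s*spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+\S+\s+"
    r"-P\s+(?P<dir>in|out)\s+ipsec\s+(?P<requests>[^;]+);"
)


def family(addr):
    """Return 4 or 6 for an address or prefix, ignoring any [port] suffix."""
    return ipaddress.ip_network(addr.split("[", 1)[0], strict=False).version


def check_policies(conf_text):
    """List tunnel policies whose selector family differs from the endpoint family."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = SPDADD.match(line.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        inner = sorted({family(m["src"]), family(m["dst"])})
        for req in m["requests"].split():
            parts = req.split("/")  # protocol/mode/src-dst/level
            # Transport-mode requests carry no endpoints, so there is no outer family.
            if len(parts) < 3 or parts[1] != "tunnel" or "-" not in parts[2]:
                continue
            outer = sorted({family(a) for a in parts[2].split("-")})
            if inner != outer:
                findings.append({"line": lineno, "direction": m["dir"],
                                 "inner": inner, "outer": outer})
    return findings


if __name__ == "__main__":
    for f in check_policies(SAMPLE_CONF):
        print("line {line} ({direction}): inner IPv{inner} over outer IPv{outer}".format(**f))
```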