Date: Mon, 15 Jan 2024 16:30:18 +0100
From: Michael Grimm <trashcan@ellael.org>
To: freebsd-net@freebsd.org
Subject: Re: Howto: ipsec tunnel routing both IPv4 and IPv6? Possible?
Message-ID: <210D7B3B-8055-4553-B945-17F196F6C9E0@ellael.org>
In-Reply-To: <AAEFA5B9-614B-4BD9-B734-B004BAFB6C4F@ellael.org>
References: <33923504-0ECC-46D7-9F6C-91D47CEE4594@ellael.org> <ad871cb9-6226-496b-b936-a41be140a40f@yandex.ru> <9339DE28-07F6-4855-927B-824360603CB2@ellael.org> <36260194-6050-4ed4-a8e2-9697f41b3adf@plan-b.pwste.edu.pl> <AAEFA5B9-614B-4BD9-B734-B004BAFB6C4F@ellael.org>
Me wrote:
> On 15. Jan 2024, at 16:15, Michael Grimm <trashcan@ellael.org> wrote:
>
> Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> wrote:
>> On 15.01.2024 at 15:35, Michael Grimm wrote:
>
>>> route_tunnel0="fd00:a:a:a::/64 fd00:a:a:a::254"
>
>> Please try:
>> route_tunnel0="-6 -net fd00:a:a:a::/64 fd00:a:a:a::254"
>
> Bingo! That did the trick:
>
> Internet6:
> Destination        Gateway            Flags  Netif   Expire
> fd00:a:a:a::/64    fd00:a:a:a::254    UGS    ipsec0
> fd00:a:a:a::254    link#4             UH     ipsec0
> fd00:b:b:b::250    link#3             UHS    lo0

That has been a bit premature, because now, the IPv4 routing has been lost.
Because when having two identical route_tunnel0= keywords provided, the latter wins.

FTR: Here is the final solution:

/etc/rc.conf:

    cloned_interfaces="ipsec0"
    static_routes="tunnel0 tunnel1"
    create_args_ipsec0="reqid 104"
    ifconfig_ipsec0="inet 10.2.2.250 10.1.1.254 tunnel 1.2.3.4 10.20.30.40"
    ifconfig_ipsec0_ipv6="inet6 fd00:b:b:b::250 fd00:a:a:a::254 prefixlen 128 tunnel 1.2.3.4 10.20.30.40"
    route_tunnel0="10.1.1.0/24 10.1.1.254"
    route_tunnel1="-6 -net fd00:a:a:a::/64 fd00:a:a:a::254"

ifconfig vtnet0:

    vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1490
        tunnel inet 1.2.3.4 --> 10.20.30.40
        inet 10.2.2.250 --> 10.1.1.254 netmask 0xffffff00
        inet6 fd00:b:b:b::250 --> fd00:a:a:a::254 prefixlen 128

netstat -rn:

    Internet:
    Destination        Gateway            Flags  Netif   Expire
    10.1.1.0/24        10.1.1.254         UGS    ipsec0
    10.1.1.254         link#4             UH     ipsec0
    10.2.2.250         link#3             UHS    lo0

    Internet6:
    Destination        Gateway            Flags  Netif   Expire
    fd00:a:a:a::/64    fd00:a:a:a::254    UGS    ipsec0
    fd00:a:a:a::254    link#4             UH     ipsec0
    fd00:b:b:b::250    link#3             UHS    lo0

> Thanks to all who helped, and to me: lessons learned ;-)
Yeah,
Michael
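
The pitfall described in this message (a repeated route_tunnel0= assignment, of which only the last survives, silently dropping one address family's route through the tunnel) can be caught before a reboot. The sh script below is an added example, not part of the original message; the function name rc_lint and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lint an rc.conf-style file for
# duplicate assignments and for static_routes names without a route_<name>.
rc_lint() {
    awk '
        /^[ \t]*#/ { next }                               # skip comment lines
        match($0, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/) {
            key = substr($0, RSTART, RLENGTH - 1)         # text before "="
            gsub(/[ \t]/, "", key)
            val = substr($0, RSTART + RLENGTH)            # text after "="
            gsub(/"/, "", val)
            if (++seen[key] == 2)                         # sh keeps only the last one
                print "duplicate " key
            if (key == "static_routes") routes = val
            else if (key ~ /^route_/) defined[substr(key, 7)] = 1
        }
        END {
            n = split(routes, name, " ")                  # whitespace-separated names
            for (i = 1; i <= n; i++)
                if (!(name[i] in defined)) print "missing route_" name[i]
        }
    ' "$1"
}

# Constructed sample: a broken variant in which both address families
# reuse route_tunnel0 and tunnel1 is listed but never defined.
sample=$(mktemp)
cat > "$sample" <<'EOF'
static_routes="tunnel0 tunnel1"
route_tunnel0="10.1.1.0/24 10.1.1.254"
route_tunnel0="-6 -net fd00:a:a:a::/64 fd00:a:a:a::254"
EOF
rc_lint "$sample"
rm -f "$sample"
```

Run against the final /etc/rc.conf shown above, rc_lint prints nothing.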
