From: Michael Grimm
Subject: How to define outgoing IP address? Needed to route local traffic through IPSEC tunnel.
Date: Thu, 31 Dec 2015 00:27:18 +0100
To: freebsd-net@FreeBSD.org, freebsd-questions

Hi —

Is there a way to set the default outgoing IPv6 address of a network interface? To my understanding, the IPv6 address that is bound to the interface by ifconfig_IFNAME_ipv6 is used, right?

I need to route all my traffic to a remote server via an IPSEC tunnel (racoon) that has a setkey.conf as follows:

    spdadd fd00:1234:1234:1234::/64 fd00:abcd:abcd:abcd::/64 any -P out ipsec esp/tunnel/2001:dead:beaf:aaaa::a-2001:dead:beaf:bbbb::a/require;
    spdadd fd00:abcd:abcd:abcd::/64 fd00:1234:1234:1234::/64 any -P in ipsec esp/tunnel/2001:dead:beaf:bbbb::a-2001:dead:beaf:aaaa::a/require;

I can use that tunnel from my jails because they have addresses from the fd00:1234:1234:1234::/64 or fd00:abcd:abcd:abcd::/64 address space bound to their epairXb interfaces. But my hosts have addresses from 2001:dead:beaf:aaaa::/56 or 2001:dead:beaf:bbbb::/56 respectively. And here my tunnel won't work.

I did try to set a local address to ifconfig_IFNAME_ipv6, though. But then the host is working, but the jails are failing to route through the tunnel.

I did try to add to my setkey.conf:

    spdadd 2001:dead:beaf:aaaa::/56 fd00:abcd:abcd:abcd::/64 any -P out ipsec esp/tunnel/2001:dead:beaf:aaaa::a-2001:dead:beaf:bbbb::a/require;
    spdadd 2001:dead:beaf:bbbb::/56 fd00:1234:1234:1234::/64 any -P in ipsec esp/tunnel/2001:dead:beaf:bbbb::a-2001:dead:beaf:aaaa::a/require;

But that doesn't work either.

Any help is highly welcome and thanks in advance.

Regards,
Michael
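
An added example, not part of the original post: a small checker that parses the spdadd statements quoted above and reports which policy selector, if any, covers a given flow. The jail and remote addresses are constructed samples inside the prefixes named in the post, and the helper names parse_spd and match are hypothetical.

```python
import ipaddress
import re

# Policies copied from the post: the original pair, then the pair the poster added.
ORIGINAL_PAIR = """
spdadd fd00:1234:1234:1234::/64 fd00:abcd:abcd:abcd::/64 any -P out ipsec esp/tunnel/2001:dead:beaf:aaaa::a-2001:dead:beaf:bbbb::a/require;
spdadd fd00:abcd:abcd:abcd::/64 fd00:1234:1234:1234::/64 any -P in ipsec esp/tunnel/2001:dead:beaf:bbbb::a-2001:dead:beaf:aaaa::a/require;
"""
ADDED_PAIR = """
spdadd 2001:dead:beaf:aaaa::/56 fd00:abcd:abcd:abcd::/64 any -P out ipsec esp/tunnel/2001:dead:beaf:aaaa::a-2001:dead:beaf:bbbb::a/require;
spdadd 2001:dead:beaf:bbbb::/56 fd00:1234:1234:1234::/64 any -P in ipsec esp/tunnel/2001:dead:beaf:bbbb::a-2001:dead:beaf:aaaa::a/require;
"""

# Sample flow endpoints (JAIL and REMOTE are constructed; HOST is the local
# tunnel endpoint address that appears in the post).
JAIL = "fd00:1234:1234:1234::10"
HOST = "2001:dead:beaf:aaaa::a"
REMOTE = "fd00:abcd:abcd:abcd::20"

SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(\S+?);")


def parse_spd(text):
    """Return (src_net, dst_net, direction, rule) for each spdadd statement."""
    policies = []
    for src, dst, _proto, direction, rule in SPD_RE.findall(text):
        # strict=False: the post writes its /56 prefixes with host bits set.
        policies.append((ipaddress.ip_network(src, strict=False),
                         ipaddress.ip_network(dst, strict=False),
                         direction, rule))
    return policies


def match(policies, src, dst, direction):
    """Return the rule of a policy whose selector covers the flow, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, pdir, rule in policies:
        if pdir == direction and s in src_net and d in dst_net:
            return rule
    return None


if __name__ == "__main__":
    orig, both = parse_spd(ORIGINAL_PAIR), parse_spd(ORIGINAL_PAIR + ADDED_PAIR)
    flows = ((JAIL, REMOTE, "out"), (HOST, REMOTE, "out"), (REMOTE, HOST, "in"))
    for label, pols in (("original", orig), ("original+added", both)):
        for src, dst, direction in flows:
            print(f"{label:15} {direction:3} {src} -> {dst}: {match(pols, src, dst, direction)}")
```

The check evaluates selectors only; it says nothing about SA negotiation by racoon or about the policies installed on the remote side.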