On 2010/12/20 19:31, Axel Rau wrote:
> 
> Am 20.12.2010 um 17:23 schrieb Stuart Henderson:
> 
> >OpenBSD's IPsec implementation (like most of the earlier
> >implementations) exclusively uses flows rather than route table
> >entries. As they aren't in the routing table at all, you can't
> >redistribute them from there into routing protocols as you'd
> >like to do.
> I see.
> >
> >You could either add a dummy default route (iirc even a blackhole
> >route should be fine e.g. route add -inet6 localhost -blackhole)
> >and announce that into your routing protocols
> I tried this, and it really says no longer "no route" (on the router),
> and shows up on the other endpoint as blocked ip6 traffic:
> -------
> block in on enc0: p4FF35948.dip.t-dialin.net > foo.bar.blah.net: [|ip6]
> (ttl 59, id 13963, len 76)
> -------

Increase your snaplen, and you'll see more details which might show you
what you need to pass, e.g. tcpdump -nevvi pflog0 -s500

> In my pf.conf, I have:        "pass in quick on enc0 proto ipencap".
> Need I allow something like ip6encap?
> As this is an ip6 in ip4 ipsec tunnel, I thought ipencap would be
> enough.
> 
> There is another basic issue:
> On my router (at the internal vpn side) I can't ping6 my own ip6
> address (neither link local nor global).
> I guess this will be resolved, when I resolve the default route issue?

When you ping or connect from the local machine, with ipsec flows,
you often need to make sure the correct source address is used.
So it might help to do ping6 -S <sourceaddr> <dest>.
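
The pf.conf fragment below is an added example for this thread, not a configuration posted by either participant. It puts the rule Axel quoted beside the rules that would be needed if a larger snaplen shows the blocked packet on enc0 to be IPv6 carried inside the IPv4 SA (IP protocol 41, "ipv6" in /etc/protocols) rather than IPv4-in-IPv4 (protocol 4, "ipencap"), which is what the "[|ip6]" in the blocked-packet line suggests. The interface name, the gateway addresses and the prefixes are assumed placeholders (documentation addresses), and whether pf sees the outer protocol-41 packet on enc0 depends on the tunnel being in tunnel mode; check the tcpdump output before copying any of it.

```conf
# Assumed macros (constructed for this example; replace with your own).
ext_if      = "em0"
local_gw    = "192.0.2.1"          # our IPv4 endpoint of the IPsec SA
remote_gw   = "198.51.100.7"       # peer's IPv4 endpoint
local_net6  = "2001:db8:1::/48"    # IPv6 prefix behind this router
remote_net6 = "2001:db8:2::/48"    # IPv6 prefix behind the peer

# On the external interface only the IPsec control and data traffic
# needs to come in; the inner packets are filtered on enc0.
pass in quick on $ext_if proto esp from $remote_gw to $local_gw
pass in quick on $ext_if proto udp from $remote_gw to $local_gw \
    port { isakmp, ipsec-nat-t }

# Before (the rule quoted in the thread): matches only IP protocol 4,
# i.e. IPv4 encapsulated in IPv4. IPv6 inside the IPv4 SA never matches.
# pass in quick on enc0 proto ipencap

# After: if the decapsulated traffic arrives on enc0 as IPv4 carrying
# IPv6 (protocol 41), pass that, and then pass the IPv6 packet itself,
# which pf sees on enc0 as well. if-bound keeps these states from being
# matched by packets on other interfaces.
pass in  quick on enc0 proto ipv6 from $remote_gw to $local_gw \
    keep state (if-bound)
pass in  quick on enc0 inet6 from $remote_net6 to $local_net6 \
    keep state (if-bound)
pass out quick on enc0 inet6 from $local_net6 to $remote_net6 \
    keep state (if-bound)
```

To confirm which of the two cases applies, capture the pflog with the snaplen raised as suggested above (tcpdump -n -e -vv -i pflog0 -s 500) and look at the protocol tcpdump decodes for the blocked packet on enc0; then test from the router itself with an explicit source address (ping6 -S <local IPv6 address> <remote host>) so the flow's selectors match.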
