Hi all,
  I’ve just tried to set up an IPSec tunnel between two IPv6 networks, over 
IPv6 between the OpenBSD gateways. Isakmpd seems to have set the SAs up, but 
traffic is not flowing over the tunnel.

A ipsec.conf:

ike dynamic esp from 2001:470:1f1d:301::/64 to 2001:41c8:11a:5::/64 local 
2001:470:1f1c:301::2 peer 2001:41c8:11a::1 \
         main auth hmac-sha1  enc aes group modp1024 \
         quick auth hmac-sha1 enc aes \
         srcid 2001:470:1f1c:301::2 dstid 2001:41c8:11a::1 \
         psk secret

B ipsec.conf:

ike dynamic esp from 2001:41c8:11a:5::/64 to 2001:470:1f1d:301::/64 local 
2001:41c8:11a::1 peer 2001:470:1f1c:301::2 \
         main auth hmac-sha1  enc aes group modp1024 \
         quick auth hmac-sha1 enc aes \
         srcid 2001:41c8:11a::1 dstid 2001:470:1f1c:301::2 \
         psk secret

A ipsecctl -sa:

# ipsecctl -sa
FLOWS:
flow esp in from 2001:41c8:11a:5::/64 to 2001:470:1f1d:301::/64 peer 
2001:41c8:11a::1 srcid 2001:470:1f1c:301::2/128 dstid 2001:41c8:11a::1/128 type 
use
flow esp out from 2001:470:1f1d:301::/64 to 2001:41c8:11a:5::/64 peer 
2001:41c8:11a::1 srcid 2001:470:1f1c:301::2/128 dstid 2001:41c8:11a::1/128 type 
require

SAD:
esp tunnel from 2001:470:1f1c:301::2 to 2001:41c8:11a::1 spi 0x74ed3662 auth 
hmac-sha1 enc aes
esp tunnel from 2001:41c8:11a::1 to 2001:470:1f1c:301::2 spi 0x7b1c75cd auth 
hmac-sha1 enc aes

B ipsecctl -sa:

FLOWS:
flow esp in from 2001:470:1f1d:301::/64 to 2001:41c8:11a:5::/64 peer 
2001:470:1f1c:301::2 srcid 2001:41c8:11a::1/128 dstid 2001:470:1f1c:301::2/128 
type use
flow esp out from 2001:41c8:11a:5::/64 to 2001:470:1f1d:301::/64 peer 
2001:470:1f1c:301::2 srcid 2001:41c8:11a::1/128 dstid 2001:470:1f1c:301::2/128 
type require

SAD:
esp tunnel from 2001:470:1f1c:301::2 to 2001:41c8:11a::1 spi 0x74ed3662 auth 
hmac-sha1 enc aes
esp tunnel from 2001:41c8:11a::1 to 2001:470:1f1c:301::2 spi 0x7b1c75cd auth 
hmac-sha1 enc aes


A ping from A to B:
# ping6 2001:41c8:11a:5::1 
PING6(56=40+8+8 bytes) 2001:470:1f1c:301::2 --> 2001:41c8:11a:5::1
16 bytes from 2001:41c8:11a:5::1, icmp_seq=0 hlim=57 time=31.905 ms
16 bytes from 2001:41c8:11a:5::1, icmp_seq=1 hlim=57 time=31.843 ms
16 bytes from 2001:41c8:11a:5::1, icmp_seq=2 hlim=57 time=31.709 ms
^C
--- 2001:41c8:11a:5::1 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 31.709/31.819/31.905/0.082 ms

The ping works, but it is *not* going over the tunnel. tcpdump is not showing 
the traffic via enc0 or any ESP traffic on the external interface. Traceroute6 
also shows all intermediate hops, i.e. no tunnel.

Is it because, being IPv6, the networks on each end can route to each other (as 
opposed to IPv4, where normally they are RFC1918 networks), so OpenBSD sends the 
packets the ‘easy’ route?

-Matt

-- 
Matt Hamilton
Quernus
m...@quernus.co.uk
+44 117 325 3025
49b Easton Business Centre
Felix Road, Easton
Bristol, BS5 0HE

Quernus Ltd is a company registered in England and Wales. Registered number: 
09076246
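A small check of which flow, if any, a given packet would hit, as an added example (Python, not from the original post or from OpenBSD): it parses the FLOWS section of gateway A's `ipsecctl -sa` output above and tests source/destination pairs against the flow prefixes. The source address that ping6 picked in the output above, 2001:470:1f1c:301::2, is not inside 2001:470:1f1d:301::/64, so it matches no flow; the inside address 2001:470:1f1d:301::1 used below is a constructed one.

```python
import ipaddress
import re

# Constructed sample: the FLOWS section from gateway A's `ipsecctl -sa`
# output in the post, with the wrapped lines joined back together.
FLOWS_A = """\
flow esp in from 2001:41c8:11a:5::/64 to 2001:470:1f1d:301::/64 peer 2001:41c8:11a::1 srcid 2001:470:1f1c:301::2/128 dstid 2001:41c8:11a::1/128 type use
flow esp out from 2001:470:1f1d:301::/64 to 2001:41c8:11a:5::/64 peer 2001:41c8:11a::1 srcid 2001:470:1f1c:301::2/128 dstid 2001:41c8:11a::1/128 type require
"""

FLOW_RE = re.compile(
    r"flow esp (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+) "
    r"peer (?P<peer>\S+) .*type (?P<type>\S+)"
)


def parse_flows(text):
    """Return one dict per 'flow esp ...' line, with prefixes parsed."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["src"] = ipaddress.ip_network(d["src"], strict=False)
            d["dst"] = ipaddress.ip_network(d["dst"], strict=False)
            flows.append(d)
    return flows


def matching_flow(flows, src, dst, direction="out"):
    """First flow whose prefixes cover src -> dst in this direction, or None.

    A packet that matches no flow is not subject to IPsec at all and leaves
    via the normal routing table, which is what the tcpdump/traceroute6
    observations in the post look like.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for f in flows:
        if f["dir"] == direction and s in f["src"] and d in f["dst"]:
            return f
    return None


if __name__ == "__main__":
    flows = parse_flows(FLOWS_A)
    # Source as chosen by ping6 in the post: the gateway's external address.
    print(matching_flow(flows, "2001:470:1f1c:301::2", "2001:41c8:11a:5::1"))
    # Constructed source inside the protected /64 on A's side.
    print(matching_flow(flows, "2001:470:1f1d:301::1", "2001:41c8:11a:5::1"))
```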
