Never mind! Worked it out… I spotted that the pings I was doing from the
gateways were using the source address of the external interface, which was
not part of the SA.

Explicitly adding the source address of the *internal* interface means it now
looks good:

# traceroute6 -s 2001:470:1f1d:301::1  2001:41c8:11a:5::1
traceroute6 to 2001:41c8:11a:5::1 (2001:41c8:11a:5::1) from 2001:470:1f1d:301::1, 64 hops max, 60 byte packets
 1  2001:41c8:11a:5::1 (2001:41c8:11a:5::1)  32.884 ms  32.795 ms  32.316 ms
#

-Matt

> On 23 Sep 2015, at 22:31, Matt Hamilton <m...@quernus.co.uk> wrote:
>
> Hi all,
>  I’ve just tried to set up an IPSec tunnel between two IPv6 networks, over
> IPv6 between the OpenBSD gateways. Isakmpd seems to have set the SAs up, but
> traffic is not flowing over the tunnel.
>
> A ipsec.conf:
>
> ike dynamic esp from 2001:470:1f1d:301::/64 to 2001:41c8:11a:5::/64 local 2001:470:1f1c:301::2 peer 2001:41c8:11a::1 \
>         main auth hmac-sha1  enc aes group modp1024 \
>         quick auth hmac-sha1 enc aes \
>         srcid 2001:470:1f1c:301::2 dstid 2001:41c8:11a::1 \
>         psk secret
>
> B ipsec.conf:
>
> ike dynamic esp from 2001:41c8:11a:5::/64 to 2001:470:1f1d:301::/64 local 2001:41c8:11a::1 peer 2001:470:1f1c:301::2 \
>         main auth hmac-sha1  enc aes group modp1024 \
>         quick auth hmac-sha1 enc aes \
>         srcid 2001:41c8:11a::1 dstid 2001:470:1f1c:301::2 \
>         psk secret
>
> A ipsecctl -sa:
>
> # ipsecctl -sa
> FLOWS:
> flow esp in from 2001:41c8:11a:5::/64 to 2001:470:1f1d:301::/64 peer 2001:41c8:11a::1 srcid 2001:470:1f1c:301::2/128 dstid 2001:41c8:11a::1/128 type use
> flow esp out from 2001:470:1f1d:301::/64 to 2001:41c8:11a:5::/64 peer 2001:41c8:11a::1 srcid 2001:470:1f1c:301::2/128 dstid 2001:41c8:11a::1/128 type require
>
> SAD:
> esp tunnel from 2001:470:1f1c:301::2 to 2001:41c8:11a::1 spi 0x74ed3662 auth hmac-sha1 enc aes
> esp tunnel from 2001:41c8:11a::1 to 2001:470:1f1c:301::2 spi 0x7b1c75cd auth hmac-sha1 enc aes
>
> B ipsecctl -sa:
>
> FLOWS:
> flow esp in from 2001:470:1f1d:301::/64 to 2001:41c8:11a:5::/64 peer 2001:470:1f1c:301::2 srcid 2001:41c8:11a::1/128 dstid 2001:470:1f1c:301::2/128 type use
> flow esp out from 2001:41c8:11a:5::/64 to 2001:470:1f1d:301::/64 peer 2001:470:1f1c:301::2 srcid 2001:41c8:11a::1/128 dstid 2001:470:1f1c:301::2/128 type require
>
> SAD:
> esp tunnel from 2001:470:1f1c:301::2 to 2001:41c8:11a::1 spi 0x74ed3662 auth hmac-sha1 enc aes
> esp tunnel from 2001:41c8:11a::1 to 2001:470:1f1c:301::2 spi 0x7b1c75cd auth hmac-sha1 enc aes
>
>
> A ping from A to B:
> # ping6 2001:41c8:11a:5::1
> PING6(56=40+8+8 bytes) 2001:470:1f1c:301::2 --> 2001:41c8:11a:5::1
> 16 bytes from 2001:41c8:11a:5::1, icmp_seq=0 hlim=57 time=31.905 ms
> 16 bytes from 2001:41c8:11a:5::1, icmp_seq=1 hlim=57 time=31.843 ms
> 16 bytes from 2001:41c8:11a:5::1, icmp_seq=2 hlim=57 time=31.709 ms
> ^C
> --- 2001:41c8:11a:5::1 ping6 statistics ---
> 3 packets transmitted, 3 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 31.709/31.819/31.905/0.082 ms
>
> The ping works, but it is *not* going over the tunnel. tcpdump is not
> showing the traffic via enc0 or any ESP traffic on the external interface.
> Traceroute6 also shows all intermediate hops, i.e. no tunnel.
>
> Is it because, being IPv6, the networks on each end can route to each other
> (as opposed to IPv4, where normally they are RFC1918 networks), so OpenBSD sends the
> packets the ‘easy’ route?
>
> -Matt
>
> —
> Matt Hamilton
> Quernus
> m...@quernus.co.uk
> +44 117 325 3025
> 49b Easton Business Centre
> Felix Road, Easton
> Bristol, BS5 0HE
>
> Quernus Ltd is a company registered in England and Wales. Registered number: 09076246
>

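As an added illustration (not from the thread or from OpenBSD's code): a small Python check that parses the FLOWS section of gateway A's `ipsecctl -sa` output quoted above and reports whether a given source/destination pair falls inside an outbound flow's selectors. It models, in simplified form, why a ping sourced from the external interface address (2001:470:1f1c:301::2) fell outside the flow and was routed in the clear, while one sourced from the internal address matched the `require` flow. The flow lines are copied from the mail; the matching logic is an assumption-level model of the kernel flow lookup, not OpenBSD's implementation.

```python
import ipaddress

# Constructed sample: the FLOWS lines of `ipsecctl -sa` on gateway A,
# copied from the thread above.
FLOWS_A = """\
flow esp in from 2001:41c8:11a:5::/64 to 2001:470:1f1d:301::/64 peer 2001:41c8:11a::1 srcid 2001:470:1f1c:301::2/128 dstid 2001:41c8:11a::1/128 type use
flow esp out from 2001:470:1f1d:301::/64 to 2001:41c8:11a:5::/64 peer 2001:41c8:11a::1 srcid 2001:470:1f1c:301::2/128 dstid 2001:41c8:11a::1/128 type require
"""


def parse_flows(text):
    """Parse 'flow <proto> <dir> from <net> to <net> peer ... type <t>' lines."""
    flows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "flow":
            continue
        entry = {"proto": tok[1], "dir": tok[2]}
        # The rest of the line is key/value pairs: from X to Y peer Z ... type T
        for key, val in zip(tok[3::2], tok[4::2]):
            entry[key] = val
        entry["from"] = ipaddress.ip_network(entry["from"])
        entry["to"] = ipaddress.ip_network(entry["to"])
        flows.append(entry)
    return flows


def matching_flow(flows, src, dst, direction="out"):
    """Return the first flow in `direction` whose selectors cover (src, dst), else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for f in flows:
        if f["dir"] == direction and src in f["from"] and dst in f["to"]:
            return f
    return None


def explain(flows, src, dst):
    """Human-readable verdict for an outbound packet (simplified model, assumption)."""
    f = matching_flow(flows, src, dst)
    if f is None:
        return f"{src} -> {dst}: no outbound flow covers this pair; routed in the clear"
    return f"{src} -> {dst}: matches flow to {f['to']} (type {f['type']}), peer {f['peer']}"


if __name__ == "__main__":
    flows = parse_flows(FLOWS_A)
    # Default source selection: gateway A's external address, which is outside the flow
    print(explain(flows, "2001:470:1f1c:301::2", "2001:41c8:11a:5::1"))
    # Source forced with `ping6 -S` / `traceroute6 -s`: the internal address
    print(explain(flows, "2001:470:1f1d:301::1", "2001:41c8:11a:5::1"))
```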
