On Thu, Mar 14, 2019 at 11:46:10AM +0100, Otto Moerbeek wrote:
> On Thu, Mar 14, 2019 at 10:43:03AM +0100, Claudio Jeker wrote:
> 
> > On Thu, Mar 14, 2019 at 10:36:58AM +0100, Otto Moerbeek wrote:
> > > Hi,
> > > 
> > > So i have a little IPv6 problem. 
> > > 
> > > I have a machine in colocation that has IPv6. I have my home cable
> > > modem connection that does not have it.
> > > 
> > > So I thought: I make my own tunnel. First I tried gif(4), that worked,
> > > but only after some fighting with mtu settings on all hosts on my home
> > > net via rad.  Performance was kinda bad. So I'm looking for an
> > > alternative. I thougt: IPSEC should be able to do this.
> > > 
> > > I have a flow from my locally created IPv6 net to any and vice versa.
> > > The flow itself works. 
> > > 
> > > There I ran into the trouble that you cannot specify a default
> > > gateway, since my remote gw (the host in colo) it is not reachable
> > > according to route(8).
> > > 
> > > How does one solve the default route problem?  I never really
> > > understood how routing works in the presence of IPSEC flows.
> > > 
> > 
> > IPSec flows steal the traffic away before it is sent out. You still
> > need routes in place to get to this point though. In your case adding a
> > dummy default route should work. Never tried but I think you should be
> > able to use the loopback for this and add a route like 'route add -inet6
> > default ::1'. Also don't forget to enable net.inet6.ip6.forwarding.
> > 
> > -- 
> > :wq Claudio
> > 
> 
> Indeed, that seems to work. Thanks,
> 

You may need to use pf to block the routed IPv6 traffic on the loopback
or you may end up with a routing loop when the IPsec flow is not present.
You can use a 2nd loopback or maybe even a vether(4) and use the link
local address as the default gateway; then dropping this traffic should be
trivial.

-- 
:wq Claudio
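What the home-gateway side of this looks like when written down, as an added example that is not from the thread or from OpenBSD's own documentation: the flow from the home prefix to everything, the dummy default route via ::1, and a pf rule implementing the "block the routed IPv6 on the loopback" advice above. All addresses are RFC documentation placeholders, and the pre-shared key is a placeholder too.

```conf
# --- /etc/ipsec.conf on the home gateway (constructed example) ---
# 2001:db8:1::/64 : IPv6 prefix announced on the home LAN via rad (placeholder)
# 192.0.2.10      : public IPv4 address of the colocated host (placeholder)
home6     = "2001:db8:1::/64"
remote_gw = "192.0.2.10"

# IPv6 carried inside ESP over IPv4. With "ike", isakmpd sets up the SAs and
# both the outbound and the return flow, i.e. "from my net to any and vice
# versa" as in the thread. ::/0 rather than "any", because in ipsec.conf
# "any" expands to 0.0.0.0/0.
ike esp from $home6 to ::/0 peer $remote_gw \
        psk "CHANGE-ME-placeholder"

# --- commands typed as root on the home gateway (from the thread) ---
#   sysctl net.inet6.ip6.forwarding=1
#   route add -inet6 default ::1
# The flow steals matching packets before they leave; the route via ::1
# only exists so the kernel has a next hop to resolve at all.

# --- /etc/pf.conf fragment on the home gateway ---
# Packets the flow picks up are filtered on enc(4), not on lo0, so this rule
# never touches tunnelled traffic. If the flow is gone (SA expired, isakmpd
# down), forwarded IPv6 falls through to the ::1 default route, re-enters
# ip6_input from lo0 and gets forwarded again until the hop limit runs out.
# Dropping anything on lo0 that is not really for the loopback stops that.
table <lo6_local> const { ::1, fe80::/10 }
block drop out quick on lo0 inet6 to ! <lo6_local>
```

Check with `pfctl -nf /etc/pf.conf` and `ipsecctl -nf /etc/ipsec.conf` before loading; with the flow down, `pfctl -vsr` should show the lo0 rule's counters climbing instead of a loop.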
