On Thu, Mar 14, 2019 at 09:06:12PM +0100, Sebastian Benoit wrote:
> Claudio Jeker(cje...@diehard.n-r-g.com) on 2019.03.14 11:53:29 +0100:
> > On Thu, Mar 14, 2019 at 11:46:10AM +0100, Otto Moerbeek wrote:
> > > On Thu, Mar 14, 2019 at 10:43:03AM +0100, Claudio Jeker wrote:
> > > 
> > > > On Thu, Mar 14, 2019 at 10:36:58AM +0100, Otto Moerbeek wrote:
> > > > > Hi,
> > > > > 
> > > > > So I have a little IPv6 problem.
> > > > > 
> > > > > I have a machine in colocation that has IPv6. I have my home cable
> > > > > modem connection that does not have it.
> > > > > 
> > > > > So I thought: I make my own tunnel. First I tried gif(4), that worked,
> > > > > but only after some fighting with mtu settings on all hosts on my home
> > > > > net via rad. Performance was kinda bad. So I'm looking for an
> > > > > alternative. I thought: IPSEC should be able to do this.
> > > > > 
> > > > > I have a flow from my locally created IPv6 net to any and vice versa.
> > > > > The flow itself works.
> > > > > 
> > > > > There I ran into the trouble that you cannot specify a default
> > > > > gateway, since my remote gw (the host in colo) is not reachable
> > > > > according to route(8).
> > > > > 
> > > > > How does one solve the default route problem? I never really
> > > > > understood how routing works in the presence of IPSEC flows.
> > > > > 
> > > > 
> > > > IPSec flows steal the traffic away before it is being sent out. You
> > > > still need routes in place to get to this point though. In your case
> > > > adding a dummy default route should work. Never tried but I think you
> > > > should be able to use the loopback for this and add a route like
> > > > 'route add -inet6 default ::1'; also don't forget to enable
> > > > net.inet6.ip6.forwarding
> > > > 
> > > > -- 
> > > > :wq Claudio
> > > > 
> > > 
> > > Indeed, that seems to work. Thanks,
> > > 
> > 
> > You may need to use pf to block the routed IPv6 traffic on the loopback
> > or you may end up with a routing loop when the IPsec flow is not present.
> > You can use a 2nd loopback or maybe even a vether(4) and use the link
> > local address as the default gateway; then dropping this traffic should be
> > trivial.
> 
> Why not "route add -inet6 default ::1 -blackhole" ?
> 

Because that would drop the packets in the forwarding path before hitting
the ipsec code. At least I thought this was the case. If that works even
better :)

-- 
:wq Claudio
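The setup the thread converges on (forwarding enabled, a dummy IPv6 default route through the loopback so the IPsec flow has something to steal traffic from, and a pf rule that drops whatever falls through to the loopback when the flow is not present), collected as an added OpenBSD configuration example. This is not from the original thread or from any of its participants. The home prefix 2001:db8:1::/64, the table name, and the choice of /etc/hostname.lo0 as the place to hold the route command are assumptions; the route and sysctl are the ones quoted in the thread. The `-blackhole` variant is left out because the reply above leaves open whether such a route drops forwarded packets before the IPsec lookup.

```conf
# /etc/sysctl.conf  (added example)
# Forwarding must be on, or packets arriving from the home net are never
# routed at all and never reach the IPsec flow.
net.inet6.ip6.forwarding=1

# /etc/hostname.lo0  (assumption: a "!command" line here is run by
# netstart at boot; the route itself is the one suggested in the thread)
!route add -inet6 default ::1

# /etc/pf.conf  (fragment)
# The stock pf.conf ships "set skip on lo"; that line has to go, otherwise
# pf never sees traffic on lo0 and the rule below cannot match.
table <homenet6> { 2001:db8:1::/64 }   # placeholder for the home IPv6 prefix

# A packet that reaches the dummy default route without an IPsec flow having
# claimed it would be looped back into the forwarding path and circle lo0
# until its hop limit runs out. Drop it on the way out instead.
# "to ! <homenet6>" keeps the host's own local delivery to its LAN address
# (which also passes over lo0) unaffected.
block drop out quick on lo0 inet6 from <homenet6> to ! <homenet6>
```

After loading this with `pfctl -f /etc/pf.conf`, a quick check for the loop condition is to remove the flow temporarily and watch `pfctl -s info` or `tcpdump -ni lo0 ip6`: with the rule in place the forwarded packets are counted as blocked on lo0 rather than repeating with a decreasing hop limit.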