On 02/09/2011 07:14 PM, Michael H. Warfield wrote:
On Tue, 2011-02-08 at 14:54 -0800, Drew wrote:
I have posted to the ipsec-devel list and haven't gotten any responses. Also I have spent 2 days googling with no results about the above setup. Is it even possible to tunnel ipv4 packets thru an ipv6 ipsec tunnel?
AFAIK, No.
It's probably a major "it depends".
IPv4 & IPv6 are different protocols, so if you want to move IPv6 traffic over an IPv4 IPSEC tunnel you need to encapsulate the IPv6 payload within IPv4 packets. The reverse is also true of IPv4 over IPv6.
- That's not true of IPSec tunnels (transport mode is a totally different question). The ESP encapsulation itself contains the IP headers and can support it.
- IKE, the key exchange and setup daemons, is a different matter. AFAIK, it is not possible with IKEv1. Paul and I discussed that over on the Openswan list some time ago. Basically, you can't negotiate the key exchange. IKEv2 is a different story. StrongSWAN supports IPv6 over IPv4 in an IPSec tunnel. I'm not currently sure about Openswan or Racoon (IPsec Tools).
- In the case of IPv4 over IPv4, IPsec itself should handle it. Whether the keying daemons currently support the syntax is a question and it will most certainly have to be IKEv2.
This is why tunnel brokers like Freenet6 & Teredo exist; you can't push IPv6 traffic out across an IPv4-only network without tunneling.
But, IPsec is a tunnel. At least it has a "tunnel mode" (and I advise against transport mode in any case).
Regards, Mike
Thanks for the response Mike. By creating an ipv6<->ipv6 ipsec tunnel and then running an ipip6 tunnel inside of it I can get the ipv4 packets thru no problem. But alas I am trying to use ospf and multicast doesn't seem to work correctly. The multicast ipv4 packets reach the other side; I can see the unencrypted Hello packets by tcpdumping the 4in6 tunnel, but ospfd doesn't see them.