Hello,
How do I find out what is happening to my packets thru my ipsec tunnel? They just seem to disappear on the remote side.
I have successfully got the pings thru when everything has an ipv6 address, but am not successful when trying to connect two ipv4 lans across an ipv6 ipsec tunnel. All fw chains both 4 and 6 are set to ACCEPT. NAT is turned off.
eth0             eth1                                           eth1                 eth0
10.1.254.254/17  2001:xxxx:1628::254 <----ipv6 internet -----> 2001:xxxx:e334::254  10.0.254.254/17
12:00:02.296972 IP6 2001:xxxx:1628::254 > 2001:xxxx:e334::254: ESP(spi=0x07454bc3,seq=0x28b), length 132
12:00:03.308751 IP6 2001:xxxx:1628::254 > 2001:xxxx:e334::254: ESP(spi=0x07454bc3,seq=0x28c), length 132
12:00:04.296857 IP6 2001:xxxx:1628::254 > 2001:xxxx:e334::254: ESP(spi=0x07454bc3,seq=0x28d), length 132
12:00:05.293748 IP6 2001:xxxx:1628::254 > 2001:xxxx:e334::254: ESP(spi=0x07454bc3,seq=0x28e), length 132
12:00:06.296623 IP6 2001:xxxx:1628::254 > 2001:xxxx:e334::254: ESP(spi=0x07454bc3,seq=0x28f), length 132
I have posted to the ipsec-devel list and haven't gotten any responses. Also I have spent 2 days googling with no results about the above setup. Is it even possible to tunnel ipv4 packets thru an ipv6 ipsec tunnel?
Thanks, Steve
> I have posted to the ipsec-devel list and haven't gotten any responses. Also I have spent 2 days googling with no results about the above setup. Is it even possible to tunnel ipv4 packets thru an ipv6 ipsec tunnel?
AFAIK, No.
IPv4 & IPv6 are different protocols so if you want to move IPv6 traffic over an IPv4 IPSEC tunnel you need to encapsulate the IPv6 payload within IPv4 packets. The reverse is also true of IPv4 over IPv6.
This is why tunnel brokers like Freenet6 & Teredo exist, you can't push IPv6 traffic out across an IPv4 only network without tunneling.
On 02/08/2011 05:54 PM, Drew wrote:
>> I have posted to the ipsec-devel list and haven't gotten any responses. Also I have spent 2 days googling with no results about the above setup. Is it even possible to tunnel ipv4 packets thru an ipv6 ipsec tunnel?
> AFAIK, No.
> IPv4 & IPv6 are different protocols so if you want to move IPv6 traffic over an IPv4 IPSEC tunnel you need to encapsulate the IPv6 payload within IPv4 packets. The reverse is also true of IPv4 over IPv6.
> This is why tunnel brokers like Freenet6 & Teredo exist, you can't push IPv6 traffic out across an IPv4 only network without tunneling.
Hi Drew,
Thanks for taking the time to respond. I understand they are different. I want to tunnel ipv4 in an ipv6 ipsec tunnel. Ipsec-tools lets me configure the tunnels and establishes the SAs but packets get dropped on the receiving side. I am able to create a 4in6 tunnel that rides inside a strict ipv6 ipsec tunnel so I have a workaround.
I am mainly trying to see if anyone has gotten what I described in my initial post to work.
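For the symptom described above (SAs established, packets dropped on the receiving gateway), the kernel's XFRM drop counters show which stage rejected the packet. This is an added example, not part of the thread; it assumes Linux gateways built with CONFIG_XFRM_STATISTICS so that /proc/net/xfrm_stat exists, and the two snapshots are constructed sample data.

```shell
#!/bin/sh
# Added example: diff two snapshots of /proc/net/xfrm_stat (Linux, needs
# CONFIG_XFRM_STATISTICS) taken on the receiving gateway and explain each
# counter that grew. Hints paraphrase the kernel's xfrm_proc documentation.

xfrm_hint() {
    case "$1" in
        XfrmInNoStates)        echo "no SA found for this SPI/address/protocol" ;;
        XfrmInStateProtoError) echo "ESP/AH processing failed, e.g. wrong SA key" ;;
        XfrmInStateModeError)  echo "transformation-mode (tunnel/transport) error" ;;
        XfrmInStateSeqError)   echo "sequence number outside the replay window" ;;
        XfrmInTmplMismatch)    echo "SA is fine but the policy template does not match" ;;
        XfrmInNoPols)          echo "SA is fine but no matching security policy was found" ;;
        *)                     echo "see the kernel's xfrm_proc documentation" ;;
    esac
}

# Print "counter delta" for every counter that increased between $1 and $2.
xfrm_delta() {
    awk 'NR == FNR { before[$1] = $2; next }
         ($2 - before[$1]) > 0 { print $1, $2 - before[$1] }' "$1" "$2"
}

# Print one line per grown counter: name, increase, and a short hint.
xfrm_report() {
    xfrm_delta "$1" "$2" | while read -r name delta; do
        printf '%s +%s: %s\n' "$name" "$delta" "$(xfrm_hint "$name")"
    done
}

# Constructed sample snapshots (not captured from the hosts in this thread).
# On a real gateway: cat /proc/net/xfrm_stat > before, send pings, then > after.
tmp=$(mktemp -d)
cat > "$tmp/before" <<'EOF'
XfrmInError             0
XfrmInNoStates          0
XfrmInStateProtoError   0
XfrmInTmplMismatch      12
XfrmInNoPols            0
XfrmOutNoStates         3
EOF
sed 's/^XfrmInTmplMismatch .*/XfrmInTmplMismatch      17/' "$tmp/before" > "$tmp/after"
xfrm_report "$tmp/before" "$tmp/after"
rm -rf "$tmp"
```

A growing XfrmInTmplMismatch or XfrmInNoPols with a quiet XfrmInNoStates points at the inbound policy (`setkey -DP`) rather than at the SAs (`setkey -D`).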
On Tue, 2011-02-08 at 14:54 -0800, Drew wrote:
>> I have posted to the ipsec-devel list and haven't gotten any responses. Also I have spent 2 days googling with no results about the above setup. Is it even possible to tunnel ipv4 packets thru an ipv6 ipsec tunnel?
> AFAIK, No.
It's probably a major "it depends".
> IPv4 & IPv6 are different protocols so if you want to move IPv6 traffic over an IPv4 IPSEC tunnel you need to encapsulate the IPv6 payload within IPv4 packets. The reverse is also true of IPv4 over IPv6.
1) That's not true of IPSec tunnels (transport mode is a totally different question). The ESP encapsulation itself contains the IP headers and can support it.
2) IKE, the key exchange and setup daemons, is a different matter. AFAIK, it is not possible with IKEv1. Paul and I discussed that over on the Openswan list some time ago. Basically, you can't negotiate the key exchange. IKEv2 is a different story. StrongSWAN supports IPv6 over IPv4 in an IPSec tunnel. I'm not currently sure about Openswan or Racoon (IPsec Tools).
3) In the case of IPv4 over IPv4, IPsec itself should handle it. Whether the keying daemons currently support the syntax is a question and it will most certainly have to be IKEv2.
> This is why tunnel brokers like Freenet6 & Teredo exist, you can't push IPv6 traffic out across an IPv4 only network without tunneling.
But, IPsec is a tunnel. At least it has a "tunnel mode" (and I advise against transport mode in any case).
Regards, Mike
On 02/09/2011 07:14 PM, Michael H. Warfield wrote:
> On Tue, 2011-02-08 at 14:54 -0800, Drew wrote:
>>> I have posted to the ipsec-devel list and haven't gotten any responses. Also I have spent 2 days googling with no results about the above setup. Is it even possible to tunnel ipv4 packets thru an ipv6 ipsec tunnel?
>> AFAIK, No.
> It's probably a major "it depends".
>> IPv4 & IPv6 are different protocols so if you want to move IPv6 traffic over an IPv4 IPSEC tunnel you need to encapsulate the IPv6 payload within IPv4 packets. The reverse is also true of IPv4 over IPv6.
> 1) That's not true of IPSec tunnels (transport mode is a totally different question). The ESP encapsulation itself contains the IP headers and can support it.
> 2) IKE, the key exchange and setup daemons, is a different matter. AFAIK, it is not possible with IKEv1. Paul and I discussed that over on the Openswan list some time ago. Basically, you can't negotiate the key exchange. IKEv2 is a different story. StrongSWAN supports IPv6 over IPv4 in an IPSec tunnel. I'm not currently sure about Openswan or Racoon (IPsec Tools).
> 3) In the case of IPv4 over IPv4, IPsec itself should handle it. Whether the keying daemons currently support the syntax is a question and it will most certainly have to be IKEv2.
>> This is why tunnel brokers like Freenet6 & Teredo exist, you can't push IPv6 traffic out across an IPv4 only network without tunneling.
> But, IPsec is a tunnel. At least it has a "tunnel mode" (and I advise against transport mode in any case).
> Regards, Mike
Thanks for the response, Mike. By creating an ipv6<->ipv6 ipsec tunnel and then running an ipip6 tunnel inside of it I can get the ipv4 packets thru no problem. But alas I am trying to use ospf and multicast doesn't seem to work correctly. The multicast ipv4 packets reach the other side, I can see the unencrypted Hello packets by tcpdumping the 4in6 tunnel, but ospfd doesn't see them.