On 02/09/2011 07:14 PM, Michael H. Warfield wrote:
> On Tue, 2011-02-08 at 14:54 -0800, Drew wrote:
>
>>> I have posted to the ipsec-devel list and haven't gotten any responses. Also I
>>> have spent 2 days googling with
>>> no results about the above setup. Is it even possible to tunnel ipv4 packet thru
>>> an ipv6 ipsec tunnel?
>>>
>
>> AFAIK, No.
>>
> It's probably a major "it depends".
>
>
>> IPv4 & IPv6 are different protocols so if you want to move IPv6
>> traffic over a IPv4 IPSEC tunnel you need to encapsulate the IPv6
>> payload within IPv4 packets. The reverse is also true of IPv4 over
>> IPv6.
>>
> 1) That's not true of IPSec tunnels (transport mode is a totally
> different question). The ESP encapsulation itself contains the IP
> headers and can support it.
>
> 2) IKE, the key exchange and setup daemons, is a different matter.
> AFAIK, it is not possible with IKEv1. Paul and I discussed that over on
> the Openswan list some time ago. Basically, you can't negotiate the key
> exchange. IKEv2 is a different story. StrongSWAN supports IPv6 over
> IPv4 in an IPSec tunnel. I'm not currently sure about Openswan or
> Racoon (IPsec Tools).
>
> 3) In the case of IPv4 over IPv4, IPsec itself should handle it.
> Whether the keying daemons currently support the syntax is a question
> and it will most certainly have to be IKEv2.
>
>
>> This is why tunnel brokers like Freenet6 & Teredo exist, you can't
>> push IPv6 traffic out across an IPv4 only network without tunneling.
>>
> But, IPsec is a tunnel. At least it has a "tunnel mode" (and I advise
> against transport mode in any case).
>
> Regards,
> Mike
>
>
Thanks for the response Mike.

By creating an ipv6<->ipv6 ipsec tunnel and then running an ipip6 tunnel inside of it I can get the ipv4 packets thru no problem. But alas I am trying to use ospf and multicast doesn't seem to work correctly.

The multicast ipv4 packets reach the other side, I can see the unencrypted Hello packets by tcpdumping the 4in6 tunnel, but ospfd doesn't see them.

-- 
Stephen Clark
*NetWolves*
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
http://www.netwolves.com
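
Point 1 of the quoted reply (ESP tunnel mode carries its own inner IP header), as an added example that is not part of the original thread: a parser run over a constructed packet with an IPv6 outer header whose ESP payload carries an IPv4 OSPF Hello header. It assumes the ESP payload is left unencrypted with no ICV and no IPv6 extension headers so the trailer is readable; the function names, addresses and SPI are made up for illustration.

```python
import struct

ESP = 50                          # IP protocol number for ESP
INNER = {4: "IPv4", 41: "IPv6"}   # ESP Next Header values seen in tunnel mode

# Constructed inner packet: bare IPv4 header, proto 89 (OSPF), dst 224.0.0.5.
SAMPLE_INNER_IPV4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 1, 89, 0,
                                bytes([10, 0, 0, 1]), bytes([224, 0, 0, 5]))

def build_outer_ipv6_esp(inner: bytes, next_header: int) -> bytes:
    """Constructed sample: IPv6 outer header + cleartext ESP, no ICV."""
    pad_len = (-(len(inner) + 2)) % 4            # align the trailer to 4 bytes
    padding = bytes(range(1, pad_len + 1))       # default padding 1, 2, 3, ...
    esp = (struct.pack("!II", 0x1000, 1) + inner + padding
           + bytes([pad_len, next_header]))      # SPI, seq, payload, trailer
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(esp), ESP, 64) + src + dst + esp

def describe(packet: bytes) -> dict:
    """Report outer family and the inner family named by the ESP trailer."""
    version = packet[0] >> 4
    if version == 6:
        proto, payload = packet[6], packet[40:]
    elif version == 4:
        proto, payload = packet[9], packet[(packet[0] & 0x0F) * 4:]
    else:
        raise ValueError("not an IP packet")
    if proto != ESP or len(payload) < 11:
        raise ValueError("outer packet does not carry a usable ESP payload")
    spi, seq = struct.unpack("!II", payload[:8])
    pad_len, next_header = payload[-2], payload[-1]
    inner = payload[8:len(payload) - 2 - pad_len]
    if not inner:
        raise ValueError("empty inner packet")
    return {"outer": f"IPv{version}", "spi": spi, "seq": seq,
            "inner": INNER.get(next_header, f"proto {next_header}"),
            "inner_version_nibble": inner[0] >> 4, "inner_len": len(inner)}

if __name__ == "__main__":
    print(describe(build_outer_ipv6_esp(SAMPLE_INNER_IPV4, 4)))
```

The outer header only says "ESP"; the inner family comes from the trailer's Next Header field, which is why the data path can carry either family once the keying daemon has negotiated the SA.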