Tunneling IPv4 over IPv6 VPN

Fri Feb 1 09:59:02 UTC 2013

Hi everyone!

I am trying to tunnel IPv4 traffic over an IPv6 VPN. So far it is unsuccessful.

Both machines are running FreeBSD 9.1-RELEASE. They are acting as
gateways and they both have assigned /64 IPv6 subnets. The purpose is
to encapsulate the non routable IPv4 traffic behind those gateways
into the IPv6 VPN.

For the sake of simplicity I will present the configuration of the
first machine. The second has exactly the reverse. (Kernels are
compiled with IPsec)

#ifconfig gif0 create
#ifconfig gif0 ipv6 tunnel xxxx:fc50:1001:5f00::86 xxxx:580:8f00:2c00::2093
#ifconfig gif0 alias 10.10.10.4 10.1.1.3

The tunnel comes up, machine a can ping machine b and vice versa.

> ping 10.1.1.3
PING 10.1.1.3 (10.1.1.3): 56 data bytes
64 bytes from 10.1.1.3: icmp_seq=0 ttl=64 time=187.772 ms
64 bytes from 10.1.1.3: icmp_seq=1 ttl=64 time=184.516 ms
64 bytes from 10.1.1.3: icmp_seq=2 ttl=64 time=185.563 ms

ipsec-tools comes in to create the actual IPsec connection.

setkey.conf:

flush;
spdflush;
spdadd 10.1.1.0/24 10.10.10.0/24 any -P out ipsec
esp/tunnel/xxxx:fc50:1001:5f00::86-xxxx:580:8f00:2c00::2093/use;
spdadd 10.10.10.0/24 10.1.1.0/24 any -P in ipsec
esp/tunnel/xxxx:580:8f00:2c00::2093-xxxx:fc50:1001:5f00::86/use;

racoon.conf:

path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log debug;

padding # options are not to be changed
{
maximum_length 20; # maximum padding length
randomize off; # enable randomize length
strict_check off; # enable strict check
exclusive_tail off; # extract last one octet
}

listen # address [port] that racoon will listening on
{
isakmp xxxx:580:8f00:2c00::2093 [500];
}

timer # timing options. change as needed
{
counter 5; # maximum trying count to send
interval 20 sec; # maximum interval to resend
persend 1; # the number of packets per a send
phase1 60 sec;
phase2 25 sec;
}

remote xxxx:fc50:1001:5f00::86 [500]
{
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
lifetime time 8 hour;
initial_contact on;
passive off;
proposal_check obey;
generate_policy off;

proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}

}

sainfo anonymous
{
pfs_group 5;
lifetime time 12 hour ;
encryption_algorithm blowfish,3des,des;
# authentication_algorithm hmac_md5,hmac_sha1;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}

Once the IPsec is established:

2013-01-31 18:02:20: DEBUG: KEYMAT computed.
2013-01-31 18:02:20: DEBUG: call pk_sendupdate
2013-01-31 18:02:20: DEBUG: encryption(blowfish)
2013-01-31 18:02:20: DEBUG: hmac(sha1)
2013-01-31 18:02:20: DEBUG: call pfkey_send_update2
2013-01-31 18:02:20: DEBUG: pfkey update sent.
2013-01-31 18:02:20: DEBUG: encryption(blowfish)
2013-01-31 18:02:20: DEBUG: hmac(sha1)
2013-01-31 18:02:20: DEBUG: call pfkey_send_add2 (NAT flavor)
2013-01-31 18:02:20: DEBUG: call pfkey_send_add2
2013-01-31 18:02:20: DEBUG: pfkey add sent.
2013-01-31 18:02:20: DEBUG: pk_recv: retry[0] recv()
2013-01-31 18:02:20: DEBUG: got pfkey UPDATE message
2013-01-31 18:02:20: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel
xxxx:580:8f00:2c00::2093[500]->
xxxx:fc50:1001:5f00::86[500] spi=15238148(0xe88404)
2013-01-31 18:02:20: INFO: IPsec-SA established: ESP/Tunnel
xxxx:580:8f00:2c00::2093[500]->
xxxx:fc50:1001:5f00::86[500] spi=15238148(0xe88404)
2013-01-31 18:02:20: DEBUG: ===
2013-01-31 18:02:20: DEBUG: pk_recv: retry[0] recv()
2013-01-31 18:02:20: DEBUG: got pfkey ADD message
2013-01-31 18:02:20: INFO: IPsec-SA established: ESP/Tunnel
xxxx:580:8f00:2c00::2093[500]->
xxxx:fc50:1001:5f00::86[500] spi=109946295(0x68da5b7)
2013-01-31 18:02:20: DEBUG: ===

I can only ping the IPv6 endpoints. The IPv4 simply time outs. I run a
tcpdump but didn't see anything that it could assist me. I suspect
that my problem is in the spd policies. I also run into an older PR
(http://www.freebsd.org/cgi/query-pr.cgi?pr=169438&cat=) which looks
similar. The ipsec_output.c though seems different in that part.

Any help will be appreciated!

Thanks

--
George Kontostanos
---
http://www.aisecure.net