Howto: ipsec tunnel routing both IPv4 and IPv6? Possible?

From: Michael Grimm <trashcan_at_ellael.org>
Date: Mon, 15 Jan 2024 13:09:33 UTC
Hi,

I have been using an ipsec tunnel for routing local IPv4 traffic for years now (/etc/rc.conf):

     cloned_interfaces="ipsec0"
     static_routes="tunnel0"
     create_args_ipsec0="reqid 104"
     ifconfig_ipsec0="inet 10.2.2.250 10.1.1.254 tunnel 1.2.3.4 10.20.30.40"
     route_tunnel0="10.1.1.0/24 10.1.1.254"

ifconfig ipsec0 (relevant info only):
     ipsec0: flags=1008051<UP,POINTOPOINT,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 1400
     tunnel inet 1.2.3.4 --> 10.20.30.40
     inet 10.2.2.250 --> 10.1.1.254 netmask 0xffffff00
     reqid: 104


pf firewall entries are set to allow esp over that tunnel.

Now I want to route local IPv6 as well, *if* that is possible at all.

According to the manual for if_ipsec(4), that should be possible, if I understand the combination of "IPv4 and IPv6 traffic" and "over either IPv4 or IPv6" correctly (I am not a native English speaker):

https://man.freebsd.org/cgi/man.cgi?query=if_ipsec(4)

     It can tunnel IPv4 and IPv6 traffic over either IPv4 or IPv6 
     and secure it with ESP.

Sadly, that manual page doesn't provide an IPv6 example ...


All of my following attempts failed:

1) adding a second ipsec1 interface connecting the very same IPv4 endpoints:

     cloned_interfaces="ipsec0 ipsec1"
     static_routes="tunnel0 tunnel1"
     create_args_ipsec1="reqid 106"
     ifconfig_ipsec1="inet fd00:b:b:b::250 fd00:a:a:a::254 tunnel 1.2.3.4 10.20.30.40"
     route_tunnel1="fd00:a:a:a::/64 fd00:a:a:a::254"

  Error:

     route: bad address: fd00:a:a:a::

  ifconfig ipsec1:

     ipsec1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1400
     groups: ipsec
     reqid: 106

  Thus, no tunnel and no routing set.


2) as in 1), besides:

     route_tunnel1="fd00:a:a:a:: prefixlen 64 fd00:a:a:a::254"

   No success, same error regarding route.


3) as in 1), besides:

     ifconfig_ipsec1="inet fd00:b:b:b::250 fd00:a:a:a::254 tunnel 1.2.3.4 10.20.30.40"

   No success, same error regarding route.


4) setting the routing via route command:

     /sbin/route add -inet6 default -gateway fd00:a:a:a::254

   Error:

      add net default: gateway fd00:a:a:a::254 fib 0: Invalid argument


I am running out of ideas, and Google doesn't come up with relevant answers, at least not for me.

Any help, hints, documents are highly appreciated.

Thanks and regards,
Michael
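
An added rc.conf example, not part of Michael's post and not taken from the FreeBSD documentation verbatim. It assumes the setup from the post (ipsec0 with reqid 104, outer IPv4 endpoints 1.2.3.4 and 10.20.30.40, the fd00:b:b:b::/fd00:a:a:a:: inner addresses), that the remote side is configured as its mirror image with the same reqid, and that if_ipsec(4) installs security policies for both inner address families on one interface, as its man page text suggests. The two points it relies on from rc.conf(5) are that IPv6 interface settings go in ifconfig_<if>_ipv6 with a leading inet6 keyword, and that IPv6 static routes go in ipv6_static_routes / ipv6_route_<name>, which are added with route add -inet6; route_<name> under static_routes is added as an IPv4 route, which is why "fd00:a:a:a::" came back as a bad address:

```sh
# /etc/rc.conf fragment (added example, not from the original post).
# Assumed: FreeBSD with if_ipsec(4), one ipsec0 interface carrying both
# inner address families over the same outer IPv4 endpoints; the remote
# side mirrors this with its own addresses and reqid 104.

cloned_interfaces="ipsec0"
create_args_ipsec0="reqid 104"

# IPv4 inner addresses plus the outer tunnel endpoints, unchanged from the post.
ifconfig_ipsec0="inet 10.2.2.250 10.1.1.254 tunnel 1.2.3.4 10.20.30.40"
static_routes="tunnel0"
route_tunnel0="10.1.1.0/24 10.1.1.254"

# IPv6 inner addresses on the same interface. Two things differ from the
# failed attempts: the address-family keyword is inet6, not inet, and the
# IPv6 settings live in ifconfig_<if>_ipv6 (prefixlen 128 for a
# point-to-point link, as is usual for gif-style tunnels).
ifconfig_ipsec0_ipv6="inet6 fd00:b:b:b::250 fd00:a:a:a::254 prefixlen 128"

# IPv6 static routes use their own variables; these are installed with
# 'route add -inet6 ...' by rc, whereas route_<name> is a plain IPv4 route.
ipv6_static_routes="tunnel0v6"
ipv6_route_tunnel0v6="fd00:a:a:a::/64 fd00:a:a:a::254"
```

On a running system the equivalent by hand would be `ifconfig ipsec0 inet6 fd00:b:b:b::250 fd00:a:a:a::254 prefixlen 128` followed by `route add -inet6 fd00:a:a:a::/64 fd00:a:a:a::254`; my reading of attempt 4 is that it failed with EINVAL because the interface had no IPv6 address yet, so the gateway was not reachable. Two checks worth doing afterwards: `setkey -DP` should show tunnel-mode policies for the IPv6 wildcard (`::/0`) with `unique:104` next to the IPv4 ones, and the pf rules on ipsec0 need to pass inet6 as well as inet; the ESP rule on the outer interface can stay as it is, since the outer endpoints are still IPv4.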