IPv6 over an IPsec tunnel
xenophon+freebsd
xenophon+freebsd at irtnog.org
Wed Feb 13 06:45:38 UTC 2013
I'm trying to run an IPsec tunnel between a Linux router and a FreeBSD
router, but the FreeBSD router isn't passing any of the IPv6 traffic
(IPv4 works perfectly). I have the following in /etc/ipsec.conf:
spdadd 10.1.0.0/21 10.2.2.0/24 any -P out ipsec
esp/tunnel/192.0.2.1-192.0.2.2/require ;
spdadd 10.2.2.0/24 10.1.0.0/21 any -P in ipsec
esp/tunnel/192.0.2.2-192.0.2.1/require ;
spdadd 2001:1:1::/48 2001:2:2:2::/64 any -P out ipsec
esp/tunnel/192.0.2.1-192.0.2.2/require ;
spdadd 2001:2:2:2::/64 2001:1:1::/48 any -P in ipsec
esp/tunnel/192.0.2.2-192.0.2.1/require ;
When I try to ping an IPv6 host through the tunnel in either direction,
I'm seeing the packet on the FreeBSD router's enc0 device, but I get the
following error on the FreeBSD router's console:
ipsec6_output_tunnel: family mismatched between inner and outer,
spi=49961579
ip6_output (ipsec): error code 47
I found the error message in src/sys/netipsec/ipsec_output.c (r245225,
line 833). I guess that I assumed that one could tunnel IPv6 over an
IPv4 IPsec tunnel. Is this not the case? Will I have to encapsulate
the IPv6 traffic in an IPIP or GRE tunnel? I don't want to build an
IPv6 IPsec tunnel, because I connect to the IPv6 Internet through a
tunnel broker. The latency and encapsulation overhead would be too much
for my purposes.
I noticed a PR by someone who got the same error message:
http://www.freebsd.org/cgi/query-pr.cgi?pr=147894&cat=kern
--
I FIGHT FOR THE USERS
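As an added illustration (not part of the post above, and not FreeBSD or setkey code), the following Python lint parses setkey-style spdadd policies like the ones in the post and flags every entry whose inner selector address family differs from the outer tunnel endpoint family, which is the condition the quoted ipsec6_output_tunnel message reports. The sample configuration is constructed from the post; the assumption is that the kernel in question only accepts tunnel-mode policies whose inner and outer families match, as the error text indicates.

```python
import ipaddress
import re

# Constructed sample: the four SPD entries quoted in the post.
SAMPLE_CONF = """
spdadd 10.1.0.0/21 10.2.2.0/24 any -P out ipsec
esp/tunnel/192.0.2.1-192.0.2.2/require ;
spdadd 10.2.2.0/24 10.1.0.0/21 any -P in ipsec
esp/tunnel/192.0.2.2-192.0.2.1/require ;
spdadd 2001:1:1::/48 2001:2:2:2::/64 any -P out ipsec
esp/tunnel/192.0.2.1-192.0.2.2/require ;
spdadd 2001:2:2:2::/64 2001:1:1::/48 any -P in ipsec
esp/tunnel/192.0.2.2-192.0.2.1/require ;
"""

# Matches: spdadd <src> <dst> <upperspec> -P <dir> ipsec <proto>/tunnel/<a>-<b>/<level>
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(\w+)/tunnel/([^-\s]+)-([^/\s]+)/(\w+)"
)


def parse_spd(text):
    """Return one dict per tunnel-mode spdadd entry found in the text."""
    entries = []
    # setkey statements end with ';' and may span lines, so split on ';'
    # and collapse whitespace before matching.
    for stmt in text.split(";"):
        m = SPDADD_RE.search(" ".join(stmt.split()))
        if not m:
            continue
        src, dst, _upper, direction, _proto, t_src, t_dst, _level = m.groups()
        entries.append({
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst),
            "dir": direction,
            "t_src": ipaddress.ip_address(t_src),
            "t_dst": ipaddress.ip_address(t_dst),
        })
    return entries


def family_mismatches(entries):
    """Entries whose inner selectors and outer tunnel endpoints differ in IP version."""
    bad = []
    for e in entries:
        inner = {e["src"].version, e["dst"].version}
        outer = {e["t_src"].version, e["t_dst"].version}
        # Assumed kernel rule: a single family inside, the same family outside.
        if len(inner) != 1 or len(outer) != 1 or inner != outer:
            bad.append(e)
    return bad
```

Running family_mismatches(parse_spd(SAMPLE_CONF)) on the post's configuration reports the two IPv6 policies, i.e. exactly the entries the kernel refused.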