[ipv6-wg] IPv6 ipsec tunnel server on linux server
Thomas Schäfer
thomas at cis.uni-muenchen.de
Tue Nov 6 15:25:14 CET 2018
On 05.11.18 at 11:39, Michael Hock wrote:
> Hello,
>
> I'm trying to set up an ipsec server on a linux machine. The
> connection between clients and server should be IPv6 only but also
> needs to transport IPv4 packets.
> However, the linux kernel doesn't seem to support a feature which is
> required to transport IPv4 packets within an IPv6 ipsec connection, as
> shown here:
> https://wiki.strongswan.org/issues/939
>
> Does maybe one of you know how to transport IPv4 packets in an IPv6
> ipsec connection, or do we need to wait for the linux kernel to
> support this feature? Because this stops me from switching to IPv6
> ipsec connections and I would like to reduce the usage of IPv4 as much
> as possible ...
>

I am not sure if I understand you correctly.

I am also not very familiar with ipsec and with strongswan. They are on my long to-do list... for rainy days.

I also know there are a thousand kinds of "ipsec".

I found a very old script (2013). Some people told me this kind of ipsec may be obsolete already.

But it makes two things clear to me: you can use ipsec IPv6 as transport with payload IPv4 or IPv4/IPv6.

https://gist.github.com/vi/5628320

allows only IPv4 payload; with a little bit of rewriting I have got dual stack payload over IPv6. (tested between my work place and my home ISP)

I am not sure if it helps you. But I don't see limitations by Linux at the moment. (ok, I did not speak about dual stack transport, but in the worst case you can use different instances for that)

Regards,
Thomas

-------------- next part --------------
--- simplevpn 2013-05-22 17:54:10.000000000 +0200 +++ simplevpn-n 2018-11-06 14:53:13.679887350 +0100 @@ -23,7 +23,7 @@ if [ "$1" == "-6" ]; then shift; - MODE=ipip6 + MODE=any PROT="-6" fi @@ -41,6 +41,8 @@ true ${LOCALIP:="192.168.77.1"} true ${REMOTEIP:="192.168.77.2"} +true ${LOCALIP6:="fd00:1::1"} +true ${REMOTEIP6:="fd00:1::2"} true ${DEVNAME:="simplevpn"} # 4 is encapsulated IPv4 both in IPv4 an IPv6 
@@ -62,7 +64,8 @@ ip link set $DEVNAME up ip -4 addr add $LOCALIP/32 dev $DEVNAME ip -4 route add $REMOTEIP/32 dev $DEVNAME - +ip -6 addr add $LOCALIP6/128 dev $DEVNAME +ip -6 route add $REMOTEIP6/128 dev $DEVNAME "$@" << EOF set -e @@ -85,4 +88,6 @@ ip link set $DEVNAME up ip -4 addr add $REMOTEIP/32 dev $DEVNAME ip -4 route add $LOCALIP/32 dev $DEVNAME + ip -6 addr add $REMOTEIP6/128 dev $DEVNAME + ip -6 route add $LOCALIP6/128 dev $DEVNAME EOF \ Kein Zeilenumbruch am Dateiende.
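Review bot: In the first hunk (@@ -23,7), changing the -6 branch from MODE=ipip6 to MODE=any means the tunnel no longer carries only IPv4-in-IPv6 but IPv6-in-IPv6 as well, yet the context of the next hunk still has the comment "# 4 is encapsulated IPv4 both in IPv4 an IPv6" and nothing after that comment is touched. If the protocol value set there is what the IPsec selector matches on, encapsulated IPv6 (protocol 41) is not covered by it, so please confirm that inner IPv6 traffic is matched by the policy and cannot leave the host unencrypted, and update the comment either way.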
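Review bot: In the second hunk (@@ -41,6), the new defaults LOCALIP6="fd00:1::1" and REMOTEIP6="fd00:1::2" use a hand-picked ULA prefix, whereas RFC 4193 expects a randomly generated 40-bit global ID so that two sites do not end up with the same prefix. The variables are overridable in the same way as LOCALIP and REMOTEIP, so a short comment that names them and recommends a generated prefix would be enough.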
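Review bot: In the third hunk (@@ -62,7), the added ip -6 addr add and ip -6 route add lines run on every invocation, while MODE=any is set only inside the if [ "$1" == "-6" ] branch of the first hunk. Without -6 the device keeps whatever mode the script uses by default, so the IPv6 address and route may be configured on a tunnel that does not carry IPv6 payload; guard these lines, and the mirrored pair inside the heredoc in the last hunk, on the same option or set a suitable mode for both cases. The hunk also removes the blank line that separated the local setup from the "$@" << EOF remote part, which is worth keeping for readability.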