02-08-2011, 11:12 AM
Steve Clark

ipsec with ipv4 and ipv6 not working

Hello,

How do I find out what is happening to my packets thru my ipsec tunnel? They just seem to disappear on the remote side.

I have successfully got the pings thru when everything has an ipv6 address, but am not successful when trying to connect two ipv4 lans across an ipv6 ipsec tunnel. All fw chains both 4 and 6 are set to ACCEPT. NAT is turned off.

eth0              eth1                                            eth1                  eth0
10.1.254.254/17   2001:xxxx:1628::254  <----ipv6 internet ----->  2001:xxxx:e334::254   10.0.254.254/17

12:00:02.296972 IP6 2001:xxxx:1628::254 > 2001:xxxx:e334::254: ESP(spi=0x07454bc3,seq=0x28b), length 132
12:00:03.308751 IP6 2001:xxxx:1628::254 > 2001:xxxx:e334::254: ESP(spi=0x07454bc3,seq=0x28c), length 132
12:00:04.296857 IP6 2001:xxxx:1628::254 > 2001:xxxx:e334::254: ESP(spi=0x07454bc3,seq=0x28d), length 132
12:00:05.293748 IP6 2001:xxxx:1628::254 > 2001:xxxx:e334::254: ESP(spi=0x07454bc3,seq=0x28e), length 132
12:00:06.296623 IP6 2001:xxxx:1628::254 > 2001:xxxx:e334::254: ESP(spi=0x07454bc3,seq=0x28f), length 132

I have posted to the ipsec-devel list and haven't gotten any responses. Also I have spent 2 days googling with no results about the above setup. Is it even possible to tunnel ipv4 packet thru an ipv6 ipsec tunnel?

Thanks,
Steve

--

"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)



_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
02-08-2011, 09:54 PM
Drew

ipsec with ipv4 and ipv6 not working

> I have posted to the ipsec-devel list and haven't gotten any responses. Also I
> have spent 2 days googling with
> no results about the above setup. Is it even possible to tunnel ipv4 packet thru
> an ipv6 ipsec tunnel?

AFAIK, No.

IPv4 & IPv6 are different protocols so if you want to move IPv6
traffic over an IPv4 IPSEC tunnel you need to encapsulate the IPv6
payload within IPv4 packets. The reverse is also true of IPv4 over
IPv6.

This is why tunnel brokers like Freenet6 & Teredo exist, you can't
push IPv6 traffic out across an IPv4 only network without tunneling.


--
Drew

"Nothing in life is to be feared. It is only to be understood."
--Marie Curie
 
02-09-2011, 10:47 AM
Steve Clark

ipsec with ipv4 and ipv6 not working

On 02/08/2011 05:54 PM, Drew wrote:


> > I have posted to the ipsec-devel list and haven't gotten any responses. Also I
> > have spent 2 days googling with
> > no results about the above setup. Is it even possible to tunnel ipv4 packet thru
> > an ipv6 ipsec tunnel?
>
> AFAIK, No.
>
> IPv4 & IPv6 are different protocols so if you want to move IPv6
> traffic over an IPv4 IPSEC tunnel you need to encapsulate the IPv6
> payload within IPv4 packets. The reverse is also true of IPv4 over
> IPv6.
>
> This is why tunnel brokers like Freenet6 & Teredo exist, you can't
> push IPv6 traffic out across an IPv4 only network without tunneling.




Hi Drew,

Thanks for taking the time to respond. I understand they are different. I want to tunnel ipv4 in an ipv6 ipsec tunnel. Ipsec-tools lets me configure the tunnels and establishes the SAs but packets get dropped on the receiving side. I am able to create a 4in6 tunnel that rides inside a strict ipv6 ipsec tunnel so I have a workaround.

I am mainly trying to see if anyone has gotten what I described in my initial post to work.



--
Stephen Clark
NetWolves
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark@netwolves.com
http://www.netwolves.com




 
02-09-2011, 11:14 PM
"Michael H. Warfield"

ipsec with ipv4 and ipv6 not working

On Tue, 2011-02-08 at 14:54 -0800, Drew wrote:
> > I have posted to the ipsec-devel list and haven't gotten any responses. Also I
> > have spent 2 days googling with
> > no results about the above setup. Is it even possible to tunnel ipv4 packet thru
> > an ipv6 ipsec tunnel?

> AFAIK, No.

It's probably a major "it depends".

> IPv4 & IPv6 are different protocols so if you want to move IPv6
> traffic over an IPv4 IPSEC tunnel you need to encapsulate the IPv6
> payload within IPv4 packets. The reverse is also true of IPv4 over
> IPv6.

1) That's not true of IPSec tunnels (transport mode is a totally
different question). The ESP encapsulation itself contains the IP
headers and can support it.

2) IKE, the key exchange and setup daemons, is a different matter.
AFAIK, it is not possible with IKEv1. Paul and I discussed that over on
the Openswan list some time ago. Basically, you can't negotiate the key
exchange. IKEv2 is a different story. StrongSWAN supports IPv6 over
IPv4 in an IPSec tunnel. I'm not currently sure about Openswan or
Racoon (IPsec Tools).

3) In the case of IPv4 over IPv4, IPsec itself should handle it.
Whether the keying daemons currently support the syntax is a question
and it will most certainly have to be IKEv2.

> This is why tunnel brokers like Freenet6 & Teredo exist, you can't
> push IPv6 traffic out across an IPv4 only network without tunneling.

But, IPsec is a tunnel. At least it has a "tunnel mode" (and I advise
against transport mode in any case).

Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com
//|=mhw=|// | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
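
Added example, not part of any post in this thread: point 1 of the reply above rests on the tunnel-mode ESP layout (RFC 4303), where the inner packet's family is given by the Next Header byte in the encrypted trailer (4 for IPv4, 41 for IPv6), whatever the outer header is. The Python below builds and parses that decrypted payload for a constructed IPv4 ping between the two LAN addresses from the first post. The AES-CBC and HMAC-SHA1-96 sizes in `esp_wire_length` are assumptions the thread does not state; under them an 84-byte IPv4 ping gives the 132-byte ESP length shown in the capture.

```python
import ipaddress
import struct

INNER_FAMILY = {4: "IPv4", 41: "IPv6"}  # IANA protocol numbers used in the ESP trailer

def build_esp_plaintext(inner: bytes, next_header: int, block: int = 16) -> bytes:
    """RFC 4303 tunnel-mode plaintext: inner packet | padding | pad length | next header."""
    pad_len = -(len(inner) + 2) % block
    return inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])

def parse_esp_plaintext(plaintext: bytes):
    """Return (family, src, dst) of the inner packet in a decrypted ESP payload."""
    if len(plaintext) < 2:
        raise ValueError("too short for an ESP trailer")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header not in INNER_FAMILY:
        raise ValueError(f"next header {next_header} is not a tunnelled IP packet")
    if pad_len + 2 > len(plaintext):
        raise ValueError("pad length exceeds payload")
    inner = plaintext[: len(plaintext) - 2 - pad_len]
    # (minimum header length, offset of source address, address size, IP version)
    min_len, off, size, ver = (20, 12, 4, 4) if next_header == 4 else (40, 8, 16, 6)
    if len(inner) < min_len or inner[0] >> 4 != ver:
        raise ValueError("inner header does not match the trailer's next header")
    src = ipaddress.ip_address(inner[off : off + size])
    dst = ipaddress.ip_address(inner[off + size : off + 2 * size])
    return INNER_FAMILY[next_header], str(src), str(dst)

def esp_wire_length(inner_len: int, iv: int = 16, icv: int = 12, block: int = 16) -> int:
    """ESP bytes on the wire: SPI+seq (8) | IV | padded plaintext | ICV.
    Defaults assume AES-CBC with HMAC-SHA1-96 (an assumption, not from the thread)."""
    padded = inner_len + 2 + (-(inner_len + 2) % block)
    return 8 + iv + padded + icv

# Constructed sample: 84-byte IPv4 ICMP echo between the LAN addresses in the
# first post (header checksum left at 0, ICMP body zero-filled).
INNER_V4_PING = struct.pack(
    "!BBHHHBBH4s4s", 0x45, 0, 84, 0, 0, 64, 1, 0,
    ipaddress.ip_address("10.1.254.254").packed,
    ipaddress.ip_address("10.0.254.254").packed,
) + bytes(64)

if __name__ == "__main__":
    pt = build_esp_plaintext(INNER_V4_PING, 4)
    print(parse_esp_plaintext(pt))              # inner family, independent of the IPv6 outer header
    print(esp_wire_length(len(INNER_V4_PING)))  # ESP length under the assumed ciphers
```
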
 
02-10-2011, 10:47 AM
Steve Clark

ipsec with ipv4 and ipv6 not working

On 02/09/2011 07:14 PM, Michael H. Warfield wrote:

> On Tue, 2011-02-08 at 14:54 -0800, Drew wrote:
> > > I have posted to the ipsec-devel list and haven't gotten any responses. Also I
> > > have spent 2 days googling with
> > > no results about the above setup. Is it even possible to tunnel ipv4 packet thru
> > > an ipv6 ipsec tunnel?
>
> > AFAIK, No.
>
> It's probably a major "it depends".
>
> > IPv4 & IPv6 are different protocols so if you want to move IPv6
> > traffic over an IPv4 IPSEC tunnel you need to encapsulate the IPv6
> > payload within IPv4 packets. The reverse is also true of IPv4 over
> > IPv6.
>
> 1) That's not true of IPSec tunnels (transport mode is a totally
> different question). The ESP encapsulation itself contains the IP
> headers and can support it.
>
> 2) IKE, the key exchange and setup daemons, is a different matter.
> AFAIK, it is not possible with IKEv1. Paul and I discussed that over on
> the Openswan list some time ago. Basically, you can't negotiate the key
> exchange. IKEv2 is a different story. StrongSWAN supports IPv6 over
> IPv4 in an IPSec tunnel. I'm not currently sure about Openswan or
> Racoon (IPsec Tools).
>
> 3) In the case of IPv4 over IPv4, IPsec itself should handle it.
> Whether the keying daemons currently support the syntax is a question
> and it will most certainly have to be IKEv2.
>
> > This is why tunnel brokers like Freenet6 & Teredo exist, you can't
> > push IPv6 traffic out across an IPv4 only network without tunneling.
>
> But, IPsec is a tunnel. At least it has a "tunnel mode" (and I advise
> against transport mode in any case).
>
> Regards,
> Mike




Thanks for the response Mike. By creating an ipv6<->ipv6 ipsec tunnel and then running an ipip6 tunnel inside of it I can get the ipv4 packets thru no problem. But alas I am trying to use ospf and multicast doesn't seem to work correctly. The multicast ipv4 packets reach the other side, I can see the unencrypted Hello packets by tcpdumping the 4in6 tunnel but ospfd doesn't see them.

--
Stephen Clark
NetWolves
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark@netwolves.com
http://www.netwolves.com




All times are GMT.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org