OSPFv6 over IPsec VTIs
-
Sorry, not sure if this belongs here or in the IPv6 section. I have four sites/routers that I connect with IPsec tunnels that I run OSPF on. I want to do the same thing but with IPv6 and OSPFv6. I set up my first tunnel and the tunnel comes up fine. The issue is that when I turn on OSPFv6, the routes propagate, then IPv6 between sites breaks. ICMP works fine but UDP/TCP doesn't. I think this has to do with my addressing on the tunnel. My plan was to just use link-local IPv6 addresses on the tunnel since I won't be addressing any of the routers by their tunnel IPs, but the interface didn't allow that. I then tried to add IPs in the link-local range and it accepted it, but I don't see my IPs used anywhere; it uses its own link-local IPs instead. Do I need public IPs on the tunnels? Something else?
-
Try using IPv6 addresses in a reserved range (somewhere inside the massive fc00::/7 private address space). Though technically OSPF6 can work using only link-local addresses, they're already on the interface and would not need manual assignment.
-
That was the answer. I needed to switch from fe80:: to fc00::. I can't seem to create the VTI without assigning some IPv6. Is that a bug? It would be ideal to only use link-local addresses here.
-
@MeCJay12 said in OSPFv6 over IPsec VTIs:
That was the answer. I needed to switch from fe80:: to fc00::. I can't seem to create the VTI without assigning some IPv6. Is that a bug? It would be ideal to only use link-local addresses here.
Manually assigning an IP address in the link local range seems wrong here, so I wouldn't call that a bug. The interfaces will have their own IPv6 link local addresses naturally, and those should work. So just define an IPv4 VTI P2 and make sure your rules on the IPsec tab pass both IPv4 and IPv6.
I just tried on a VTI tunnel with only IPv4 configured and I can pass traffic across between IPv6 link locals:
: ifconfig ipsec5000
ipsec5000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
	tunnel inet 198.51.100.7 --> 198.51.100.6
	inet6 fe80::20c:29ff:fe5c:7250%ipsec5000 prefixlen 64 scopeid 0x9
	inet 10.6.106.2 --> 10.6.106.1 netmask 0xffffff00
	groups: ipsec
	reqid: 5000
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

: ifconfig ipsec4000
ipsec4000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
	tunnel inet 198.51.100.6 --> 198.51.100.7
	inet6 fe80::20c:29ff:fe78:6e4e%ipsec4000 prefixlen 64 scopeid 0x8
	inet 10.6.106.1 --> 10.6.106.2 netmask 0xfffffffc
	groups: ipsec
	reqid: 4000
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

: ping -c 3 -S 10.6.106.2 10.6.106.1
PING 10.6.106.1 (10.6.106.1) from 10.6.106.2: 56 data bytes
64 bytes from 10.6.106.1: icmp_seq=0 ttl=64 time=0.871 ms
64 bytes from 10.6.106.1: icmp_seq=1 ttl=64 time=0.972 ms
64 bytes from 10.6.106.1: icmp_seq=2 ttl=64 time=1.212 ms

--- 10.6.106.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.871/1.018/1.212/0.143 ms

: ping6 -c 3 -S fe80::20c:29ff:fe5c:7250%ipsec5000 fe80::20c:29ff:fe78:6e4e
PING6(56=40+8+8 bytes) fe80::20c:29ff:fe5c:7250%ipsec5000 --> fe80::20c:29ff:fe78:6e4e%ipsec5000
16 bytes from fe80::20c:29ff:fe78:6e4e%ipsec5000, icmp_seq=0 hlim=64 time=0.974 ms
16 bytes from fe80::20c:29ff:fe78:6e4e%ipsec5000, icmp_seq=1 hlim=64 time=1.193 ms
16 bytes from fe80::20c:29ff:fe78:6e4e%ipsec5000, icmp_seq=2 hlim=64 time=0.972 ms

--- fe80::20c:29ff:fe78:6e4e ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.972/1.046/1.193/0.104 ms
I haven't tried OSPF6 on one yet (that particular lab pair doesn't have FRR on both ends), but I don't see any reason why it shouldn't work that way.
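Added example (not code from the thread, pfSense or FRR): a small parser for the BSD-style ifconfig output shown above that labels each IPv6 address on a VTI as link-local (fe80::/10, the addresses OSPFv3 uses for adjacencies and next hops, which is why the thread's manually assigned fe80:: addresses never showed up in the routing), ULA (fc00::/7, the range suggested earlier) or global. The sample text reuses the two ipsec interfaces from the post; the fd00:db8:1::1 line on ipsec4000 is constructed to show a ULA alongside the auto-configured link-local.

```python
"""Classify the IPv6 addresses ifconfig reports on IPsec VTI interfaces."""
import ipaddress
import re

# Constructed sample: the ipsec5000/ipsec4000 blocks follow the thread's
# output; the fd00:db8:1::1 ULA on ipsec4000 is added for illustration.
SAMPLE = """\
ipsec5000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
\ttunnel inet 198.51.100.7 --> 198.51.100.6
\tinet6 fe80::20c:29ff:fe5c:7250%ipsec5000 prefixlen 64 scopeid 0x9
\tinet 10.6.106.2 --> 10.6.106.1 netmask 0xffffff00
\tgroups: ipsec
\treqid: 5000
\tnd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ipsec4000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
\ttunnel inet 198.51.100.6 --> 198.51.100.7
\tinet6 fe80::20c:29ff:fe78:6e4e%ipsec4000 prefixlen 64 scopeid 0x8
\tinet6 fd00:db8:1::1 prefixlen 64
\tinet 10.6.106.1 --> 10.6.106.2 netmask 0xfffffffc
\tgroups: ipsec
\treqid: 4000
\tnd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
"""

# Interface header: "<name>: flags=... metric N mtu N"
IFACE_RE = re.compile(r"^(\S+): flags=\S+ metric \d+ mtu (\d+)")
# Address line: "inet6 <addr>[%zone] prefixlen N ..."
INET6_RE = re.compile(r"^\s+inet6 ([0-9a-f:]+)(?:%(\S+))? prefixlen (\d+)")


def parse_ifconfig(text):
    """Return {iface: {"mtu": int, "inet6": [(addr, zone, prefixlen), ...]}}."""
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"mtu": int(m.group(2)), "inet6": []}
            continue
        m = INET6_RE.match(line)
        if m and current is not None:
            addr, zone, plen = m.group(1), m.group(2), int(m.group(3))
            result[current]["inet6"].append((addr, zone, plen))
    return result


def classify(addr):
    """Label an IPv6 address by the role it can play on the tunnel."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:                          # fe80::/10
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):   # unique local addresses
        return "ula"
    if a.is_global:
        return "global"
    return "other"


def summarize(text):
    """Map each interface to the sorted set of address classes on it."""
    return {
        iface: sorted({classify(addr) for addr, _zone, _plen in info["inet6"]})
        for iface, info in parse_ifconfig(text).items()
    }


def ospf6_ready(text):
    """Interfaces carrying a link-local address, the minimum OSPFv3 needs."""
    return [
        iface
        for iface, info in parse_ifconfig(text).items()
        if any(classify(a) == "link-local" for a, _zone, _plen in info["inet6"])
    ]


if __name__ == "__main__":
    for iface, classes in summarize(SAMPLE).items():
        print(iface, classes)
    print("OSPFv3-capable:", ospf6_ready(SAMPLE))
```

Both VTIs already carry an auto-configured link-local address (nd6 AUTO_LINKLOCAL), so they qualify for OSPFv3 adjacencies without any manual address; the ULA is only needed when something must reach the router by its tunnel address.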
-
That's interesting. I didn't even try that because the docs say not to run IPv4 and IPv6 on the same IPsec with pfSense.
Another interesting thing is that now that my traffic is passing and the two sides can talk, my connection got worse going across. SSH takes longer to connect and when I type in a terminal it takes longer to show up. Even worse, the tunnel won't pass IPv6 for port 443.
-
That was only true for IKEv1 tunnels. IKEv2 tunnels can carry both. And VTI is not really a "tunnel" but routed IPsec so it's different yet.