OSPFv6 over IPsec VTIs



  • Sorry, not sure if this belongs here or in the IPv6 section. I have four sites/routers that I connect with IPsec tunnels that I run OSPF on. I want to do the same thing but with IPv6 and OSPFv6. I set up my first tunnel and the tunnel comes up fine. The issue is that when I turn on the OSPFv6, the routes propagate, then IPv6 between sites breaks. ICMP works fine but UDP/TCP doesn't. I think this has to do with my addressing on the tunnel. My plan was to just use link-local IPv6 addresses on the tunnel since I won't be addressing any of the routers by their tunnel IPs, but the interface didn't allow that. I then tried to add IPs in the link-local range and it accepted it, but I don't see my IPs used anywhere; it uses its own link-local IPs instead. Do I need public IPs on the tunnels? Something else?


  • Rebel Alliance Developer Netgate

    Try using IPv6 addresses in a reserved range (Somewhere inside the massive fc00::/7 private address space)

    Though technically OSPF6 can work using only link local addresses, they're already on the interface and would not need manual assignment.



  • That was the answer. I needed to switch from fe80:: to fc00::. I can't seem to create the VTI without assigning some IPv6. Is that a bug? It would be ideal to only use link-local addresses here.


  • Rebel Alliance Developer Netgate

    @MeCJay12 said in OSPFv6 over IPsec VTIs:

    That was the answer. I needed to switch from fe80:: to fc00::. I can't seem to create the VTI without assigning some IPv6. Is that a bug? It would be ideal to only use link-local addresses here.

    Manually assigning an IP address in the link local range seems wrong here, so I wouldn't call that a bug. The interfaces will have their own IPv6 link local addresses naturally, and those should work. So just define an IPv4 VTI P2 and make sure your rules on the IPsec tab pass both IPv4 and IPv6.

    I just tried on a VTI tunnel with only IPv4 configured and I can pass traffic across between IPv6 link locals:

    : ifconfig ipsec5000
    ipsec5000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
    	tunnel inet 198.51.100.7 --> 198.51.100.6
    	inet6 fe80::20c:29ff:fe5c:7250%ipsec5000 prefixlen 64 scopeid 0x9 
    	inet 10.6.106.2 --> 10.6.106.1 netmask 0xffffff00 
    	groups: ipsec 
    	reqid: 5000
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    
    : ifconfig ipsec4000
    ipsec4000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
    	tunnel inet 198.51.100.6 --> 198.51.100.7
    	inet6 fe80::20c:29ff:fe78:6e4e%ipsec4000 prefixlen 64 scopeid 0x8 
    	inet 10.6.106.1 --> 10.6.106.2 netmask 0xfffffffc 
    	groups: ipsec 
    	reqid: 4000
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    
    : ping -c 3 -S 10.6.106.2 10.6.106.1
    PING 10.6.106.1 (10.6.106.1) from 10.6.106.2: 56 data bytes
    64 bytes from 10.6.106.1: icmp_seq=0 ttl=64 time=0.871 ms
    64 bytes from 10.6.106.1: icmp_seq=1 ttl=64 time=0.972 ms
    64 bytes from 10.6.106.1: icmp_seq=2 ttl=64 time=1.212 ms
    
    --- 10.6.106.1 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.871/1.018/1.212/0.143 ms
    
    : ping6 -c 3 -S fe80::20c:29ff:fe5c:7250%ipsec5000 fe80::20c:29ff:fe78:6e4e
    PING6(56=40+8+8 bytes) fe80::20c:29ff:fe5c:7250%ipsec5000 --> fe80::20c:29ff:fe78:6e4e%ipsec5000
    16 bytes from fe80::20c:29ff:fe78:6e4e%ipsec5000, icmp_seq=0 hlim=64 time=0.974 ms
    16 bytes from fe80::20c:29ff:fe78:6e4e%ipsec5000, icmp_seq=1 hlim=64 time=1.193 ms
    16 bytes from fe80::20c:29ff:fe78:6e4e%ipsec5000, icmp_seq=2 hlim=64 time=0.972 ms
    
    --- fe80::20c:29ff:fe78:6e4e ping6 statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 0.972/1.046/1.193/0.104 ms
    

    I haven't tried OSPF6 on one yet (that particular lab pair doesn't have FRR on both ends), but I don't see any reason why it shouldn't work that way.
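A quick check of the VTI state shown above, added here as an example and not code from the thread or from pfSense: it parses ifconfig output of that shape and flags any VTI that lacks the kernel's auto link-local or carries an extra, manually added fe80:: address. The ipsec6000 block is a constructed sample; ipsec5000 is copied from the reply.

```python
import ipaddress
import re

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

# Constructed sample: ipsec5000 is the interface from the reply (kernel link-local only);
# ipsec6000 is hypothetical and also has a manually assigned fe80::1, as the OP tried.
SAMPLE = """\
ipsec5000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
\tinet6 fe80::20c:29ff:fe5c:7250%ipsec5000 prefixlen 64 scopeid 0x9
\tnd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ipsec6000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
\tinet6 fe80::1%ipsec6000 prefixlen 64 scopeid 0xa
\tinet6 fe80::20c:29ff:fe5c:7251%ipsec6000 prefixlen 64 scopeid 0xa
\tnd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
"""

def parse_ifconfig(text):
    """Group ifconfig output by interface: {name: {"inet6": [addrs], "nd6": [flags]}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+): flags=", line)
        if head:
            cur = ifaces.setdefault(head.group(1), {"inet6": [], "nd6": []})
            continue
        tok = line.split()
        if cur is None or not tok:
            continue
        if tok[0] == "inet6":
            cur["inet6"].append(ipaddress.IPv6Address(tok[1].split("%")[0]))  # drop %zone
        elif tok[0] == "nd6":
            opts = re.search(r"<([^>]*)>", line)
            cur["nd6"] = opts.group(1).split(",") if opts else []
    return ifaces

def check_vti(iface):
    """Findings for one VTI; an empty list means it is ready for link-local-only OSPFv6."""
    findings = []
    if "AUTO_LINKLOCAL" not in iface["nd6"]:
        findings.append("AUTO_LINKLOCAL missing: kernel will not create a fe80:: address")
    ll = [a for a in iface["inet6"] if a in LINK_LOCAL]
    if not ll:
        findings.append("no fe80:: address: OSPFv6 hellos have no source")
    elif len(ll) > 1:
        findings.append("several fe80:: addresses (%s): one was likely assigned manually"
                        % ", ".join(map(str, ll)))
    return findings

def audit(text, prefix="ipsec"):  # run check_vti over every ipsecNNNN interface
    return {n: check_vti(i) for n, i in parse_ifconfig(text).items() if n.startswith(prefix)}
```

Feed it the output of `ifconfig` on the firewall; a VTI that reports no findings is in the state the reply shows working.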



  • That's interesting. I didn't even try that because the docs say not to run IPv4 and IPv6 on the same IPsec with pfSense.

    Another interesting thing is that now that my traffic is passing and the two sides can talk, my connection got worse going across. SSH takes longer to connect, and when I type in a terminal it takes longer to show up. Even worse, the tunnel won't pass IPv6 for port 443.


  • Rebel Alliance Developer Netgate

    That was only true for IKEv1 tunnels. IKEv2 tunnels can carry both. And VTI is not really a "tunnel" but routed IPsec so it's different yet.

