Netgate Discussion Forum
    OSPFv6 over IPsec VTIs

MeCJay12:

Sorry, not sure if this belongs here or in the IPv6 section. I have four sites/routers that I connect with IPsec tunnels that I run OSPF on. I want to do the same thing but with IPv6 and OSPFv6. I set up my first tunnel and the tunnel comes up fine. The issue is that when I turn on OSPFv6, the routes propagate, then IPv6 between sites breaks. ICMP works fine but UDP/TCP doesn't. I think this has to do with my addressing on the tunnel. My plan was to just use link-local IPv6 addresses on the tunnel since I won't be addressing any of the routers by their tunnel IPs, but the interface didn't allow that. I then tried to add IPs in the link-local range and it accepted them, but I don't see my IPs used anywhere; it uses its own link-local IPs instead. Do I need public IPs on the tunnels? Something else?

jimp (Rebel Alliance Developer, Netgate):

Try using IPv6 addresses in a reserved range (somewhere inside the massive fc00::/7 private address space).

        Though technically OSPF6 can work using only link local addresses, they're already on the interface and would not need manual assignment.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

MeCJay12:

          That was the answer. I needed to switch from fe80:: to fc00::. I can't seem to create the VTI without assigning some IPv6. Is that a bug? It would be ideal to only use link-local addresses here.

jimp (Rebel Alliance Developer, Netgate) @MeCJay12:

            @MeCJay12 said in OSPFv6 over IPsec VTIs:

            That was the answer. I needed to switch from fe80:: to fc00::. I can't seem to create the VTI without assigning some IPv6. Is that a bug? It would be ideal to only use link-local addresses here.

            Manually assigning an IP address in the link local range seems wrong here, so I wouldn't call that a bug. The interfaces will have their own IPv6 link local addresses naturally, and those should work. So just define an IPv4 VTI P2 and make sure your rules on the IPsec tab pass both IPv4 and IPv6.

            I just tried on a VTI tunnel with only IPv4 configured and I can pass traffic across between IPv6 link locals:

            : ifconfig ipsec5000
            ipsec5000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
            	tunnel inet 198.51.100.7 --> 198.51.100.6
            	inet6 fe80::20c:29ff:fe5c:7250%ipsec5000 prefixlen 64 scopeid 0x9 
            	inet 10.6.106.2 --> 10.6.106.1 netmask 0xffffff00 
            	groups: ipsec 
            	reqid: 5000
            	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            
            : ifconfig ipsec4000
            ipsec4000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
            	tunnel inet 198.51.100.6 --> 198.51.100.7
            	inet6 fe80::20c:29ff:fe78:6e4e%ipsec4000 prefixlen 64 scopeid 0x8 
            	inet 10.6.106.1 --> 10.6.106.2 netmask 0xfffffffc 
            	groups: ipsec 
            	reqid: 4000
            	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            
            : ping -c 3 -S 10.6.106.2 10.6.106.1
            PING 10.6.106.1 (10.6.106.1) from 10.6.106.2: 56 data bytes
            64 bytes from 10.6.106.1: icmp_seq=0 ttl=64 time=0.871 ms
            64 bytes from 10.6.106.1: icmp_seq=1 ttl=64 time=0.972 ms
            64 bytes from 10.6.106.1: icmp_seq=2 ttl=64 time=1.212 ms
            
            --- 10.6.106.1 ping statistics ---
            3 packets transmitted, 3 packets received, 0.0% packet loss
            round-trip min/avg/max/stddev = 0.871/1.018/1.212/0.143 ms
            
            : ping6 -c 3 -S fe80::20c:29ff:fe5c:7250%ipsec5000 fe80::20c:29ff:fe78:6e4e
            PING6(56=40+8+8 bytes) fe80::20c:29ff:fe5c:7250%ipsec5000 --> fe80::20c:29ff:fe78:6e4e%ipsec5000
            16 bytes from fe80::20c:29ff:fe78:6e4e%ipsec5000, icmp_seq=0 hlim=64 time=0.974 ms
            16 bytes from fe80::20c:29ff:fe78:6e4e%ipsec5000, icmp_seq=1 hlim=64 time=1.193 ms
            16 bytes from fe80::20c:29ff:fe78:6e4e%ipsec5000, icmp_seq=2 hlim=64 time=0.972 ms
            
            --- fe80::20c:29ff:fe78:6e4e ping6 statistics ---
            3 packets transmitted, 3 packets received, 0.0% packet loss
            round-trip min/avg/max/std-dev = 0.972/1.046/1.193/0.104 ms
            

            I haven't tried OSPF6 on one yet (that particular lab pair doesn't have FRR on both ends), but I don't see any reason why it shouldn't work that way.

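As an added check (not code from this thread or from pfSense), here is a small Python parser for the FreeBSD ifconfig output jimp posted: it confirms a VTI has an auto-generated link-local address and flags the extra, manually assigned fe80 address the thread says to avoid. The sample input is a constructed copy of the ipsec5000 block above.

```python
import ipaddress
import re

# Constructed sample: the ipsec5000 block from the ifconfig output in this thread.
SAMPLE_IFCONFIG = """\
ipsec5000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
\ttunnel inet 198.51.100.7 --> 198.51.100.6
\tinet6 fe80::20c:29ff:fe5c:7250%ipsec5000 prefixlen 64 scopeid 0x9
\tinet 10.6.106.2 --> 10.6.106.1 netmask 0xffffff00
\tgroups: ipsec
\treqid: 5000
\tnd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
"""


def parse_vti(text):
    """Parse one FreeBSD ifconfig block for an ipsec VTI into a dict."""
    info = {"name": None, "tunnel": None, "inet6": [], "auto_linklocal": False}
    for line in text.splitlines():
        m = re.match(r"^(\S+): flags=", line)
        if m:
            info["name"] = m.group(1)
            continue
        line = line.strip()
        if line.startswith("tunnel inet "):
            _, _, src, _, dst = line.split()
            info["tunnel"] = (src, dst)
        elif line.startswith("inet6 "):
            # Drop the %zone suffix before parsing the address.
            addr = line.split()[1].split("%")[0]
            info["inet6"].append(ipaddress.IPv6Address(addr))
        elif line.startswith("nd6 options=") and "AUTO_LINKLOCAL" in line:
            info["auto_linklocal"] = True
    return info


def ospf6_readiness(info):
    """Return findings; an empty list means the VTI can carry OSPFv6 on its
    kernel-generated link-local address, as described in the thread."""
    findings = []
    if not info["auto_linklocal"]:
        findings.append(f"{info['name']}: AUTO_LINKLOCAL is not set")
    linklocal = [a for a in info["inet6"] if a.is_link_local]
    if not linklocal:
        findings.append(f"{info['name']}: no fe80::/10 address present")
    elif len(linklocal) > 1:
        # A second fe80 address means one was assigned by hand.
        findings.append(f"{info['name']}: manual link-local assignment detected")
    return findings
```

Any non-link-local address the check sees (for example a ULA from fc00::/7) is left alone, since that is the other working configuration the thread describes.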
MeCJay12:

That's interesting. I didn't even try that because the docs say not to run IPv4 and IPv6 on the same IPsec with pfSense.

Another interesting thing is that now that my traffic is passing and the two sides can talk, my connection got worse going across. SSH takes longer to connect, and when I type in a terminal it takes longer to show up. Even worse, the tunnel won't pass IPv6 for port 443.

jimp (Rebel Alliance Developer, Netgate):

                That was only true for IKEv1 tunnels. IKEv2 tunnels can carry both. And VTI is not really a "tunnel" but routed IPsec so it's different yet.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.