Netgate Discussion Forum

IPv6 via IPSec
• JKnott @b_chris

@b_chris said in IPv6 via IPSec:

> I'd like to enable IPv6 for my IPSec tunnel (IPv4 is already working fine).
> I added a virtual address pool for IPv6: fd00:1:1:2::/64

I haven't set up IPSec on pfSense, but with OpenVPN one tunnel can carry both IPv4 and IPv6. Does that work with IPSec too?

BTW, those ULA are like RFC1918 addresses on IPv4. They don't work across the Internet. As for your prefix changing, have you checked Do not allow PD/Address release on the WAN page? Also, does your WAN address change? That's what you should be using for the VPN end point, if you can.

pfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

• JKnott @MMapplebeck

@mmapplebeck said in IPv6 via IPSec:

> ULA can only be used for local communications, nothing will go external

It cannot go over the public Internet. Beyond that, it can go anywhere over private networks, just like RFC1918 addresses on IPv4.

> IPv6 does not have NAT functionality like IPv4 does

Fortunately. Actually, it may be possible, but it's still a bad idea.

• b_chris @Derelict

@derelict
Thanks for your suggestions.
First: My DUID is configured to "Raw DUID" and I don't have RAM disk activated (also the pfSense box doesn't restart between those reconnects), therefore as far as I understand my config should lead to the same prefix. I already had contact with my provider, but their interpretation is: This is a "feature". I should go with a business contract to keep the prefix.

Back to topic: May I ask how the NPt settings need to be configured in detail? I assume the following:
Interface: IPSec
Internal IPv6 prefix: not checked
Address: fd00:1:1:2::/64 (the ULA prefix for IPSec)
Destination IPv6 prefix: not checked
Address: That's probably my current WAN prefix.

Unfortunately that doesn't work. When trying to ping from an IPSec client to e.g. pfSense via ping6 I get a timeout. Firewall rules (very basic) should allow the ping.

Thanks

• b_chris @b_chris

General clarification: You all are right, direct communication from a "ULA client" to the public internet is of course not possible.
My main use case would be to communicate via IPv6 with devices within my network that are IPv6-only.

• MikeV7896 @b_chris

@b_chris Just a note about using ULA addresses... RFC 4193 recommends that you use a more randomized prefix for a ULA network, because if you were to VPN to another network that uses IPv6 ULA and the prefix happened to be the same, you could have connectivity issues.

The recommended way to generate your ULA prefix is to use the current timestamp + a MAC address, hash it with SHA1 and use the lower 40 bits of the result for your prefix. Here's a link to a page that will ask for a MAC address, then do the rest of the work for you.

https://cd34.com/rfc4193/

Here's another that just randomly generates one (this one also generates a subnet ID, though if you have multiple networks, they should all use the same global ID and different subnet IDs)...

https://simpledns.plus/private-ipv6

This way the likelihood of you using the same ULA address range as someone else is highly unlikely.

The S in IOT stands for Security

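A worked version of the RFC 4193 recipe described above, as an added example that is not from this thread or from either linked generator: SHA-1 over the NTP-format timestamp concatenated with an EUI-64 built from a MAC, the low 40 bits become the Global ID, and each network then gets its own 16-bit Subnet ID under the same /48. The MAC address in the usage block is a constructed sample value, and the EUI-64 is built by inserting ff:fe without flipping the u/L bit (an assumption; the value only seeds the hash).

```python
import hashlib
import ipaddress
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01)
NTP_EPOCH_OFFSET = 2208988800


def ntp_timestamp(unix_time):
    """Step 1: 64-bit NTP format, 32-bit seconds since 1900 plus a 32-bit fraction."""
    whole = int(unix_time)
    fraction = int((unix_time - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, fraction & 0xFFFFFFFF)


def eui64_from_mac(mac):
    """Step 2: expand a 48-bit MAC to an EUI-64 by inserting ff:fe in the middle.
    Assumption: the u/L bit is left untouched, since the value only seeds the hash."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return octets[:3] + b"\xff\xfe" + octets[3:]


def rfc4193_global_id(mac, unix_time):
    """Steps 3-5: SHA-1 over (timestamp || EUI-64), keep the least significant 40 bits."""
    key = ntp_timestamp(unix_time) + eui64_from_mac(mac)  # 16-byte key
    digest = hashlib.sha1(key).digest()
    return int.from_bytes(digest[-5:], "big")


def rfc4193_prefix(mac, unix_time=None):
    """Step 6: fc00::/7 with the L bit set (fd00::/8) followed by the Global ID gives a /48."""
    if unix_time is None:
        unix_time = time.time()
    global_id = rfc4193_global_id(mac, unix_time)
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def ula_subnet(prefix, subnet_id):
    """Each network keeps the same Global ID and gets its own 16-bit Subnet ID (a /64)."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 ULA prefix and a 16-bit subnet ID")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


if __name__ == "__main__":
    # Constructed sample MAC; a real run uses the generating host's own MAC and the current time.
    prefix = rfc4193_prefix("00:11:22:33:44:55")
    print(prefix, ula_subnet(prefix, 1), ula_subnet(prefix, 2))
```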
• JKnott @b_chris

@b_chris said in IPv6 via IPSec:

> My main use case would be to communicate via IPv6 with devices within my network that are IPv6-only.

You can use ULA through the tunnel, just as you can use RFC1918 addresses on IPv4.

• JKnott @MikeV7896

@mikev7896

I use "ps aux|shasum" and pull off the required number of digits. I also go to www.grc.com and use the Perfect Passwords to generate a 63 random character string.

• keyser @MikeV7896

@mikev7896 My understanding is that ULA is not 100% like RFC1918 - there is actually another range of IPv6 addresses for that.

If pfSense follows the RFC for ULA to the letter, will it then route the VPN client with a ULA address to a LAN client that only has a GUA and Link Local?
I thought the point of ULA was that you would need to - also - give all your internal clients a ULA address to be able to speak to a ULA-only VPN client.

I might be wrong, but that's how I thought ULA is RFC'ed

Love the no fuss of using the official appliances :-)

• JKnott @keyser

@keyser said in IPv6 via IPSec:

> My understanding is that ULA is not 100% like RFC1918 - there is actually another range of IPv6 addresses for that.

Not that I'm aware of. ULA is the same as RFC1918 in that it's routeable, but not allowed on the Internet. However, you can't have a VPN over the Internet that uses ULA on either end. VPNs can certainly carry ULA though, just as they can RFC1918.

• sharpjs @b_chris

@b_chris Sorry to reply to an old thread, but this thread is what search engines find when dealing with this issue. What just worked for me was this NPt entry:

• Interface: WAN (not IPsec)
• Internal IPv6 prefix:
  • Internal invert: not checked
  • Internal address: fdxx:xxxx:xxxx:xxxx::/64 (IPsec virtual address pool ULA prefix)
• Destination IPv6 prefix:
  • Destination invert: not checked
  • Destination type: OPT1 delegated prefix (any unused interface here)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.