-
@b_chris said in IPv6 via IPSec:
I'd like to enable IPv6 for my IPSec tunnel (IPv4 is already working fine).
I added a virtual address pool for IPv6: fd00:1:1:2::/64
I haven't set up IPSec on pfSense, but with OpenVPN one tunnel can carry both IPv4 and IPv6. Does that work with IPSec too?
BTW, those ULA are like RFC1918 addresses on IPv4. They don't work across the Internet. As for your prefix changing, have you checked "Do not allow PD/Address release" on the WAN page? Also, does your WAN address change? That's what you should be using for the VPN end point, if you can.
-
@mmapplebeck said in IPv6 via IPSec:
ULA can only be used for local communications, nothing will go external
It cannot go over the public Internet. Beyond that, it can go anywhere over private networks, just like RFC1918 addresses on IPv4.
IPv6 does not have NAT functionality like IPv4 does
Fortunately. Actually, it may be possible, but it's still a bad idea.
-
@derelict
Thanks for your suggestions.
First: My DUID is configured to "Raw DUID" and I don't have RAM disk activated (also the pfSense box doesn't restart between those reconnects), therefore as far as I understand my config should lead to the same prefix. I already had contact with my provider, but their interpretation is: this is a "feature". I should go with a business contract to keep the prefix.
Back to topic: May I ask how the NPt settings need to be configured in detail? I assume the following:
Interface: IPSec
Internal IPv6 prefix: not checked
Address: fd00:1:1:2::/64 (the ULA prefix for IPSec)
Destination IPv6 prefix: not checked
Address: That's probably my current WAN prefix.
Unfortunately that doesn't work. When trying to ping from an IPSec client to e.g. pfSense via ping6 I get a timeout. Firewall rules (very basic) should allow the ping.
Thanks
-
General clarification: You all are right, direct communication from a "ULA client" to the public internet is of course not possible.
My main use case would be to communicate via IPv6 with devices within my network that are IPv6-only.
-
@b_chris Just a note about using ULA addresses... RFC 4193 recommends that you use a more randomized prefix for a ULA network, because if you were to VPN to another network that uses IPv6 ULA and the prefix happened to be the same, you could have connectivity issues.
The recommended way to generate your ULA prefix is to use the current timestamp + a MAC address, hash it with SHA1 and use the lower 40 bits of the result for your prefix. Here's a link to a page that will ask for a MAC address, then do the rest of the work for you.
https://cd34.com/rfc4193/
Here's another that just randomly generates one (this one also generates a subnet ID, though if you have multiple networks, they should all use the same global ID and different subnet IDs)...
https://simpledns.plus/private-ipv6
This way it is highly unlikely that you end up using the same ULA address range as someone else.
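The RFC 4193 procedure described in the post above (NTP timestamp concatenated with a modified EUI-64, hashed with SHA-1, low 40 bits kept as the global ID), written out as an added example in Python. This is editor-added illustration code, not code from the thread, the linked generators, or pfSense. The MAC address and the fixed timestamp in the sample run are constructed values so the output is repeatable; `global_id_of` is an added helper that pulls the global ID back out of a prefix, used here to show why a hand-picked prefix like the one in this thread has almost no entropy.

```python
import hashlib
import ipaddress
import struct
import time
from typing import Optional, Union

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800
ULA_RANGE = ipaddress.IPv6Network("fc00::/7")


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 appendix A): insert ff:fe in the middle, flip the u/l bit."""
    octets = bytearray(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 followed by a 32-bit fraction."""
    whole = int(unix_time)
    secs = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack(">II", secs, frac)


def ula_global_id(mac: str, unix_time: Optional[float] = None) -> bytes:
    """RFC 4193 section 3.2.2: SHA-1 over (NTP time || EUI-64), keep the least significant 40 bits."""
    if unix_time is None:
        unix_time = time.time()
    key = ntp_timestamp(unix_time) + mac_to_eui64(mac)
    return hashlib.sha1(key).digest()[-5:]


def ula_prefix(mac: str, unix_time: Optional[float] = None) -> ipaddress.IPv6Network:
    """Prefix byte 0xfd (fc00::/7 with the L bit set) + 40-bit global ID = one /48 ULA prefix."""
    packed = b"\xfd" + ula_global_id(mac, unix_time) + b"\x00" * 10
    return ipaddress.IPv6Network((packed, 48))


def ula_subnet(prefix: Union[str, ipaddress.IPv6Network], subnet_id: int) -> ipaddress.IPv6Network:
    """Pick one /64 inside the /48 by filling in the 16-bit subnet ID field (bits 64..79)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 prefix and a 16-bit subnet ID")
    return ipaddress.IPv6Network((int(net.network_address) | (subnet_id << 64), 64))


def global_id_of(network: Union[str, ipaddress.IPv6Network]) -> int:
    """Return the 40-bit global ID (bits 80..119 of the address) of any ULA network."""
    net = ipaddress.IPv6Network(network)
    if not net.subnet_of(ULA_RANGE):
        raise ValueError(f"{net} is not inside fc00::/7")
    return (int(net.network_address) >> 80) & 0xFFFFFFFFFF


if __name__ == "__main__":
    # Constructed sample input: made-up MAC, fixed time so the run is repeatable.
    prefix = ula_prefix("00:11:22:33:44:55", unix_time=1_700_000_000)
    print("ULA /48 prefix:", prefix)
    print("subnet 2 of it:", ula_subnet(prefix, 2))
    # The prefix used in this thread, fd00:1:1:2::/64, carries global ID 0x0000010001,
    # which is exactly the kind of low-entropy value the RFC's hashing step avoids.
    print("thread prefix global ID: 0x%010x" % global_id_of("fd00:1:1:2::/64"))
```

Running it once and keeping the printed /48 is all that is needed; generate the global ID once per site and derive every subnet from it, rather than generating a fresh prefix per network.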
-
@b_chris said in IPv6 via IPSec:
My main use case would be to communicate via IPv6 with devices within my network that are IPv6-only.
You can use ULA through the tunnel, just as you can use RFC1918 addresses on IPv4.
-
I use "ps aux|shasum" and pull off the required number of digits. I also go to www.grc.com and use the Perfect Passwords to generate a 63 random character string.
-
@mikev7896 My understanding is that ULA is not 100% like RFC1918 - there is actually another range of IPv6 addresses for that.
If pfSense follows the RFC for ULA to the letter, will it then route the VPN client with a ULA address to a LAN client that only has a GUA and Link Local?
I thought the point of ULA was that you would need to - also - give all your internal clients a ULA address to be able to speak to a ULA-only VPN client.
I might be wrong, but that's how I thought ULA is RFC'ed.
-
@keyser said in IPv6 via IPSec:
My understanding is that ULA is not 100% like RFC1918 - there is actually another range of IPv6 addresses for that.
Not that I'm aware of. ULA is the same as RFC1918 in that it's routeable, but not allowed on the Internet. However, you can't have a VPN over the Internet that uses ULA on either end. VPNs can certainly carry ULA though, just as they can RFC1918.
-
@b_chris Sorry to reply to an old thread, but this thread is what search engines find when dealing with this issue. What just worked for me was this NPt entry:
- Interface: WAN (not IPsec)
- Internal IPv6 prefix:
  - Internal invert: not checked
  - Internal address: fdxx:xxxx:xxxx:xxxx::/64 (IPsec virtual address pool ULA prefix)
- Destination IPv6 prefix:
  - Destination invert: not checked
  - Destination type: OPT1 delegated prefix (any unused interface here)
- Interface:
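To make concrete what the NPt entry above does to a packet, here is an added example in Python (editor-added, not code from the thread or from pfSense). It assumes NPt is a plain 1:1 prefix swap that leaves the host bits (the low 64 bits) untouched, and it uses `fd00:1:1:2::/64` from this thread as the IPsec pool and the made-up documentation prefix `2001:db8:abcd:2::/64` standing in for the delegated OPT1 prefix. `npt_problems` is an added helper that flags the two misconfigurations discussed in the thread: prefixes of different length, and a destination prefix that is itself ULA, which still cannot reach anything outside your networks.

```python
import ipaddress
from typing import List, Optional, Union

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")
IPv6NetArg = Union[str, ipaddress.IPv6Network]
IPv6AddrArg = Union[str, ipaddress.IPv6Address]


def npt_translate(addr: IPv6AddrArg, from_prefix: IPv6NetArg,
                  to_prefix: IPv6NetArg) -> Optional[ipaddress.IPv6Address]:
    """Rewrite addr from from_prefix into to_prefix, keeping the host bits.

    Returns None when addr is outside from_prefix: the NPt rule simply does not
    match such a packet and it leaves the box untranslated.
    """
    address = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NPt needs internal and destination prefixes of equal length")
    if address not in src:
        return None
    host_mask = (1 << (128 - src.prefixlen)) - 1
    return ipaddress.IPv6Address(int(dst.network_address) | (int(address) & host_mask))


def outbound(addr: IPv6AddrArg, internal: IPv6NetArg, destination: IPv6NetArg):
    """Traffic leaving WAN: IPsec client ULA address -> delegated GUA address."""
    return npt_translate(addr, internal, destination)


def inbound(addr: IPv6AddrArg, internal: IPv6NetArg, destination: IPv6NetArg):
    """Reply traffic entering WAN: delegated GUA address -> IPsec client ULA address."""
    return npt_translate(addr, destination, internal)


def npt_problems(internal: IPv6NetArg, destination: IPv6NetArg) -> List[str]:
    """Return a list of reasons this NPt pair cannot give the pool external reachability."""
    src = ipaddress.IPv6Network(internal)
    dst = ipaddress.IPv6Network(destination)
    problems = []
    if src.prefixlen != dst.prefixlen:
        problems.append(f"prefix lengths differ: /{src.prefixlen} vs /{dst.prefixlen}")
    if not src.subnet_of(ULA_RANGE):
        problems.append(f"internal prefix {src} is not ULA (fc00::/7)")
    if dst.subnet_of(ULA_RANGE):
        problems.append(f"destination prefix {dst} is ULA, so it is not routable past your networks")
    return problems


if __name__ == "__main__":
    # Constructed sample: the thread's pool plus a made-up delegated prefix.
    pool = "fd00:1:1:2::/64"
    delegated = "2001:db8:abcd:2::/64"
    client = "fd00:1:1:2::10"
    out = outbound(client, pool, delegated)
    print(f"{client} leaves WAN as {out}")
    print(f"reply to {out} comes back to {inbound(out, pool, delegated)}")
    print("problems:", npt_problems(pool, delegated) or "none")
    print("ULA -> ULA problems:", npt_problems(pool, "fd00:9:9:9::/64"))
```

The host bits survive translation, so an IPsec client's interface ID is visible to the outside as part of its translated GUA; if that matters, hand out pool addresses that do not embed anything identifying.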