Tunnel IPv6 over IPv4-IPSec tunnel



  • I have a remote location that can not get IPv6, I have IPv6 in the central location. I have IPv4 IPsec between both locations.
    I would like to use IPsec to get IPv6 connectivity at the remote location. Pretty much what is done here: http://markus.wernig.net/en/it/ip6tunnel-ipsec-only.phtml

    When I do this using pfSense 2.2.1 the tunnel does not throw any obvious errors, I get the tunnel showing up in the SPD status window, but I can not pass any traffic. I pass all IPv6 traffic on the IPsec interface.

    Is this something that is (a) not possible, (b) coming "real soon(TM)", or (c) a user error?
    Does anyone have something similar running?


  • Banned

    There's this IPv6 over IPv4 Tunneling checkbox under System -> Advanced -> Networking. (Note: Never tested this with IPsec or anything else. Good luck. :P)

    Also see this thread: Layer 2 Tunneling over IPSec - GIF Interface



  • @doktornotor:

    There's this IPv6 over IPv4 Tunneling checkbox under System -> Advanced -> Networking. (Note: Never tested this with IPsec or anything else. Good luck. :P)

    Thanks. That doesn't work though, that seems to require an address to NAT through. I want to get rid of NAT if possible.
    All the articles I have found seem to indicate that it is possible to run IPv6 through an IPSec tunnel between IPv4 hosts without needing any of the usual transition methods.
    I'll wait and see if anyone else has encountered the issue.


  • Banned

    So check the other one linked below… That is without NAT.



  • @doktornotor:

    That is without NAT.

    Yes, but it is also with an extra interface, which was what I was hoping to avoid.


  • Banned

    Sigh… good luck. Bye.


  • Rebel Alliance Developer Netgate

    For IPsec, at least currently, you cannot mix the inner and outer protocol. You can't carry both IPv4 and IPv6 over a single IPsec tunnel, and you can only do IPv4 inner+outer or IPv6 inner+outer.

    OpenVPN can carry both inside to accomplish what you want on a single interface, regardless of the outer protocol (e.g. IPv4 outer w/IPv6 inner, or IPv4 outer with IPv6+IPv4 inner, IPv6 outer with IPv4 inner, and so on…)

    I'm not sure if strongSwan makes any of that more possible for IPsec, but it's most likely a dead end for the foreseeable future.

    If you need to get IPv6 somewhere across an IPv4 link, your best chances are GIF or OpenVPN.



  • I have not tested this on 2.2.2 but for sure it will be usable on 2.3 of pfSense since even FreeBSD has had fixes especially for this in kernel side.

    2.3 will be based on FreeBSD 10.2 which has those fixes in kernel.
    Probably as soon as there are snapshots you can try this scenario.



  • @ermal:

    I have not tested this on 2.2.2 but for sure it will be usable on 2.3 of pfSense since even FreeBSD has had fixes especially for this in kernel side.

    Excellent!
    I'll give it a try with 2.2.2. Otherwise I'll wait for 2.3-snapshots.

