I was eventually able to solve this issue. I asked for help on several mailing lists. So, for reference, here are links to the relevant threads:
https://lists.freebsd.org/pipermail/freebsd-questions/2016-May/271810.html https://lists.freebsd.org/pipermail/freebsd-net/2016-May/045349.html https://www.tinc-vpn.org/pipermail/tinc/2016-May/004573.html Niklaas Baudet von Gersdorff [2016-05-24 08:17 +0200] : > I want to serve IPv4 subnets 10.1.0.0/16 (machine A) and 10.2.0.0/16 > (machine B), and IPv6 subnets fd16:dcc0:f4cc:0:0:1::/96 (machine A) and > fd16:dcc0:f4cc:0:0:2::/96 (machine B) respectively. The jails are > connected on lo1. Here lies the first problem. It seems that it's not legitimate to assign /96 subnets when using unique local addresses (ULAs). I was right getting some /48 subnet for my local IPv6 network; some easy way to get one generated randomly is http://unique-local-ipv6.com/ . But instead of assigning /96 subnets to each host, you must assign /64 subnets. I guess (but I am not sure because I have not found any reference that mentions this explicitly) you *must not* use any other subnet when dealing with ULAs. So I decided for the following two subnets for machine A and B respectively: fd16:dcc0:f4cc:1::/64 and fd16:dcc0:f4cc:2::/64. > The following is the tinc-up script on each machine that assignes IP > addresses and creates routes. I commented out some variations that > I tried but haven't had success with either: > > A $ cat /usr/local/etc/tinc/klaas/tinc-up > ifconfig $INTERFACE inet6 fd16:dcc0:f4cc:0:0:1:0:1 prefixlen 80 > route -6 add -host fd16:dcc0:f4cc:0:0:2:0:1 fd16:dcc0:f4cc:0:0:1:0:1 > route -6 add -net fd16:dcc0:f4cc:0:0:2::/96 fd16:dcc0:f4cc:0:0:1:0:1 > #route -6 add -ifp $INTERFACE -host fd16:dcc0:f4cc::2:0:1 > fd16:dcc0:f4cc::1:0:1 > #route -6 add -ifp $INTERFACE -net fd16:dcc0:f4cc::2:0:0/96 > fd16:dcc0:f4cc::1:0:1 > > ifconfig $INTERFACE 10.1.0.1 netmask 255.0.0.0 > route -4 add -host 10.2.0.1 10.1.0.1 > route -4 add -net 10.2.0.0/16 10.1.0.1 In addition, it seems not sufficient to solely assign IP address, but you must also assign a route for the respective foreign (!) subnet(s) to the tap interface. Without these I couldn't get the connection working. Thus, you get the following tinc-up scripts for both machines: A $ cat /usr/local/etc/tinc/tinc-up ifconfig $INTERFACE inet6 fd16:dcc0:f4cc:1::1 prefixlen 48 alias ifconfig $INTERFACE 10.1.0.1 netmask 255.0.0.0 alias route add -inet6 -net fd16:dcc0:f4cc:2::/64 -interface $INTERFACE B $ cat /usr/local/etc/tinc/tinc-up ifconfig $INTERFACE inet6 fd16:dcc0:f4cc:2::1 prefixlen 48 alias ifconfig $INTERFACE 10.2.0.1 netmask 255.0.0.0 alias route add -inet6 -net fd16:dcc0:f4cc:1::/64 -interface $INTERFACE The following you should include into tinc-down to clean up the route when the daemon is shut down (alter this for machine B respectively): route add -inet6 -net fd16:dcc0:f4cc:1::/64 -interface $INTERFACE To make this complete, these are the relevant host configurations for tinc: A $ cat /usr/local/etc/tinc/hosts/A Address = A Subnet = fd16:dcc0:f4cc:1::/64 Subnet = 10.1.0.0/16 -----BEGIN RSA PUBLIC KEY----- <secret> -----END RSA PUBLIC KEY----- A $ cat /usr/local/etc/tinc/hosts/B Address = B Subnet = fd16:dcc0:f4cc:2::/64 Subnet = 10.2.0.0/16 -----BEGIN RSA PUBLIC KEY----- <secret> -----END RSA PUBLIC KEY----- For reference -- in hope that duckduckgo does a good job indexing this and prevents others from struggling the same way as I did -- here are the errors I would get from tinc if either the subnet was not set up correctly (see above) or if I had not configured the routes: Cannot route packet: neighbor solicitation request for unknown address fd16:dcc0:f4cc:0:0:1:0:1 In hope that nobody else has to struggle with this as long as I did. Niklaas
signature.asc
Description: PGP signature
