Hello,
I am trying to set up a dual-stack IKEv2/IPsec VPN. The server is
OpenBSD (obviously). The clients are macs (so far). IPv4 works, but
I can't get IPv6 working for the clients. The clients get a v6 IP
and a good route, but it seems routing doesn't work on OpenBSD's
side.
I am using a /48 IPv6 tunnel from HE.
Server IPv4: 209.51.161.14
Server IPv6: 2001:470:1f06:95f::1/64
Client IPv4: 207.246.122.61
Client IPv6: 2001:470:1f06:95f::2/64
Routed IPv6 Prefixes
Routed /48: 2001:470:8c78::/48
IPv6 connectivity works from OpenBSD:
freedom# uname -a
OpenBSD freedom.mgk.ro 6.4 GENERIC.MP#364 amd64
freedom#
freedom# ifconfig gif0 # HE tunnel
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
index 4 priority 0 llprio 3
groups: gif egress
tunnel: inet 207.246.122.61 -> 209.51.161.14 ttl 64 nodf
inet6 fe80::42bc:4cfd:6395:7fe%gif0 -> prefixlen 64 scopeid 0x4
inet6 2001:470:1f06:95f::2 -> 2001:470:1f06:95f::1 prefixlen 128
freedom#
freedom# route show -inet6 | grep default
default tunnel521973.tunne UGS 0 3 - 8 gif0
default fe80::fc00:1ff:fed UGS 0 0 - 56 vio0
freedom# traceroute6 google.com
traceroute6 to google.com (2607:f8b0:4006:81a::200e), 64 hops max, 60 byte packets
1 tunnel521973.tunnel.tserv4.nyc4.ipv6.he.net (2001:470:1f06:95f::1) 9.048 ms 7.025 ms 6.35 ms
2 ve422.core1.nyc4.he.net (2001:470:0:5d::1) 1.822 ms 1.727 ms 5.251 ms
3 core1-0-0-8.lga.net.google.com (2001:504:f::27) 1.836 ms 1.661 ms 1.659 ms
4 2001:4860:0:1125::1 (2001:4860:0:1125::1) 4.234 ms 3.801 ms 2001:4860:0:1127::1 (2001:4860:0:1127::1) 3.834 ms
5 2001:4860:0:1::17b (2001:4860:0:1::17b) 3.613 ms 2001:4860:0:1::995 (2001:4860:0:1::995) 2.823 ms 2001:4860:0:1::17b (2001:4860:0:1::17b) 2.854 ms
6 lga25s62-in-x0e.1e100.net (2607:f8b0:4006:81a::200e) 2.829 ms 2.764 ms 2.598 ms
freedom#
I created enc0 for IPsec, and assigned the /48 to it:
freedom# cat /etc/hostname.enc0
inet 172.24.24.1 255.255.255.0 172.24.24.255
inet6 2001:470:8c78:a0:: 64
up
I enabled IP forwarding:
freedom# cat /etc/sysctl.conf
hw.smt=1
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
freedom#
My iked.conf is
freedom# cat /etc/iked.conf
ikev2 "vpn" passive ipcomp esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local egress peer any \
psk "XXXXXXXX" \
config address 172.24.24.0/24 \
config address 2001:470:8c78:a0::/64 \
config name-server 172.24.24.1 \
config name-server 2001:470:8c78:a0:: \
tag "vpn" tap enc0
freedom#
The mac clients "see" the IPv6 address, and create a route:
emerald:aram$ ifconfig ipsec0
ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
inet 172.24.24.193 --> 172.24.24.193 netmask 0xff000000
inet6 fe80::3ac9:86ff:fe32:4e3f%ipsec0 prefixlen 64 scopeid 0xf
inet6 2001:470:8c78:a0::82f8:21d4 prefixlen 64
nd6 options=201<PERFORMNUD,DAD>
emerald:aram$
emerald:aram$ netstat -nr | grep default
default link#15 UCS 110 0 ipsec0
default 192.168.0.1 UGScI 19 0 en0
default 192.168.0.1 UGScI 3 0 en1
default 2001:470:8c78:a0:: UGc ipsec0
default fe80::%utun0 UGcI utun0
default fe80::%utun1 UGcI utun1
default fe80::%utun2 UGcI utun2
I can do IPv4 from the clients, but not IPv6.
emerald:aram$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=58 time=106.972 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=107.661 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=58 time=108.039 ms
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 106.972/107.557/108.039/0.442 ms
emerald:aram$ ping6 google.com
PING6(56=40+8+8 bytes) 2001:470:8c78:a0::82f8:21d4 --> 2607:f8b0:4006:800::200e
^C
--- google.com ping6 statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
emerald:aram$ ping6 2001:470:8c78:a0::
PING6(56=40+8+8 bytes) 2001:470:8c78:a0::82f8:21d4 --> 2001:470:8c78:a0::
^C
--- 2001:470:8c78:a0:: ping6 statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
emerald:aram$
As you can see I can't even ping the OpenBSD endpoint over IPv6.
From the OpenBSD side, I can't ping the client either on IPv6 (IPv4
works):
freedom# ping6 2001:470:8c78:a0::82f8:21d4
PING 2001:470:8c78:a0::82f8:21d4 (2001:470:8c78:a0::82f8:21d4): 56 data bytes
ping6: sendmsg: Message too long
ping: wrote 2001:470:8c78:a0::82f8:21d4 64 chars, ret=-1
ping6: sendmsg: Message too long
ping: wrote 2001:470:8c78:a0::82f8:21d4 64 chars, ret=-1
^C
--- 2001:470:8c78:a0::82f8:21d4 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
freedom# ping 172.24.24.193
PING 172.24.24.193 (172.24.24.193): 56 data bytes
64 bytes from 172.24.24.193: icmp_seq=0 ttl=64 time=107.996 ms
64 bytes from 172.24.24.193: icmp_seq=1 ttl=64 time=106.241 ms
^C
--- 172.24.24.193 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 106.241/107.118/107.996/0.878 ms
freedom#
Also on the OpenBSD side, I can see the ICMP packets coming from
the client and arriving on enc0:
freedom# tcpdump -n -e -ttt -i enc0
tcpdump: listening on enc0, link-type ENC
Feb 11 13:59:48.962485 (authentic,confidential): SPI 0x1e6e0c04: 2001:470:8c78:a0::82f8:21d4 > 2001:470:8c78:a0::: icmp6: echo request [flowlabel 0xdea34] (encap)
Feb 11 13:59:49.963477 (authentic,confidential): SPI 0x1e6e0c04: 2001:470:8c78:a0::82f8:21d4 > 2001:470:8c78:a0::: icmp6: echo request [flowlabel 0xdea34] (encap)
^C
So the packets come, but something happens to them.
My pf.conf is:
set skip on lo
block return # block stateless traffic
pass # establish keep-state
# NAT
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
pass quick proto udp from any to self port {isakmp, ipsec-nat-t} keep state
pass on enc0 from any to self keep state (if-bound)
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
And this is what pfctl -sr returns:
freedom# pfctl -sr
block return all
pass all flags S/SA
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from ! (egress:network) to any nat-to (egress:0) round-robin
pass quick inet6 proto udp from any to ::1 port = 500
pass quick on lo0 inet6 proto udp from any to fe80::1 port = 500
pass quick on vio0 inet6 proto udp from any to fe80::5400:1ff:fed3:aabd port = 500
pass quick inet6 proto udp from any to 2001:470:8c78:a0:: port = 500
pass quick on gif0 inet6 proto udp from any to fe80::42bc:4cfd:6395:7fe port = 500
pass quick inet6 proto udp from any to 2001:470:1f06:95f::2 port = 500
pass quick inet6 proto udp from any to ::1 port = 4500
pass quick on lo0 inet6 proto udp from any to fe80::1 port = 4500
pass quick on vio0 inet6 proto udp from any to fe80::5400:1ff:fed3:aabd port = 4500
pass quick inet6 proto udp from any to 2001:470:8c78:a0:: port = 4500
pass quick on gif0 inet6 proto udp from any to fe80::42bc:4cfd:6395:7fe port = 4500
pass quick inet6 proto udp from any to 2001:470:1f06:95f::2 port = 4500
pass quick inet proto udp from any to 127.0.0.1 port = 500
pass quick inet proto udp from any to 207.246.122.61 port = 500
pass quick inet proto udp from any to 172.24.24.1 port = 500
pass quick inet proto udp from any to 127.0.0.1 port = 4500
pass quick inet proto udp from any to 207.246.122.61 port = 4500
pass quick inet proto udp from any to 172.24.24.1 port = 4500
pass on enc0 inet from any to 127.0.0.1 flags S/SA keep state (if-bound)
pass on enc0 inet from any to 207.246.122.61 flags S/SA keep state (if-bound)
pass on enc0 inet from any to 172.24.24.1 flags S/SA keep state (if-bound)
pass on enc0 inet6 from any to ::1 flags S/SA keep state (if-bound)
pass on enc0 inet6 from any to 2001:470:8c78:a0:: flags S/SA keep state (if-bound)
pass on enc0 inet6 from any to 2001:470:1f06:95f::2 flags S/SA keep state (if-bound)
block return in on ! lo0 proto tcp from any to any port 6000:6010
block return out log proto tcp all user = 55
block return out log proto udp all user = 55
Any tips on what to do next? Do I need some special pf.conf
configuration?
Thanks!
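One check a practitioner would run on a policy like the one posted is whether its flow selectors and its address pools agree on address families: the posted policy hands out both an IPv4 and an IPv6 address, but its only selector is `from 0.0.0.0/0 to 0.0.0.0/0`. The script below is an added example, not part of the original post and not OpenBSD's own tooling; it parses constructed copies of the posted iked.conf (the dual-stack variant is hypothetical and is only there to show the lint passing) and reports pool families that no selector covers. It assumes numeric addresses, classifying any token containing ':' as IPv6. Whether this mismatch is the cause of the poster's problem is not established by the post.

```shell
#!/bin/sh
# Added example, not part of the original post: a small lint for an
# iked.conf(5) policy that reports address families present in its
# "config address" pools but absent from its "from ... to ..." flow
# selectors. It only inspects the text; it does not talk to iked(8).
# Assumptions: addresses are numeric (a token containing ':' is IPv6,
# anything else IPv4), and the sample configs below are constructed
# copies of the posted one, PSK placeholder included.

# Write the posted policy (IPv4 selector only) to the given path.
write_posted_config() {
    cat > "$1" <<'EOF'
ikev2 "vpn" passive ipcomp esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local egress peer any \
psk "XXXXXXXX" \
config address 172.24.24.0/24 \
config address 2001:470:8c78:a0::/64 \
config name-server 172.24.24.1 \
config name-server 2001:470:8c78:a0:: \
tag "vpn" tap enc0
EOF
}

# Constructed (hypothetical) variant with a selector for each family, to
# show the lint passing; not a statement about what fixes the poster's setup.
write_dual_stack_config() {
    cat > "$1" <<'EOF'
ikev2 "vpn" passive ipcomp esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
from ::/0 to ::/0 \
local egress peer any \
psk "XXXXXXXX" \
config address 172.24.24.0/24 \
config address 2001:470:8c78:a0::/64 \
tag "vpn" tap enc0
EOF
}

# Drop comment lines and join backslash-continued lines, so that every
# policy comes out as one logical line of whitespace-separated tokens.
join_policy_lines() {
    awk '/^[ \t]*#/ { next }
         { line = $0
           if (sub(/\\[ \t]*$/, "", line)) { buf = buf line; next }
           print buf line; buf = "" }
         END { if (buf != "") print buf }' "$1"
}

# Address families that have at least one "from X to Y" selector.
selector_families() {
    join_policy_lines "$1" | awk '
        function fam(a) { return (a ~ /:/) ? "inet6" : "inet" }
        { for (i = 1; i < NF; i++) if ($i == "from") print fam($(i + 1)) }' | sort -u
}

# Address families that have a "config address" pool.
pool_families() {
    join_policy_lines "$1" | awk '
        function fam(a) { return (a ~ /:/) ? "inet6" : "inet" }
        { for (i = 1; i < NF - 1; i++)
              if ($i == "config" && $(i + 1) == "address") print fam($(i + 2)) }' | sort -u
}

# Print each pool family that no selector covers; exit 1 if there is one.
missing_families() {
    _sel=$(selector_families "$1" | tr '\n' ' ')
    _rc=0
    for _fam in $(pool_families "$1"); do
        case " $_sel " in
            *" $_fam "*) ;;
            *) echo "$_fam"; _rc=1 ;;
        esac
    done
    return $_rc
}

# Stand-alone run: lint both constructed configs.
for writer in write_posted_config write_dual_stack_config; do
    tmp=$(mktemp) || exit 1
    "$writer" "$tmp"
    printf '%s: selectors cover [%s], pools need [%s]\n' "$writer" \
        "$(selector_families "$tmp" | tr '\n' ' ')" \
        "$(pool_families "$tmp" | tr '\n' ' ')"
    if missing=$(missing_families "$tmp"); then
        echo "  ok: every pool family has a flow selector"
    else
        echo "  pool family without a flow selector: $missing"
    fi
    rm -f "$tmp"
done
```

Run it as-is to see both results; to lint a live file, call `missing_families /etc/iked.conf` from a shell that has sourced the functions. Hostnames and the `any` keyword would be classified as IPv4 by this simple rule, so treat its output as a prompt to look at the policy, not as a verdict.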