IPv6 ipsec tunnel server on linux server

Hello,
I'm trying to set up an ipsec server on a linux machine. The connection between clients and server should be IPv6 only but also needs to transport IPv4 packets. However, the linux kernel doesn't seem to support a feature which is required to transport IPv4 packets within an IPv6 ipsec connection, as shown here: https://wiki.strongswan.org/issues/939 Does maybe one of you know how to transport IPv4 packets in an IPv6 ipsec connection, or do we need to wait for the linux kernel to support this feature? Because this stops me from switching to IPv6 ipsec connections and I would like to reduce the usage of IPv4 as much as possible ... Sorry if this might be off-topic from the general IPv6 WG topics, but I thank you in advance for your time and answers!
Best regards,
Michael Hock

Hi,
On Mon, Nov 05, 2018 at 11:39:54AM +0100, Michael Hock wrote:
I'm trying to set up an ipsec server on a linux machine. The connection between clients and server should be IPv6 only but also needs to transport IPv4 packets. However, the linux kernel doesn't seem to support a feature which is required to transport IPv4 packets within an IPv6 ipsec connection, as shown here: https://wiki.strongswan.org/issues/939
Does maybe one of you know how to transport IPv4 packets in an IPv6 ipsec connection, or do we need to wait for the linux kernel to support this feature? Because this stops me from switching to IPv6 ipsec connections and I would like to reduce the usage of IPv4 as much as possible ...
Without wanting to understand whether Linux can actually *do* this, what you generally do is "put an intermediate tunnel header here". So, you set up an IPv4 tunnel, with inside IPv4 addresses left and right. Then you set up an ipv6ip (proto-41) or gre tunnel, that uses said IPv4 addresses as "tunnel source" and "tunnel destination" (tunnel endpoints). *Then* you configure and route your IPv6 into the second tunnel. If all works nicely together, the IPv6 packet will then first be encapsulated into IPv4 directly or in GRE-over-IPv4, and the resulting IPv4 packet will then be IPSEC encapsulated and sent out. Now, I have no idea whether Linux can actually do that, or it will refuse the "double internal encapsulation" bit. Or if you can tell it how to nicely IPSEC-encapsulate only the relevant tunnel packets. *I* just use OpenVPN, which learned to transport IPv6 over IPv4 roughly 9 years ago... :-)
Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

Hi,
On Mon, Nov 05, 2018 at 08:18:31PM +0100, Gert Doering wrote:
On Mon, Nov 05, 2018 at 11:39:54AM +0100, Michael Hock wrote:
I'm trying to set up an ipsec server on a linux machine. The connection between clients and server should be IPv6 only but also needs to transport IPv4 packets. However, the linux kernel doesn't seem to support a feature which is required to transport IPv4 packets within an IPv6 ipsec connection, as shown here: https://wiki.strongswan.org/issues/939
Does maybe one of you know how to transport IPv4 packets in an IPv6 ipsec connection, or do we need to wait for the linux kernel to support this feature? Because this stops me from switching to IPv6 ipsec connections and I would like to reduce the usage of IPv4 as much as possible ...
Without wanting to understand whether Linux can actually *do* this, what you generally do is "put an intermediate tunnel header here".
It has been pointed out to me that I read your post upside-down - not "IPv6 over IPv4 IPSEC" was the goal, but "IPv4 (+IPv6) over IPv6 IPSEC". But the net recommendation is the same - build an outer IPSEC connection over IPv6, set up a tunnel interface to use that, route IPv4 through this second tunnel. (And, of course, OpenVPN could do IPv4-over-IPv6 over 10+ years ago ;-))
Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

Hi all,
IPSec tunnel is transparent to IP payload in general, so it is perfectly ok to run IPv4 over IPv6 tunnel. The key issue is how to get the traffic into the tunnel, as you cannot set an IPv6 next-hop on an IPv4 route. I'm not familiar with how to do this in Linux OS, but in general if you can set the next-hop to a virtual tunnel-interface then you are one step further.
Jome
-----------------
Jorma Mellin
Trustee SIY ry / ISOC Finland Chapter
ENISA PSG member
jorma@jmellin.net (tel. +358 50 9944762)
On 06 Nov 2018, at 16:49, Gert Doering <gert@space.net> wrote:
Hi,
On Mon, Nov 05, 2018 at 08:18:31PM +0100, Gert Doering wrote:
On Mon, Nov 05, 2018 at 11:39:54AM +0100, Michael Hock wrote:
I'm trying to set up an ipsec server on a linux machine. The connection between clients and server should be IPv6 only but also needs to transport IPv4 packets. However, the linux kernel doesn't seem to support a feature which is required to transport IPv4 packets within an IPv6 ipsec connection, as shown here: https://wiki.strongswan.org/issues/939
Does maybe one of you know how to transport IPv4 packets in an IPv6 ipsec connection, or do we need to wait for the linux kernel to support this feature? Because this stops me from switching to IPv6 ipsec connections and I would like to reduce the usage of IPv4 as much as possible ...
Without wanting to understand whether Linux can actually *do* this, what you generally do is "put an intermediate tunnel header here".
It has been pointed out to me that I read your post upside-down - not "IPv6 over IPv4 IPSEC" was the goal, but "IPv4 (+IPv6) over IPv6 IPSEC".
But the net recommendation is the same - build an outer IPSEC connection over IPv6, set up a tunnel interface to use that, route IPv4 through this second tunnel.
(And, of course, OpenVPN could do IPv4-over-IPv6 over 10+ years ago ;-))
Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
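The approach Gert and Jorma describe (an outer IPsec association over IPv6, a tunnel interface riding on it, and an IPv4 route whose next hop is that interface) written out with plain iproute2, as an added example that is not from any participant in the thread. It uses GRE over IPv6 (ip6gre) as the inner tunnel and a transport-mode ESP policy that covers only the GRE packets between the two endpoints; all addresses, the interface name, SPIs and keys are constructed placeholders.

```shell
#!/bin/sh
# Added example: IPv4 over GRE over IPv6, with the GRE packets between the two
# IPv6 endpoints protected by an IPsec transport-mode ESP SA pair.
# Every address, the interface name, the SPIs and the keys are constructed
# placeholders. DRY_RUN=1 (the default) only prints the commands.
LOCAL6="2001:db8:1::1"        # this host's public IPv6 address (constructed)
REMOTE6="2001:db8:2::1"       # peer's public IPv6 address (constructed)
LOCAL4="10.99.0.1/30"         # IPv4 address inside the tunnel (constructed)
REMOTE4_NET="192.0.2.0/24"    # IPv4 prefix reachable behind the peer (constructed)
TUN="gre6v4"
SPI_OUT="0x1001"; SPI_IN="0x1002"
# rfc4106 keymat = 128-bit AES key + 32-bit salt (40 hex digits). Placeholders:
# with an IKE daemon such as strongSwan the SAs are negotiated instead, and only
# the tunnel interface and the routes below remain to be configured by hand.
KEY_OUT="0x00112233445566778899aabbccddeeff01020304"
KEY_IN="0xffeeddccbbaa99887766554433221100f0f1f2f3"

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

build_tunnel() {
    # 1. Outer IPsec over IPv6: ESP in transport mode, one SA per direction.
    run ip -6 xfrm state add src "$LOCAL6" dst "$REMOTE6" proto esp spi "$SPI_OUT" \
        mode transport aead "rfc4106(gcm(aes))" "$KEY_OUT" 128
    run ip -6 xfrm state add src "$REMOTE6" dst "$LOCAL6" proto esp spi "$SPI_IN" \
        mode transport aead "rfc4106(gcm(aes))" "$KEY_IN" 128
    # Policies select only GRE (IP proto 47) between the endpoints, so other
    # IPv6 traffic between the two hosts is left alone.
    run ip -6 xfrm policy add src "$LOCAL6" dst "$REMOTE6" proto gre dir out \
        tmpl src "$LOCAL6" dst "$REMOTE6" proto esp mode transport
    run ip -6 xfrm policy add src "$REMOTE6" dst "$LOCAL6" proto gre dir in \
        tmpl src "$REMOTE6" dst "$LOCAL6" proto esp mode transport
    # 2. Inner tunnel interface: ip6gre carries IPv4 (and IPv6) inside IPv6+GRE.
    run ip link add "$TUN" type ip6gre local "$LOCAL6" remote "$REMOTE6"
    run ip addr add "$LOCAL4" dev "$TUN"
    run ip link set "$TUN" up
    # 3. The IPv4 route's next hop is the tunnel *interface*, not an IPv6 address;
    #    the kernel wraps IPv4 in GRE/IPv6, then the xfrm policy adds ESP.
    run ip -4 route add "$REMOTE4_NET" dev "$TUN"
}

: "${DRY_RUN=1}"   # set DRY_RUN to empty (DRY_RUN= ./script, as root) to apply
build_tunnel
```

The peer runs the same script with LOCAL/REMOTE values swapped, the SPIs and keys mirrored, and its own inside prefix; the `dir in`/`dir out` policies on both ends must agree on the selector.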

On 05.11.18 at 11:39, Michael Hock wrote:
Hello,
I'm trying to set up an ipsec server on a linux machine. The connection between clients and server should be IPv6 only but also needs to transport IPv4 packets. However, the linux kernel doesn't seem to support a feature which is required to transport IPv4 packets within an IPv6 ipsec connection, as shown here: https://wiki.strongswan.org/issues/939
Does maybe one of you know how to transport IPv4 packets in an IPv6 ipsec connection, or do we need to wait for the linux kernel to support this feature? Because this stops me from switching to IPv6 ipsec connections and I would like to reduce the usage of IPv4 as much as possible ...
I am not sure if I understand you correctly. I am also not very familiar with ipsec and with strongswan. They are on my long to-do list...for rainy days. I also know there are a thousand kinds of "ipsec". I found a very old script (2013). Some people told me this kind of ipsec may be obsolete already. But it makes two things clear to me: you can use ipsec IPv6 as transport with payload IPv4 or IPv4/IPv6. https://gist.github.com/vi/5628320 allows only IPv4 payload; with a little bit of rewriting I have got dual stack payload over IPv6. (tested between my work place and my home ISP) I am not sure if it helps you. But I don't see limitations by Linux at the moment. (ok, I did not speak about dual stack transport, but in the worst case you can use different instances for that)
Regards,
Thomas

On 05.11.18 at 11:39, Michael Hock wrote:
This is about NAT/NAT64 on ipsec transport. Despite an (im)possible (Linux?) udp encapsulation I wouldn't do that. NAT64 can be avoided by IPv6-IPv6 direct connections, and (CG)NAT....

Hi,
Maybe my last comment on that topic. Everything with UDP and ipsec leads to RFC 3948, the workaround for IPv4 and NAT. But for some reasons ESP packets are also blocked by some ISPs via IPv6. One of the questions was if linux supports udp encapsulation. I am not sure if my thoughts are complete nonsense. https://people.netfilter.org/pablo/netdev0.1/papers/UDP-Encapsulation-in-Lin... https://www.netdevconf.org/0.1/docs/herbert-UDP-Encapsulation-Linux.pdf may also be useful for ipsec (ESP/AH) over udp over ipv6. Whether it is only used in manual configurations or also automated with free/libre/strongSwan forks, I don't know.
Regards,
Thomas
participants (4)
- Gert Doering
- Jorma Mellin
- Michael Hock
- Thomas Schäfer