I am trying to run ipsec tunnels between my home network and my VM.
So I gave the VPN FAQ a good look. I have iked running on my router and my VM (both OpenBSD amd64 machines), and I can ping IPv4 private addresses from the VM. So I will assume that part is doing great (the opposite is working too).
Trouble is, I cannot get it working on IPv6 even though I applied the same logic. And I am not sure the tunnel is used to carry the traffic between the two (there should be log entries from the VM in my main server logs. Nope).
I have (or want to have) backup, mail, DNS and logging traffic between the VM and my main server, which resides in my home network.
Here is iked.conf on my home router:
Code:
ip_dina= "89.234.141.151"
# ip_mirror is referenced as $ip_mirror below but was not defined in this file;
# added here with the router's public IPv4 as given in the VM's config
ip_mirror= "212.237.177.102"
# IPv6 policy: home /64 <-> VM /64, and home /64 <-> the VM host itself
ikev2 'mirror.22decembre.eu' passive esp \
from 2a06:4001:c7:e2::/64 to 2a00:5881:8110:2100::/64 \
from 2a06:4001:c7:e2::/64 to 2a00:5881:8110:2100::2 \
local 2a06:4000:10::c7 peer 2a00:5881:8110:2100::2 \
dstid dina.22decembre.eu \
rsa
# IPv4 policy: home 10.0/16 <-> VM 10.2/16, and home 10.0/16 <-> the VM's public IPv4
ikev2 'mirrorv4' passive esp \
from 10.0.0.0/16 to 10.2.0.0/16 \
from 10.0.0.0/16 to $ip_dina \
local $ip_mirror peer $ip_dina \
dstid dina.22decembre.eu \
rsa
And here is iked.conf on the VM:
Code:
ip_dina= "89.234.141.151"
ip_mirror= "212.237.177.102"
ip6_dina="2a00:5881:8110:2100::2"
ip6_mirror="2a06:4000:10::c7"
# IPv6 policy (initiator side): VM /64 <-> home /64, and VM host <-> home /64
ikev2 'dina.22decembre.eu' active esp \
from 2a00:5881:8110:2100::/64 to 2a06:4001:c7:e2::/64 \
from $ip6_dina to 2a06:4001:c7:e2::/64 \
local $ip6_dina peer $ip6_mirror \
dstid mirror.22decembre.eu \
rsa
# IPv4 policy (initiator side): VM 10.2/16 <-> home 10.0/16, and VM public IPv4 <-> home 10.0/16
ikev2 'dinav4' active esp \
from 10.2.0.0/16 to 10.0.0.0/16 \
from $ip_dina to 10.0.0.0/16 \
local $ip_dina peer $ip_mirror \
dstid mirror.22decembre.eu \
rsa
And indeed:
Code:
stephane@dina:/home/stephane doas ipsecctl -sa
doas (stephane@dina.22decembre.eu) password:
FLOWS:
flow esp in from 10.0.0.0/16 to 10.2.0.0/16 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp in from 10.0.0.0/16 to 89.234.141.151 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp out from 10.2.0.0/16 to 10.0.0.0/16 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp out from 89.234.141.151 to 10.0.0.0/16 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
SAD:
esp tunnel from 89.234.141.151 to 212.237.177.102 spi 0xab1351bc auth hmac-sha2-256 enc aes-256
esp tunnel from 212.237.177.102 to 89.234.141.151 spi 0xbce17b24 auth hmac-sha2-256 enc aes-256
stephane@dina:/home/stephane ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: icmp_seq=0 ttl=254 time=27.861 ms
64 bytes from 10.0.0.2: icmp_seq=1 ttl=254 time=27.363 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=254 time=29.871 ms
^C
--- 10.0.0.2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 27.363/28.365/29.871/1.084 ms
But I don't see traffic through it, nor can I figure out why IPv6 does not show up.
Thank you for help in advance.
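As an added consistency check (my own script, not from the post or from OpenBSD), the code below parses an iked.conf, expands its macros, and lists every configured from/to pair for which the FLOWS section of ipsecctl -sa holds no matching out and in flow, which is exactly the gap visible above: the IPv4 flows are installed, the IPv6 ones are not. The embedded sample is constructed from the VM config and output quoted in the post; on a real host, read the actual file and command output instead.

```python
import re

# Constructed sample input, taken from the VM's iked.conf and ipsecctl -sa as quoted in the post.
IKED_CONF = r"""
ip_dina= "89.234.141.151"
ip6_dina="2a00:5881:8110:2100::2"
ikev2 'dina.22decembre.eu' active esp \
from 2a00:5881:8110:2100::/64 to 2a06:4001:c7:e2::/64 \
from $ip6_dina to 2a06:4001:c7:e2::/64 \
local $ip6_dina peer 2a06:4000:10::c7 dstid mirror.22decembre.eu rsa
ikev2 'dinav4' active esp \
from 10.2.0.0/16 to 10.0.0.0/16 \
from $ip_dina to 10.0.0.0/16 \
local $ip_dina peer 212.237.177.102 dstid mirror.22decembre.eu rsa
"""
IPSECCTL_SA = """
FLOWS:
flow esp in from 10.0.0.0/16 to 10.2.0.0/16 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp in from 10.0.0.0/16 to 89.234.141.151 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp out from 10.2.0.0/16 to 10.0.0.0/16 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp out from 89.234.141.151 to 10.0.0.0/16 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
"""

def expected_flows(conf):
    """Expand iked.conf macros and return {policy_name: [(src, dst), ...]} from its 'from X to Y' clauses."""
    macros = dict(re.findall(r'^(\w+)\s*=\s*"([^"]*)"', conf, re.M))
    text = conf.replace("\\\n", " ")  # join backslash-continued lines into one policy line
    # KeyError on an undefined macro: iked would refuse to load such a file as well
    text = re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], text)
    return {m.group(1): re.findall(r"from (\S+) to (\S+)", m.group(2))
            for m in re.finditer(r"^ikev2\s+'([^']+)'(.*)$", text, re.M)}

def installed_flows(sa_output):
    """Return the set of (direction, src, dst) flows present in the kernel SPD."""
    return set(re.findall(r"^flow esp (in|out) from (\S+) to (\S+)", sa_output, re.M))

def missing_flows(conf, sa_output):
    """Configured flows with no matching 'out' (src->dst) or 'in' (dst->src) SPD entry."""
    have, missing = installed_flows(sa_output), []
    for name, pairs in expected_flows(conf).items():
        for src, dst in pairs:
            if ("out", src, dst) not in have:
                missing.append((name, "out", src, dst))
            if ("in", dst, src) not in have:
                missing.append((name, "in", dst, src))
    return missing

if __name__ == "__main__":
    for entry in missing_flows(IKED_CONF, IPSECCTL_SA):
        print("not installed: policy %s, flow %s from %s to %s" % entry)
```

On the sample it reports the four IPv6 flows of policy dina.22decembre.eu as not installed and nothing for dinav4.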