DaemonForums  

#1 - 12th February 2020 - 22decembre
ipsec tunnels (ipv4/6)

I am trying to run ipsec tunnels between my home network and my VM.

So I gave the VPN FAQ a good look. I have iked running on my router and my VM (both OpenBSD amd64 machines). And I can ping ipv4 private addresses from the VM. So I will assume that part is doing great (the opposite is working too).

Trouble is I cannot get it working on ipv6 even though I applied the same logic. And I am not sure the tunnel is used to carry the traffic between the two (there should be log entries from the VM in my main server logs. Nope).

I have (or want to have) backup, mail, dns and logging traffic between the VM and my main server which resides in my home network.

Here is iked.conf on my home router:

Code:
ip_dina= "89.234.141.151"
ip_mirror= "212.237.177.102"   # referenced by the 'mirrorv4' policy below; value taken from the VM's iked.conf

ikev2 'mirror.22decembre.eu' passive esp \
        from 2a06:4001:c7:e2::/64 to 2a00:5881:8110:2100::/64 \
        from 2a06:4001:c7:e2::/64 to 2a00:5881:8110:2100::2 \
        local 2a06:4000:10::c7 peer 2a00:5881:8110:2100::2 \
        dstid dina.22decembre.eu \
        rsa

ikev2 'mirrorv4' passive esp \
        from 10.0.0.0/16 to 10.2.0.0/16 \
        from 10.0.0.0/16 to $ip_dina \
        local $ip_mirror peer $ip_dina \
        dstid dina.22decembre.eu \
        rsa
And here is iked.conf on the VM:

Code:
ip_dina= "89.234.141.151"
ip_mirror= "212.237.177.102"
ip6_dina="2a00:5881:8110:2100::2"
ip6_mirror="2a06:4000:10::c7"

ikev2 'dina.22decembre.eu' active esp \
        from 2a00:5881:8110:2100::/64 to 2a06:4001:c7:e2::/64 \
        from  $ip6_dina  to 2a06:4001:c7:e2::/64 \
        local $ip6_dina peer $ip6_mirror \
        dstid mirror.22decembre.eu \
        rsa

ikev2 'dinav4' active esp \
        from  10.2.0.0/16  to 10.0.0.0/16 \
        from $ip_dina to 10.0.0.0/16 \
        local $ip_dina peer $ip_mirror \
        dstid mirror.22decembre.eu \
        rsa
And indeed:

Code:
stephane@dina:/home/stephane doas ipsecctl -sa
doas (stephane@dina.22decembre.eu) password:
FLOWS:
flow esp in from 10.0.0.0/16 to 10.2.0.0/16 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp in from 10.0.0.0/16 to 89.234.141.151 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp out from 10.2.0.0/16 to 10.0.0.0/16 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp out from 89.234.141.151 to 10.0.0.0/16 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require

SAD:
esp tunnel from 89.234.141.151 to 212.237.177.102 spi 0xab1351bc auth hmac-sha2-256 enc aes-256
esp tunnel from 212.237.177.102 to 89.234.141.151 spi 0xbce17b24 auth hmac-sha2-256 enc aes-256
stephane@dina:/home/stephane ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: icmp_seq=0 ttl=254 time=27.861 ms
64 bytes from 10.0.0.2: icmp_seq=1 ttl=254 time=27.363 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=254 time=29.871 ms
^C
--- 10.0.0.2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 27.363/28.365/29.871/1.084 ms
But I don't see traffic through it nor can I figure out why ipv6 does not show up.

Thank you for help in advance.
#2 - 12th February 2020 - jggimi
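As an added diagnostic example (not code from the original post), a small Python script that parses the `ipsecctl -sa` output quoted above and, for each ikev2 policy in the VM's iked.conf, reports which selectors have no installed outbound flow and whether any SA of that address family exists. The sample text is copied from the post and POLICIES is transcribed from the VM's config; the output shows only the IPv4 policy negotiated, which is exactly the symptom described.

```python
import ipaddress
import re

# Sample copied from the `ipsecctl -sa` output quoted in the post (FLOWS and SAD sections only).
SAMPLE = """FLOWS:
flow esp in from 10.0.0.0/16 to 10.2.0.0/16 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp in from 10.0.0.0/16 to 89.234.141.151 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp out from 10.2.0.0/16 to 10.0.0.0/16 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp out from 89.234.141.151 to 10.0.0.0/16 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require

SAD:
esp tunnel from 89.234.141.151 to 212.237.177.102 spi 0xab1351bc auth hmac-sha2-256 enc aes-256
esp tunnel from 212.237.177.102 to 89.234.141.151 spi 0xbce17b24 auth hmac-sha2-256 enc aes-256
"""

# The VM's two ikev2 policies from the post, as (from, to) selector pairs.
POLICIES = {
    "dina.22decembre.eu": [("2a00:5881:8110:2100::/64", "2a06:4001:c7:e2::/64"),
                           ("2a00:5881:8110:2100::2", "2a06:4001:c7:e2::/64")],
    "dinav4": [("10.2.0.0/16", "10.0.0.0/16"),
               ("89.234.141.151", "10.0.0.0/16")],
}

FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) peer (\S+)")
SA_RE = re.compile(r"^esp tunnel from (\S+) to (\S+) spi (0x[0-9a-f]+)")

def net(s):
    # ipsecctl prints host selectors without a prefix length; normalise both forms to a network.
    return ipaddress.ip_network(s, strict=False)

def parse_ipsecctl(text):
    """Return (flows, sas): flows as a set of (dir, src_net, dst_net), sas as a list of (src, dst, spi)."""
    flows, sas = set(), []
    for line in text.splitlines():
        if m := FLOW_RE.match(line):
            flows.add((m.group(1), net(m.group(2)), net(m.group(3))))
        elif m := SA_RE.match(line):
            sas.append((net(m.group(1)), net(m.group(2)), m.group(3)))
    return flows, sas

def check_policies(policies, flows, sas):
    """Per policy: selectors with no installed outbound flow, and whether an SA of that address family exists."""
    report = {}
    for name, pairs in policies.items():
        family = net(pairs[0][0]).version
        missing = [(s, d) for s, d in pairs if ("out", net(s), net(d)) not in flows]
        has_sa = any(src.version == family for src, _, _ in sas)
        report[name] = {"missing_out_flows": missing, "sa_established": has_sa}
    return report
```

Flows and SAs only appear once iked has negotiated the IKE_SA and CHILD_SA for a policy, so a policy with no flows points at a failed negotiation (check `iked -dv` output on both peers) rather than a routing problem. `ipsecctl -sa` shows no traffic counters; to confirm that packets actually traverse the tunnel, watch the enc(4) interface with `tcpdump -n -i enc0`.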
I can't help directly, but I noticed a recent change to IPv6 with iked(8) in the Following -current FAQ. As of January 10, automatic blocking of unencrypted IPv6 was removed. Are you running -current?
#3 - 12th February 2020 - 22decembre

The VM at least is. Should I migrate the router to current too in order to avoid misconfiguration there too?
#4 - 12th February 2020 - jggimi

This is a change in function for unencrypted packets. I don't know enough about iked() to know if there would be any difference.