Hi,

I'm seeing strange effects when trying to tunnel IPv6 via a working IPv4 IPsec connection. Let me first explain my setup:

There is a home network, equipped with 192.168.10.0/24. This network is connected to the Internet using a FreeBSD 5.2 router. The internal NIC has 192.168.10.254 assigned and the machine is connected to the Internet using a tun interface.

The remote machine has one network interface connected to the Internet. The address 192.168.11.1 is bound on lo, in addition to 127.0.0.1. It is running a 2.6.0 kernel using kernel IPsec. Keying is done using racoon on both sides.

Between both machines an IPsec tunnel connecting 192.168.10.0/24 and 192.168.11.0/24 is established and proven working. I can ping and telnet from 192.168.10.x to 192.168.11.1 and vice versa. Communication uses ESP as expected. There's an MTU problem (the Linux box is ignoring PMTU packets), but this is not my point here and is fixed at the moment by setting the MTU manually.

Now the non-working part:

The FreeBSD machine at home is equipped with a gif interface. The local endpoint is 192.168.10.254 and the remote endpoint is 192.168.11.1. On the Linux box, there is a sit tunnel with local endpoint 192.168.11.1 and remote endpoint 192.168.10.254. Both endpoints share an IPv6 transfer net.

When I'm trying to ping the v6 IP on the Linux box from the FreeBSD machine, I'm seeing the following: Only ESP-protected packets are leaving the FreeBSD box. I'm able to see the ESP packets arriving at the Linux box. Tcpdumping on the tunnel interface, I'm seeing the v6 echo requests and the echo replies generated. But when sniffing on the external interface, I'm seeing the encapsulated traffic leaving the machine unencrypted! (With the correct source (192.168.11.1) and destination address (192.168.10.254).)

Why aren't these packets included in my IPsec tunnel? When I'm doing ping -I 192.168.11.1 192.168.10.254, the traffic leaves the machine encrypted as expected...

setkey -D on the Linux box shows

    192.168.10.0/24[any] 192.168.11.0/24[any] any
            in ipsec
            esp/tunnel/<IP-A>-<IP-B>/require
            created: Jan 10 14:22:47 2004  lastused:
            lifetime: 3600(s) validtime: 0(s)
            spid=6128 seq=21 pid=1383
            refcnt=2
    192.168.11.0/24[any] 192.168.10.0/24[any] any
            out ipsec
            esp/tunnel/<IP-B>-<IP-A>/require
            created: Jan 10 14:22:47 2004  lastused:
            lifetime: 3600(s) validtime: 0(s)
            spid=6137 seq=20 pid=1383
            refcnt=2

I have left out other configurations to keep this mail small, but I'll be happy to provide any information necessary to sort this issue out.

Greetings,
Thorsten
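
Added example, not part of the original message: a selector check over the two policies quoted above, showing which policy (if any) covers a given flow by direction, addresses and upper-layer protocol. The dump is a constructed copy of the post's output with the timestamp lines omitted; the function names and the use of "41" for the IPv6-in-IPv4 packets a sit tunnel emits are assumptions of this sketch, and it models only selector matching, not the kernel's actual lookup.

```python
import ipaddress
import re

# Constructed sample: the two policies from the post, tunnel endpoints left
# as the post's <IP-A>/<IP-B> placeholders.
SPD_DUMP = """\
192.168.10.0/24[any] 192.168.11.0/24[any] any
\tin ipsec
\tesp/tunnel/<IP-A>-<IP-B>/require
\tspid=6128 seq=21 pid=1383
192.168.11.0/24[any] 192.168.10.0/24[any] any
\tout ipsec
\tesp/tunnel/<IP-B>-<IP-A>/require
\tspid=6137 seq=20 pid=1383
"""

# Selector line: src/prefix[port] dst/prefix[port] upper-layer-protocol
SELECTOR = re.compile(r"^(\S+?)\[(\w+)\]\s+(\S+?)\[(\w+)\]\s+(\w+)$")

def parse_spd(dump):
    """Return one dict per policy: selector networks, protocol, direction, spid."""
    policies = []
    for line in dump.splitlines():
        m = SELECTOR.match(line)
        if m:
            policies.append({"src": ipaddress.ip_network(m.group(1)),
                             "dst": ipaddress.ip_network(m.group(3)),
                             "proto": m.group(5), "dir": None, "spid": None})
        elif policies:
            first = line.strip().split(" ")[0]
            if first in ("in", "out", "fwd"):
                policies[-1]["dir"] = first
            spid = re.search(r"spid=(\d+)", line)
            if spid:
                policies[-1]["spid"] = int(spid.group(1))
    return policies

def matching_policy(policies, direction, src, dst, proto):
    """Return the spid of the first policy whose selector covers the flow, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (p["dir"] == direction and src in p["src"] and dst in p["dst"]
                and p["proto"] in ("any", proto)):
            return p["spid"]
    return None

if __name__ == "__main__":
    spd = parse_spd(SPD_DUMP)
    print(matching_policy(spd, "out", "192.168.11.1", "192.168.10.254", "41"))
```

By selector alone, the encapsulated sit traffic from 192.168.11.1 to 192.168.10.254 falls under the same outbound policy as the working ping.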