# IPv4-over-(IPv6 IPsec tunnel)
## mutemule (Jan 2, 2015)

I'm working on some IPsec tunnels between myself and some remote networks.  I'm using FreeBSD 10.1-RELEASE-p3, while the remote is on a current release of RouterOS (Mikrotik).  We currently have two IPsec links, one IPv4 for IPv4 subnets, and one IPv6 for IPv6 subnets.  IKE is done over IKEv1 with Racoon (we suspect Racoon on both ends).  I am not using any gif(4) interfaces.  This configuration is working just fine.

We're trying to update our configurations so that we have a single set of SAs for the IPv6 endpoints, and route the IPv4 traffic over this tunnel.  This seems to work on the remote end, but does not work on mine.

My policies:

```
spdadd 10.0.0.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/dead::beef-bad::f00d/require;
spdadd 192.168.0.0/24 10.0.0.0/24 any -P in ipsec esp/tunnel/bad::f00d-dead::beef/require;
```
I've been testing by flushing everything and watching local IPsec traffic and racoon logs.  I see that my end correctly initializes Phase 1 negotiation as soon as I ping a remote IPv4 endpoint encompassed by the policy, and the SAs are successfully negotiated and implemented.  However, I do not see any ESP traffic generated as a result of my ICMP traffic, whereas I do see ingress ESP from the remote end when ICMP traffic is generated from a remote subnet.  Note that I seem to not be decrypting this traffic.

I've tried enabling filtertunnel, but it either appears to be broken again, or I just don't know how to enable it, so I don't have full visibility into what's going on in the IPsec innards.  I have also looked over PR 169438 and confirmed it exists in 10.1, and I'm running that code.

Is it possible to route IPv4 traffic over an IPv6 IPsec tunnel?  What am I doing wrong?

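The pair of policies quoted above has to satisfy two mirror conditions before anything else is worth debugging: the inbound selector must be the outbound selector with source and destination swapped, and the inbound tunnel endpoints must be the outbound endpoints swapped. The following is an added example, not code from the post or from FreeBSD's setkey(8): a small parser for the `spdadd ... -P DIR ipsec esp/tunnel/A-B/LEVEL;` shape (and only that shape) that checks a pair for those mirror properties and reports the inner and outer address families, so an IPv4-selector/IPv6-endpoint policy is visible at a glance. The two "good" lines are the ones from the post; the third line is a constructed, deliberately wrong variant in which the tunnel endpoints were copied without being swapped.

```python
"""Consistency check for a setkey(8) spdadd tunnel-mode policy pair.

Added example; not part of the original post. Parses only lines of the form
  spdadd SRC DST PROTO -P in|out ipsec esp/tunnel/TSRC-TDST/LEVEL;
The sample policies below are the two from the post plus one constructed
bad inbound policy whose tunnel endpoints were not swapped.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Hyphen separates tunnel endpoints; neither IPv4 nor IPv6 literals contain one.
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+"
    r"-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"(?P<ipsec>esp|ah)/tunnel/(?P<tsrc>[^-\s]+)-(?P<tdst>[^/\s]+)/(?P<level>\w+)\s*;?\s*$"
)


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network | ipaddress.IPv6Network
    dst: ipaddress.IPv4Network | ipaddress.IPv6Network
    proto: str
    direction: str
    ipsec: str
    tunnel_src: ipaddress.IPv4Address | ipaddress.IPv6Address
    tunnel_dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    level: str


def parse_spdadd(line: str) -> Policy:
    """Parse one tunnel-mode spdadd line; raise ValueError on anything else."""
    m = SPDADD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a tunnel-mode spdadd line: {line!r}")
    return Policy(
        src=ipaddress.ip_network(m["src"], strict=False),
        dst=ipaddress.ip_network(m["dst"], strict=False),
        proto=m["proto"],
        direction=m["dir"],
        ipsec=m["ipsec"],
        tunnel_src=ipaddress.ip_address(m["tsrc"]),
        tunnel_dst=ipaddress.ip_address(m["tdst"]),
        level=m["level"],
    )


def families(line: str) -> tuple[int, int]:
    """Return (inner selector IP version, outer tunnel IP version)."""
    p = parse_spdadd(line)
    return (p.src.version, p.tunnel_src.version)


def check_pair(out_line: str, in_line: str) -> list[str]:
    """Return a list of problems with an out/in policy pair; empty means consistent."""
    out_p, in_p = parse_spdadd(out_line), parse_spdadd(in_line)
    problems: list[str] = []
    if out_p.direction != "out" or in_p.direction != "in":
        problems.append("directions are not out/in")
    if out_p.src.version != out_p.dst.version or in_p.src.version != in_p.dst.version:
        problems.append("inner src/dst selectors mix address families")
    if out_p.tunnel_src.version != out_p.tunnel_dst.version:
        problems.append("tunnel endpoints mix address families")
    if in_p.src != out_p.dst or in_p.dst != out_p.src:
        problems.append("inner selectors are not mirrored")
    if in_p.tunnel_src != out_p.tunnel_dst or in_p.tunnel_dst != out_p.tunnel_src:
        problems.append("tunnel endpoints are not mirrored")
    if (out_p.proto, out_p.ipsec, out_p.level) != (in_p.proto, in_p.ipsec, in_p.level):
        problems.append("upper protocol, ipsec protocol or level differ between directions")
    return problems


# The two policies quoted in the post.
POST_OUT = "spdadd 10.0.0.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/dead::beef-bad::f00d/require;"
POST_IN = "spdadd 192.168.0.0/24 10.0.0.0/24 any -P in ipsec esp/tunnel/bad::f00d-dead::beef/require;"
# Constructed bad variant: endpoints copied from the out policy without swapping.
BAD_IN = "spdadd 192.168.0.0/24 10.0.0.0/24 any -P in ipsec esp/tunnel/dead::beef-bad::f00d/require;"

if __name__ == "__main__":
    print("post pair:", check_pair(POST_OUT, POST_IN) or "consistent")
    print("inner/outer families:", families(POST_OUT))
    print("bad pair:", check_pair(POST_OUT, BAD_IN))
```

Run it as-is to see the post's pair reported as consistent (inner family 4, outer family 6) and the constructed pair flagged for unmirrored tunnel endpoints. Once the policies pass this check, the remaining question is whether the kernel actually matches outbound IPv4 packets against an IPv6 tunnel endpoint, which this script cannot answer; `setkey -DP` and `setkey -D` on the box are the next things to read.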