# Tunneling IPv4 over IPv6 VPN



## gkontos (Jan 31, 2013)

I am trying to tunnel IPv4 traffic over an IPv6 VPN. So far it is unsuccessful. 

Both machines are running FreeBSD 9.1-RELEASE. They are acting as gateways and they both have assigned /64 IPv6 subnets. The purpose is to encapsulate the non routable IPv4 traffic behind those gateways into the IPv6 VPN.

For the sake of simplicity I will present the configuration of the first machine. The second has exactly the reverse. (Kernels are compiled with IPsec.)

[CMD=""]#ifconfig gif0 create[/CMD]
[CMD=""]#ifconfig gif0 ipv6 tunnel xxxx:fc50:1001:5f00::86 xxxx:580:8f00:2c00::2093[/CMD]
[CMD=""]#ifconfig gif0 alias 10.10.10.4 10.1.1.3 [/CMD]

The tunnel comes up, machine a can ping machine b and vice versa.

[CMD=""]> ping 10.1.1.3[/CMD]

```
PING 10.1.1.3 (10.1.1.3): 56 data bytes
64 bytes from 10.1.1.3: icmp_seq=0 ttl=64 time=187.772 ms
64 bytes from 10.1.1.3: icmp_seq=1 ttl=64 time=184.516 ms
64 bytes from 10.1.1.3: icmp_seq=2 ttl=64 time=185.563 ms
```

security/ipsec-tools comes in to create the actual IPsec connection.

setkey.conf:


```
flush;
spdflush;
spdadd 10.1.1.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/xxxx:fc50:1001:5f00::86-xxxx:580:8f00:2c00::2093/use;
spdadd 10.10.10.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/xxxx:580:8f00:2c00::2093-xxxx:fc50:1001:5f00::86/use;
```

racoon.conf:


```
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log debug;

padding # options are not to be changed
{
    maximum_length 20;      # maximum padding length
    randomize off;          # enable randomize length
    strict_check off;       # enable strict check
    exclusive_tail off;     # extract last one octet
}

listen # address [port] that racoon will listen on
{
    isakmp xxxx:580:8f00:2c00::2093 [500];
}

timer # timing options. change as needed
{
    counter 5;              # maximum trying count to send
    interval 20 sec;        # maximum interval to resend
    persend 1;              # the number of packets per send
    phase1 60 sec;
    phase2 25 sec;
}

remote xxxx:fc50:1001:5f00::86 [500]
{
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;
    lifetime time 8 hour;
    initial_contact on;
    passive off;
    proposal_check obey;
    generate_policy off;

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous
{
    pfs_group 5;
    lifetime time 12 hour;
    encryption_algorithm blowfish,3des,des;
    # authentication_algorithm hmac_md5,hmac_sha1;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

Once the IPsec is established:


```
2013-01-31 18:02:20: DEBUG: KEYMAT computed.
2013-01-31 18:02:20: DEBUG: call pk_sendupdate
2013-01-31 18:02:20: DEBUG: encryption(blowfish)
2013-01-31 18:02:20: DEBUG: hmac(sha1)
2013-01-31 18:02:20: DEBUG: call pfkey_send_update2
2013-01-31 18:02:20: DEBUG: pfkey update sent.
2013-01-31 18:02:20: DEBUG: encryption(blowfish)
2013-01-31 18:02:20: DEBUG: hmac(sha1)
2013-01-31 18:02:20: DEBUG: call pfkey_send_add2 (NAT flavor)
2013-01-31 18:02:20: DEBUG: call pfkey_send_add2
2013-01-31 18:02:20: DEBUG: pfkey add sent.
2013-01-31 18:02:20: DEBUG: pk_recv: retry[0] recv() 
2013-01-31 18:02:20: DEBUG: got pfkey UPDATE message
2013-01-31 18:02:20: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel xxxx:580:8f00:2c00::2093[500]->xxxx:fc50:1001:5f00::86[500] spi=15238148(0xe88404)
2013-01-31 18:02:20: INFO: IPsec-SA established: ESP/Tunnel xxxx:580:8f00:2c00::2093[500]->xxxx:fc50:1001:5f00::86[500] spi=15238148(0xe88404)
2013-01-31 18:02:20: DEBUG: ===
2013-01-31 18:02:20: DEBUG: pk_recv: retry[0] recv() 
2013-01-31 18:02:20: DEBUG: got pfkey ADD message
2013-01-31 18:02:20: INFO: IPsec-SA established: ESP/Tunnel xxxx:580:8f00:2c00::2093[500]->xxxx:fc50:1001:5f00::86[500] spi=109946295(0x68da5b7)
2013-01-31 18:02:20: DEBUG: ===
```

I can only ping the IPv6 endpoints. The IPv4 simply times out. I ran a tcpdump but didn't see anything that could assist me. I suspect that my problem is in the SPD policies. I also ran into an older PR which looks similar. ipsec_output.c, though, seems different in that part.

Any help will be appreciated!


----------



## gkontos (Feb 2, 2013)

*SOLVED:*

setkey.conf


```
flush;
spdflush;
spdadd xxxx:580:8f00:2c00::2093 xxxx:fc50:1001:5f00::86 any -P out ipsec esp/transport//require;
spdadd xxxx:fc50:1001:5f00::86 xxxx:580:8f00:2c00::2093 any -P in ipsec esp/transport//require;
```


----------
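Added after the thread as an illustration, not gkontos's code and not part of ipsec-tools: a small Python checker for the two setkey.conf versions posted above. It parses only the `spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/ENDPOINTS/LEVEL;` form used in this thread and works on the text of the file; it never loads anything into the kernel SPD. Run over the first version it flags the two points a reviewer would raise: the `use` level, which lets packets leave in the clear whenever no SA exists (`require` drops them instead), and a tunnel-mode policy whose selectors are IPv4 while its outer endpoints are IPv6, which is the shape that failed here. It also checks that every `out` policy has a mirrored `in` policy. The two embedded configs are copied from the posts; the `xxxx:` prefixes are the poster's own redactions, so addresses are classified by family only and never validated.

```python
"""Sanity-check setkey(8) SPD entries of the form used in this thread.

Added example, not from the thread or from ipsec-tools. It parses only
  spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/ENDPOINTS/LEVEL;
and works on the text of setkey.conf; it never touches the kernel SPD.
"""
import re

SPDADD_RE = re.compile(
    r"^\s*spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+"
    r"-P\s+(?P<dir>in|out|fwd)\s+ipsec\s+"
    r"(?P<proto>esp|ah|ipcomp)/(?P<mode>tunnel|transport)/"
    r"(?P<endpoints>[^/]*)/(?P<level>default|use|require|unique)\s*;\s*$"
)

# Both policy sets are copied from the posts above. The xxxx: prefixes are the
# poster's redactions, so addresses are classified by family only, not validated.
ORIG_CONF = """flush;
spdflush;
spdadd 10.1.1.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/xxxx:fc50:1001:5f00::86-xxxx:580:8f00:2c00::2093/use;
spdadd 10.10.10.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/xxxx:580:8f00:2c00::2093-xxxx:fc50:1001:5f00::86/use;
"""
SOLVED_CONF = """flush;
spdflush;
spdadd xxxx:580:8f00:2c00::2093 xxxx:fc50:1001:5f00::86 any -P out ipsec esp/transport//require;
spdadd xxxx:fc50:1001:5f00::86 xxxx:580:8f00:2c00::2093 any -P in ipsec esp/transport//require;
"""


def family(addr):
    """'inet6' if the address or prefix contains a colon, else 'inet'."""
    return "inet6" if ":" in addr.split("/")[0] else "inet"


def parse_spdadd(line):
    """Return the fields of one spdadd line as a dict, or None if not in the expected form."""
    m = SPDADD_RE.match(line)
    if m is None:
        return None
    p = m.groupdict()
    ep = p.pop("endpoints")  # "A-B" for tunnel mode, "" for transport mode
    p["ep_src"], p["ep_dst"] = ep.split("-", 1) if "-" in ep else (None, None)
    return p


def check_policy(p):
    """Findings for one parsed policy; an empty list means nothing to flag."""
    findings = []
    if p["level"] == "use":
        findings.append("level 'use': packets go out in the clear whenever no SA exists; "
                        "'require' drops them instead")
    if p["mode"] == "tunnel":
        if p["ep_src"] is None:
            findings.append("tunnel mode needs outer endpoints written as A-B")
        elif family(p["src"]) != family(p["ep_src"]):
            findings.append("tunnel policy selects %s traffic but has %s outer endpoints; "
                            "the working config in this thread instead matches the gif "
                            "endpoints themselves in transport mode"
                            % (family(p["src"]), family(p["ep_src"])))
    elif p["ep_src"] is not None:
        findings.append("transport mode takes no endpoints: write esp/transport//LEVEL")
    return findings


def policies_mirror(out_p, in_p):
    """True when in_p is the exact reverse of out_p (selectors and endpoints swapped)."""
    return (
        (out_p["dir"], in_p["dir"]) == ("out", "in")
        and (out_p["src"], out_p["dst"]) == (in_p["dst"], in_p["src"])
        and (out_p["ep_src"], out_p["ep_dst"]) == (in_p["ep_dst"], in_p["ep_src"])
        and (out_p["proto"], out_p["mode"], out_p["level"])
        == (in_p["proto"], in_p["mode"], in_p["level"])
    )


def check_conf(text):
    """Map each spdadd line to its findings; key 'pairing' lists out policies with no mirror."""
    report = {}
    parsed = []
    for line in text.splitlines():
        if not line.strip().startswith("spdadd"):
            continue
        p = parse_spdadd(line)
        report[line.strip()] = ["unrecognised spdadd form"] if p is None else check_policy(p)
        if p is not None:
            parsed.append(p)
    ins = [p for p in parsed if p["dir"] == "in"]
    for o in (p for p in parsed if p["dir"] == "out"):
        if not any(policies_mirror(o, i) for i in ins):
            report.setdefault("pairing", []).append(
                "no 'in' policy mirrors out %s -> %s" % (o["src"], o["dst"]))
    return report


if __name__ == "__main__":
    for name, conf in (("original", ORIG_CONF), ("solved", SOLVED_CONF)):
        print("== %s setkey.conf ==" % name)
        for key, findings in check_conf(conf).items():
            print(key)
            for f in findings or ["ok"]:
                print("   -", f)
```

The checker looks only at the SPD text. It says nothing about racoon's algorithm lists; the posted sainfo still offers des and blowfish, and single DES is not an acceptable cipher for a production tunnel, so that list deserves the same review as the policy level.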

