Hello,
I'm messing with IPv6 over IPSEC on ER-X and I obviously need some help...
My goal is to grab a slice (/64) for my local ER-X of the /56 prefix I have on a server hosted in a datacenter. This server is under my control and it runs Debian 8. StrongSwan is configured on it and it serves an IPv4/IPv6 tunnel to my roaming devices.
So what I would like to do is to get this /64 locally and advertise it via my ER-X, as my ISP doesn't offer IPv6 yet. Also, privacy over the "eyeball-dedicated" pipe the ISP is selling to me.
I don't want IPv4 over the tunnel, just IPv6. And I would like to have it without further encapsulation: raw IPSEC IPv6 support, if possible. (also because this is how my hosted server is currently configured)
And I'm NAT'ed... I can't get rid of the ISP modem/router. The best I can do is to put the ER-X in a DMZ and choose a fixed private address for my ER-X's WAN port. My ISP public address is not fixed by contract, but it just doesn't change. Yet I want to avoid putting it into my settings, just in case.
The *only* IPv4 address I own for sure is the hosted server's one.
As of today, and after messing a while with the CLI layer and some include files, I can reach the IPv6 Internet from the ER-X, but once my IPSEC tunnel is up, my LAN clients can't ping6 the switch interface anymore, nor can they reach the IPv6 Internet.
No firewall yet on IPv6 (I have one up and running on the hosted server).
IPSEC on the ER-X seems to route *all* the packets toward ::/0, *or* switch0 is also bound to the IPSEC tunnel. I'm not sure, not skilled enough on the matter, obviously.
Please note I had a hard time making IPSEC happy while matching Traffic Selectors; the partial presence of IPv4 addresses made it quite picky. I had to put far too many IPv6 settings into .conf files for my taste. Simply put, having only the left/right IPv6 subnets properly set on both sides will make it willing to establish a child based on IPv4.
Here are the relevant configuration messy details:
ipsec.conf on the hosted server... (again, it gets a /56)
    rekey=no
    keyexchange=ikev2
    auto=route
    type=tunnel
    authby=secret
    mobike=no
    leftid=vpn.hostedserver
    left=IPv4_Server,2001:db8:cafe:200::1
    leftsubnet=::/0
    right=%any
    rightid=erx.athome
    rightsourceip=2001:db8:cafe:222::254
    rightsubnet=2001:db8:cafe:222::/64
On the ER-X router...
# show interfaces switch
    switch switch0 {
        address 10.0.10.1/24
        address 2001:db8:cafe:222::1/64
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 1360
                managed-flag false
                max-interval 300
                other-config-flag false
                prefix 2001:db8:cafe:222::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }

# show protocols
    static {
        interface-route6 ::/0 {
            next-hop-interface eth0 {
            }
        }
    }

(It seems IPSEC is doing its own job here, but it shouldn't hurt to have it explicitly configured...)
On the below, I use include-ipsec-secrets temporarily, to avoid the bug related to remote-id/id.
And I also use include-ipsec-conf to specify IPv6-only subnets, as the CLI won't allow me such heresy: "VPN configuration error: IPv6 over IPv4 IPsec is not supported". I understand I'm sitting on an edge use case here.
# show vpn
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group EdgeOS {
            compression disable
            lifetime 3600
            mode tunnel
            pfs disable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group EdgeOS {
            dead-peer-detection {
                action restart
                interval 30
                timeout 60
            }
            ikev2-reauth no
            key-exchange ikev2
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha1
            }
        }
        include-ipsec-conf /config/auth/ipsec.conf
        include-ipsec-secrets /config/auth/ipsec.secrets
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer IPv4_Server {
                authentication {
                    id erx.athome
                    mode pre-shared-secret
                    pre-shared-secret ANiceTemporaySecret
                    remote-id vpn.hostedserver
                }
                connection-type initiate
                description "Toolbox IPsec VPN"
                ike-group EdgeOS
                ikev2-reauth inherit
                local-address any
                tunnel 0 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group EdgeOS
                }
            }
        }
    }

Again, far too many "details" to make a match.

$ cat /config/auth/ipsec.conf
    conn %default
        leftsubnet=2001:bc8:3c32:222::/64
        rightsubnet=::/0
        mobike=no
        leftsourceip=2001:bc8:3c32:222::254
Now some statuses on the ER-X once IPSEC is up...
$ show interfaces
    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
    Interface    IP Address                        S/L  Description
    ---------    ----------                        ---  -----------
    eth0         192.168.1.95/24                   u/u  WAN
                 2001:db8:cafe:222::254/128
    eth1         -                                 u/D
    eth2         -                                 u/u
    eth3         -                                 u/D
    eth4         -                                 u/D
    lo           127.0.0.1/8                       u/u
                 ::1/128
    switch0      10.0.10.1/24                      u/u
                 2001:db8:cafe:222::1/64

# netstat -6 -r
    Kernel IPv6 routing table
    Destination                        Next Hop   Flag Met  Ref Use  If
    ::/0                               ::         U    1024 0   0    eth0
    ::/0                               ::         !n   -1   1   2472 lo
    2001:db8:cafe:222::254/128         ::         U    256  0   0    eth0
    2001:db8:cafe:222::/64             ::         U    256  0   0    switch0
    fe80::/64                          ::         U    256  0   0    switch0
    fe80::/64                          ::         U    256  0   0    eth2
    fe80::/64                          ::         U    256  0   0    eth0
    ::/0                               ::         U    1024 0   0    eth0
    ::/0                               ::         !n   -1   1   2472 lo
    ::1/128                            ::         Un   0    1   12   lo
    2001:db8:cafe:222::/128            ::         Un   0    1   0    lo
    2001:db8:cafe:222::1/128           ::         Un   0    1   471  lo
    2001:db8:cafe:222::254/128         ::         Un   0    1   72   lo
    fe80::/128                         ::         Un   0    1   0    lo
    fe80::/128                         ::         Un   0    1   0    lo
    fe80::/128                         ::         Un   0    1   0    lo
    fe80::xxxx:xxff:fexx:xxxx/128      ::         Un   0    1   0    lo
    fe80::xxxx:xxff:fexx:xxxx/128      ::         Un   0    1   0    lo
    fe80::xxxx:xxff:fexx:xxxx/128      ::         Un   0    1   223  lo
    ff00::/8                           ::         U    256  0   0    switch0
    ff00::/8                           ::         U    256  0   0    eth2
    ff00::/8                           ::         U    256  0   0    eth0
    ::/0                               ::         !n   -1   1   2472 lo
Extract from ipsec statusall...

    Routed Connections:
    peer-IPv4_Server-tunnel-0{1}:  ROUTED, TUNNEL
    peer-IPv4_Server-tunnel-0{1}:   2001:db8:cafe:222::/64 === ::/0
    Security Associations (1 up, 0 connecting):
    peer-IPv4_Server-tunnel-0[1]: ESTABLISHED 79 minutes ago, 192.168.1.95[erx.athome]...IPv4_Server[vpn.hostedserver]
    peer-IPv4_Server-tunnel-0[1]: IKEv2 SPIs: 999999999999_i* 66666666666_r, rekeying in 6 hours
    peer-IPv4_Server-tunnel-0[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    peer-IPv4_Server-tunnel-0{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: qwerty_i azerty_o
    peer-IPv4_Server-tunnel-0{1}:  AES_CBC_256/HMAC_SHA1_96, 4400 bytes_i (55 pkts, 283s ago), 9180 bytes_o (81 pkts, 280s ago), rekeying in 7 minutes
    peer-IPv4_Server-tunnel-0{1}:   2001:db8:cafe:222::/64 === ::/0
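Added example, not part of the original post: a small model of the Linux IPsec policy (XFRM) lookup, fed with the traffic selectors shown in the status output above (2001:db8:cafe:222::/64 === ::/0), to check the "switch0 is also bound to the tunnel" hypothesis. With auto=route strongSwan installs an out policy (leftsubnet to rightsubnet) plus in and fwd policies (rightsubnet to leftsubnet); because rightsubnet is ::/0, the router's own LAN prefix is inside both selectors, so a cleartext packet from a LAN client to the switch0 address hits an inbound policy that demands IPsec and is dropped, and the router's reply matches the out policy and is tunnelled to the hosted server. The bypass policy added in the second set is what a strongSwan `type=passthrough` conn with leftsubnet=rightsubnet=2001:db8:cafe:222::/64 would install; the priority numbers, the client address and the remote address are constructed for illustration, and whether EdgeOS's include-ipsec-conf lets such a conn through is an assumption the post does not confirm.

```python
# Added example (not from the original post): model of the kernel's XFRM
# policy lookup using the selectors from the post. Priorities, CLIENT and
# REMOTE are constructed values; real strongSwan derives priorities from
# the selector prefix lengths (narrower selector = better priority).
from ipaddress import ip_address, ip_network

LAN = "2001:db8:cafe:222::/64"   # leftsubnet on the ER-X, from the post
ANY6 = "::/0"                    # rightsubnet on the ER-X, from the post


class Policy:
    """One XFRM policy: direction, src/dst selector, action and priority
    (lower number wins, as in `ip xfrm policy`)."""

    def __init__(self, direction, src, dst, action, priority):
        assert direction in ("in", "out", "fwd")
        assert action in ("ipsec", "allow")
        self.direction = direction
        self.src = ip_network(src)
        self.dst = ip_network(dst)
        self.action = action
        self.priority = priority

    def matches(self, direction, src, dst):
        return (self.direction == direction
                and ip_address(src) in self.src
                and ip_address(dst) in self.dst)


def strongswan_policies(leftsubnet, rightsubnet, action, priority):
    """The three policies strongSwan installs for one conn with auto=route:
    out (left -> right), in and fwd (right -> left)."""
    return [
        Policy("out", leftsubnet, rightsubnet, action, priority),
        Policy("in", rightsubnet, leftsubnet, action, priority),
        Policy("fwd", rightsubnet, leftsubnet, action, priority),
    ]


def verdict(policies, direction, src, dst, protected=False):
    """Classify a packet the way the kernel policy check does.
    'tunnel'    outbound packet will be ESP-encapsulated
    'drop'      cleartext in/fwd packet that a policy says must be IPsec
    'deliver'   ESP-protected packet matching its policy
    'cleartext' no policy applies, or an allow (bypass) policy wins"""
    hits = [p for p in policies if p.matches(direction, src, dst)]
    if not hits:
        return "cleartext"
    best = min(hits, key=lambda p: p.priority)
    if best.action == "allow":
        return "cleartext"
    if direction == "out":
        return "tunnel"
    return "deliver" if protected else "drop"


# Policies as the post's ipsec.conf produces them on the ER-X
# (leftsubnet=LAN, rightsubnet=::/0); priority constructed.
AS_POSTED = strongswan_policies(LAN, ANY6, "ipsec", priority=2000)

# Same, plus a narrower LAN<->LAN bypass, as a strongSwan `type=passthrough`
# conn with leftsubnet=rightsubnet=LAN would install; it gets the better
# (lower) priority because its selectors are more specific.
WITH_BYPASS = AS_POSTED + strongswan_policies(LAN, LAN, "allow", priority=1000)

CLIENT = "2001:db8:cafe:222::abcd"   # constructed LAN host
SWITCH0 = "2001:db8:cafe:222::1"     # router's switch0 address from the post
REMOTE = "2001:db8::53"              # constructed host on the IPv6 internet


def lan_flows(policies):
    """The three flows described in the post, seen from the ER-X."""
    return {
        "client->switch0 (cleartext, in)": verdict(policies, "in", CLIENT, SWITCH0),
        "switch0->client (out)": verdict(policies, "out", SWITCH0, CLIENT),
        "client->internet (forwarded, out)": verdict(policies, "out", CLIENT, REMOTE),
    }


if __name__ == "__main__":
    for name, pols in (("as posted", AS_POSTED), ("with LAN bypass", WITH_BYPASS)):
        print(name)
        for flow, result in lan_flows(pols).items():
            print(f"  {flow:36s} -> {result}")
```

On the router itself, `ip -6 xfrm policy` lists the policies actually installed and `ip -6 xfrm state` the SAs; if the model is right, the XfrmInNoPols / XfrmInTmplMismatch counters in /proc/net/xfrm_stat climb while a LAN client pings the switch0 address. The model does not cover the server side: even with a LAN bypass, client-to-internet traffic still has to be accepted by the hosted server's ::/0 <-> /64 policy and routed back, which is a separate thing to verify.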