On Tue, Jul 03, 2018 at 12:47:20PM +0200, [email protected] wrote:
> >Synopsis:	iked installs ipsec flow which prevents inet6 communication
> >Category:	system
> >Environment:
> 	System      : OpenBSD 6.3
> 	Details     : OpenBSD 6.3-current (GENERIC.MP) #80: Sun Jul  1 12:22:16 MDT 2018
> 			 [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> 
> 	Architecture: OpenBSD.amd64
> 	Machine     : amd64
> >Description:
> 	iked(8), if configured for IPv4 only - or even not configured at all -
> 	installs the following ipsec flow upon startup:
> 
> 	flow esp out from ::/0 to ::/0 type deny
> 
> 	This flow effectively prevents any further IPv6 communication.
> 	Noticed this when I configured iked(8) as (IPv4) VPN gateway on my
> 	home router. Basically the whole IPv6 networking broke.
> 	I noticed this behaviour on 6.3, but it affects -current as well.
> >How-To-Repeat:
> 	ipsecctl -s flow
> 	touch /etc/iked.conf && chmod 600 /etc/iked.conf
> 	iked -dv
> 	^C
> 	ipsecctl -s flow
> >Fix:
> 	Do not use iked, if using inet6.
> 	"ipsecctl -F" or something more specific after startup might work too.
Not a bug. This behaviour is intentional and avoids VPN traffic leakage.
See RFC 7359 and the iked(8) man page. Use the -6 option (risks leakage),
or configure explicit flows for your IPv6 networks.

----------------------------
revision 1.14
date: 2012/11/29 15:08:08;  author: reyk;  state: Exp;  lines: +6 -3;
Prevent VPN traffic leakages in dual-stack hosts/networks.  See
http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.

We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to
::/0 type deny" unless the protocol is used in any of the flows.  Note
that this will block any IPv6 traffic, superseding routes and pf, on
the host by default when iked is running with IPv4 flows only.  This
auto-blocking feature can be disabled by specifying the "-6" command
line flag to iked.

Thanks to Fernando Gont.

ok mikeb@
=============================================================================
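An added audit script, not part of this thread or of OpenBSD, that reads the output of `ipsecctl -s flow` and reports which of the three states the reply describes a host is in: IPv6 auto-blocked by iked's catch-all deny flow (IPv4 flows only), explicit IPv6 flows configured (so the deny is not loaded), or no IPv6 deny present at all. The sample flow list is constructed to mimic the reporter's scenario and is not real ipsecctl output; on a live host you would feed it `"$(ipsecctl -s flow)"` instead.

```shell
#!/bin/sh
# Added example: audit the IPsec flow table for iked's automatic
# "flow esp out from ::/0 to ::/0 type deny" entry.
# SAMPLE_FLOWS is constructed (IPv4 flows only plus the auto-deny);
# it is not captured output from a real system.

SAMPLE_FLOWS='flow esp in from 10.0.0.0/24 to 192.168.1.0/24 peer 203.0.113.1 type require
flow esp out from 192.168.1.0/24 to 10.0.0.0/24 peer 203.0.113.1 type require
flow esp out from ::/0 to ::/0 type deny'

# Reads flow lines on stdin; prints "yes" if the catch-all IPv6 deny
# flow that iked installs by default is present, otherwise "no".
ipv6_deny_flow_present() {
    if grep -q '^flow esp out from ::/0 to ::/0 type deny' ; then
        echo yes
    else
        echo no
    fi
}

# Reads flow lines on stdin; prints "yes" if any flow (other than the
# auto-deny itself) carries an IPv6 source or destination network.
# Field layout assumed: flow <proto> <dir> from <src> to <dst> ...
has_ipv6_flows() {
    awk '
        /type deny/ && $5 == "::/0" && $7 == "::/0" { next }
        $5 ~ /:/ || $7 ~ /:/ { found = 1 }
        END { print (found ? "yes" : "no") }
    '
}

# Takes the full flow listing as its single argument and prints one of:
#   ipv6-auto-blocked      - IPv4 flows only; iked has blocked all IPv6
#   ipv6-flows-configured  - explicit IPv6 flows exist, no blanket deny
#   no-ipv6-deny           - no IPv6 deny flow loaded (e.g. iked -6 or not running)
audit_flows() {
    flows=$1
    deny=$(printf '%s\n' "$flows" | ipv6_deny_flow_present)
    v6=$(printf '%s\n' "$flows" | has_ipv6_flows)
    if [ "$deny" = yes ] && [ "$v6" = no ]; then
        echo ipv6-auto-blocked
    elif [ "$v6" = yes ]; then
        echo ipv6-flows-configured
    else
        echo no-ipv6-deny
    fi
}

# Demonstration on the constructed sample; prints "ipv6-auto-blocked".
audit_flows "$SAMPLE_FLOWS"
```

A result of `ipv6-auto-blocked` on a dual-stack host means the behaviour from the commit log above is in effect: every outbound IPv6 packet is dropped regardless of routes or pf, and the fix is either explicit IPv6 flows in iked.conf or, accepting the leakage risk, `iked -6`.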
