On 05.11.18 at 11:39, Michael Hock wrote:
Hello,
I'm trying to set up an ipsec server on a Linux machine. The
connection between clients and server should be IPv6 only but also
needs to transport IPv4 packets.
However, the Linux kernel doesn't seem to support a feature which is
required to transport IPv4 packets within an IPv6 ipsec connection, as
shown here:
https://wiki.strongswan.org/issues/939
Does one of you perhaps know how to transport IPv4 packets in an IPv6
ipsec connection, or do we need to wait for the Linux kernel to
support this feature? This stops me from switching to IPv6
ipsec connections, and I would like to reduce the usage of IPv4 as much
as possible ...
I am not sure if I understand you correctly. I am also not very familiar
with ipsec and with strongswan. They are on my long to-do list... for
rainy days.
I also know there are a thousand kinds of "ipsec". I found a very old
script (2013). Some people told me this kind of ipsec may be obsolete
already. But it makes two things clear to me: you can use ipsec over IPv6 as
transport with an IPv4 or IPv4/IPv6 payload.
https://gist.github.com/vi/5628320
allows only IPv4 payload; with a little bit of rewriting I got a dual-stack
payload over IPv6 (tested between my workplace and my home ISP).
I am not sure if it helps you, but I don't see limitations in Linux at
the moment. (OK, I did not speak about dual-stack transport, but in the
worst case you can use different instances for that.)
Regards,
Thomas
--- simplevpn 2013-05-22 17:54:10.000000000 +0200
+++ simplevpn-n 2018-11-06 14:53:13.679887350 +0100
@@ -23,7 +23,7 @@
if [ "$1" == "-6" ]; then
shift;
- MODE=ipip6
+ MODE=any
PROT="-6"
fi
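Review bot: changing the `-6` branch from `MODE=ipip6` to `MODE=any` silently changes what the flag means (the ip6tnl device now accepts IPv4 and IPv6 payload instead of IPv4 only), and only this branch is touched, so dual-stack payload is available with IPv6 transport only; put a one-line comment next to `MODE=any` saying so, e.g. `# any: ip6tnl carries IPv4 (proto 4) and IPv6 (proto 41) payload`, and mention it wherever the `-6` switch is documented.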
@@ -41,6 +41,8 @@
true ${LOCALIP:="192.168.77.1"}
true ${REMOTEIP:="192.168.77.2"}
+true ${LOCALIP6:="fd00:1::1"}
+true ${REMOTEIP6:="fd00:1::2"}
true ${DEVNAME:="simplevpn"}
# 4 is encapsulated IPv4 both in IPv4 an IPv6
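Review bot: the IPv6 defaults are fine, but the trailing context comment `# 4 is encapsulated IPv4 both in IPv4 an IPv6` indicates that the xfrm policy selects protocol 4 (IPv4-in-IP) only; with `MODE=any` the tunnel also emits IPv6-in-IPv6, which is protocol 41, and unless a catch-all policy blocks it that traffic leaves the IPv6 transport without ESP. Add a `proto 41` policy per direction (or drop the `proto` selector so everything between the two endpoints is ESP-protected), and verify with `ip xfrm policy` and a capture that a ping to $REMOTEIP6 shows ESP rather than plain IPv6-in-IPv6. The comment also has a typo, `an` for `and`.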
@@ -62,7 +64,8 @@
ip link set $DEVNAME up
ip -4 addr add $LOCALIP/32 dev $DEVNAME
ip -4 route add $REMOTEIP/32 dev $DEVNAME
-
+ip -6 addr add $LOCALIP6/128 dev $DEVNAME
+ip -6 route add $REMOTEIP6/128 dev $DEVNAME
"$@" << EOF
set -e
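Review bot: besides adding the IPv6 pair, this hunk deletes the blank line that separated the device setup from the `"$@" << EOF` remote block (the lone `-` line); keep it. The address/route pair can be collapsed to `ip -6 addr add $LOCALIP6 peer $REMOTEIP6/128 dev $DEVNAME`, which installs the host route itself, and `addr replace` instead of `addr add` makes a re-run idempotent rather than failing with EEXIST.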
@@ -85,4 +88,6 @@
ip link set $DEVNAME up
ip -4 addr add $REMOTEIP/32 dev $DEVNAME
ip -4 route add $LOCALIP/32 dev $DEVNAME
+ ip -6 addr add $REMOTEIP6/128 dev $DEVNAME
+ ip -6 route add $LOCALIP6/128 dev $DEVNAME
EOF
\ No newline at end of file
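Review bot: the remote block runs under `set -e`, so if `ip -6 addr add` fails on the far end (IPv6 disabled on that host, or the address still present from a previous run) the script aborts after the IPv4 address and route have already been installed, leaving the peer half configured; use `ip -6 addr replace $REMOTEIP6 peer $LOCALIP6/128 dev $DEVNAME` as suggested for the local side, or check the return code and undo the IPv4 lines. The new file also loses its trailing newline (`\ No newline at end of file`); restore it.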