Hi people,

I am having a few problems getting routing of IPv6 over IPSec to work. I
have two nodes, one is a server, one is my laptop. On the server, I have
IPv6 access over a gif interface. There is a /64 routed to the server,
which I want to use on my laptop.

I have now set up an IPSec tunnel between my laptop and the server, with
the following configuration, in /etc/ipsec.conf:

# on my laptop
unobtanium_v6 = "2001:470:1f0b:1d3::/64"
ike esp from any to $unobtanium_v6 peer unobtanium.de \
        main auth hmac-sha1 enc aes-256 \
        quick auth hmac-sha1 enc aes-256 \
        psk "secretkey" \
        tag IPSEC-UNO

# on the server
unobtanium_v6 = "2001:470:1f0b:1d3::/64"

ike passive esp from $unobtanium_v6 to any \
        main auth hmac-sha1 enc aes-256 \
        quick auth hmac-sha1 enc aes-256 \
        psk "Sahpeque2quieC8e" \
        tag IPSEC-UNO

The link between both machines seems to be up and running. On both
machines, I have configured a bridge with the link2 flag set, which
according to the manpage causes IPSec traffic to be sent over the
bridge. The bridges each have a vether device in them, with addresses in
the subnet in the ipsec.conf.

Pinging the other side of the tunnel works fine, as does other direct
traffic, but only if it does not originate from the link-local address
of the vether device.

Using tcpdump on pflog0 with a "pass log inet6" in /etc/pf.conf does
not show anything. Shouldn't traffic at least show up in pf?

What did I miss? Using "from any to any" does not change the situation
at hand.

-- 
    Gregor Best
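As an added illustration (not part of the post or of OpenBSD's ipsec.conf handling), a small Python model of how the two `from`/`to` selectors in the configuration above classify a packet, using the /64 from the post; the flow tuples, helper names and sample addresses are assumptions, and the model is a simplification of the kernel's flow database.

```python
import ipaddress

# The /64 from the post's ipsec.conf; the flow tuples below are an assumed,
# simplified model of its two "ike ... from X to Y" lines (None means "any").
UNOBTANIUM_V6 = ipaddress.ip_network("2001:470:1f0b:1d3::/64")
LAPTOP_FLOW = (None, UNOBTANIUM_V6)   # ike esp from any to $unobtanium_v6
SERVER_FLOW = (UNOBTANIUM_V6, None)   # ike passive esp from $unobtanium_v6 to any


def selector_matches(selector, addr):
    """A selector of None is 'any'; otherwise the address must lie in the prefix."""
    return selector is None or addr in selector


def matching_directions(flow, src, dst):
    """Return which directions ('out', 'in') a src/dst pair satisfies for a flow.

    'out': src matches the from-selector and dst the to-selector; 'in' is the
    mirror image. Both can match when src and dst sit in the same /64.
    """
    frm, to = flow
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    found = []
    if selector_matches(frm, src) and selector_matches(to, dst):
        found.append("out")
    if selector_matches(frm, dst) and selector_matches(to, src):
        found.append("in")
    return tuple(found)


def source_scope(src):
    """Flag source addresses that cannot be expected to travel beyond one link."""
    a = ipaddress.ip_address(src)
    if a.is_link_local:
        return "link-local"
    if a.is_loopback or a.is_unspecified:
        return "non-routable"
    return "unicast"


def check_packet(src, dst):
    """Diagnostic: how each end's flow sees a packet, plus the source scope."""
    return {
        "laptop": matching_directions(LAPTOP_FLOW, src, dst),
        "server": matching_directions(SERVER_FLOW, src, dst),
        "source_scope": source_scope(src),
    }


if __name__ == "__main__":
    # Constructed sample: laptop host ::2, server host ::1, and a link-local source.
    for src, dst in [("2001:470:1f0b:1d3::2", "2001:470:1f0b:1d3::1"),
                     ("fe80::1", "2001:470:1f0b:1d3::1")]:
        print(src, "->", dst, check_packet(src, dst))
```

The second sample shows the case from the post: a link-local source is accepted by the laptop's "from any" selector but is flagged as link-local scope, which a routed tunnel cannot carry meaningfully.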
