Re: [pfSense] Why can't we define a point-to-point OpenVPN using only IPv6?

2016-05-24 Thread Chris Buechler
On Tue, May 24, 2016 at 11:57 AM, Olivier Mascia wrote:
>> On 24 May 2016, at 17:56, Doug Lytle wrote:
>>
>>> Is the IPv4 requirement something that's planned to be removed in future
>>> releases?
>>>
>>> I don't assume many people have adopted IPv6 yet.
>>
>> Ensuring stable, robust and complete IPv6 (+IPv4) support was and is
>> the primary goal for 2.4
>>
>> IPv6-only was a non-goal so far, so nobody invested time into it yet -
>> but of course, eventually nobody wants to bother with IPv4 anymore :-)
>>
>> Realistically, though, there's more pressing things to work on - like
>> cipher negotiation (so you can upgrade encryption without having to
>> roll out new configs to all your clients), actually *releasing* 2.4, etc.
>
> You're going too far compared to what I asked: I'm not asking for IPv6 only 
> support.
> It just is that I have a need to create an OpenVPN tunnel between two sites 
> only transporting IPv6

He's just quoting a post to the OpenVPN list on said topic. You can
transport only IPv6 across an OpenVPN tunnel, but you'll need an IPv4
tunnel network defined even if you don't use it. Requirement of
OpenVPN.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Why can't we define a point-to-point OpenVPN using only IPv6?

2016-05-24 Thread Olivier Mascia
> On 24 May 2016, at 17:56, Doug Lytle wrote:
> 
>> Is the IPv4 requirement something that's planned to be removed in future
>> releases?
>> 
>> I don't assume many people have adopted IPv6 yet.
> 
> Ensuring stable, robust and complete IPv6 (+IPv4) support was and is
> the primary goal for 2.4
> 
> IPv6-only was a non-goal so far, so nobody invested time into it yet -
> but of course, eventually nobody wants to bother with IPv4 anymore :-)
> 
> Realistically, though, there's more pressing things to work on - like
> cipher negotiation (so you can upgrade encryption without having to
> roll out new configs to all your clients), actually *releasing* 2.4, etc.

You're going too far compared to what I asked: I'm not asking for IPv6-only 
support.
It just is that I have a need to create an OpenVPN tunnel between two sites 
only transporting IPv6 (I have *another* tunnel using IPsec between these 2 
sites for IPv4, but I'm fixing whatever bugs held me from successfully 
tunneling IPv6 between those two sites through IPsec by adding another 
IPv6-only tunnel using OpenVPN).

For sure a world without IPv4 is not for tomorrow, I don't think this is a goal 
in itself either.

Though, IPv6 is *very* important in significant portions of the world *today* 
(and *yesterday* too).
Generally I have no real problems with pfSense with IPv6. The software is 
excellent (and the labeled hardware too).
Except recently between an old 2.2.2 (which I can't upgrade to 2.2.6 or 2.3.x) 
and a 2.3.x which gave me headaches trying to get IPv6 to get through IPsec. I 
finally abandoned the idea of it between those two sites.

Oh, side note: since the initial post I *could* set up the IPv6-only 
site-to-site tunnel. I just had to use a trick, giving OpenVPN an IPv4 tunnel 
subnet as it insisted on, but did not declare any local or remote IPv4 subnets 
(to route between sites). Works for me, both tunnels (IPsec IPv4 and OpenVPN 
IPv6) are now happily living next to each other. That's a temporary solution 
for 1 to 3 months, then the old site with 2.2.2 will disappear. Of course the 
downside of this trick is that my IPv6 traffic is so much slower through 
OpenVPN than through IPsec. It is even asymmetric: A to B is 10 times faster 
(about 200 Mbps) than B to A (about 20 Mbps when sun shines, ~15 Mbps in other 
times) through the OpenVPN tunnel. The IPv4 is much better served through the 
IPsec tunnel (similar speeds both ways, and they're at about 500 Mbps, 
sometimes a little bit higher). I know from a previous discussion here why 
there is this speed difference between IPsec and OpenVPN.

Thanks !
-- 
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om
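
The workaround described in the message above, written out as plain OpenVPN directives for both ends. This is an added example, not taken from the thread or from the configuration pfSense generates. It assumes a shared-key point-to-point tunnel on OpenVPN 2.3; every address, host name, prefix and the key path is a constructed placeholder.

```conf
# ---------- Site A (listening end) ----------
dev tun
proto udp
port 1194
tun-ipv6                          # needed on OpenVPN 2.3; ignored by 2.4 and later
secret /path/to/shared.key        # placeholder path to the static key
cipher AES-256-CBC                # assumption: set explicitly instead of the 2.3 default
auth SHA256

# IPv4 tunnel network: OpenVPN insists on it, but nothing is routed over it.
ifconfig 10.99.0.1 10.99.0.2

# IPv6 tunnel addresses: local address/prefix length, then the peer.
ifconfig-ipv6 fd00:99::1/64 fd00:99::2

# Only the remote IPv6 LAN is routed through the tunnel.
# There is deliberately no IPv4 "route" directive.
route-ipv6 2001:db8:b::/48

# ---------- Site B (connecting end) ----------
dev tun
proto udp
remote sitea.example.net 1194     # placeholder host name for site A
tun-ipv6
secret /path/to/shared.key
cipher AES-256-CBC
auth SHA256

# Mirror image of site A's tunnel addresses.
ifconfig 10.99.0.2 10.99.0.1
ifconfig-ipv6 fd00:99::2/64 fd00:99::1

# Route site A's IPv6 LAN; again no IPv4 "route" directive.
route-ipv6 2001:db8:a::/48
```

The unused IPv4 tunnel addresses still exist on the tunnel interface at both ends, so the firewall rules on that interface should pass only the intended IPv6 prefixes.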




Re: [pfSense] Why can't we define a point-to-point OpenVPN using only IPv6?

2016-05-24 Thread Doug Lytle
The below was recently posted on the OpenVPN mailing list:

"Hi,

On Wed, May 04, 2016 at 03:44:45PM -0400, Ryan Whelan wrote:
> Is the IPv4 requirement something that's planned to be removed in future
> releases?
> 
> I don't assume many people have adopted IPv6 yet.

Ensuring stable, robust and complete IPv6 (+IPv4) support was and is
the primary goal for 2.4

IPv6-only was a non-goal so far, so nobody invested time into it yet -
but of course, eventually nobody wants to bother with IPv4 anymore :-)

Realistically, though, there's more pressing things to work on - like
cipher negotiation (so you can upgrade encryption without having to
roll out new configs to all your clients), actually *releasing* 2.4, etc.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany"