[ipv6-wg] IPv6 ipsec tunnel server on linux server
Gert Doering
gert at space.net
Mon Nov 5 20:18:31 CET 2018
Hi,

On Mon, Nov 05, 2018 at 11:39:54AM +0100, Michael Hock wrote:
> I'm trying to set up an ipsec server on a linux machine. The connection
> between clients and server should be IPv6 only but also needs to transport
> IPv4 packets.
> However, the linux kernel doesn't seem to support a feature which is
> required to transport IPv4 packets within an IPv6 ipsec connection, as
> shown here:
> https://wiki.strongswan.org/issues/939
>
> Does maybe one of you know how to transport IPv4 packets in an IPv6 ipsec
> connection, or do we need to wait for the linux kernel to support this
> feature? Because this stops me from switching to IPv6 ipsec connections and
> I would like to reduce the usage of IPv4 as much as possible ...

Without wanting to understand whether Linux can actually *do* this, what you generally do is "put an intermediate tunnel header here".

So, you set up an IPv4 tunnel, with inside IPv4 addresses left and right.

Then you set up an ipv6ip (proto-41) or gre tunnel, that uses said IPv4 addresses as "tunnel source" and "tunnel destination" (tunnel endpoints).

*Then* you configure and route your IPv6 into the second tunnel.

If all works nicely together, the IPv6 packet will then first be encapsulated into IPv4 directly or in GRE-over-IPv4, and the resulting IPv4 packet will then be IPSEC encapsulated and sent out.

Now, I have no idea whether Linux can actually do that, or it will refuse the "double internal encapsulation" bit. Or if you can tell it how to nicely IPSEC-encapsulate only the relevant tunnel packets.

*I* just use OpenVPN, which learned to transport IPv6 over IPv4 roughly 9 years ago... :-)

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                   Management Board: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14     Supervisory Board Chair: A. Grundner-Culemann
D-80807 Muenchen              HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444      VAT ID: DE813185279
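The layering described in the message above, written out as iproute2 commands. This is an added example, not part of the original post and not something the poster tested; the interface names, the helper functions and every address (10.99.0.x, 2001:db8::/32 documentation space) are assumptions, and it presumes an IPsec tunnel already protects traffic between the two inner IPv4 addresses.

```shell
#!/bin/sh
# Added example: IPv6 routed into an ipv6ip (proto-41) or GRE tunnel whose
# endpoints are the inner IPv4 addresses of an existing IPsec tunnel.
# Interface names and all addresses are constructed placeholders.

# RUN=echo (default) only prints the commands; RUN= (empty) executes them as root.
RUN=${RUN-echo}

is_ipv4() {
    # Accept only dotted-quad literals: the second tunnel must terminate on the
    # inner IPv4 addresses, never on an IPv6 or outer address.
    case $1 in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

nested_tunnel() {
    mode=$1 local4=$2 remote4=$3 addr6=$4 route6=$5
    case $mode in
        sit) dev=v6sit0 ;;   # ipv6ip: IPv6 directly in IPv4, IP protocol 41
        gre) dev=v6gre0 ;;   # IPv6 in GRE over IPv4
        *) echo "mode must be sit or gre" >&2; return 2 ;;
    esac
    is_ipv4 "$local4" && is_ipv4 "$remote4" || {
        echo "tunnel endpoints must be the inner IPv4 addresses" >&2
        return 2
    }
    # Second tunnel, using the IPsec-protected IPv4 addresses as endpoints.
    $RUN ip tunnel add "$dev" mode "$mode" local "$local4" remote "$remote4" ttl 64
    $RUN ip link set "$dev" up
    # IPv6 is configured on, and routed into, the second tunnel only.
    $RUN ip -6 addr add "$addr6" dev "$dev"
    $RUN ip -6 route add "$route6" dev "$dev"
}

# Dry run with constructed values: inner IPv4 10.99.0.1 <-> 10.99.0.2.
nested_tunnel sit 10.99.0.1 10.99.0.2 2001:db8:0:1::1/64 2001:db8:100::/48
```

A capture on the outer interface should then show only ESP between the two gateways; plain proto-41 or GRE packets there mean the tunnel traffic is not being matched by the IPsec policy.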