ipv6 via ipsec tunnel


ipv6 via ipsec tunnel

Otto Moerbeek
Hi,

So I have a little IPv6 problem.

I have a machine in colocation that has IPv6. I have my home cable
modem connection that does not have it.

So I thought: I make my own tunnel. First I tried gif(4), that worked,
but only after some fighting with mtu settings on all hosts on my home
net via rad.  Performance was kinda bad. So I'm looking for an
alternative. I thought: IPSEC should be able to do this.

I have a flow from my locally created IPv6 net to any and vice versa.
The flow itself works.

There I ran into the trouble that you cannot specify a default
gateway, since my remote gw (the host in colo) it is not reachable
according to route(8).

How does one solve the default route problem?  I never really
understood how routing works in the presence of IPSEC flows.

        -Otto


Re: ipv6 via ipsec tunnel

Claudio Jeker
On Thu, Mar 14, 2019 at 10:36:58AM +0100, Otto Moerbeek wrote:

> [...]
> There I ran into the trouble that you cannot specify a default
> gateway, since my remote gw (the host in colo) it is not reachable
> according to route(8).
>
> How does one solve the default route problem?  I never really
> understood how routing works in the presence of IPSEC flows.
>

IPSec flows steal the traffic away before it is being sent out. You still
need routes in place to get to this point though. In your case adding a
dummy default route should work. Never tried, but I think you should be
able to use the loopback for this and add a route like 'route add -inet6
default ::1'. Also don't forget to enable net.inet6.ip6.forwarding.

--
:wq Claudio


Re: ipv6 via ipsec tunnel

Janne Johansson-3
On Thu, Mar 14, 2019 at 10:48, Claudio Jeker <[hidden email]> wrote:
> On Thu, Mar 14, 2019 at 10:36:58AM +0100, Otto Moerbeek wrote:
> > How does one solve the default route problem?  I never really
> > understood how routing works in the presence of IPSEC flows.
>
> IPSec flows steal the traffic away before it is being sent out. You still
> need routes in place to get to this point though. In your case adding a
> dummy default route should work. Never tried but I think you should be
> able to use the loopback for this and add a route like 'route add -inet6
> default ::1' also don't forget to enable net.inet6.ip6.forwarding

I remember having to do exactly this for a similar scenario a long time
ago to bring IPv6 home over a v4-only setup.

--
May the most significant bit of your life be positive.


Re: ipv6 via ipsec tunnel

Otto Moerbeek
On Thu, Mar 14, 2019 at 10:43:03AM +0100, Claudio Jeker wrote:

> [...]
> IPSec flows steal the traffic away before it is being sent out. You still
> need routes in place to get to this point though. In your case adding a
> dummy default route should work. Never tried but I think you should be
> able to use the loopback for this and add a route like 'route add -inet6
> default ::1' also don't forget to enable net.inet6.ip6.forwarding
>

Indeed, that seems to work. Thanks,

        -Otto


Re: ipv6 via ipsec tunnel

Claudio Jeker
On Thu, Mar 14, 2019 at 11:46:10AM +0100, Otto Moerbeek wrote:

> [...]
> Indeed, that seems to work. Thanks,
>

You may need to use pf to block the routed IPv6 traffic on the loopback,
or you may end up with a routing loop when the IPsec flow is not present.
You can use a 2nd loopback or maybe even a vether(4) and use the link
local address as the default gateway; then dropping this traffic should be
trivial.

--
:wq Claudio
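
The setup discussed in this thread (an IPsec flow that intercepts matching
packets in the output path, a dummy IPv6 default route so the route lookup
succeeds at all, forwarding enabled, and something that drops the traffic
when the flow is absent) as an added configuration example. It is not part
of the thread and not OpenBSD's own documentation. It assumes OpenBSD on
both ends with isakmpd(8) driven by ipsec.conf(5) and a pre-shared key; the
addresses (home gateway 192.0.2.10, colo host 198.51.100.1, home prefix
2001:db8:1::/64) and the secret are placeholders. Instead of the ::1 route
Otto confirmed works, it uses the vether(4) variant Claudio suggests, so the
drop rule does not depend on removing `set skip on lo` from the default
pf.conf.

```conf
# ===== Home gateway (behind the v4-only cable modem) =====

# /etc/ipsec.conf
# Placeholder addresses and key; replace with the real endpoints and prefix.
home_v4 = "192.0.2.10"        # public IPv4 of the home gateway
colo_v4 = "198.51.100.1"      # public IPv4 of the colo host
home_v6 = "2001:db8:1::/64"   # IPv6 prefix used on the home LAN

# Tunnel-mode ESP over IPv4 carrying the home prefix to and from anywhere.
# The resulting flow grabs matching packets inside ip6_output, before the
# chosen interface ever transmits them, so the IPv6 next hop configured
# below never has to be a reachable router.
ike esp from $home_v6 to ::/0 \
    local $home_v4 peer $colo_v4 \
    psk "replace-with-a-long-random-secret"

# /etc/sysctl.conf
# LAN hosts use this box as their router, so it must forward IPv6.
net.inet6.ip6.forwarding=1

# /etc/hostname.vether0
# Dummy link that exists only so that a default route can be installed.
# Nothing is bridged to it, so anything transmitted here goes nowhere;
# fe80::2 is a deliberately non-existent neighbour on that link.
inet6 fe80::1 64
up
!route -qn add -inet6 default fe80::2%vether0

# /etc/pf.conf (excerpt)
# If the flow is missing (isakmpd down, SA expired, config error), packets
# fall through to the dummy route instead of the tunnel. Drop them
# explicitly, and log them, instead of letting them pile up waiting for
# neighbour discovery on a dead link. Traffic that the flow does catch is
# handed to the IPsec code before this rule and is not affected by it.
block drop out log quick on vether0 inet6

# /etc/rc.conf.local
# -K: isakmpd takes its policy from ipsecctl (ipsec.conf), not isakmpd.conf.
isakmpd_flags=-K
ipsec=YES

# ===== Colo host (native IPv6; the home prefix is routed to it) =====

# /etc/ipsec.conf
home_v4 = "192.0.2.10"
colo_v4 = "198.51.100.1"
home_v6 = "2001:db8:1::/64"

# Mirror image of the home side. The colo host already has a real IPv6
# default route, so no dummy route is needed; the flow steals packets for
# the home prefix before they would be sent towards that default.
ike passive esp from ::/0 to $home_v6 \
    local $colo_v4 peer $home_v4 \
    psk "replace-with-a-long-random-secret"

# /etc/sysctl.conf
net.inet6.ip6.forwarding=1

# /etc/rc.conf.local
isakmpd_flags=-K
ipsec=YES
```

To check the result on the home gateway: `ipsecctl -sa` should list the two
flows (out from the home prefix to ::/0, in the reverse direction) plus the
ESP SAs; `route -n show -inet6` should show the default via fe80::2%vether0;
and `tcpdump -ni enc0` shows the IPv6 packets as they enter and leave the
tunnel. To exercise the failure mode, stop isakmpd and send IPv6 from a LAN
host: the packets should then appear on `tcpdump -ni pflog0` as blocked on
vether0, with no looping and no traffic leaving in the clear. Whether a
`-blackhole` route would do the same job is left open in the thread, so
the example does not rely on it.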


Re: ipv6 via ipsec tunnel

Sebastian Benoit-3
Claudio Jeker([hidden email]) on 2019.03.14 11:53:29 +0100:

> [...]
> You may need to use pf to block the routed IPv6 traffic on the loopback
> or you may end up with a routing loop when the IPsec flow is not present.
> You can use a 2nd loopback or maybe even a vether(4) and use the link
> local address as the default gateway then dropping this traffic should be
> trivial.

Why not "route add -inet6 default ::1 -blackhole" ?



Re: ipv6 via ipsec tunnel

Claudio Jeker-3
On Thu, Mar 14, 2019 at 09:06:12PM +0100, Sebastian Benoit wrote:

> [...]
> > You may need to use pf to block the routed IPv6 traffic on the loopback
> > or you may end up with a routing loop when the IPsec flow is not present.
> > You can use a 2nd loopback or maybe even a vether(4) and use the link
> > local address as the default gateway then dropping this traffic should be
> > trivial.
>
> Why not "route add -inet6 default ::1 -blackhole" ?
>

Because that would drop the packets in the forwarding path before hitting
the ipsec code. At least I thought this was the case. If that works, even
better :)

--
:wq Claudio


Re: ipv6 via ipsec tunnel

David Gwynne-5

> On 14 Mar 2019, at 19:36, Otto Moerbeek <[hidden email]> wrote:
> [...]
> So I thought: I make my own tunnel. First I tried gif(4), that worked,
> but only after some fighting with mtu settings on all hosts on my home
> net via rad.  Performance was kinda bad. So I'm looking for an
> alternative. I thought: IPSEC should be able to do this.
> [...]
> How does one solve the default route problem?  I never really
> understood how routing works in the presence of IPSEC flows.

Can you elaborate on what gif and slow meant? Also, you should be able to use gif with whatever MTU you want, even 1500 on the gif interface and fragments over the internet. You could also try gre, but I doubt it would be different to gif in terms of performance and support for MTU/fragmentation.

If you want ipsec and routes, you would still use a tunnel and get IPsec to protect it. Or you could trick someone into making something like Cisco's vti a thing in OpenBSD.

dlg


Re: ipv6 via ipsec tunnel

Otto Moerbeek
On Fri, Mar 15, 2019 at 04:15:55PM +1000, David Gwynne wrote:

> [...]
> Can you elaborate on what gif and slow meant? Also, you should be able to use gif with whatever MTU you want, even 1500 on the gif interface and fragments over the internet. You could also try gre, but I doubt it would be different to gif in terms of performance and support for MTU/fragmentation.
>
> If you want ipsec and routes, you would still use tunnel and get IPsec to protect it. Or you could trick someone into making something like Cisco's vti a thing in OpenBSD.
>
> dlg

gif tunnel:

ifconfig gif0 inet6 2a02:898:216:3::2 2a02:898:216:3::1 prefixlen 128

and vice versa on the other end.

So gif tunnel with default options. With that it showed an mtu of
1280 in ifconfig so I assumed that would be the max. I have a
200 Mb/s cable connection. Downloading IPv4 I reach that. With IPv6
often it would be 10% of that. Plus it would only work reliably if the
hosts in my net use an mtu of 1280 (manually or via rad).

I now have an ipsec tunnel and that does 55 Mb/s (APU2 on both
ends) without any need for config on the hosts in my local net.

        -Otto


Re: ipv6 via ipsec tunnel

David Gwynne-5


> On 15 Mar 2019, at 16:37, Otto Moerbeek <[hidden email]> wrote:
> [...]
> So gif tunnel with default options. With that it showed an mtu of
> 1280 in ifconfig so I assumed that would be the max. I have a
> 200 Mb/s cable connection. Downloading IPv4 I reach that. With IPv6
> often it would be 10% of that. Plus it would only work reliably if the
> hosts in my net use an mtu of 1280 (manually or via rad).

I wonder why PMTUD isn't working in this situation.

> I now have a ipsec tunnel and that does 55 Mb/s (APU2 on both
> ends) without any need for config on the hosts in my local net.

Did you have to clamp your internal MTU for that to work too?

dlg


Re: ipv6 via ipsec tunnel

Otto Moerbeek
On Fri, Mar 15, 2019 at 04:44:52PM +1000, David Gwynne wrote:

> [...]
> Did you have to clamp your internal MTU for that to work too?

Nope, like I said nothing special. I run rand without any options on
the gw and just inet6 autoconf on the hosts.



Re: ipv6 via ipsec tunnel

Otto Moerbeek
On Fri, Mar 15, 2019 at 07:48:55AM +0100, Otto Moerbeek wrote:

> [...]
> Nope, like I said nothing special. I run rand without any options on

Make that rad(8)

> the gw and just inet6 autoconf on the hosts.