
Assume I have two networks, A and B, on sites either side of the globe. Both have native IPv6 and are using (hypothetically) just IPv6. IPv4 no longer exists. They can both access the internet natively as IPv6 and use IPv6 hosts. Their IPv6 addresses are all globally routable. So, notwithstanding firewall rules, each host in network A can reach each host in network B and vice versa.

How would I set up IPSec to secure traffic between those two networks?

In an IPv4 world I would set up an IPSec tunnel between two firewalls at each site or use GRE tunnelling or similar.

But how would I do this in an all-IPv6 world? Is there something intrinsic in IPv6 that makes this easier? Ideally I want to configure this just on the firewalls/routers at each site. I don't want to have to set up transport mode IPSec on each and every host within each network.

FWIW, I use OpenBSD for my routing/firewalling/ipsec needs, so any specifics with that would be helpful, but a general answer to how IPv6 / IPSec deal with this scenario would also be good.

  • Why don't you set up an IPSec tunnel between the two sites? – Michael Hampton Sep 22 '15 at 21:59
  • `IPv4 no longer exists.` I like the way you are thinking. – kasperd Sep 26 '15 at 16:00
  • I've done this with sonicwalls and it works as you'd expect, add the source/destination networks to a vpn tunnel, set the source/destination IPv6 interface addresses of the WAN interfaces. Note, the VPN was configured for the Public side IPv6 address, not the Internal IPv6 address (they are not the same subnet but still globally unique addresses) – Jacob Evans Oct 10 '16 at 14:00

2 Answers

I haven't tested this, but I don't see the difference between IPv4 and IPv6. The lack of private IPs may be confusing you, but otherwise it should be the same. I guess you are setting up the tunnel with racoon, so I'll skip that. The rest can be done under Linux with ipsec-tools/setkey.

Off the top of my head, I guess you need two SPD entries, one inbound and one outbound. Something like this should do the job:

# Outbound: inner packets from the local /64 to the remote /64 are
# encapsulated in ESP from the local endpoint to the remote endpoint.
spdadd 2a01:1111:2222:3333::/64 2a01:1111:2222:3334::/64 any -P out ipsec
    esp/tunnel/2a01:1111:2222:1::1-2a01:1111:2222:1::2/require;

# Inbound: with "-P in" the tunnel endpoints are written remote-local,
# because they describe the outer ESP packet as it arrives (src-dst).
spdadd 2a01:1111:2222:3334::/64 2a01:1111:2222:3333::/64 any -P in ipsec
    esp/tunnel/2a01:1111:2222:1::2-2a01:1111:2222:1::1/require;

Where:

  • 2a01:1111:2222:3333::/64 is your local net
  • 2a01:1111:2222:3334::/64 is your remote net
  • 2a01:1111:2222:1::1 is your local endpoint
  • 2a01:1111:2222:1::2 is your remote endpoint

P.S. Make sure you pass -6 if you use hostnames.

V13
  • I have tried setting this up, using the same approach as IPv4... and yes I guess the lack of private IPs may have been throwing me. But the problem I am having is that packets are going from the source to dest without being sent through the tunnel. – Matt Hamilton Sep 23 '15 at 21:16
  • I guess I don't understand what you mean by tunnel here. Is it the IPsec tunnel, or is it another (e.g. GRE) tunnel? If it's a GRE tunnel then you'll need to use the tunnel's addresses for the endpoints. Otherwise, IPsec will do the job and packets from (e.g.) 2a01:1111:2222:3333::/64 will exit with an IP address of 2a01:1111:2222:1::1. If that's not the case then you should post more information about your setup. – V13 Sep 23 '15 at 21:49
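The two SPD entries in this answer are mirror images of each other, and site B's gateway needs the same pair with local and remote swapped. The generator below is an added example (not code from the answer, setkey or any project); it builds the four policy lines from the answer's documentation prefixes, reverses the outer tunnel endpoints for the inbound direction, and refuses link-local or ULA endpoints, since the question's premise is that both gateways are reachable on globally routable addresses. The `Site` class and `make_site`/`spd_entries`/`tunnel_config` helpers are hypothetical names chosen for this example.

```python
"""Generate setkey(8) SPD entries for an IPv6 site-to-site ESP tunnel.

Added example; the prefixes below are the ones used in the answer.
Nothing here talks to the kernel: it only produces text for `setkey -f`.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    network: ipaddress.IPv6Network   # prefix behind this site's gateway
    endpoint: ipaddress.IPv6Address  # gateway address used as outer ESP src/dst


def make_site(name: str, network: str, endpoint: str) -> Site:
    """Parse the textual addresses; strict=True rejects host bits in the prefix."""
    return Site(name,
                ipaddress.IPv6Network(network, strict=True),
                ipaddress.IPv6Address(endpoint))


def check_routable(site: Site) -> None:
    """Tunnel endpoints must be reachable across the internet, so reject
    link-local (fe80::/10) and unique-local (fc00::/7) gateway addresses."""
    if not site.endpoint.is_global:
        raise ValueError(f"{site.name}: endpoint {site.endpoint} is not globally routable")
    if site.network.is_link_local:
        raise ValueError(f"{site.name}: network {site.network} is link-local")


def spd_entries(local: Site, remote: Site) -> list[str]:
    """SPD lines to load on `local`'s gateway.

    Outbound: inner src = local net, inner dst = remote net, and the outer
    ESP packet runs local endpoint -> remote endpoint.
    Inbound: everything is reversed, including the endpoint pair, because
    for "-P in" the pair describes the outer packet as it arrives.
    """
    check_routable(local)
    check_routable(remote)
    outbound = (f"spdadd {local.network} {remote.network} any -P out ipsec\n"
                f"    esp/tunnel/{local.endpoint}-{remote.endpoint}/require;")
    inbound = (f"spdadd {remote.network} {local.network} any -P in ipsec\n"
               f"    esp/tunnel/{remote.endpoint}-{local.endpoint}/require;")
    return [outbound, inbound]


def tunnel_config(a: Site, b: Site) -> dict[str, str]:
    """Policy file contents for both gateways; B's file is A's mirror image."""
    return {a.name: "\n".join(spd_entries(a, b)),
            b.name: "\n".join(spd_entries(b, a))}


if __name__ == "__main__":
    site_a = make_site("A", "2a01:1111:2222:3333::/64", "2a01:1111:2222:1::1")
    site_b = make_site("B", "2a01:1111:2222:3334::/64", "2a01:1111:2222:1::2")
    for gateway, text in tunnel_config(site_a, site_b).items():
        print(f"# gateway {gateway}\n{text}\n")
```

The SPD only says which traffic must be protected; the SAs themselves still come from the IKE daemon (racoon in this answer) or from manual `add` lines, and a policy with `/require` drops matching traffic until an SA exists, which is the behaviour to check first when packets appear to bypass the tunnel.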
You can use exactly the same technique as with IPv4. I guess OpenBSD lacks VTI/st technology in its stack, so gre or gif would be just fine. And yes, there's one thing that makes it easier: local scope addresses on the interfaces (however, you could use just any addresses). In the IPv4 world you need to assign AF_INET addresses on each end for the routing to be working, but in the IPv6 world routing works just fine using local scope addresses, including OSPF. This is a working recipe; I've been using IPv6 GREs on FreeBSD for several years.

The legacy IPSec scheme should work too, but yeah, it's way obsolete now because of the routing complications that it causes.

drookie