LinuxQuestions.org
Old 08-13-2013, 01:25 PM   #1
totaluser
LQ Newbie
 
Registered: Nov 2011
Posts: 29

Rep: Reputation: Disabled
IPv6 GRE with IPSec


Hello everybody,
I want to interconnect two networks across an IPv6-only network (the Internet).
Unfortunately, on one side I only have an IPv6 address available, as there was no public IPv4 address to allocate.

so far I am running IPv4 inside IPv6 tunnel (using 2nd half of this tutorial http://linux-hacks.blogspot.sk/2008/...-ip4-ipv6.html)
I compiled ip6_tunnel.ko module for my kernel and it runs fine

one side is a Cisco router and the other is a Linux device (Raspberry Pi)

this configuration works fine for me but I was hoping for something more secure, as right now I am passing all traffic in cleartext with an IPv6 outer header and an IPv4 inner header

so my plan was to run GRE encapsulation inside the IPv6 tunnel and then turn on IPSec protection

I was searching the web and IPv6 GRE seems to be a rather new feature, available from kernel 3.7.x and newer
so I upgraded to 3.9.11, compiled ip6_gre module that I was able to load but unfortunately there seems to be no userspace tool that could benefit from it and configure it
Code:
[   14.224099] ip6_gre: GRE over IPv6 tunneling driver
Code:
ip6gre0   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          UP RUNNING NOARP  MTU:1448  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
I even tried to compile iproute2 (version iproute2-3.10.0) from sources
but it looks like IPv6 GRE is not yet supported

Code:
pi@raspberrypi:~/www/iproute2-3.10.0/ip$ ./ip -V
ip utility, iproute2-ss130716
pi@raspberrypi:~/www/iproute2-3.10.0/ip$ ./ip -6 tunnel help
Usage: ip -f inet6 tunnel { add | change | del | show } [ NAME ]
          [ mode { ip6ip6 | ipip6 | any } ]
          [ remote ADDR local ADDR ] [ dev PHYS_DEV ]
          [ encaplimit ELIM ]
          [ hoplimit TTL ] [ tclass TCLASS ] [ flowlabel FLOWLABEL ]
          [ dscp inherit ]

Where: NAME      := STRING
       ADDR      := IPV6_ADDRESS
       ELIM      := { none | 0..255 }(default=4)
       TTL       := 0..255 (default=64)
       TCLASS    := { 0x0..0xff | inherit }
       FLOWLABEL := { 0x0..0xfffff | inherit }

what do I need to configure IPv6 GRE encapsulation on a Linux device?
 
Old 08-13-2013, 02:40 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348

Rep: Reputation: Disabled
Can't you just configure IPsec in Transport Mode between the two endpoints? That will encrypt all traffic, regardless of tunnel technology. Or is there another reason you need to use GRE?
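
An added example, not part of the thread or any poster's own configuration: the transport-mode approach suggested in post #2, written as a generator for manual-keyed `ip xfrm` commands that protect only the IPv4-in-IPv6 tunnel payload (IP protocol 4) between the two endpoints. The addresses, SPIs and keys are constructed placeholders, and it assumes Linux on both ends for a lab test; an IKE daemon would normally install equivalent SAs and policies.

```shell
#!/bin/sh
# Added example: emit the "ip xfrm" commands that put ESP transport mode
# under an existing IPv4-in-IPv6 (ipip6) tunnel between two endpoints.

# xfrm_transport_cmds LOCAL REMOTE SPI_OUT SPI_IN KEY_OUT KEY_IN
# Prints commands only; review them, then pipe to "sh" as root to apply.
xfrm_transport_cmds() {
    local_addr=$1 remote_addr=$2 spi_out=$3 spi_in=$4 key_out=$5 key_in=$6

    # rfc4106(gcm(aes)) with AES-128: 16 key bytes + 4 salt bytes = 40 hex digits.
    for k in "$key_out" "$key_in"; do
        case $k in
            *[!0-9a-fA-F]*) echo "key must be hex" >&2; return 1 ;;
        esac
        [ "${#k}" -eq 40 ] || { echo "key must be 40 hex digits" >&2; return 1; }
    done
    # One key per direction: sharing a GCM key across both SAs repeats nonces.
    [ "$key_out" != "$key_in" ] || { echo "keys must differ per direction" >&2; return 1; }

    # Selector "proto 4" matches only the tunnel's IPv4-in-IPv6 payload, so
    # neighbour discovery and other traffic between the hosts is left alone.
    cat <<EOF
ip xfrm state add src $local_addr dst $remote_addr proto esp spi $spi_out mode transport aead 'rfc4106(gcm(aes))' 0x$key_out 128 sel src $local_addr dst $remote_addr proto 4
ip xfrm state add src $remote_addr dst $local_addr proto esp spi $spi_in mode transport aead 'rfc4106(gcm(aes))' 0x$key_in 128 sel src $remote_addr dst $local_addr proto 4
ip xfrm policy add src $local_addr dst $remote_addr proto 4 dir out tmpl src $local_addr dst $remote_addr proto esp mode transport
ip xfrm policy add src $remote_addr dst $local_addr proto 4 dir in tmpl src $remote_addr dst $local_addr proto esp mode transport
EOF
}

# Constructed sample values (2001:db8::/32 is the documentation prefix).
# Real keys come from a CSPRNG, never from a pattern like these.
KEY_A=00112233445566778899aabbccddeeff00112233
KEY_B=ffeeddccbbaa99887766554433221100ffeeddcc
xfrm_transport_cmds 2001:db8::1 2001:db8::2 0x1001 0x1002 "$KEY_A" "$KEY_B"
```

On the peer, call the same function with the two addresses, the two SPIs and the two keys swapped.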
 
Old 08-13-2013, 04:05 PM   #3
totaluser
LQ Newbie
 
Registered: Nov 2011
Posts: 29

Original Poster
Rep: Reputation: Disabled
well not necessarily
what you are suggesting will very likely work for me OK

since I wanted to learn something new I wanted to use IPv6 GRE and then simple tunnel protection on Cisco side instead of a bit more complex crypto-map

it does not need to be done ASAP and I have devices to play with
can IPv6 GRE be done in Linux right now or is it still a bit immature these days (seeing patches committed 10-15 days ago when googling for IPv6 GRE)?
 
Old 08-13-2013, 04:11 PM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348

Rep: Reputation: Disabled
I've never tried the IPv6 GRE module myself, because as you say, it's pretty recent. If you decide to try it, by all means report back your findings.

And keep in mind that those who live on the cutting edge tend to bleed a lot.
 
  

