In this IPv6 series I’d like to tell you about my “journey” to implement the protocol. I already had some knowledge of it, but not extensively. As a first step IPv6 is implemented at home. The plan is to work my way back from home to my lab in the data-center.

The previous parts describe the basics and how to implement IPv6 in my home network using a tunneling technique called 6RD. Using the 6RD tunnel, my ISP assigned a /56 IPv6 prefix, which is awesome. Lots of subnetting possibilities.

The last one talks about obtaining a prefix and thinking through a suitable IP plan. Are you going to use DHCP, SLAAC or both. Finally it gives food for thoughts on dual stack configuration of your routers and essential services like DNS, DHCP, NTP and AAA.

Let’s go to the bits.

The series

My implementation steps will be split into several parts of which this one is the fourth. Other parts in this IPv6 series are:

Probable outline of next parts (subject to change)

  • Part 6: IPv6 with Cloud Director

Background

From my house to the lab, an IPv4 based IPSec VPN was already configured. The goal is to also be able to route IPv6 traffic to the lab in a secure way. This calls for additional configuration on the Edgerouter 6P at home and on pfSense in the lab.

The config

Currently a IPSec – Phase 1 tunnel is configured between the public IPv4 addresses of the Edgerouter and pfSense appliance. A Phase 2 tunnel connects the IPv4 subnets at home and in the lab together. So what would be the next step. Could a second Phase 2 tunnel for IPv6 traffic simply be added to the existing Phase 1, or should a new IPv6 based Phase 1 + 2 be created?

Adding a IPv6 tunnel

It sounds logically to just create an additional IPv6 based Phase 2 to the existing IPv4 based Phase 1, since the IPv6 traffic is tunneled anyway. After trying, it appeared that it depends on the IPSec implementation of the device. pfSense supports adding a IPv6 based Phase 2 to the existing IPv4 based Phase 1.

pfSense IPSec Phase 1 with IPv4 and IPv6 phase 2

Mixing IPv4 and IPv6 Phase 2 tunnels within a IPv4 based Phase 1 is not supported on the Edgerouter. The error on the Edgerouter after committing a second Phase 2 tunnel to the config is:

user@edgerouter# commit
[ vpn ]
[ vpn ipsec site-to-site peer 198.51.100.2 tunnel 2 ]
VPN configuration error: IPv6 over IPv4 IPsec is not supported

Commit failed
[edit]
user@edgerouter#

Edgerouter configuration

Due to lacking support of mixed tunnels, two Phase 1 tunnels need to be configured. My advise is to configure them using the CLI. Important parameters like IKE version, connection type and local-address are simply not available in the UI. Make sure the remote side is set to respond if the Edgerouter is configured as initiator. The working configuration is:

user@edgerouter# show vpn ipsec
 auto-firewall-nat-exclude enable
 esp-group FOO0 {
     compression disable
     lifetime 1800
     mode tunnel
     pfs dh-group14
     proposal 1 {
         encryption aes256
         hash sha256
     }
 }
 ike-group FOO0 {
     key-exchange ikev2
     lifetime 3600
     proposal 1 {
         dh-group 14
         encryption aes256
         hash sha256
     }
 }
 site-to-site {
     peer 198.51.100.2 {
         authentication {
             mode pre-shared-secret
             pre-shared-secret <SomeSecret>
         }
         connection-type initiate
         description "IPSec to Lab"
         ike-group FOO0
         ikev2-reauth inherit
         local-address 198.51.100.1
         tunnel 1 {
             esp-group FOO0
             local {
                 prefix 10.1.0.0/16
             }
             remote {
                 prefix 10.2.0.0/16
             }
         }
     }
     #pfSense IPv6 WAN IP
     peer 2001:db8:0::2 {
         authentication {
             mode pre-shared-secret
             pre-shared-secret <SomeSecret>
         }
         connection-type initiate
         description "IPSec IPv6 to Lab"
         ike-group FOO0
         ikev2-reauth inherit
         #Edgerouter IPv6 WAN IP
         local-address 2001:db8:0::1
         tunnel 1 {
             esp-group FOO0
             local {
                 prefix 2001:db8:1::/56
             }
             remote {
                 prefix 2001:db8:2::/56
             }
         }
     }
 }

The Firewall

Don’t forget to add additional IPv6 based rules into the firewall alongside the IPv4 rules to allow the needed ports. When possible, do not only allow the required IPSec port and protocol, but also configure the peer IP as source. This prevents all kinds of attacks. At least allow:

  • UDP 500 (IKE / ISAKMP)
  • IP Protocol 50 (ESP)

On my Edgerouter the WAN6_Local rule looks like:

user@edgerouter# show firewall ipv6-name WAN6_LOCAL
 default-action drop
 description "WAN6 to Router"
 rule 10 {
     action accept
     description Allow-IPSec-IKE
     destination {
         address 2001:db8:0::1
         port 500
     }
     source {
         address 2001:db8:0::2
     }
     log disable
     protocol udp
 }
 rule 20 {
     action accept
     description Allow-IPSec-ESP
     destination {
         address 2001:db8:0::1
     }
     source {
         address 2001:db8:0::2
     }
     log disable
     protocol 50
 }
 rule 30 {
     action accept
     description Allow-ICMP-from-Lab
     destination {
         address 2001:db8:0::1
     }
     log disable
     protocol icmpv6
     source {
         address 2001:db8:2::/56
     }
 }
 rule 40 {
     action drop
     description "Drop invalid state"
     state {
         invalid enable
     }
 }

As a last step add the “WAN6_Local” rule to your external facing Edgerouter interface to enable IPSec traffic. In my case it’s the 6RD tunnel interface “tun0”.

user@edgerouter# set interfaces tunnel tun0 firewall
 in {
     ipv6-name WAN6_IN
 }
 local {
     ipv6-name WAN6_LOCAL
 }

Result

When combining all of the above the result is show in the overview below.

IPSec config and phases overview

To Conclude

Finally all the (basic) configuration is now done. Using the config in this and previous parts, the goal is reached to have a fully functional IPv6 environment at home and in the lab.

This paves the way to configuring and use IPv6 in NSX-T and subsequently in Cloud Director. Watch out of the next part in the series!

Cheers, Daniël

Useful links

Wikipedia: IPsec

Wikipedia: Internet Key Exchange (IKE)


0 Comments

Leave a Reply