IPv6 design, deployment, standards, and best practices.
totaluser (Member; Posts: 217; Joined: Sun Mar 13, 2011 3:03 pm; Certs: CCNA, CCNP, CCDA)

IPv6 GRE with IPSec on LINUX

Wed Aug 14, 2013 1:27 pm

Hello everybody,
I want to interconnect two networks across an IPv6-only network (the Internet).
Unfortunately, on one side I only have an IPv6 address available, as there was no public IPv4 address to allocate.

So far I am running IPv4 inside an IPv6 tunnel (using the 2nd half of this tutorial: http://linux-hacks.blogspot.sk/2008/02/howto-ipv6-ipv6-tunnel-and-ip4-ipv6.html).
I compiled the ip6_tunnel.ko module for my kernel and it runs fine.

One side is a Cisco router and the other one is a Linux device (Raspberry Pi).

This configuration works fine for me, but I was hoping for something more secure, as now I am passing all traffic in cleartext with an IPv6 outer header and an IPv4 inner header.

So my plan was to run GRE encapsulation inside the IPv6 tunnel and then turn on IPSec protection.

I was searching the web and IPv6 GRE seems to be a rather new feature, available from kernel 3.7.x and newer.
So I upgraded to 3.9.11 and compiled the ip6_gre module, which I was able to load, but unfortunately there seems to be no userspace tool that could benefit from it and configure it.
Code:
[   14.224099] ip6_gre: GRE over IPv6 tunneling driver

Code:
ip6gre0   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          UP RUNNING NOARP  MTU:1448  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

I even tried to compile iproute2 (version iproute2-3.10.0) from sources,
but it looks like IPv6 GRE is not yet supported, only ip6ip6 and ipip6.

Code:
pi@raspberrypi:~/www/iproute2-3.10.0/ip$ ./ip -V
ip utility, iproute2-ss130716
pi@raspberrypi:~/www/iproute2-3.10.0/ip$ ./ip -6 tunnel help
Usage: ip -f inet6 tunnel { add | change | del | show } [ NAME ]
          [ mode { ip6ip6 | ipip6 | any } ]
          [ remote ADDR local ADDR ] [ dev PHYS_DEV ]
          [ encaplimit ELIM ]
          [ hoplimit TTL ] [ tclass TCLASS ] [ flowlabel FLOWLABEL ]
          [ dscp inherit ]

Where: NAME      := STRING
       ADDR      := IPV6_ADDRESS
       ELIM      := { none | 0..255 }(default=4)
       TTL       := 0..255 (default=64)
       TCLASS    := { 0x0..0xff | inherit }
       FLOWLABEL := { 0x0..0xfffff | inherit }



What do I need to configure IPv6 GRE encapsulation on a Linux device?

Basically it looks like the kernel module is loaded and creates the default interface, but the user-space tools do not offer IPv6 GRE as an option.

thanks in advance
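
An added illustration, not part of the original post: a small Python parser showing what an on-path observer can read from the outer IPv6 packet for the three layerings the post mentions (IPv4-in-IPv6, GRE over IPv6 without IPsec, and ESP). All addresses, the GRE key, the SPI and the packet bytes are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
import struct

IPV4_IN_IP, GRE, ESP, DSTOPTS = 4, 47, 50, 60  # IANA protocol numbers

def ipv6(next_header, payload, src="2001:db8::1", dst="2001:db8::2"):
    """Build a minimal 40-byte IPv6 header plus payload (constructed data)."""
    return (struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)

def ipv4(src="192.0.2.10", dst="198.51.100.20"):
    """Build a bare 20-byte IPv4 header, checksum left zero (constructed data)."""
    return (struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 17, 0)
            + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed)

def inner_addrs(buf):
    return {"inner_src": str(ipaddress.IPv4Address(buf[12:16])),
            "inner_dst": str(ipaddress.IPv4Address(buf[16:20]))}

def observe(packet):
    """Return the fields an on-path observer can read from one outer IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, body = packet[6], packet[40:]
    if nh == DSTOPTS and len(body) >= 8:
        # The tunnel encapsulation limit travels in a Destination Options header.
        nh, body = body[0], body[(body[1] + 1) * 8:]
    if nh == IPV4_IN_IP and len(body) >= 20:
        return {"encap": "ipip6", **inner_addrs(body)}
    if nh == GRE and len(body) >= 4:
        flags, proto = struct.unpack("!HH", body[:4])
        off = 4 + 4 * bin(flags & 0xB000).count("1")  # optional C, K, S fields
        info = {"encap": "ip6gre", "gre_proto": proto}
        if proto == 0x0800 and len(body) >= off + 20:
            info.update(inner_addrs(body[off:]))
        return info
    if nh == ESP and len(body) >= 8:
        spi, seq = struct.unpack("!II", body[:8])
        return {"encap": "esp", "spi": spi, "seq": seq}  # the rest is ciphertext
    return {"encap": "other", "next_header": nh}

def constructed_samples():
    """Three constructed packets: the current tunnel, plain GRE, and ESP."""
    dstopt = bytes([IPV4_IN_IP, 0, 4, 1, 4, 1, 1, 0])  # encaplimit 4 + PadN
    gre_hdr = struct.pack("!HHI", 0x2000, 0x0800, 42)  # K bit set, key 42
    return {"ipip6": ipv6(DSTOPTS, dstopt + ipv4()),
            "ip6gre": ipv6(GRE, gre_hdr + ipv4()),
            "esp": ipv6(ESP, struct.pack("!II", 0x1000, 1) + bytes(40))}
```

Running `observe()` over the values of `constructed_samples()` returns the inner IPv4 addresses for both the IPv4-in-IPv6 and the GRE packet; for the ESP packet only the SPI and sequence number are readable.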
