New Member
Posts: 2
Registered: ‎02-14-2018

IPSEC VTI over ipv6 | Local-address ipv6 not used

Hi,

As a new user of ubnt products, I'm trying to set up an IPSEC VPN over IPv6 using VTI. My IPsec packets will carry IPv4 unicast packets.

I have followed some tutorials on the KB, but none work with IPv6. All configuration commits reject the "local-address" line. Do you have any hint regarding this issue?

Please find below my VPN setup:

vpn {
     ipsec {
         auto-firewall-nat-exclude enable
         esp-group FOO0 {
             lifetime 3600
             pfs enable
             proposal 1 {
                 encryption aes128
                 hash sha1
             }
         }
         ike-group FOO0 {
             dead-peer-detection {
                 action restart
                 interval 15
                 timeout 30
             }
             key-exchange ikev1
             lifetime 28800
             proposal 1 {
                 dh-group 2
                 encryption aes128
                 hash sha1
             }
         }
+        site-to-site {
+            peer 2a06:8bc0:XXX:XXXX:: {
+                authentication {
+                    mode pre-shared-secret
+                    pre-shared-secret XXXXXXXXX
+                }
+                connection-type initiate
+                description TEST
+                ike-group FOO0
+                local-address 2a01:e35:2e10:a3d0:f29f:c2ff:fe11:d8b0
+                vti {
+                    bind vti0
+                    esp-group FOO0
+                }
+            }
+        }
     }

When I commit, I get the following messages:

Error: an IP address is expected rather than "2a01:e35:2e10:a3d0:f29f:c2ff:fe11:d8b0"
Cannot find device "vti0"
Cannot find device "vti0"
Cannot find device "vti0"
sysctl: cannot stat /proc/sys/net/ipv4/conf/vti0/disable_policy: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv4/conf/vti0/disable_xfrm: No such file or directory

Thanks.

Ubiquiti Employee
Posts: 2,919
Registered: ‎05-08-2017
Kudos: 521
Solutions: 416

Re: IPSEC VTI over ipv6 | Local-address ipv6 not used

Currently, the VTI interfaces only support IPv4 addressing, which means you can only use VTI tunnels with IPv4 site-to-site VPNs. If you want to tunnel IPv4 traffic over IPv6, then it is possible to use either SIT or GRE tunnels.


Ben


Ben Pin | Ubiquiti Support
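
A pre-commit check for the limitation described in the reply above, as an added example that is not from Ubiquiti or from either poster: it scans an EdgeOS-style site-to-site block and reports peers that bind a VTI while using an IPv6 peer address or local-address. The function names and the sample addresses (documentation ranges) are assumptions.

```python
import ipaddress
# Constructed sample in the layout of the question's config; addresses are
# placeholders from the documentation ranges, not values from the thread.
SAMPLE = """
site-to-site {
    peer 2001:db8:1:: {
        local-address 2001:db8:2::10
        vti {
            bind vti0
        }
    }
    peer 192.0.2.1 {
        vti {
            bind vti1
        }
    }
}
"""

def is_ipv6(text):
    try:
        return ipaddress.ip_address(text).version == 6
    except ValueError:  # masked or malformed address
        return False

def vti_ipv6_conflicts(config):
    """Return (peer, reason) pairs for peers that bind a VTI but use IPv6."""
    peers, stack = {}, []  # per-peer settings; names of the open blocks
    for raw in config.splitlines():
        line = raw.strip().lstrip("+").strip()  # drop the uncommitted-change marker
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            if stack[-1].startswith("peer "):
                peers[stack[-1][5:]] = {"vti": None, "local": None}
        elif line == "}":
            del stack[-1:]  # close the innermost block (no-op if unbalanced)
        elif line:
            peer = next((s[5:] for s in stack if s.startswith("peer ")), None)
            key, _, value = line.partition(" ")
            if peer and key == "local-address":
                peers[peer]["local"] = value
            elif peer and key == "bind" and stack[-1:] == ["vti"]:
                peers[peer]["vti"] = value
    findings = []
    for peer, info in peers.items():
        for label, addr in (("peer address", peer), ("local-address", info["local"])):
            if info["vti"] and addr and is_ipv6(addr):
                findings.append((peer, label + " is IPv6"))
    return findings
```

An empty result means no peer combines a VTI binding with IPv6 addressing; masked addresses that do not parse are not reported.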

New Member
Posts: 2
Registered: ‎02-14-2018

Re: IPSEC VTI over ipv6 | Local-address ipv6 not used

Ok, so only GRE tunnels will be accepted.
After some checks on Linux kernels, the vti6 module exists in kernels but is not supported on ubnt.

Can GRE tunnels be offloaded?
And can NAT on a GRE tunnel be offloaded?
I will run some IPv6/GRE/NAT performance tests.

Thanks.