# Passthrough for proper IPv6 Neighbor Discovery (RFC 4861)
#
# The unicast Neighbor Advertisement reply message must be sent
# in plaintext) even if we have an IPsec SA for the destination,
# because the other end might have crashed or rebooted and lost
# its IPsec SA with our end. It will use IPv6 Neighbor Discovery
# to find our end again. Without this policy hole, the neighbor
# discovery answer packet is caught by the kernel and encrypted.
# As a result, the rebooted end won't be able to find us and won't
# be able to send us an IKE packet to re-establish the IPsec SA.
#
# While the Neighbor Solicitation is multicast and would not
# be caught by the IPsec stack, we use it in the configuration
# to limit the range of ipv6-icmp covered. In a way, this would
# only need to be an outbound SA, but SAs come in bundles, so we
# need an inbound SA as well. Leaving protoport empty or set to
# any ipv6-icmp would cause us to send out more unencrypted traffic,
# which would be dropped once the IPsec SA has re-established.
# So we set the inbound protoport to ipv6-icmp Neighbor Advertisement.
# (solution by Jaroslav Aster)
#
# Configuration
#
# ipv6-icmp Neighbor Solicitation is Type 135, Code 0.
# ipv6-icmp Neighbor Advertisement is Type 136, Code 0.
# As per RFC 4301/5996, icmp type is put in the most significant 8 bits
# and the icmp code in the least significant 8 bits of the port field.
# proto is 58 (ipv6-icmp)
# type = 135 (0x87) or 136 (0x88)
# code = 0 (0x00)
# so "port" in protoport is 0x8700 (34560) for Neighbor Solicitation.
# so "port" in protoport is 0x8800 (34816) for Neighbor Advertisement.
conn v6neighbor-hole-in
	# Policy-only exception: no IKE and no SA are ever negotiated for this
	# conn; it simply keeps Neighbor Discovery in the clear so a peer that
	# lost its IPsec SA can still reach us and restart IKE.
	# The narrow protoport values confine the plaintext hole to ICMPv6
	# Neighbor Solicitation (type 135) and Advertisement (type 136), code 0.
	connaddrfamily=ipv6
	type=passthrough
	authby=never
	# auto=route installs the policy without starting a negotiation
	auto=route
	priority=10
	# local side: any IPv6 address; proto 58 with type 135 / code 0 -> 0x8700
	left=::1
	leftsubnet=::0/0
	leftprotoport=58/34560
	# remote side: any IPv6 address; proto 58 with type 136 / code 0 -> 0x8800
	right=::0
	rightsubnet=::0/0
	rightprotoport=58/34816
conn v6neighbor-hole-out
	# Mirror of v6neighbor-hole-in with the two ICMPv6 types swapped:
	# SAs come in bundles, so the outbound direction needs its own
	# policy-only passthrough (no IKE, no SA, never encrypted).
	# Keeping the protoport this narrow avoids leaking any other
	# ipv6-icmp traffic in plaintext.
	connaddrfamily=ipv6
	type=passthrough
	authby=never
	# auto=route installs the policy without starting a negotiation
	auto=route
	priority=10
	# local side: any IPv6 address; proto 58 with type 136 / code 0 -> 0x8800
	left=::1
	leftsubnet=::0/0
	leftprotoport=58/34816
	# remote side: any IPv6 address; proto 58 with type 135 / code 0 -> 0x8700
	right=::0
	rightsubnet=::0/0
	rightprotoport=58/34560