• IPSec problem

    Locked
    0 Votes
    4 Posts
    5k Views
    Here is the log of racoon not working…
    Sep 13 09:00:29 racoon: [VPN1]: [205.xx.xx.115] ERROR: can't start the quick mode, there is no ISAKMP-SA, a5ae34896d5cf232:2e28fa92fa0948f8:000086d1
    Sep 13 09:00:16 racoon: ERROR: failed to start post getspi.
    Sep 13 09:00:16 racoon: ERROR: encryption 7 failed.
    Sep 13 09:00:16 racoon: ERROR: OpenSSL function failed
    Sep 13 09:00:16 racoon: [VPN2]: INFO: initiate new phase 2 negotiation: 24.xx.xx.7[500]<=>24.xx.xx.69[500]
    Sep 13 09:00:16 racoon: [VPN2]: INFO: ISAKMP-SA established 24.xx.xx.7[500]-24.xx.xx.69[500] spi:ab349cae70c29beb:47be8288014e0c1b
    Sep 13 09:00:16 racoon: ERROR: encryption 7 failed.
    Sep 13 09:00:16 racoon: ERROR: OpenSSL function failed
    Sep 13 09:00:16 racoon: [VPN2]: [24.xx.xx.69] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Sep 13 09:00:15 racoon: INFO: begin Aggressive mode.
    Sep 13 09:00:15 racoon: [VPN2]: INFO: initiate new phase 1 negotiation: 24.xx.xx.7[500]<=>24.xx.xx.69[500]
    Sep 13 09:00:15 racoon: [VPN2]: INFO: IPsec-SA request for 24.xx.xx.69 queued due to no phase1 found.
    Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.69.7.0/24[0] 10.77.2.0/24[0] proto=any dir=in
    Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.0/24[0] 10.69.7.0/24[0] proto=any dir=out
    Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.9.143.0/24[0] 10.77.2.0/24[0] proto=any dir=in
    Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.0/24[0] 10.9.143.0/24[0] proto=any dir=out
    Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/24[0] 10.77.2.0/24[0] proto=any dir=in
    Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.0/24[0] 10.0.0.0/24[0] proto=any dir=out
    Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 2001:470:xx:dcb::/64[0] 2001:470:xx:dcb::1/128[0] proto=any dir=in
    Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 2001:470:xx:dcb::1/128[0] 2001:470:xx:dcb::/64[0] proto=any dir=out
    Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.0/24[0] 10.77.2.1/32[0] proto=any dir=in
    Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.1/32[0] 10.77.2.0/24[0] proto=any dir=out
    Sep 13 09:00:12 racoon: INFO: unsupported PF_KEY message REGISTER
    Sep 13 09:00:12 racoon: [Self]: INFO: 24.xx.xx.7[500] used as isakmp port (fd=15)
    Sep 13 09:00:12 racoon: [Self]: INFO: 24.xx.xx.7[500] used for NAT-T
    Sep 13 09:00:12 racoon: [Self]: INFO: 24.xx.xx.7[4500] used as isakmp port (fd=14)
    Sep 13 09:00:12 racoon: [Self]: INFO: 24.xx.xx.7[4500] used for NAT-T
    Sep 13 09:00:12 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Sep 13 09:00:12 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
    Sep 13 09:00:12 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
    Sep 13 09:00:06 racoon: INFO: racoon process 25694 shutdown
    Sep 13 09:00:06 racoon: ERROR: encryption 7 failed.
    Sep 13 09:00:06 racoon: ERROR: OpenSSL function failed
    Sep 13 09:00:06 racoon: INFO: caught signal 15
    Sep 13 09:00:04 racoon: ERROR: failed to start post getspi.
    Sep 13 09:00:04 racoon: ERROR: encryption 7 failed.
    Sep 13 09:00:04 racoon: ERROR: OpenSSL function failed
    Sep 13 09:00:04 racoon: [VPN2]: INFO: initiate new phase 2 negotiation: 24.xx.xx.7[500]<=>24.xx.xx.69[500]
    Here is the result of ps
    # ps -A|grep racoon
    28441  ??  Ss    0:00.02 /usr/local/sbin/racoon -f /var/etc/racoon.conf
    29993  0  R+    0:00.00 grep racoon
    When I use the exact same command from an ssh shell it works.
  • IPv6 multicast being blocked on LAN?

    Locked
    0 Votes
    5 Posts
    11k Views
    @johnpoz: isn't all traffic that is blocked by the default rule logged? So it must be allowing multicast on ipv4? But not on ipv6 link-local addresses?
    Exactly. Your LAN rules aren't permitting your link-local sourced traffic, whereas with v4 they're sourced from a LAN IP, which is permitted. Granted, it's not forwarding that multicast traffic, but it's not blocking it either with v4.
  • Gitsync error help [Resolved]

    Locked
    0 Votes
    5 Posts
    3k Views
    Thank you, this worked. If anyone wants to upgrade to IPv6 and is having problems due to FreeBSD FTP servers not serving git correctly, go here: http://www.freebsd.org/doc/handbook/mirrors-ftp.html I used the primary mirror sites. Find a link to git. The pathname should be similar to the denied pathname that it was unable to find on the main FreeBSD server. Do sudo su, then run pkg_add -r <url to git.tbz>. Installed it for me, then it worked.
  • [2.0-RC3-IPv6] Captive Portal Port 8000 not reachable

    Locked
    0 Votes
    7 Posts
    9k Views
    Yeee, the method I mentioned before can work perfectly. :-) However, it seems Captive Portal cannot save most of its configuration. Why? I think I should open a new thread on this.
  • Captive Portal blocked all IPv6 traffic by default?

    Locked
    0 Votes
    1 Post
    3k Views
    No one has replied
  • DHCPv6 + Unbound = no IPv6 love

    Locked
    0 Votes
    4 Posts
    3k Views
    Hey wagonza, thanks for the reply! I won't have the time today to futz around with it, but will tomorrow… and IIRC, I used to have all that info plugged into the DHCP server config page but then pulled it out for some reason or another. I'll replace it all tomorrow and post back, but that makes total sense, thanks again man!
  • Binary changes on rtadvd router announcements daemon

    Locked
    0 Votes
    7 Posts
    4k Views
    Added validation to only pick up on IPv6 nameservers.
  • [SOLVED] Tunnel Online but Not Routing to outside IPv6 Sites

    Locked
    0 Votes
    17 Posts
    8k Views
    @kionez: Where am I wrong? Have I installed from a wrong source? I've just missed a step! Updated to "2.1-DEVELOPMENT (i386) built on Mon Sep 5 04:07:51 EDT 2011" via Auto Update, then gitsync, and now /sbin/route seems to be working fine. If I remove the default route for inet6, then "change" it, route gives a "No such process" error, but then the new default is set! Thanks, k.
  • DHCPv6 Server Not Working

    Locked
    0 Votes
    5 Posts
    4k Views
    OK, I've edited the original fbegin.inc with the necessary layout changes to make it work with the widescreen package. I've uploaded a copy here, and I found a thread discussing a similar issue in the packages forum where I've also uploaded it. Edit: Sorry, the version of fbegin.inc I had didn't have the DHCPv6 Relay link in the Services menu. I've re-uploaded the new version. fbegin.inc.txt
  • [SOLVED] tunnel is broken, and not sure how to fix it.

    Locked
    0 Votes
    15 Posts
    9k Views
    a-a-ron
    Thanks!!! ;D I'm back up and running.
  • IPv6 NanoBSD Image 08/19

    Locked
    0 Votes
    9 Posts
    4k Views
    Hmm. Tried again today to go from my working snap 08/05 to the latest… IPv6 connection wasn't working and also WLAN was broken... the SSID showed up but my iPhone didn't get an IP address assigned... Well, back to my good ole snap then ;-)
  • Can ping IPv6 on pfSense but not on the work station

    Locked
    0 Votes
    9 Posts
    7k Views
    That one should be fixed right about now; it was introduced when I added link-local gateway support (which is completely valid). The gogo client is not supported yet. It's on the to-do list for dynamic tunnels. Jim added a HE.net dyndns type that will fix up the tunnel IP for you if you change WAN address. The SixXS tunnel obviously can't do that. The gogo client is a nice way to completely autoconfigure the entire machine, but that doesn't fit well with the rest of the pfSense mechanics.
  • [SOLVED] openvpn + strongvpn interface issue

    Locked
    0 Votes
    4 Posts
    3k Views
    Thanks to CMB, I found my problem. I had an old DHCP config for this interface. I had to delete it manually from the XML config, then restore it. Now working flawlessly :)
  • Aliases Not Resolving to IPv6

    Locked
    0 Votes
    11 Posts
    8k Views
    Well, normally filterdns does that, but some other parts of the system might use host instead. Filterdns is definitely used for the aliases and firewall rules though. But resolving from the firewall is not the issue that others are seeing, with dig or otherwise.
  • Hurricane Electric Tunnel question

    Locked
    0 Votes
    11 Posts
    5k Views
    Okay, thanks. I gave it a try using managed, just so DNS would work right. So far, so good - I pass the test-ipv6 site :) Great work on this!
  • Amd64 IPv6 Firewall: Aliases.. no CIDR above 32

    Locked
    0 Votes
    2 Posts
    2k Views
    If you save the alias and then edit it, it should work. Known issue that needs a JavaScript person to look at.
  • Crash in WebGUI on 2.1-DEVELOPMENT (amd64)

    Locked
    0 Votes
    4 Posts
    2k Views
    It's already fixed in git, a sync should just pick it up.
  • IPv6 Routing

    Locked
    0 Votes
    6 Posts
    3k Views
    Haha jeeepii, it's working. You can't have a route for IPv4 and IPv6. So only one for IPv6. Tnx for the help.
  • DHCPv6 leases start time 4hrs behind

    Locked
    0 Votes
    5 Posts
    2k Views
    IPv4 is fine. Just tested.
  • pfSense 6to4?

    Locked
    0 Votes
    10 Posts
    7k Views
    I have no access to those either, so that's a bit hard. 6rd is a rather specific type of rollout which I don't think will be widely supported in the future. Free.fr does have a huge deployment but needs to renumber before they actually give clients native IPv6. I sent a message to the support list detailing that you can now configure DHCP6 on your WAN interface of choice, either dynamic, static or PPPoE. It should basically work. I tested on a lab setup with a Cisco 1811 PPPoE server with DHCP6 server, similar to what Comcast uses for their native deployments.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.