LAN->IPsec Routing Problem: IPsec IPv6 with several public IPv6 address ranges
Hi,
I have an IPv6 IPsec routing problem which I don't know how to solve.
The Setup:
I got myself a /48 IPv6 subnet in a datacenter, routed on a server with Linux dummfug 4.7.0-0.bpo.1-686-pae #1 SMP Debian 4.7.2-1~bpo8+1 (2016-09-07) i686 GNU/Linux and Strongswan 5.5.0.
I set up Strongswan to make an IPsec connection with my pfSense box, which is 2.3.2-RELEASE-p1 since yesterday.
The Phase 1 and Phase 2 connections work flawlessly. pfSense initiates the connection, and I have a left/right network of ::0/0 and 2a00:128:a0a:1000::/56 and vice versa.
On my interface "Experimental" aka bge0_vlan40 I set up an IPv6 address like 2a00:128:a0a:1000::222.
In the "EXPERIMENTAL" network, everything works fine:

ping6 -I bge0_vlan40 www.google.com
PING6(56=40+8+8 bytes) 2a00:128:a0a:1000::222 --> 2a00:1450:4001:819::2004
16 bytes from 2a00:1450:4001:819::2004, icmp_seq=0 hlim=57 time=41.909 ms
16 bytes from 2a00:1450:4001:819::2004, icmp_seq=1 hlim=57 time=41.843 ms
16 bytes from 2a00:1450:4001:819::2004, icmp_seq=2 hlim=57 time=41.406 ms
16 bytes from 2a00:1450:4001:819::2004, icmp_seq=3 hlim=57 time=41.681 ms
16 bytes from 2a00:1450:4001:819::2004, icmp_seq=4 hlim=57 time=41.604 ms
^C
--- www.google.com ping6 statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 41.406/41.689/41.909/0.179 ms
I have also connected several other hosts on the LAN side of the "Experimental" IPsec'ed network, and every host gets an IPv6 address and connects to my IPsec IPv6 network in my datacenter. External access (from any other IPv6 network in the world which is NOT another interface of my pfSense box :-)) to those nodes works flawlessly as well, so IPsec and the routing from external to "internal" IPsec addresses work very well.
BUT one (big) issue remains:
If I try to connect from my second IPv6 network (Hurricane Electric's), which is also terminating on the pfSense box, I absolutely fail to set up the correct routing.
Here is my pfSense network config, slightly anonymized:

WAN (wan)               -> pppoe0      -> v4/PPPoE: 217.222.22.22/32
                                          v6/6to4: 2003:49ee:330e::/16
LAN (lan)               -> bge0_vlan10 -> v4: 192.168.64.254/24
                                          v6: 2003:a70:ab0:babe::254/64
DMZ (opt1)              -> bge0_vlan20 -> v4: 192.168.65.254/24
                                          v6: 2003:a70:ab0:face::254/64
VDSLNEIGHBOR (opt2)     -> bge0_vlan30 -> v4: 192.168.49.250/24
                                          v6/DHCP6: 2003:c0:deec:cee0:ee:1eff:fe2e:6011/64
VDSLMODEM (opt3)        -> re0         -> v4: 192.168.100.254/24
HURRICANEELECTICS (opt4) -> gif0       -> v6: 2001:111:2222:333::2/128
EXPERIMENTAL (opt5)     -> bge0_vlan40 -> v4: 192.168.6.2/24
                                          v6: 2a00:128:a0a:1000::222/56
LTEBACKUP (opt6)        -> bge0_vlan60 -> v4: 192.168.16.19/24
So when I try to make any connection from 2003:a70:ab0:babe::254/64 or 2003:a70:ab0:face::254/64, it is not correctly routed to the "EXPERIMENTAL" IPv6 subnet.
When I ping6 the 2a00:128:a0a:1000::222 host from LAN or DMZ, this is what tcpdump shows on bge0_vlan40 on pfSense: NOTHING.

tcpdump -nnfi bge0_vlan40
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bge0_vlan40, link-type EN10MB (Ethernet), capture size 65535 bytes
09:15:21.957898 IP6 fe80::210:18ff:fe2e:6011 > ff02::1: ICMP6, router advertisement, length 200
09:15:27.631295 IP6 fe80::92f6:52ff:fec3:9cdc > ff02::1: HBH ICMP6, multicast listener querymax resp delay: 10000 addr: ::, length 24
09:15:31.012555 IP6 fe80::ea40:f2ff:fe05:ef24 > ff02::1:ff05:ef24: HBH ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::1:ff05:ef24, length 24
09:15:31.227803 IP6 fe80::210:18ff:fe2e:6011 > ff02::1:ff2e:6011: HBH ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::1:ff2e:6011, length 24
09:15:32.427828 IP6 fe80::210:18ff:fe2e:6011 > ff02::2:8329:8440: HBH ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::2:8329:8440, length 24
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel
But it arrives correctly only on bge0_vlan10 (LAN VLAN):

tcpdump -nnfi bge0_vlan10 host 2003:a70:ab0:babe::111
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bge0_vlan10, link-type EN10MB (Ethernet), capture size 65535 bytes
09:17:04.627761 IP6 2003:a70:ab0:babe::111 > 2a00:128:a0a:1000::222: ICMP6, echo request, seq 11, length 64
09:17:05.635819 IP6 2003:a70:ab0:babe::111 > 2a00:128:a0a:1000::222: ICMP6, echo request, seq 12, length 64
09:17:06.643770 IP6 2003:a70:ab0:babe::111 > 2a00:128:a0a:1000::222: ICMP6, echo request, seq 13, length 64
09:17:07.643745 IP6 2003:a70:ab0:babe::111 > 2a00:128:a0a:1000::222: ICMP6, echo request, seq 14, length 64
09:17:08.281501 IP6 2003:a70:ab0:babe::111.35200 > 2a00:1450:400c:c06::bc.5228: Flags [.], ack 3318031473, win 1093, options [nop,nop,TS val 13131136 ecr 164818157], length 0
09:17:08.323299 IP6 2a00:1450:400c:c06::bc.5228 > 2003:a70:ab0:babe::111.35200: Flags [.], ack 1, win 371, options [nop,nop,TS val 164863213 ecr 13097322], length 0
09:17:08.651750 IP6 2003:a70:ab0:babe::111 > 2a00:128:a0a:1000::222: ICMP6, echo request, seq 15, length 64
09:17:09.659645 IP6 2003:a70:ab0:babe::111 > 2a00:128:a0a:1000::222: ICMP6, echo request, seq 16, length 64
^C
8 packets captured
71 packets received by filter
0 packets dropped by kernel
There is also absolutely no firewall rule which prevents that. ICMPv6 is globally allowed as well; I double or triple checked the blocked entries in the log and disabled the firewall completely (also by an any <-> any rule). It is not blocked:
LAN ipv6-icmp 2003:a70:ab0:babe::111[6681] -> 2a00:128:a0a:1000::222[6681] NO_TRAFFIC:NO_TRAFFIC 44 / 0 4 KiB / 0 B
First I assumed that because I wanted to route all traffic of the subnet to the IPsec tunnel, the ::0/0 routing would be problematic.
But even if that is the reason, tcpdump should show incoming ICMP requests on the "Experimental" interface bge0_vlan40, but it does not. On Linux, Strongswan creates an iptable 220 where the IPsec routing is maintained. Does FreeBSD's Strongswan do something like this, too? Or maybe the IPsec routing is not really maintainable in the pfSense GUI and is done more or less automatically in the background? It would be really nice if someone could explain what pfSense/FreeBSD is doing there, and/or where my thinking error is.
Thanks a lot in advance!
Cheers,
4920441
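With policy-based IPsec (strongSwan on Linux as well as on pfSense/FreeBSD), the phase 2 selectors are installed as kernel security policies (SPD entries) that are checked per packet ahead of ordinary routing; a matching packet is encrypted and leaves as ESP on the WAN side (visible on FreeBSD's enc0), not on the interface that holds the selector's address. The script below is an added example, not code from the post or from pfSense/strongSwan, that models this lookup for the selectors and addresses quoted above; the bypass entries (strongSwan calls them passthrough policies), the sample flows and the helper names are assumptions.

```python
# Added example (not from the original post): how a policy-based IPsec
# security policy database (SPD) decides which flows enter the tunnel.
# strongSwan on Linux and on pfSense/FreeBSD installs the phase 2 selectors
# as kernel SPD entries; an outbound packet that matches one is encrypted
# instead of being forwarded by the normal routing table.
# Selectors and addresses are those quoted in the post; the flows and the
# "bypass" policies are constructed for illustration.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    local: ipaddress.IPv6Network   # phase 2 local selector (pfSense side)
    remote: ipaddress.IPv6Network  # phase 2 remote selector
    action: str                    # "ipsec" (tunnel) or "bypass" (clear)

def net(s):
    return ipaddress.IPv6Network(s)

# Phase 2 from the post, seen from pfSense: local /56 <-> remote ::/0
TUNNEL = Policy(net("2a00:128:a0a:1000::/56"), net("::/0"), "ipsec")
# Hypothetical bypass entries (strongSwan calls these passthrough policies)
# for the LAN and DMZ prefixes listed in the post, evaluated before TUNNEL.
BYPASS = [Policy(net("2a00:128:a0a:1000::/56"), net(p), "bypass")
          for p in ("2003:a70:ab0:babe::/64", "2003:a70:ab0:face::/64")]

def spd_lookup(src, dst, spd):
    """First policy whose selectors contain src and dst wins (a simplification
    of kernel priority rules); None means the packet is not IPsec traffic and
    follows ordinary routing."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for p in spd:
        if s in p.local and d in p.remote:
            return p.action
    return None

# Constructed flows using addresses from the post's tcpdump output.
LAN_TO_EXP = ("2003:a70:ab0:babe::111", "2a00:128:a0a:1000::222")
EXP_TO_LAN = ("2a00:128:a0a:1000::222", "2003:a70:ab0:babe::111")  # reply
EXP_TO_GOOGLE = ("2a00:128:a0a:1000::222", "2a00:1450:4001:819::2004")

def classify(flows, spd):
    return {f: spd_lookup(*f, spd) for f in flows}

if __name__ == "__main__":
    flows = (LAN_TO_EXP, EXP_TO_LAN, EXP_TO_GOOGLE)
    print("tunnel policy only:", classify(flows, [TUNNEL]))
    print("with LAN/DMZ bypass:", classify(flows, BYPASS + [TUNNEL]))
```

With only the ::/0 policy, the LAN-to-EXPERIMENTAL request is not IPsec traffic at all, while the reply from the /56 address to the LAN prefix does match and is handed to the tunnel; the bypass entries show how a more specific clear-text policy keeps that reply on the local path.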