IPv6 IPSec webGUI error
-
Hi! When I try to set up an IPSec VPN with an IPv6 remote gateway, I get this error when I apply the changes:
Notifications in this message: 1
================================
17:49:45 PHP ERROR: Type: 1, File: /usr/local/share/pear/Net/IPv6.php, Line: 684, Message: Uncaught ValueError: str_repeat(): Argument #2 ($times) must be greater than or equal to 0 in /usr/local/share/pear/Net/IPv6.php:684
Stack trace:
#0 /usr/local/share/pear/Net/IPv6.php(684): str_repeat(':0:', -1)
#1 /usr/local/share/pear/Net/IPv6.php(1157): Net_IPv6::uncompress('2a02:2f04:1:f75...')
#2 /usr/local/share/pear/Net/IPv6.php(450): Net_IPv6::_ip2Bin('2a02:2f04:1:f75...')
#3 /etc/inc/util.inc(1020): Net_IPv6::isInNetmask('2a02:2f04:1:6d5...', '2a02:2f04:1:f75...')
#4 /etc/inc/filter.inc(4579): ip_in_subnet('2a02:2f04:1:6d5...', '2a02:2f04:1:f75...')
#5 /etc/inc/filter.inc(4193): filter_generate_ipsec_rules(Array)
#6 /etc/inc/filter.inc(361): filter_rules_generate()
#7 /etc/rc.filter_configure_sync(32): filter_configure_sync()
#8 {main}
thrown
I'm running on a virtualized pfSense Plus 23.01-RELEASE install.
The error appears to be related to the parsing of the given IPv6 remote gateway. Please advise.
-
The last time that came up it was because some value being passed through those functions was actually an IPv6 address and not an IPv6 subnet definition.
It's not clear exactly which one it might be in your case since that function would read through not only all IPsec P2 entries but also mobile IPsec, but you might check the addresses you have in each of those places. If you have something defined as a subnet but you've actually defined an IP address inside the subnet instead of the subnet itself, it might hit something like that.
For example, if you are supposed to define a /64 size IPv6 subnet/prefix but you pass it x:x:x:x::1/64, that is an address, not a prefix; it should be x:x:x:x::/64. But again it depends on context.
If you could post your IPsec section of config.xml that would help. You can remove the secret parts (PSKs, cert metadata like subjects/identifiers, etc), but please mask the addresses for privacy rather than removing them, keeping something in those places so we know the general values. Like you could replace fc80:1234:5678:9abc::1 with xxxx:xxxx:xxxx:xxxx::1
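The check described in the reply above, as an added example that is not part of the original thread and is not pfSense code: it flags IPv6 values that are an address inside a prefix (or a bare address) where a subnet definition is expected, and masks the first four hextets so the values can be posted. The function names and sample values are constructed for illustration, and masking only the upper 64 bits is an assumption taken from the reply's example.

```python
import ipaddress

def classify(value):
    """Classify an IPv6 'addr/len' string where a subnet is expected.

    Returns (kind, prefix): kind is 'prefix', 'host-in-prefix',
    'no-length' or 'invalid'; prefix is the enclosing network or None.
    """
    try:
        iface = ipaddress.IPv6Interface(value.strip())
    except ValueError:  # malformed address or prefix length
        return ("invalid", None)
    if "/" not in value:
        return ("no-length", None)  # bare address, not a subnet definition
    if iface.ip == iface.network.network_address:
        return ("prefix", str(iface.network))
    return ("host-in-prefix", str(iface.network))  # host bits are set

def mask(value):
    """Replace the first four hextets with 'xxxx', keep the rest readable.

    Assumption: hiding the upper 64 bits is enough for posting, as in the
    reply's fc80:1234:5678:9abc::1 example. Raises ValueError on bad input.
    """
    iface = ipaddress.IPv6Interface(value.strip())
    tail = [format(int(g, 16), "x") for g in iface.ip.exploded.split(":")[4:]]
    zeros = 0
    while zeros < len(tail) and tail[zeros] == "0":
        zeros += 1
    if zeros >= 2:  # compress a leading run of zero groups with '::'
        text = "xxxx:xxxx:xxxx:xxxx::" + ":".join(tail[zeros:])
    else:
        text = ":".join(["xxxx"] * 4 + tail)
    suffix = "/%d" % iface.network.prefixlen if "/" in value else ""
    return text + suffix

def review(values):
    """Return (masked value, kind, masked suggested prefix) per input."""
    rows = []
    for v in values:
        kind, prefix = classify(v)
        masked = mask(v) if kind != "invalid" else "<unparseable>"
        rows.append((masked, kind, mask(prefix) if prefix else None))
    return rows

# Constructed sample values (2001:db8::/32 is the documentation range).
SAMPLE = ["2001:db8:1:f75::1/64", "2001:db8:1:f75::/64",
          "2001:db8:1:6d5::10", "2001:db8:::1/64"]

if __name__ == "__main__":
    for row in review(SAMPLE):
        print(row)
```

Feed it the local and remote network values copied from each IPsec P2 and mobile IPsec entry; anything reported as `host-in-prefix` or `no-length` is a candidate for the kind of value the reply describes.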