Netgate Discussion Forum

    IPv6_IPSEC + IPv4_with_IPv6phase2tunnels_IPSec status and does it work ?

    2.1 Snapshot Feedback and Problems - RETIRED
    36 Posts 4 Posters 9.6k Views
    • M
      mrzaz
      last edited by

      I just checked an unmodified setting of the IPv6 tunnel and both phase1 proto = IPv6 and phase2 = TunnelIPv6 and Local = LAN Subnet, Remote = Network + IPv6 address /64
      but still got the problem shown above in previous mail.

      //Dan

      Jimp:

      UPDATE: Have now tested "built on Fri Feb 8 05:38:00 EST 2013" but the Connect button is still
      "http://192.168.120.20/diag_ipsec.php?act=connect&remoteid=2001:470:28:xxx::&source=192.168.120.20"

      And also I am now still not able to get the IPSec v6 again.   It is broken.  It broke in any of the latest builds.

      Still seeing these kinds of problems:
      Feb  8 21:06:27 pfsense racoon: DEBUG: getsainfo params: loc='2001:470:28:dd5::/64' rmt='2001:470:28:54c::/64' peer='2001:470:27:54c::2' client='2001:470:27:54c::2' id=2
      Feb  8 21:06:27 pfsense racoon: DEBUG: evaluating sainfo: loc='192.168.120.0/24', rmt='2001:470:28:54c::/64', peer='ANY', id=2
      Feb  8 21:06:27 pfsense racoon: DEBUG: check and compare ids : id type mismatch IPv4_subnet != IPv6_subnet
      Feb  8 21:06:27 pfsense racoon: ERROR: failed to get sainfo.
      Feb  8 21:06:27 pfsense racoon: ERROR: failed to get sainfo.
      Feb  8 21:06:27 pfsense racoon: [2001:470:27:54c::2] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
      Feb  8 21:06:27 pfsense racoon: DEBUG: IV freed

      I have tested to toggle the value in the setting to get it to work but same result.

      I have also tried to wipe the whole IPSec_v6 tunnel incl. phase1 and 2 and completely rebuilt from scratch but same result.

      //Dan

      1 Reply Last reply Reply Quote 0
      • E
        eri--
        last edited by

        Can you send me your ipsec part of config xml including interface config?
        Through PM or email whichever you prefer.

        1 Reply Last reply Reply Quote 0
        • M
          mrzaz
          last edited by

          Check the PM I sent.

          //Dan

          1 Reply Last reply Reply Quote 0
          • E
            eri--
            last edited by

            I have no PM, are you sure you sent it to me?

            1 Reply Last reply Reply Quote 0
            • M
              mrzaz
              last edited by

              blush  I have talked to jimp throughout this thread and forgot to check the sender in the last post.
              I sent it to him.   Sorry for that.   I will forward it to you as well.  Speak to jimp as well to get some
              more details on what we have been talking about.  Have sent a few mails outside the thread as PM.

              You will get the config in a minute…

              The IPSec v6 was working fine until I installed the 7 March build.  (the from state was a few days earlier)

              //Danne

              UPDATE: A small typo in the comments for IPSec v6 phase2.  Forgot to change from phase1 to phase 2 after copy/paste. (in mail sent a PM)

              1 Reply Last reply Reply Quote 0
              • M
                mrzaz
                last edited by

                I have checked and it could  be even worse than I expected.

                I have started to see generic problem with IPv6 in general where I could see incoming IPv6 ICMP echo requests
                (that I triggered) but no echo reply even if I have full ICMPv6 enabled from ALL on the Tunnelbroker interface.

                This IPv6 interface has been working for a long time.

                And this has also started in the last few days builds.

                I will revert to an old build to see if the problems disappear just to confirm the problem is in the builds.
                I will keep you posted on the result.

                //Dan

                UPDATE:  A small hint could be that there is something strange with routing.
                I tried to do a ping (from the internet) to a machine inside my LAN that is accepted, and get the following:   (replaced part of my IP with "xxx")

                Wireshark from the inside machine.
                Time           Source                Destination           Dest Port Dest port Protocol Length Info                                                            New Column
                0.000000000    2a02:348:82:cb69::1   2001:470:28:xxx:f66d:4ff:fe06:3ba8                     ICMPv6   94     Echo (ping) request id=0x350b, seq=0                            1
                0.000177000    2001:470:28:xxx:f66d:4ff:fe06:3ba8 2a02:348:82:cb69::1                       ICMPv6   94     Echo (ping) reply id=0x350b, seq=0                              2
                0.000286000    2001:470:28:xxx::1    2001:470:28:xxx:f66d:4ff:fe06:3ba8                     ICMPv6   142    Destination Unreachable (no route to destination)               3

                2001:470:28:xxx::1 = the LAN interface IP-address.

                As you could see there is something strange going on.

                Connections initiated from the pfSense directly are working OK but all secondary replies are not.

                I have checked the Routing table and it is now missing the "default 2001:470:27:xxx::1" entry.
                I went into the routing and unchecked the "Default Gateway" entry for the IPv6 entry and pressed apply.
                And then in again and checked it again + apply.  But still no "default" entry for the IPv6 table…

                1 Reply Last reply Reply Quote 0
                • P
                  phil.davis
                  last edited by

                  For the default gateway missing issue, You should do a gitsync or wait for a newer snapshot, see here: http://forum.pfsense.org/index.php/topic,58731.msg315026.html#msg315026
                  Hopefully, the next snap is on its way - there are a few people updated to the Feb 9 snaps which have this default gateway issue, and it would be good to stop any more from doing it. Perhaps this is another moment to pull the latest snaps off the server.

                  As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                  If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                  1 Reply Last reply Reply Quote 0
                  • M
                    mrzaz
                    last edited by

                    Regarding the default route issue, I have included the fix manually in the system.inc so that is working OK now.
                    BUT, there is still problem with IPv6 IPSec that is still not working.

                    As reported earlier I see this in the DEBUG racoon log.
                    Replaced some of the IP with "xxx" and "yyy" to protect my and my friends IP.  (xxx is local and yyy is remote host)

                    Feb 10 19:44:47 racoon: [*** KUNGSGATAN VPN IPv6]: [2001:470:27:yyy::2] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Feb 10 19:44:47 racoon: ERROR: failed to get sainfo.
                    Feb 10 19:44:47 racoon: ERROR: failed to get sainfo.
                    Feb 10 19:44:47 racoon: DEBUG: check and compare ids : id type mismatch IPv4_subnet != IPv6_subnet
                    Feb 10 19:44:47 racoon: DEBUG: evaluating sainfo: loc='192.168.120.0/24', rmt='2001:470:28:yyy::/64', peer='ANY', id=2
                    Feb 10 19:44:47 racoon: DEBUG: getsainfo params: loc='2001:470:28:xxx::/64' rmt='2001:470:28:yyy::/64' peer='2001:470:27:yyy::2' client='2001:470:27:yyy::2' id=2

                    The settings have not changed since it worked in an earlier build a few days ago.

                    I have sent this info to "ermal" as well yesterday.
                    It looks like it is confusing and picking an IPv4 net instead of the IPv6 equivalent when using "LAN subnet" in the phase2 entry.
                    I have checked and the phase2 = "Tunnel IPv6".

                    To verify, I changed the setting from "LAN Subnet" into "Network" and entered the net manually
                    and now the tunnel is up working OK so it is for sure a bug in handling the interfaces where it gets
                    the wrong type. (ipv4 instead of ipv6)

                    /Dan

                    1 Reply Last reply Reply Quote 0
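A small log check for the failure mode Dan describes above, added here as an example and not code from pfSense or racoon: it parses racoon DEBUG lines of the shape quoted in this thread and flags any phase 2 selector pair whose local and remote address families differ (an IPv4 LAN subnet offered for a tunnel6 phase 2). The sample log below is constructed from lines quoted in the thread.

```python
import ipaddress
import re

# Added example, not pfSense or racoon code. Regex for the two racoon line shapes
# quoted in the thread; "peer" may be an address, ANY or NULL, "client" is optional.
SAINFO_RE = re.compile(
    r"(?P<kind>getsainfo params|evaluating sainfo): "
    r"loc='(?P<loc>[^']*)',? rmt='(?P<rmt>[^']*)',? "
    r"peer='[^']*',? (?:client='[^']*' )?id=(?P<id>\d+)")

# Constructed sample, assembled from racoon lines quoted earlier in this thread.
SAMPLE_LOG = """\
Feb  8 21:06:27 pfsense racoon: DEBUG: getsainfo params: loc='2001:470:28:dd5::/64' rmt='2001:470:28:54c::/64' peer='2001:470:27:54c::2' client='2001:470:27:54c::2' id=2
Feb  8 21:06:27 pfsense racoon: DEBUG: evaluating sainfo: loc='192.168.120.0/24', rmt='2001:470:28:54c::/64', peer='ANY', id=2
Feb  8 21:06:27 pfsense racoon: DEBUG: check and compare ids : id type mismatch IPv4_subnet != IPv6_subnet
Feb  8 21:06:27 pfsense racoon: ERROR: failed to get sainfo.
Feb 11 11:34:27 pfsense racoon: DEBUG: getsainfo params: loc='192.168.120.0/24' rmt='2001:470:28:54c::/64' peer='NULL' client='NULL' id=2
"""

def family(selector):
    """Return 4 or 6 for a CIDR selector, None for placeholders such as ANY/NULL."""
    try:
        return ipaddress.ip_network(selector, strict=False).version
    except ValueError:
        return None

def check_sainfo(log_text):
    """Return one finding per sainfo line whose local and remote selectors are in
    different address families; racoon rejects such a pair with
    'id type mismatch IPv4_subnet != IPv6_subnet' and then 'failed to get sainfo'."""
    findings = []
    for line in log_text.splitlines():
        m = SAINFO_RE.search(line)
        if not m:
            continue
        loc_fam, rmt_fam = family(m["loc"]), family(m["rmt"])
        if loc_fam and rmt_fam and loc_fam != rmt_fam:
            findings.append({
                "stage": m["kind"],
                "id": int(m["id"]),
                "local": m["loc"],
                "remote": m["rmt"],
                "problem": f"local selector is IPv{loc_fam} but remote is IPv{rmt_fam}",
            })
    return findings

if __name__ == "__main__":
    for f in check_sainfo(SAMPLE_LOG):
        print(f"{f['stage']} id={f['id']}: {f['local']} <-> {f['remote']}: {f['problem']}")
```

On the sample it reports the "evaluating sainfo" candidate (the configured phase 2 resolved "LAN subnet" to 192.168.120.0/24) and the later getsainfo line where the IPv4 subnet was proposed outright.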
                    • E
                      eri--
                      last edited by

                      I pushed fixes specifically for this.
                      Can you gitsync and retry?

                      1 Reply Last reply Reply Quote 0
                      • M
                        mrzaz
                        last edited by

                        Don't have access to gitsync but I have now installed the "2.1-BETA1 (i386) built on Sun Feb 10 22:04:57 EST 2013".

                        And still get the:
                        "Feb 11 11:34:27 pfsense racoon: DEBUG: getsainfo params: loc='192.168.120.0/24' rmt='2001:470:28:54c::/64' peer='NULL' client='NULL' id=2"
                        and link does not come up.

                        I will wait and update to tomorrow's build to see if the fixes are in before I can confirm if it works or not.
                        (Now changed back to "Network" and entered the net manually and then the link came up without problem)

                        I am also seeing a weird problem that I previously reported regarding the "Connect VPN" button that had wrong "source=…" when used with IPv6.
                        It was supposed to have been fixed and some check-ins have been done.

                        The strange part is that sometimes it shows an "source=<ipv6address>" but sometimes it shows an "source=<ipv4address>".
                        And nothing had changed between when it shows IPv6 or IPv4.   (it's an all IPv6 phase1 and 2 IPSec using tunnel6)

                        //Danne

                        1 Reply Last reply Reply Quote 0
                        • E
                          eri--
                          last edited by

                          Yeah i should have fixed that as well.

                          You can copy /etc/inc/vpn.inc and /etc/inc/ipsec.inc to your box if you just need to test and /usr/local/www/diag_ipsec.php for testing locally from github.

                          1 Reply Last reply Reply Quote 0
                          • M
                            mrzaz
                            last edited by

                            I have now tested to download the vpn.inc, ipsec.inc and diag_ipsec.php from github and replaced them in my pfSense.
                            So far it seems to have fixed both problems.  I will monitor this for a while to see that it keeps stable and report back
                            to you if I found any remaining problems related to this.  New faults will be opened in new threads for better visibility.

                            Thanks for fixing this.  This is still beta code so these kinds of things happen. :-)  (check my one-liner in my profile.  BEER  ;-)

                            //Danne

                            1 Reply Last reply Reply Quote 0
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.