IPv6_IPSEC + IPv4_with_IPv6phase2tunnels_IPSec status and does it work?

Category: 2.1 Snapshot Feedback and Problems - RETIRED (36 Posts, 4 Posters, 9.6k Views)
eri--

Can you send me the ipsec part of your config xml, including the interface config?
Through PM or email, whichever you prefer.
mrzaz

Check the PM I sent.

//Dan
eri--

I have no PM, are you sure you sent it to me?
mrzaz

(blush) I have talked to jimp throughout this thread and forgot to check the sender in the last post.
I sent it to him. Sorry for that. I will forward it to you as well. Speak to jimp as well to get some
more details on what we have been talking about. Have sent a few mails outside the thread as PM.

You will get the config in a minute…

The IPsec v6 was working fine until I installed the 7 March build. (The "from" state was a few days earlier.)

//Danne

UPDATE: A small typo in the comments for IPsec v6 phase 2. Forgot to change from phase 1 to phase 2 after copy/paste. (In the mail sent as a PM.)
mrzaz

I have checked and it could be even worse than I expected.

I have started to see a generic problem with IPv6 in general where I could see incoming IPv6 ICMP echo requests
(that I triggered) but no echo reply, even though I have full ICMPv6 enabled from ALL on the Tunnelbroker interface.

This IPv6 interface has been working for a long time.

And this has also started in the last few days' builds.

I will revert to an old build to see if the problems disappear, just to confirm the problem is in the builds.
I will keep you posted on the result.

//Dan

UPDATE: A small hint could be that there is something strange with routing.
I tried to ping (from the internet) a machine inside my LAN that is accepted and got the following: (replaced part of my IP with "xxx")

Wireshark from the inside machine:

No.  Time         Source                              Destination                         Protocol  Length  Info
1    0.000000000  2a02:348:82:cb69::1                 2001:470:28:xxx:f66d:4ff:fe06:3ba8  ICMPv6    94      Echo (ping) request id=0x350b, seq=0
2    0.000177000  2001:470:28:xxx:f66d:4ff:fe06:3ba8  2a02:348:82:cb69::1                 ICMPv6    94      Echo (ping) reply id=0x350b, seq=0
3    0.000286000  2001:470:28:xxx::1                  2001:470:28:xxx:f66d:4ff:fe06:3ba8  ICMPv6    142     Destination Unreachable (no route to destination)

2001:470:28:xxx::1 = the LAN interface IP address.

As you can see, there is something strange going on.

Connections initiated from the pfSense directly are working OK, but all secondary replies are not.

I have checked the routing table and it is now missing the "default 2001:470:27:xxx::1" entry.
I went into the routing and unchecked the "Default Gateway" entry for the IPv6 entry and pressed apply.
And then went in again and checked it again + apply. But still no "default" entry for the IPv6 table…
phil.davis

For the default gateway missing issue, you should do a gitsync or wait for a newer snapshot, see here: http://forum.pfsense.org/index.php/topic,58731.msg315026.html#msg315026
Hopefully the next snap is on its way - there are a few people updated to the Feb 9 snaps which have this default gateway issue, and it would be good to stop any more from doing it. Perhaps this is another moment to pull the latest snaps off the server.

As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
mrzaz

Regarding the default route issue, I have included the fix manually in system.inc so that is working OK now.
BUT, there is still a problem with IPv6 IPsec, which is still not working.

As reported earlier, I see this in the DEBUG racoon log.
Replaced some of the IPs with "xxx" and "yyy" to protect my and my friend's IPs. (xxx is local and yyy is the remote host.)

Feb 10 19:44:47 racoon: [*** KUNGSGATAN VPN IPv6]: [2001:470:27:yyy::2] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Feb 10 19:44:47 racoon: ERROR: failed to get sainfo.
Feb 10 19:44:47 racoon: ERROR: failed to get sainfo.
Feb 10 19:44:47 racoon: DEBUG: check and compare ids : id type mismatch IPv4_subnet != IPv6_subnet
Feb 10 19:44:47 racoon: DEBUG: evaluating sainfo: loc='192.168.120.0/24', rmt='2001:470:28:yyy::/64', peer='ANY', id=2
Feb 10 19:44:47 racoon: DEBUG: getsainfo params: loc='2001:470:28:xxx::/64' rmt='2001:470:28:yyy::/64' peer='2001:470:27:yyy::2' client='2001:470:27:yyy::2' id=2

The settings have not changed since it worked in an earlier build a few days ago.

I have sent this info to "ermal" as well yesterday.
It looks like it is confused and picking an IPv4 net instead of the IPv6 equivalent when using "LAN subnet" in the phase 2 entry.
I have checked and the phase 2 = "Tunnel IPv6".

To verify, I changed the setting from "LAN Subnet" to "Network" and entered the net manually,
and now the tunnel is up and working OK, so it is for sure a bug in handling the interfaces where it gets
the wrong type (IPv4 instead of IPv6).

/Dan
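The racoon lines quoted in the post above show the phase 2 selector being matched against an IPv4 "LAN subnet" (192.168.120.0/24) while the peer proposed the interface's IPv6 /64, which is exactly what "id type mismatch IPv4_subnet != IPv6_subnet" and "failed to get sainfo" report. As an added example, not code from pfSense or from anyone in this thread, the Python script below parses such DEBUG lines and flags address-family mismatches between the proposed and configured selectors, and beside that shows the family-aware subnet selection a "LAN subnet" lookup needs for a tunnel6 phase 2, next to the naive first-address pick the thread describes. The log sample is constructed from the thread's lines with the poster's xxx/yyy placeholders replaced by the made-up hex groups aaaa/bbbb so the prefixes parse; the interface addresses and all function names are assumptions.

```python
import ipaddress
import re

# Constructed sample: the racoon DEBUG lines from the thread, with the poster's
# "xxx"/"yyy" placeholders replaced by made-up hex groups so they parse.
SAMPLE_LOG = """\
Feb 10 19:44:47 racoon: ERROR: failed to get sainfo.
Feb 10 19:44:47 racoon: DEBUG: check and compare ids : id type mismatch IPv4_subnet != IPv6_subnet
Feb 10 19:44:47 racoon: DEBUG: evaluating sainfo: loc='192.168.120.0/24', rmt='2001:470:28:bbbb::/64', peer='ANY', id=2
Feb 10 19:44:47 racoon: DEBUG: getsainfo params: loc='2001:470:28:aaaa::/64' rmt='2001:470:28:bbbb::/64' peer='2001:470:27:bbbb::2' client='2001:470:27:bbbb::2' id=2
"""

# Matches both line shapes: "evaluating sainfo: loc='..', rmt='..'" (comma
# separated) and "getsainfo params: loc='..' rmt='..'" (space separated).
_SAINFO_RE = re.compile(
    r"(?P<kind>evaluating sainfo|getsainfo params): "
    r"loc='(?P<loc>[^']*)',? rmt='(?P<rmt>[^']*)'.*?\bid=(?P<id>\d+)"
)


def address_family(cidr: str) -> int:
    """Return 4 or 6 for a CIDR string such as '192.168.120.0/24'."""
    return ipaddress.ip_network(cidr, strict=False).version


def parse_sainfo_lines(log: str) -> list:
    """Extract the selector pairs racoon logs while matching a phase 2 proposal.

    'getsainfo params' carries what the peer proposed; each 'evaluating sainfo'
    line is a configured phase 2 entry racoon compared the proposal against.
    """
    entries = []
    for line in log.splitlines():
        m = _SAINFO_RE.search(line)
        if m:
            entries.append({
                "kind": "proposed" if m["kind"] == "getsainfo params" else "configured",
                "loc": m["loc"], "rmt": m["rmt"], "id": int(m["id"]),
            })
    return entries


def find_selector_mismatches(log: str) -> list:
    """Report configured entries whose selector address family differs from the proposal."""
    entries = parse_sainfo_lines(log)
    proposed = [e for e in entries if e["kind"] == "proposed"]
    configured = [e for e in entries if e["kind"] == "configured"]
    findings = []
    for p in proposed:
        for c in configured:
            if c["id"] != p["id"]:
                continue
            for side in ("loc", "rmt"):
                pf, cf = address_family(p[side]), address_family(c[side])
                if pf != cf:
                    findings.append(
                        f"phase2 id={p['id']}: {side} selector configured as IPv{cf} "
                        f"{c[side]} but peer proposed IPv{pf} {p[side]}"
                    )
    return findings


def first_address_subnet(interface_addrs: list, mode: str) -> str:
    """The behaviour the thread describes: take the interface's first subnet
    regardless of the phase 2 mode (hypothetical model of the bug)."""
    return str(ipaddress.ip_interface(interface_addrs[0]).network)


def resolve_local_subnet(interface_addrs: list, mode: str) -> str:
    """Pick the interface subnet whose family matches the phase 2 mode.

    mode is 'tunnel' (IPv4) or 'tunnel6' (IPv6); interface_addrs are the
    addresses assigned to the interface, e.g. ['192.168.120.1/24', '2001:db8::1/64'].
    """
    want = 6 if mode == "tunnel6" else 4
    for addr in interface_addrs:
        iface = ipaddress.ip_interface(addr)
        if iface.version == want:
            return str(iface.network)
    raise ValueError(f"interface has no IPv{want} address for mode {mode}")


if __name__ == "__main__":
    # Constructed LAN addresses for a dual-stack interface.
    lan = ["192.168.120.1/24", "2001:470:28:aaaa::1/64"]
    print("naive pick for tunnel6:       ", first_address_subnet(lan, "tunnel6"))
    print("family-aware pick for tunnel6:", resolve_local_subnet(lan, "tunnel6"))
    for finding in find_selector_mismatches(SAMPLE_LOG):
        print(finding)
```

Run it against a real racoon debug log by replacing SAMPLE_LOG with the file contents; any finding means the local or remote selector in a phase 2 entry is of the wrong address family for the proposal, which is the condition to check before suspecting the peer's configuration.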
eri--

I pushed fixes specifically for this.
Can you gitsync and retry?
mrzaz

Don't have access to gitsync, but I have now installed "2.1-BETA1 (i386) built on Sun Feb 10 22:04:57 EST 2013".

And still get the:
"Feb 11 11:34:27 pfsense racoon: DEBUG: getsainfo params: loc='192.168.120.0/24' rmt='2001:470:28:54c::/64' peer='NULL' client='NULL' id=2"
and the link does not come up.

I will wait and update to tomorrow's build to see if the fixes are in, before I can confirm whether it works or not.
(Now changed back to "Network" and entered the net manually, and then the link came up without problem.)

I am also seeing a weird problem that I previously reported regarding the "Connect VPN" button that had the wrong "source=…" when used with IPv6.
It was supposed to have been fixed and some check-ins have been done.

The strange part is that sometimes it shows "source=<ipv6address>" but sometimes it shows "source=<ipv4address>".
And nothing had changed between when it shows IPv6 or IPv4. (It's an all-IPv6 phase 1 and phase 2 IPsec using tunnel6.)

//Danne
eri--

Yeah, I should have fixed that as well.

You can copy /etc/inc/vpn.inc and /etc/inc/ipsec.inc to your box if you just need to test, and /usr/local/www/diag_ipsec.php for testing locally, from github.
mrzaz

I have now tested downloading vpn.inc, ipsec.inc and diag_ipsec.php from github and replaced them in my pfSense.
So far it seems to have fixed both problems. I will monitor this for a while to see that it stays stable and report back
to you if I find any remaining problems related to this. New faults will be opened in new threads for better visibility.

Thanks for fixing this. This is still beta code so these kinds of things happen. :-) (Check my one-liner in my profile. BEER ;-)

//Danne
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.