LAN->IPsec Routing Problem: IPsec IPv6 with several public IPv6 address ranges



  • Hi,

    I have an IPv6 IPsec routing problem which I don't know how to solve.

    The Setup:

    I got myself a /48 IPv6 subnet in a datacenter, routed on a server with Linux dummfug 4.7.0-0.bpo.1-686-pae #1 SMP Debian 4.7.2-1~bpo8+1 (2016-09-07) i686 GNU/Linux and strongSwan 5.5.0.

    I set up strongSwan to make an IPsec connection with my pfSense box, which has been 2.3.2-RELEASE-p1 since yesterday.

    The Phase 1 and Phase 2 connections work flawlessly. pfSense initiates the connection, and I get a left/right network of ::0/0 and 2a00:128:a0a:1000::/56, and vice versa.

    On my interface "Experimental", aka bge0_vlan40, I set up an IPv6 address like 2a00:128:a0a:1000::222.

    In the "EXPERIMENTAL" network, everything works fine:

    
     ping6 -I bge0_vlan40 www.google.com
    PING6(56=40+8+8 bytes) 2a00:128:a0a:1000::222 --> 2a00:1450:4001:819::2004
    16 bytes from 2a00:1450:4001:819::2004, icmp_seq=0 hlim=57 time=41.909 ms
    16 bytes from 2a00:1450:4001:819::2004, icmp_seq=1 hlim=57 time=41.843 ms
    16 bytes from 2a00:1450:4001:819::2004, icmp_seq=2 hlim=57 time=41.406 ms
    16 bytes from 2a00:1450:4001:819::2004, icmp_seq=3 hlim=57 time=41.681 ms
    16 bytes from 2a00:1450:4001:819::2004, icmp_seq=4 hlim=57 time=41.604 ms
    ^C
    --- www.google.com ping6 statistics ---
    5 packets transmitted, 5 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 41.406/41.689/41.909/0.179 ms
    
    

    I have also connected several other hosts on the LAN side of the "Experimental" IPsec'ed network, and every host gets an IPv6 address and connects to my IPsec IPv6 network in my datacenter. External access (from any other IPv6 network in the world which is NOT another interface of my pfSense box :-)) to those nodes works flawlessly as well, so IPsec and the routing from external to "internal" IPsec addresses work very well.

    BUT one (big) issue remains:

    If I try to connect from my second IPv6 network (Hurricane Electric's), which also terminates on the pfSense box, I absolutely fail to set up the correct routing.

    Here is my pfSense network config, slightly anonymized:

    WAN (wan)                -> pppoe0      -> v4/PPPoE: 217.222.22.22/32
                                               v6/6to4: 2003:49ee:330e::/16
    LAN (lan)                -> bge0_vlan10 -> v4: 192.168.64.254/24
                                               v6: 2003:a70:ab0:babe::254/64
    DMZ (opt1)               -> bge0_vlan20 -> v4: 192.168.65.254/24
                                               v6: 2003:a70:ab0:face::254/64
    VDSLNEIGHBOR (opt2)      -> bge0_vlan30 -> v4: 192.168.49.250/24
                                               v6/DHCP6: 2003:c0:deec:cee0:ee:1eff:fe2e:6011/64
    VDSLMODEM (opt3)         -> re0         -> v4: 192.168.100.254/24
    HURRICANEELECTICS (opt4) -> gif0        -> v6: 2001:111:2222:333::2/128
    EXPERIMENTAL (opt5)      -> bge0_vlan40 -> v4: 192.168.6.2/24
                                               v6: 2a00:128:a0a:1000::222/56
    LTEBACKUP (opt6)         -> bge0_vlan60 -> v4: 192.168.16.19/24
    
    

    So when I try to make any connection from 2003:a70:ab0:babe::254/64 or 2003:a70:ab0:face::254/64, it is not correctly routed to the "EXPERIMENTAL" IPv6 subnet.

    When I ping6 the 2a00:128:a0a:1000::222 host from LAN or DMZ, this is what tcpdump shows on bge0_vlan40 on pfSense: NOTHING.

    tcpdump -nnfi bge0_vlan40
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on bge0_vlan40, link-type EN10MB (Ethernet), capture size 65535 bytes
    09:15:21.957898 IP6 fe80::210:18ff:fe2e:6011 > ff02::1: ICMP6, router advertisement, length 200
    09:15:27.631295 IP6 fe80::92f6:52ff:fec3:9cdc > ff02::1: HBH ICMP6, multicast listener querymax resp delay: 10000 addr: ::, length 24
    09:15:31.012555 IP6 fe80::ea40:f2ff:fe05:ef24 > ff02::1:ff05:ef24: HBH ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::1:ff05:ef24, length 24
    09:15:31.227803 IP6 fe80::210:18ff:fe2e:6011 > ff02::1:ff2e:6011: HBH ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::1:ff2e:6011, length 24
    09:15:32.427828 IP6 fe80::210:18ff:fe2e:6011 > ff02::2:8329:8440: HBH ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::2:8329:8440, length 24
    ^C
    5 packets captured
    5 packets received by filter
    0 packets dropped by kernel
    
    

    But it arrives correctly only on bge0_vlan10 (LAN VLAN):

    
    tcpdump -nnfi bge0_vlan10 host 2003:a70:ab0:babe::111
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on bge0_vlan10, link-type EN10MB (Ethernet), capture size 65535 bytes
    09:17:04.627761 IP6 2003:a70:ab0:babe::111 > 2a00:128:a0a:1000::222: ICMP6, echo request, seq 11, length 64
    09:17:05.635819 IP6 2003:a70:ab0:babe::111 > 2a00:128:a0a:1000::222: ICMP6, echo request, seq 12, length 64
    09:17:06.643770 IP6 2003:a70:ab0:babe::111 > 2a00:128:a0a:1000::222: ICMP6, echo request, seq 13, length 64
    09:17:07.643745 IP6 2003:a70:ab0:babe::111 > 2a00:128:a0a:1000::222: ICMP6, echo request, seq 14, length 64
    09:17:08.281501 IP6 2003:a70:ab0:babe::111.35200 > 2a00:1450:400c:c06::bc.5228: Flags [.], ack 3318031473, win 1093, options [nop,nop,TS val 13131136 ecr 164818157], length 0
    09:17:08.323299 IP6 2a00:1450:400c:c06::bc.5228 > 2003:a70:ab0:babe::111.35200: Flags [.], ack 1, win 371, options [nop,nop,TS val 164863213 ecr 13097322], length 0
    09:17:08.651750 IP6 2003:a70:ab0:babe::111 > 2a00:128:a0a:1000::222: ICMP6, echo request, seq 15, length 64
    09:17:09.659645 IP6 2003:a70:ab0:babe::111 > 2a00:128:a0a:1000::222: ICMP6, echo request, seq 16, length 64
    ^C
    8 packets captured
    71 packets received by filter
    0 packets dropped by kernel
    

    There is also absolutely no firewall rule which prevents that; ICMPv6 is globally allowed as well. I double- or triple-checked the blocked entries in the log and disabled the firewall completely (also with an any <-> any rule).

    It is not blocked:

    LAN	ipv6-icmp	2003:a70:ab0:babe::111[6681] -> 2a00:128:a0a:1000::222[6681]	NO_TRAFFIC:NO_TRAFFIC	44 / 0	4 KiB / 0 B
    

    First I assumed that, because I wanted to route all traffic of the subnet to the IPsec tunnel, the ::0/0 routing would be problematic.
    But even if that is the reason, tcpdump should show incoming ICMP requests on the "Experimental" interface bge0_vlan40, but it does not.

    On Linux, strongSwan creates an iptable 220 where the IPsec routing is maintained. Does FreeBSD's strongSwan do something like this, too? Or maybe is the IPsec routing not
    really maintainable in the pfSense GUI and done more or less automatically in the background?

    It would be really nice if someone could explain what pfSense/FreeBSD is doing there, and/or where my thinking error is.

    Thanks a lot in advance!

    Cheers,

    4920441


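The first check a practitioner would make on a setup like the one in the post is whether a given flow falls inside a phase-2 traffic selector at all. The following is an added example, not code from the poster, pfSense or strongSwan. It encodes the selectors the post gives (local 2a00:128:a0a:1000::/56, remote ::/0) and the interface prefixes from the config listing, then asks for each constructed flow which SPD direction it matches. The rule that a cleartext packet matching an inbound selector is rejected is an assumption about a "require"-type policy (the FreeBSD check in that role is ipsec6_in_reject()); the flows and the result labels are constructed for the example.

```python
"""Which IPsec phase-2 selector does a given IPv6 flow fall into?

Constructed example for the pfSense/strongSwan setup described in the
forum post: one phase 2 with local selector 2a00:128:a0a:1000::/56 and
remote selector ::/0.  The flows are made up from addresses the post
shows.  The "cleartext packet matching an inbound selector is rejected"
model is an assumption about how a 'require'-type policy behaves, not
something the post states.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network, ip_address
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Phase2:
    """One phase-2 (CHILD_SA) traffic selector pair, seen from this gateway."""
    name: str
    local: IPv6Network   # "left"/local subnet on this gateway
    remote: IPv6Network  # "right"/remote subnet behind the peer

    def outbound(self, src: IPv6Address, dst: IPv6Address) -> bool:
        # SPD entry for traffic leaving this gateway into the SA
        return src in self.local and dst in self.remote

    def inbound(self, src: IPv6Address, dst: IPv6Address) -> bool:
        # SPD entry for traffic expected to arrive through the SA
        return src in self.remote and dst in self.local


# The selectors the post describes (pfSense side).
PFSENSE_P2: List[Phase2] = [
    Phase2("EXPERIMENTAL<->DC",
           IPv6Network("2a00:128:a0a:1000::/56"), IPv6Network("::/0")),
]

# Directly connected IPv6 prefixes taken from the post's interface list.
PFSENSE_IFACES: Dict[str, IPv6Network] = {
    "LAN": IPv6Network("2003:a70:ab0:babe::/64"),
    "DMZ": IPv6Network("2003:a70:ab0:face::/64"),
    "EXPERIMENTAL": IPv6Network("2a00:128:a0a:1000::/56"),
}


def classify(src: str, dst: str, policies: Iterable[Phase2] = PFSENSE_P2,
             arrived_via_esp: bool = False) -> str:
    """Say what the SPD does with a packet seen at the gateway.

    'tunnel'   outbound selector matches: packet is handed to the SA
    'reject'   inbound selector matches but the packet arrived in cleartext
               (assumed 'require' policy: dropped, never routed or delivered)
    'decap-ok' inbound selector matches and the packet came out of the SA
    'clear'    no selector matches: ordinary routing applies
    """
    s, d = ip_address(src), ip_address(dst)
    if not (isinstance(s, IPv6Address) and isinstance(d, IPv6Address)):
        raise ValueError("IPv6 addresses expected")
    for p in policies:
        if p.outbound(s, d):
            return "tunnel"
        if p.inbound(s, d):
            return "decap-ok" if arrived_via_esp else "reject"
    return "clear"


def prefixes_inside_remote_selector(policy: Phase2,
                                    ifaces: Dict[str, IPv6Network]) -> List[str]:
    """Names of local interface prefixes swallowed by the remote selector.

    Any local prefix that is a subnet of policy.remote (other than the
    policy's own local side) has its traffic toward policy.local treated
    as tunnel traffic rather than as inter-VLAN routing.
    """
    return sorted(name for name, net in ifaces.items()
                  if net != policy.local and net.subnet_of(policy.remote))


if __name__ == "__main__":
    flows = [
        ("2003:a70:ab0:babe::111", "2a00:128:a0a:1000::222", False),   # LAN ping to EXPERIMENTAL
        ("2a00:128:a0a:1000::222", "2003:a70:ab0:babe::111", False),   # the echo reply
        ("2a00:128:a0a:1000::222", "2a00:1450:4001:819::2004", False), # ping6 to google
        ("2a00:1450:4001:819::2004", "2a00:128:a0a:1000::222", True),  # reply out of the SA
        ("2003:a70:ab0:babe::111", "2003:a70:ab0:face::254", False),   # LAN -> DMZ
    ]
    for src, dst, via in flows:
        print(f"{src:>26} -> {dst:<26} {classify(src, dst, arrived_via_esp=via)}")
    print("local prefixes inside remote selector:",
          prefixes_inside_remote_selector(PFSENSE_P2[0], PFSENSE_IFACES))
```

With a remote selector of ::/0, the LAN and DMZ prefixes are inside the selector, so a LAN-to-EXPERIMENTAL packet matches the inbound policy despite arriving in cleartext on bge0_vlan10, and the reply in the other direction matches the outbound policy and would be handed to the SA rather than routed back to bge0_vlan10. Narrowing the remote selector to exclude the locally attached prefixes is the change this check points at; which pfSense setting does that is outside what the example asserts.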