Netgate Discussion Forum
    Using IPSec tunnel for IPv6 default GW doesn't work for self-traffic to firewall

    1 Posts 1 Posters 631 Views
    mhcptg:

      I have some environments where I want to support IPv6 traffic, but the Internet inside the environment is IPv4 only.

      So I configured IPSec with IKEv2, where you can tunnel IPv4 and IPv6 across IPv4. Awesome! Or so it would seem…

      For the IPv4 traffic everything works OK, because you are only routing some specific source subnet, to a specific destination subnet.

      For the IPv6 traffic, I ran into really weird issues. To get working IPv6 in these environments, you need to configure a Phase 2 with your source subnet of IPv6s from your global allocation, to the destination subnet ::/0, to use the tunnel as a default (last-chance) route. Everything works fine this way, except that when you try to ping the firewall itself, or use the firewall as your DNS server (like PFSense's default), the traffic gets misrouted down the tunnel when it should be sent locally, for example:

      $ sudo tcpdump -n -i enc0
      listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 65535 bytes
      18:33:30.855097 (authentic,confidential): SPI 0xce4624b5: IP6 2001:470:3d:201::1 > 2001:470:3d:201:e4d:e9ff:fec3:6be7: ICMP6, neighbor advertisement, tgt is 2001:470:3d:201::1, length 32

      So, as you can see here, ICMPv6 traffic for a test ping is coming from the client to the firewall (which is trying to get back the other direction, with some NDP that should be followed by an eventual ping reply), but the firewall misroutes the reply traffic, which should have a local routing table entry (directly connected to my OPT1 interface), across the tunnel instead, and I cannot figure out how to make it stop doing that.

      I tried to follow the advice coming from these documents but neither seems to cover this case well enough to figure out what to do:

      https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN

      This only covers when the firewall itself can't get to stuff. But for me the clients can't.

      https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel

      This document covers how to do it in IPv4. But it doesn't discuss enough about IPv6, Policy Based Routing, Routing Priority between the Routing Table, and the IPSec selectors, etc. to determine why the route priority is wrong, and the tunnel gets used before the local routing table does, which is obviously broken.

      I tried to see about configuring a PBR rule, which set "source: this firewall", "destination: the OPT1 subnet", or something similar to override the weird priority of the IPSec selectors, etc. but the PFSense screens don't have any entry for "source: this firewall" so it didn't work. It's sad, because if the problem happened from client to firewall, it's easy to configure PBR for that, and it would probably fix the issue.

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.