IPv6, IKEv2, win10: host behind another firewall cannot connect to the VPN



  • Hello,

    I have configured IPsec IKEv2 road warrior VPN over IPv6 on a pfSense 2.4.2-RELEASE-p1 box. I have tested it on a host which was directly in an Internet segment. Everything was OK.

    On a host behind an(other) firewall, the connection process started successfully, but then no IKE_AUTH request seemed to be received by the host. Starting from this point, pfSense got "retransmit of request with ID 1" answers, and after some time reported a timeout error.

    I played with different values of MSS: 1000, 1340. It did not help. The first host could establish the IPsec connection, the second could not.

    On another pfSense box (2.3.5-RELEASE-p1) I have IPsec (IKEv2) over IPv4. Both hosts can establish a connection to that VPN.

    Could you please suggest what could be done to fix the problem?

    Best regards
    yarick123

    P.S. Here are pfSense logs for the second host:

    
    Mar 22 16:08:03 charon          13[NET] <10> received packet: from 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[500] to 2003:c8:4011:8000::2[500] (616 bytes)
    Mar 22 16:08:03 charon          13[ENC] <10> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    Mar 22 16:08:03 charon          13[IKE] <10> received MS NT5 ISAKMPOAKLEY v9 vendor ID
    Mar 22 16:08:03 charon          13[IKE] <10> received MS-Negotiation Discovery Capable vendor ID
    Mar 22 16:08:03 charon          13[IKE] <10> received Vid-Initial-Contact vendor ID
    Mar 22 16:08:03 charon          13[ENC] <10> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
    Mar 22 16:08:03 charon          13[IKE] <10> 2a02:810c:c1bf:f788:71:4cb0:eb92:af04 is initiating an IKE_SA
    Mar 22 16:08:03 charon          13[IKE] <10> sending cert request for "yyyyy"
    Mar 22 16:08:03 charon          13[ENC] <10> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    Mar 22 16:08:03 charon          13[NET] <10> sending packet: from 2003:c8:4011:8000::2[500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[500] (337 bytes)
    Mar 22 16:08:03 charon          13[NET] <10> received packet: from 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] to 2003:c8:4011:8000::2[4500] (1440 bytes)
    Mar 22 16:08:03 charon          13[ENC] <10> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    Mar 22 16:08:03 charon          13[IKE] <10> received cert request for "yyyyy"
    Mar 22 16:08:03 charon          13[IKE] <10> received 53 cert requests for an unknown ca
    Mar 22 16:08:03 charon          13[CFG] <10> looking for peer configs matching 2003:c8:4011:8000::2[%any]...2a02:810c:c1bf:f788:71:4cb0:eb92:af04[2a02:810c:c1bf:f788:71:4cb0:eb92:af04]
    Mar 22 16:08:03 charon          13[CFG] <con1|10>selected peer config 'con1'
    Mar 22 16:08:03 charon          13[IKE] <con1|10>initiating EAP_IDENTITY method (id 0x00)
    Mar 22 16:08:03 charon          13[IKE] <con1|10>peer supports MOBIKE
    Mar 22 16:08:03 charon          13[IKE] <con1|10>authentication of '2003:c8:4011:8000::2' (myself) with RSA signature successful
    Mar 22 16:08:03 charon          13[IKE] <con1|10>sending end entity cert "xxxx"
    Mar 22 16:08:03 charon          13[ENC] <con1|10>generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
    Mar 22 16:08:03 charon          13[NET] <con1|10>sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)
    Mar 22 16:08:04 charon          13[NET] <con1|10>received packet: from 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] to 2003:c8:4011:8000::2[4500] (1440 bytes)
    Mar 22 16:08:04 charon          13[ENC] <con1|10>parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    Mar 22 16:08:04 charon          13[IKE] <con1|10>received retransmit of request with ID 1, retransmitting response
    Mar 22 16:08:04 charon          13[NET] <con1|10>sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)
    Mar 22 16:08:05 charon          13[NET] <con1|10>received packet: from 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] to 2003:c8:4011:8000::2[4500] (1440 bytes)
    Mar 22 16:08:05 charon          13[ENC] <con1|10>parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    Mar 22 16:08:05 charon          13[IKE] <con1|10>received retransmit of request with ID 1, retransmitting response
    Mar 22 16:08:05 charon          13[NET] <con1|10>sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)
    Mar 22 16:08:33 charon          11[JOB] <con1|10>deleting half open IKE_SA with 2a02:810c:c1bf:f788:71:4cb0:eb92:af04 after timeout
    

    Here are pfSense logs for the first host, which establishes the VPN connection without problems:

    
    Mar 22 16:58:44 charon          07[NET] <11> received packet: from 2003:c8:4011:8000::56[500] to 2003:c8:4011:8000::2[500] (616 bytes)
    Mar 22 16:58:44 charon          07[ENC] <11> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    Mar 22 16:58:44 charon          07[IKE] <11> received MS NT5 ISAKMPOAKLEY v9 vendor ID
    Mar 22 16:58:44 charon          07[IKE] <11> received MS-Negotiation Discovery Capable vendor ID
    Mar 22 16:58:44 charon          07[IKE] <11> received Vid-Initial-Contact vendor ID
    Mar 22 16:58:44 charon          07[ENC] <11> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
    Mar 22 16:58:44 charon          07[IKE] <11> 2003:c8:4011:8000::56 is initiating an IKE_SA
    Mar 22 16:58:44 charon          07[IKE] <11> sending cert request for "yyyyy"
    Mar 22 16:58:44 charon          07[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    Mar 22 16:58:44 charon          07[NET] <11> sending packet: from 2003:c8:4011:8000::2[500] to 2003:c8:4011:8000::56[500] (337 bytes)
    Mar 22 16:58:44 charon          07[NET] <11> received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (1056 bytes)
    Mar 22 16:58:44 charon          07[ENC] <11> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    Mar 22 16:58:44 charon          07[IKE] <11> received cert request for "yyyyy"
    Mar 22 16:58:44 charon          07[IKE] <11> received 33 cert requests for an unknown ca
    Mar 22 16:58:44 charon          07[CFG] <11> looking for peer configs matching 2003:c8:4011:8000::2[%any]...2003:c8:4011:8000::56[2003:c8:4011:8000::56]
    Mar 22 16:58:44 charon          07[CFG] <con1|11>selected peer config 'con1'
    Mar 22 16:58:44 charon          07[IKE] <con1|11>initiating EAP_IDENTITY method (id 0x00)
    Mar 22 16:58:44 charon          07[IKE] <con1|11>peer supports MOBIKE
    Mar 22 16:58:44 charon          07[IKE] <con1|11>authentication of '2003:c8:4011:8000::2' (myself) with RSA signature successful
    Mar 22 16:58:44 charon          07[IKE] <con1|11>sending end entity cert "xxxxx"
    Mar 22 16:58:44 charon          07[ENC] <con1|11>generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
    Mar 22 16:58:44 charon          07[NET] <con1|11>sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (1712 bytes)
    Mar 22 16:58:44 charon          07[NET] <con1|11>received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (96 bytes)
    Mar 22 16:58:44 charon          07[ENC] <con1|11>parsed IKE_AUTH request 2 [ EAP/RES/ID ]
    Mar 22 16:58:44 charon          07[IKE] <con1|11>received EAP identity 'testuser'
    Mar 22 16:58:44 charon          07[IKE] <con1|11>initiating EAP_MSCHAPV2 method (id 0x8A)
    Mar 22 16:58:44 charon          07[ENC] <con1|11>generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
    Mar 22 16:58:44 charon          07[NET] <con1|11>sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (112 bytes)
    Mar 22 16:58:44 charon          07[NET] <con1|11>received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (144 bytes)
    Mar 22 16:58:44 charon          07[ENC] <con1|11>parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
    Mar 22 16:58:44 charon          07[ENC] <con1|11>generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
    Mar 22 16:58:44 charon          07[NET] <con1|11>sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (144 bytes)
    Mar 22 16:58:44 charon          07[NET] <con1|11>received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (80 bytes)
    Mar 22 16:58:44 charon          07[ENC] <con1|11>parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
    Mar 22 16:58:44 charon          07[IKE] <con1|11>EAP method EAP_MSCHAPV2 succeeded, MSK established
    Mar 22 16:58:44 charon          07[ENC] <con1|11>generating IKE_AUTH response 4 [ EAP/SUCC ]
    Mar 22 16:58:44 charon          07[NET] <con1|11>sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (80 bytes)
    Mar 22 16:58:44 charon          14[NET] <con1|11>received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (112 bytes)
    Mar 22 16:58:44 charon          14[ENC] <con1|11>parsed IKE_AUTH request 5 [ AUTH ]
    Mar 22 16:58:44 charon          14[IKE] <con1|11>authentication of '2003:c8:4011:8000::56' with EAP successful
    Mar 22 16:58:44 charon          14[IKE] <con1|11>authentication of '2003:c8:4011:8000::2' (myself) with EAP
    Mar 22 16:58:44 charon          14[IKE] <con1|11>IKE_SA con1[11] established between 2003:c8:4011:8000::2[2003:c8:4011:8000::2]...2003:c8:4011:8000::56[2003:c8:4011:8000::56]
    Mar 22 16:58:44 charon          14[IKE] <con1|11>scheduling reauthentication in 35221s
    Mar 22 16:58:44 charon          14[IKE] <con1|11>maximum IKE_SA lifetime 35761s
    Mar 22 16:58:44 charon          14[IKE] <con1|11>peer requested virtual IP %any
    Mar 22 16:58:44 charon          14[IKE] <con1|11>no virtual IP found for %any requested by 'testuser'
    Mar 22 16:58:44 charon          14[IKE] <con1|11>peer requested virtual IP fddf:c8:4011:11::1
    Mar 22 16:58:44 charon          14[CFG] <con1|11>reassigning offline lease to 'testuser'
    Mar 22 16:58:44 charon          14[IKE] <con1|11>assigning virtual IP fddf:c8:4011:11::1 to peer 'testuser'
    Mar 22 16:58:44 charon          14[IKE] <con1|11>CHILD_SA con1{2} established with SPIs ca6b2145_i e8c59f9c_o and TS ::/0|/0 === fddf:c8:4011:11::1/128|/0
    Mar 22 16:58:44 charon          14[ENC] <con1|11>generating IKE_AUTH response 5 [ AUTH CPRP(ADDR6 DNS6 U_DEFDOM U_SPLITDNS U_BANNER U_SAVEPWD) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
    Mar 22 16:58:44 charon          14[NET] <con1|11>sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (480 bytes)
    

    P.P.S. For IPv4 the IKE_AUTH response 1 is even longer than 1712 bytes, but everything is OK:

    
    Mar 22 16:12:22 charon          05[NET] <con4|3697>sending packet: from xxx.yyy.zzz.uuu[4500] to 77.21.251.9[31236] (1824 bytes)
    Mar 22 16:12:22 charon          05[NET] <con4|3697>received packet: from 77.21.251.9[31236] to xxx.yyy.zzz.uuu[4500] (96 bytes)
    Mar 22 16:12:22 charon          05[ENC] <con4|3697>parsed IKE_AUTH request 2 [ EAP/RES/ID ]
    Mar 22 16:12:22 charon          05[IKE] <con4|3697>received EAP identity 'testuser'
    


  • We also have this problem, and a dump on the WAN interface does not show any sign of the "oversized" packet listed here:

    Mar 22 16:08:04 charon          13[NET] <con1|10>sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)

    So it looks like charon is creating the packet and pfSense should fragment it before sending, but simply drops it on the floor without notice. Is there any setting to enable/disable fragments with IPv6?

    Regards

    Andi



  • @lst_hoe:


    So it looks like charon is creating the packet and pfSense should fragment it before sending, but simply drops it on the floor without notice. Is there any setting to enable/disable fragments with IPv6?

    There is a System Tunable net.inet.udp.maxdgram, default value 57344. It is much greater than 1712…
    And in my case everything works under IPv4.



  • The IPv4 case also works for us. With IPv4, charon also creates packets bigger than 1500 bytes, but they get fragmented at the outgoing interface as they should, as seen in an interface dump. With IPv6, a dump on the same interface simply shows nothing for the packet in question…
    That's why I suspect that pfSense does not do any fragmentation for IPv6.
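The failure signature discussed in this thread (a large IKE_AUTH response to an IPv6 peer, followed by the peer retransmitting request ID 1 and the half-open IKE_SA timing out) can be pulled out of the charon log automatically. The script below is an added example, not code from the thread or from pfSense/strongSwan; the log excerpt is constructed to mirror the posted lines, and the 1280-byte threshold (the IPv6 minimum link MTU) is an assumed heuristic, since the real path MTU is unknown.

```python
import re
from collections import defaultdict

# Constructed log excerpt modelled on the charon lines quoted in the thread;
# it is not a verbatim copy of the posted logs.
SAMPLE_LOG = """\
Mar 22 16:08:03 charon 13[NET] <con1|10>sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)
Mar 22 16:08:04 charon 13[IKE] <con1|10>received retransmit of request with ID 1, retransmitting response
Mar 22 16:08:05 charon 13[IKE] <con1|10>received retransmit of request with ID 1, retransmitting response
Mar 22 16:08:33 charon 11[JOB] <con1|10>deleting half open IKE_SA with 2a02:810c:c1bf:f788:71:4cb0:eb92:af04 after timeout
Mar 22 16:58:44 charon 07[NET] <con1|11>sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (1712 bytes)
Mar 22 16:58:44 charon 14[IKE] <con1|11>IKE_SA con1[11] established between 2003:c8:4011:8000::2[2003:c8:4011:8000::2]...2003:c8:4011:8000::56[2003:c8:4011:8000::56]
"""

IPV6_MIN_MTU = 1280  # RFC 8200 minimum link MTU; assumed threshold, not a measured path MTU

# "<con1|10>" or "<10>": connection name is optional, the number is the IKE_SA id
SA_RE = re.compile(r"<(?:[^|>]+\|)?(?P<sa>\d+)>\s*(?P<msg>.*)$")
SEND_RE = re.compile(r"sending packet: from \S+ to (?P<dst>\S+) \((?P<size>\d+) bytes\)")


def analyze(log_text):
    """Per IKE_SA: largest datagram sent, whether the peer is IPv6, retransmits seen, outcome."""
    sas = defaultdict(lambda: {"largest_send": 0, "ipv6_peer": False,
                               "retransmits": 0, "outcome": "unknown"})
    for line in log_text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        rec, msg = sas[m.group("sa")], m.group("msg")
        s = SEND_RE.search(msg)
        if s:
            size = int(s.group("size"))
            if size > rec["largest_send"]:
                rec["largest_send"] = size
                # a ":" in the address part (before "[port]") marks an IPv6 peer
                rec["ipv6_peer"] = ":" in s.group("dst").rsplit("[", 1)[0]
        elif "received retransmit of request" in msg:
            rec["retransmits"] += 1
        elif "after timeout" in msg:
            rec["outcome"] = "timeout"
        elif "IKE_SA" in msg and "established" in msg:
            rec["outcome"] = "established"
    return dict(sas)


def suspect_fragmentation(log_text, mtu=IPV6_MIN_MTU):
    """IKE_SA ids where an over-MTU send to an IPv6 peer was followed by retransmits and a timeout."""
    return sorted(sa for sa, r in analyze(log_text).items()
                  if r["ipv6_peer"] and r["largest_send"] > mtu
                  and r["retransmits"] > 0 and r["outcome"] == "timeout")
```

Running `suspect_fragmentation` over a full charon log flags the SAs worth correlating with a WAN interface capture, which is exactly the check Andi describes: if the flagged datagram never appears on the wire, the loss is on the sending box rather than in the path.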