IPv6, IKEv2, win10: host behind another firewall cannot connect to the VPN
-
Hello,
I have configured an IPsec IKEv2 road warrior VPN over IPv6 on a pfSense 2.4.2-RELEASE-p1 box. I have tested it on a host which was directly in an Internet segment. Everything was OK.
On a host behind an(other) firewall, the connection process started successfully, but then no IKE_AUTH request seemed to be received by the host. Starting from this point, pfSense got "retransmit of request with ID 1" answers, and after some time initiated a timeout error.
I played with different values of MSS: 1000, 1340. It did not help. The first host could establish an IPsec connection, the second could not.
On another pfSense box (2.3.5-RELEASE-p1) I have IPsec (IKEv2) over IPv4. Both hosts can establish connection to the VPN.
Could you please suggest what could be done to fix the problem?
Best regards
yarick123

P.S. Here are pfSense logs for the second host:
Mar 22 16:08:03 charon 13[NET] <10> received packet: from 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[500] to 2003:c8:4011:8000::2[500] (616 bytes)
Mar 22 16:08:03 charon 13[ENC] <10> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Mar 22 16:08:03 charon 13[IKE] <10> received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar 22 16:08:03 charon 13[IKE] <10> received MS-Negotiation Discovery Capable vendor ID
Mar 22 16:08:03 charon 13[IKE] <10> received Vid-Initial-Contact vendor ID
Mar 22 16:08:03 charon 13[ENC] <10> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Mar 22 16:08:03 charon 13[IKE] <10> 2a02:810c:c1bf:f788:71:4cb0:eb92:af04 is initiating an IKE_SA
Mar 22 16:08:03 charon 13[IKE] <10> sending cert request for "yyyyy"
Mar 22 16:08:03 charon 13[ENC] <10> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 22 16:08:03 charon 13[NET] <10> sending packet: from 2003:c8:4011:8000::2[500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[500] (337 bytes)
Mar 22 16:08:03 charon 13[NET] <10> received packet: from 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] to 2003:c8:4011:8000::2[4500] (1440 bytes)
Mar 22 16:08:03 charon 13[ENC] <10> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Mar 22 16:08:03 charon 13[IKE] <10> received cert request for "yyyyy"
Mar 22 16:08:03 charon 13[IKE] <10> received 53 cert requests for an unknown ca
Mar 22 16:08:03 charon 13[CFG] <10> looking for peer configs matching 2003:c8:4011:8000::2[%any]...2a02:810c:c1bf:f788:71:4cb0:eb92:af04[2a02:810c:c1bf:f788:71:4cb0:eb92:af04]
Mar 22 16:08:03 charon 13[CFG] <con1|10> selected peer config 'con1'
Mar 22 16:08:03 charon 13[IKE] <con1|10> initiating EAP_IDENTITY method (id 0x00)
Mar 22 16:08:03 charon 13[IKE] <con1|10> peer supports MOBIKE
Mar 22 16:08:03 charon 13[IKE] <con1|10> authentication of '2003:c8:4011:8000::2' (myself) with RSA signature successful
Mar 22 16:08:03 charon 13[IKE] <con1|10> sending end entity cert "xxxx"
Mar 22 16:08:03 charon 13[ENC] <con1|10> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar 22 16:08:03 charon 13[NET] <con1|10> sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)
Mar 22 16:08:04 charon 13[NET] <con1|10> received packet: from 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] to 2003:c8:4011:8000::2[4500] (1440 bytes)
Mar 22 16:08:04 charon 13[ENC] <con1|10> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Mar 22 16:08:04 charon 13[IKE] <con1|10> received retransmit of request with ID 1, retransmitting response
Mar 22 16:08:04 charon 13[NET] <con1|10> sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)
Mar 22 16:08:05 charon 13[NET] <con1|10> received packet: from 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] to 2003:c8:4011:8000::2[4500] (1440 bytes)
Mar 22 16:08:05 charon 13[ENC] <con1|10> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Mar 22 16:08:05 charon 13[IKE] <con1|10> received retransmit of request with ID 1, retransmitting response
Mar 22 16:08:05 charon 13[NET] <con1|10> sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)
Mar 22 16:08:33 charon 11[JOB] <con1|10> deleting half open IKE_SA with 2a02:810c:c1bf:f788:71:4cb0:eb92:af04 after timeout
Here are pfSense logs for the first host, which establishes the VPN connection without problems:
Mar 22 16:58:44 charon 07[NET] <11> received packet: from 2003:c8:4011:8000::56[500] to 2003:c8:4011:8000::2[500] (616 bytes)
Mar 22 16:58:44 charon 07[ENC] <11> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Mar 22 16:58:44 charon 07[IKE] <11> received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar 22 16:58:44 charon 07[IKE] <11> received MS-Negotiation Discovery Capable vendor ID
Mar 22 16:58:44 charon 07[IKE] <11> received Vid-Initial-Contact vendor ID
Mar 22 16:58:44 charon 07[ENC] <11> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Mar 22 16:58:44 charon 07[IKE] <11> 2003:c8:4011:8000::56 is initiating an IKE_SA
Mar 22 16:58:44 charon 07[IKE] <11> sending cert request for "yyyyy"
Mar 22 16:58:44 charon 07[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 22 16:58:44 charon 07[NET] <11> sending packet: from 2003:c8:4011:8000::2[500] to 2003:c8:4011:8000::56[500] (337 bytes)
Mar 22 16:58:44 charon 07[NET] <11> received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (1056 bytes)
Mar 22 16:58:44 charon 07[ENC] <11> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Mar 22 16:58:44 charon 07[IKE] <11> received cert request for "yyyyy"
Mar 22 16:58:44 charon 07[IKE] <11> received 33 cert requests for an unknown ca
Mar 22 16:58:44 charon 07[CFG] <11> looking for peer configs matching 2003:c8:4011:8000::2[%any]...2003:c8:4011:8000::56[2003:c8:4011:8000::56]
Mar 22 16:58:44 charon 07[CFG] <con1|11> selected peer config 'con1'
Mar 22 16:58:44 charon 07[IKE] <con1|11> initiating EAP_IDENTITY method (id 0x00)
Mar 22 16:58:44 charon 07[IKE] <con1|11> peer supports MOBIKE
Mar 22 16:58:44 charon 07[IKE] <con1|11> authentication of '2003:c8:4011:8000::2' (myself) with RSA signature successful
Mar 22 16:58:44 charon 07[IKE] <con1|11> sending end entity cert "xxxxx"
Mar 22 16:58:44 charon 07[ENC] <con1|11> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar 22 16:58:44 charon 07[NET] <con1|11> sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (1712 bytes)
Mar 22 16:58:44 charon 07[NET] <con1|11> received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (96 bytes)
Mar 22 16:58:44 charon 07[ENC] <con1|11> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Mar 22 16:58:44 charon 07[IKE] <con1|11> received EAP identity 'testuser'
Mar 22 16:58:44 charon 07[IKE] <con1|11> initiating EAP_MSCHAPV2 method (id 0x8A)
Mar 22 16:58:44 charon 07[ENC] <con1|11> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Mar 22 16:58:44 charon 07[NET] <con1|11> sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (112 bytes)
Mar 22 16:58:44 charon 07[NET] <con1|11> received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (144 bytes)
Mar 22 16:58:44 charon 07[ENC] <con1|11> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Mar 22 16:58:44 charon 07[ENC] <con1|11> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Mar 22 16:58:44 charon 07[NET] <con1|11> sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (144 bytes)
Mar 22 16:58:44 charon 07[NET] <con1|11> received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (80 bytes)
Mar 22 16:58:44 charon 07[ENC] <con1|11> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Mar 22 16:58:44 charon 07[IKE] <con1|11> EAP method EAP_MSCHAPV2 succeeded, MSK established
Mar 22 16:58:44 charon 07[ENC] <con1|11> generating IKE_AUTH response 4 [ EAP/SUCC ]
Mar 22 16:58:44 charon 07[NET] <con1|11> sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (80 bytes)
Mar 22 16:58:44 charon 14[NET] <con1|11> received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (112 bytes)
Mar 22 16:58:44 charon 14[ENC] <con1|11> parsed IKE_AUTH request 5 [ AUTH ]
Mar 22 16:58:44 charon 14[IKE] <con1|11> authentication of '2003:c8:4011:8000::56' with EAP successful
Mar 22 16:58:44 charon 14[IKE] <con1|11> authentication of '2003:c8:4011:8000::2' (myself) with EAP
Mar 22 16:58:44 charon 14[IKE] <con1|11> IKE_SA con1[11] established between 2003:c8:4011:8000::2[2003:c8:4011:8000::2]...2003:c8:4011:8000::56[2003:c8:4011:8000::56]
Mar 22 16:58:44 charon 14[IKE] <con1|11> scheduling reauthentication in 35221s
Mar 22 16:58:44 charon 14[IKE] <con1|11> maximum IKE_SA lifetime 35761s
Mar 22 16:58:44 charon 14[IKE] <con1|11> peer requested virtual IP %any
Mar 22 16:58:44 charon 14[IKE] <con1|11> no virtual IP found for %any requested by 'testuser'
Mar 22 16:58:44 charon 14[IKE] <con1|11> peer requested virtual IP fddf:c8:4011:11::1
Mar 22 16:58:44 charon 14[CFG] <con1|11> reassigning offline lease to 'testuser'
Mar 22 16:58:44 charon 14[IKE] <con1|11> assigning virtual IP fddf:c8:4011:11::1 to peer 'testuser'
Mar 22 16:58:44 charon 14[IKE] <con1|11> CHILD_SA con1{2} established with SPIs ca6b2145_i e8c59f9c_o and TS ::/0|/0 === fddf:c8:4011:11::1/128|/0
Mar 22 16:58:44 charon 14[ENC] <con1|11> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR6 DNS6 U_DEFDOM U_SPLITDNS U_BANNER U_SAVEPWD) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Mar 22 16:58:44 charon 14[NET] <con1|11> sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (480 bytes)
P.P.S. For IPv4, IKE_AUTH response 1 is even longer than 1712 bytes, but everything is OK:
Mar 22 16:12:22 charon 05[NET] <con4|3697> sending packet: from xxx.yyy.zzz.uuu[4500] to 77.21.251.9[31236] (1824 bytes)
Mar 22 16:12:22 charon 05[NET] <con4|3697> received packet: from 77.21.251.9[31236] to xxx.yyy.zzz.uuu[4500] (96 bytes)
Mar 22 16:12:22 charon 05[ENC] <con4|3697> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Mar 22 16:12:22 charon 05[IKE] <con4|3697> received EAP identity 'testuser'
-
We also have this problem, and a dump on the WAN interface does not show any sign of the "oversized" packet listed here:
Mar 22 16:08:04 charon 13[NET] <con1|10> sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)
So it looks like charon is creating the packet and pfSense should fragment it before sending, but simply drops it on the floor without notice. Is there any setting to enable/disable fragments with IPv6?
Regards
Andi
-
> So it looks like charon is creating the packet and pfSense should fragment it before sending, but simply drops it on the floor without notice. Is there any setting to enable/disable fragments with IPv6?

There is a System Tunable net.inet.udp.maxdgram, default value 57344. It is much greater than 1712 …
And in my case everything works under IPv4.
-
The IPv4 case also works for us. With IPv4, charon also creates packets bigger than 1500 bytes, but they get fragmented at the outgoing interface as they should, as seen in an interface dump. With IPv6, a dump on the same interface simply shows nothing for the packet in question…
That's why I suspect that pfSense does not do any fragmentation for IPv6.
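Added example (not part of this thread, not pfSense or strongSwan code): a small triage script that groups charon log lines by IKE_SA number, records the largest UDP payload charon sent, counts "received retransmit of request" lines and checks whether the SA was established or timed out. The verdict logic encodes what the two logs above show: a response larger than the link MTU once the IPv6 and UDP headers are added, the peer retransmitting the same request, and no IKE_SA ever established. The 1500-byte LINK_MTU, the function names and the verdict strings are my assumptions; the sample lines are copied from the logs quoted in this thread.

```python
import re
from dataclasses import dataclass

# Assumed link MTU on the path (typical Ethernet). With IPv6 only the sender may
# fragment, so an IKE message larger than this on the wire is the first suspect
# when a big IKE_AUTH response keeps being retransmitted and never answered.
LINK_MTU = 1500
IPV4_HDR, IPV6_HDR, UDP_HDR = 20, 40, 8

SEND_RE = re.compile(r"sending packet: from (\S+)\[\d+\] to (\S+)\[\d+\] \((\d+) bytes\)")
RETRANS_RE = re.compile(r"received retransmit of request with ID \d+")
ESTABLISHED_RE = re.compile(r"IKE_SA \S+ established")
TIMEOUT_RE = re.compile(r"deleting half open IKE_SA")
SA_RE = re.compile(r"<(?:\w+\|)?(\d+)>")   # "<10>" or "<con1|10>" -> SA number "10"

# Constructed sample: a handful of the charon lines quoted in this thread
# (failing IPv6 peer behind a firewall = SA 10, working IPv6 peer = SA 11).
SAMPLE_LOG = """\
Mar 22 16:08:03 charon 13[NET] <10> received packet: from 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[500] to 2003:c8:4011:8000::2[500] (616 bytes)
Mar 22 16:08:03 charon 13[NET] <con1|10> sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)
Mar 22 16:08:04 charon 13[IKE] <con1|10> received retransmit of request with ID 1, retransmitting response
Mar 22 16:08:04 charon 13[NET] <con1|10> sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)
Mar 22 16:08:05 charon 13[IKE] <con1|10> received retransmit of request with ID 1, retransmitting response
Mar 22 16:08:33 charon 11[JOB] <con1|10> deleting half open IKE_SA with 2a02:810c:c1bf:f788:71:4cb0:eb92:af04 after timeout
Mar 22 16:58:44 charon 07[NET] <con1|11> sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (1712 bytes)
Mar 22 16:58:44 charon 14[IKE] <con1|11> IKE_SA con1[11] established between 2003:c8:4011:8000::2[2003:c8:4011:8000::2]...2003:c8:4011:8000::56[2003:c8:4011:8000::56]
"""

@dataclass
class SaStats:
    peer: str = ""            # address the largest packet was sent to
    largest_sent: int = 0     # largest UDP payload charon sent on this SA
    retransmits: int = 0      # peer re-sent a request, i.e. our response never arrived
    established: bool = False
    timed_out: bool = False

def on_wire_size(udp_payload: int, peer: str) -> int:
    """Bytes of one unfragmented IP datagram carrying this UDP payload."""
    return udp_payload + (IPV6_HDR if ":" in peer else IPV4_HDR) + UDP_HDR

def analyse(lines):
    """Group charon log lines by IKE_SA number and collect the facts we need."""
    stats = {}
    for line in lines:
        m = SA_RE.search(line)
        if not m:
            continue
        sa = stats.setdefault(m.group(1), SaStats())
        s = SEND_RE.search(line)
        if s and int(s.group(3)) > sa.largest_sent:
            sa.largest_sent, sa.peer = int(s.group(3)), s.group(2)
        if RETRANS_RE.search(line):
            sa.retransmits += 1
        if ESTABLISHED_RE.search(line):
            sa.established = True
        if TIMEOUT_RE.search(line):
            sa.timed_out = True
    return stats

def diagnose(sa: SaStats) -> str:
    """Verdict for one IKE_SA: ok, suspect-ipv6-fragmentation, suspect-path or incomplete."""
    if sa.established:
        return "ok"
    oversized = on_wire_size(sa.largest_sent, sa.peer) > LINK_MTU
    if sa.retransmits >= 2 and ":" in sa.peer and oversized:
        return "suspect-ipv6-fragmentation"
    if sa.retransmits >= 2:
        return "suspect-path"       # responses lost for some other reason
    return "incomplete"

if __name__ == "__main__":
    for num, sa in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"IKE_SA {num}: peer={sa.peer} largest={sa.largest_sent}B "
              f"(on wire {on_wire_size(sa.largest_sent, sa.peer)}B) "
              f"retransmits={sa.retransmits} -> {diagnose(sa)}")
```

Run against the two logs above, SA 10 comes out as suspect-ipv6-fragmentation (1712 bytes of UDP payload is 1760 bytes on the wire over IPv6, more than a 1500-byte link carries in one piece) while SA 11 is ok. The script only narrows the suspicion; the interface dump Andi describes is what actually confirms whether the datagram left the box. As a general strongSwan fact not confirmed by this thread for this pfSense release: when both ends support IKEv2 message fragmentation (RFC 7383, the `fragmentation` conn option in strongSwan), the large IKE_AUTH message is split at the IKE layer and IP-layer fragmentation is no longer needed.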