Netgate Discussion Forum
    Phase 1 IPv6 broken with IPSec remote access

    IPsec
    3 Posts 3 Posters 517 Views
      xpxp2002

      I was delighted to see that a complete dual-stack IPSec implementation is now possible in 2.4.3. In testing, I added IPv6 to my phases 1 and 2. This is a remote access configuration with no split tunnel. The end goal here is to deliver dual-stack connectivity within the tunnel to clients, while enabling clients on IPv4-only and dual-stack WAN connections to reach pfSense using IPv6 if available, and fall back to IPv4 when not available.

      Anyway, IPv6-in-IPv4 worked perfectly. As long as I only use IPv4 for phase 1, everything works and I can tunnel IPv4 and IPv6 traffic.

      However, if I use an IPv6 phase 1, no traffic will traverse the tunnel. I can get a phase 1 and 2 negotiation to complete, but IPv4 and v6 traffic will not make it to any host, including LAN hosts on next-hop subnets with pass any-any rules in between. Oddly, the client is receiving v4 and v6 addresses from the pools configured. I even grabbed a pcap and can see the negotiation set up and ESPs flowing both directions. But ping to the next hop times out, connections to a next hop LAN web server fail, and routing back out to the Internet is a no-go, too.

      Is this a known issue, or am I missing something here? I've triple-checked firewall rules. Given that the tunnel is building and the client has IPs, I suspect it's a routing issue – it's the only thing I can't seem to completely rule out. I would certainly appreciate any guidance or confirmation of known issues or caveats with an IPv6 phase 1.

        lst_hoe

        Same here. We have awaited the dual-stack endpoint because of problems with UDP fragments and NAT on IPv4, but we could not finish phase 1 with IPv6. It looks like pfSense does not fragment oversized outgoing IPv6 packets created by charon at all, but simply drops them :-(

          yarick123

          For me, phase 1 could not be finished on an IPv6 single-stack VPN on pfSense 2.4.2-p1 if the host was behind another firewall:

          https://forum.pfsense.org/index.php?topic=145581.0

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.