Phase 1 IPv6 broken with IPSec remote access

  • I was delighted to see that a complete dual-stack IPSec implementation is now possible in 2.4.3. In testing, I added IPv6 to my phases 1 and 2. This is a remote access configuration with no split tunnel. The end goal here is to deliver dual-stack connectivity within the tunnel to clients, while enabling clients on IPv4-only and dual-stack WAN connections to reach pfSense using IPv6 if available, and fall back to IPv4 when not available.

    Anyway, IPv6-in-IPv4 worked perfectly. As long as I only use IPv4 for phase 1, everything works and I can tunnel IPv4 and IPv6 traffic.

    However, if I use an IPv6 phase 1, no traffic will traverse the tunnel. I can get a phase 1 and 2 negotiation to complete, but IPv4 and v6 traffic will not make it to any host, including LAN hosts on next-hop subnets with pass any-any rules in between. Oddly, the client is receiving v4 and v6 addresses from the pools configured. I even grabbed a pcap and can see the negotiation set up and ESPs flowing both directions. But ping to the next hop times out, connections to a next hop LAN web server fail, and routing back out to the Internet is a no-go, too.

    Is this a known issue, or am I missing something here? I've triple-checked firewall rules. Given that the tunnel is building and the client has IPs, I suspect it's a routing issue – it's the only thing I can't seem to completely rule out. I would certainly appreciate any guidance or confirmation of known issues or caveats with an IPv6 phase 1.

  • Same here. We have been waiting for the dual-stack endpoint because of problems with UDP fragments and NAT on IPv4, but we could not finish phase 1 with IPv6. It looks like pfSense does not fragment oversized outgoing IPv6 packets created by charon at all but simply drops them :-(

  • For me, phase 1 could not be finished on an IPv6 single-stack VPN on pfSense 2.4.2-p1 if the host was behind another firewall:
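One mitigation for the oversized IKE packets described in the second post, added here as an example and not taken from the thread or from pfSense's own generated configuration: strongSwan can fragment IKEv2 messages itself (RFC 7383) so the IP layer never has to, and the fragment size can be pinned at the IPv6 minimum link MTU. The connection name, identity, certificate file and address pools below are assumptions; on pfSense the ipsec.conf is normally written by the GUI rather than edited by hand.

```ini
# ipsec.conf fragment (assumed layout; pfSense generates its own file from the GUI)
conn ra-dualstack
    keyexchange=ikev2
    # Let charon split large IKE messages (for example IKE_AUTH carrying
    # certificates) into IKEv2 fragments instead of relying on IP-layer
    # fragmentation, which the post above reports does not happen for IPv6.
    fragmentation=yes
    left=%any
    # No split tunnel: both address families are tunnelled
    leftsubnet=0.0.0.0/0,::/0
    leftid=@vpn.example.net            # assumed gateway identity
    leftcert=serverCert.pem            # assumed certificate file
    right=%any
    # Assumed client pools (documentation ranges), one per address family
    rightsourceip=10.10.0.0/24,2001:db8:10::/64
    auto=add

# strongswan.conf fragment
charon {
    # Complete IP datagram size of each sent IKE fragment; 1280 bytes is the
    # IPv6 minimum link MTU, so fragments of this size never need path
    # fragmentation regardless of which family phase 1 runs over.
    fragment_size = 1280
}
```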
