IPv6 IKEv1 tunnel not established if FQDN is used as Remote Gateway



  • Hello,

I changed the Remote Gateway on pfSense's side of a perfectly working IPv6 IKEv1 tunnel from an IP[v6] address to an FQDN, and Phase 1 cannot be established anymore.

    I expect the tunnel to work exactly as before, because everything in the Phase 1 Proposal (Authentication) section, in particular My Identifier and Peer Identifier, as well as the Phase 1 Proposal (Encryption) section, and everything on the peer's side, remains untouched.

    An IKEv1 tunnel I've set up the same way, except that it's IPv4, works.

    I think this is a bug on pfSense's side. But I'm open to any thought and suggestion.

    Thank you.


    Details:

    • My pfSense is v2.4.4-RELEASE-p3.

    • Peer is unidentified. (It's a GPON router, installed by the ISP whose logo is printed as the official manufacturer, without reference to the [true] manufacturer. My best guess is it's a rebranded model of Huawei.)

    • Phase 1 uses IKEv1, IPv6.

    • Phase 1 uses Mutual PSK in Main Mode, My IP Address as My Identifier, and Peer IP Address as Peer Identifier.

    • I've checked (with the Diagnostics / DNS Lookup tool) that the pfSense machine can resolve the FQDN, and that it resolves to the correct IPv6 address and nothing else.



  • This is the relevant part of pfSense's IPsec log. IP addresses were redacted.

    Jan 11 12:10:55 	charon 		08[IKE] <60> 2XXX:ee0:4f3b:62bb:VVVV:VVVV:VVVV:VVVV is initiating a Main Mode IKE_SA
    Jan 11 12:10:55 	charon 		08[CFG] <60> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    Jan 11 12:10:55 	charon 		08[ENC] <60> generating ID_PROT response 0 [ SA V V ]
    Jan 11 12:10:55 	charon 		08[NET] <60> sending packet: from 2YYY:800:637a:b7a0:UUUU:UUUU:UUUU:UUUU[500] to 2XXX:ee0:4f3b:62bb:VVVV:VVVV:VVVV:VVVV[500] (116 bytes)
    Jan 11 12:10:55 	charon 		08[NET] <60> received packet: from 2XXX:ee0:4f3b:62bb:VVVV:VVVV:VVVV:VVVV[500] to 2YYY:800:637a:b7a0:UUUU:UUUU:UUUU:UUUU[500] (308 bytes)
    Jan 11 12:10:55 	charon 		08[ENC] <60> parsed ID_PROT request 0 [ KE No ]
    Jan 11 12:10:55 	charon 		08[ENC] <60> generating ID_PROT response 0 [ KE No ]
    Jan 11 12:10:55 	charon 		08[NET] <60> sending packet: from 2YYY:800:637a:b7a0:UUUU:UUUU:UUUU:UUUU[500] to 2XXX:ee0:4f3b:62bb:VVVV:VVVV:VVVV:VVVV[500] (324 bytes)
    Jan 11 12:10:56 	charon 		10[NET] <60> received packet: from 2XXX:ee0:4f3b:62bb:VVVV:VVVV:VVVV:VVVV[500] to 2YYY:800:637a:b7a0:UUUU:UUUU:UUUU:UUUU[500] (92 bytes)
    Jan 11 12:10:56 	charon 		10[ENC] <60> invalid ID_V1 payload length, decryption failed?
    Jan 11 12:10:56 	charon 		10[ENC] <60> could not decrypt payloads
    Jan 11 12:10:56 	charon 		10[IKE] <60> message parsing failed
    Jan 11 12:10:56 	charon 		10[ENC] <60> generating INFORMATIONAL_V1 request 1533072011 [ HASH N(PLD_MAL) ]
    Jan 11 12:10:56 	charon 		10[NET] <60> sending packet: from 2YYY:800:637a:b7a0:UUUU:UUUU:UUUU:UUUU[500] to 2XXX:ee0:4f3b:62bb:VVVV:VVVV:VVVV:VVVV[500] (76 bytes)
    Jan 11 12:10:56 	charon 		10[IKE] <60> ID_PROT request with message ID 0 processing failed

  • Rebel Alliance Developer Netgate

    It's a known issue. At the moment it's hardcoded to only look for A records in that role: https://redmine.pfsense.org/issues/9405
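To make the behaviour jimp describes concrete, here is an added example (not pfSense or strongSwan code) that contrasts an A-record-only gateway lookup with one that queries the record type matching the tunnel's address family. The zone data, the hostnames and the `lookup` callback are constructed for the demonstration; `system_lookup` shows the same check against the real OS resolver, which is how you would confirm that the FQDN actually carries an AAAA record before suspecting the IKE configuration.

```python
import socket

# Constructed zone data standing in for real DNS (not from the thread).
# vpn6.example.net is IPv6-only, like the peer in the original post.
FAKE_ZONE = {
    ("vpn6.example.net", "A"): [],
    ("vpn6.example.net", "AAAA"): ["2001:db8:ee0:4f3b::1"],
    ("dual.example.net", "A"): ["192.0.2.10"],
    ("dual.example.net", "AAAA"): ["2001:db8::10"],
}


def fake_lookup(name, rrtype):
    """Offline stand-in for a DNS query; returns a list of address strings."""
    return list(FAKE_ZONE.get((name, rrtype), []))


def system_lookup(name, rrtype):
    """Same interface backed by the OS resolver (needs network); rrtype is 'A' or 'AAAA'."""
    family = socket.AF_INET if rrtype == "A" else socket.AF_INET6
    try:
        infos = socket.getaddrinfo(name, None, family, socket.SOCK_DGRAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def resolve_gateway_a_only(name, lookup=fake_lookup):
    """Models the behaviour described in the thread: only A records are consulted,
    regardless of whether the tunnel runs over IPv4 or IPv6."""
    addrs = lookup(name, "A")
    return addrs[0] if addrs else None


def resolve_gateway_by_family(name, ipv6, lookup=fake_lookup):
    """Corrected behaviour: query AAAA for an IPv6 tunnel, A for an IPv4 tunnel."""
    addrs = lookup(name, "AAAA" if ipv6 else "A")
    return addrs[0] if addrs else None


def diagnose_gateway(name, ipv6, lookup=fake_lookup):
    """Return what each strategy yields for this FQDN and whether they disagree.

    A disagreement means the peer address derived from the FQDN will not be the
    address the tunnel is actually negotiated with, so the per-peer settings
    (identifiers, PSK) cannot be matched to the incoming IKE exchange."""
    a_only = resolve_gateway_a_only(name, lookup)
    by_family = resolve_gateway_by_family(name, ipv6, lookup)
    return {
        "A": lookup(name, "A"),
        "AAAA": lookup(name, "AAAA"),
        "a_only_result": a_only,
        "family_aware_result": by_family,
        "mismatch": a_only != by_family,
    }


if __name__ == "__main__":
    for host, ipv6 in (("vpn6.example.net", True), ("dual.example.net", True),
                       ("dual.example.net", False)):
        print(host, "IPv6 tunnel" if ipv6 else "IPv4 tunnel", diagnose_gateway(host, ipv6))
```

On the IPv6-only name the A-only strategy yields no address at all, and on a dual-stack name used for an IPv6 tunnel it yields the IPv4 address, so both cases produce a mismatch; only the IPv4 tunnel on a dual-stack name is unaffected, which matches the report that the equivalent IPv4 tunnel works. To run the check against real DNS, pass `lookup=system_lookup`.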



  • @jimp Thanks. I'm glad to hear that it is known and somebody is working on it. Can't wait for pfSense v2.5.

