IPv6 IKEv1 tunnel not established if FQDN is used as Remote Gateway
-
Hello,
I changed the Remote Gateway on pfSense's side of a perfectly working IPv6 IKEv1 tunnel from an IP [v6] address to a FQDN, and Phase 1 cannot be established anymore.
I expect the tunnel to work exactly as before, because everything in the Phase 1 Proposal (Authentication) section, in particular My Identifier and Peer Identifier, as well as the Phase 1 Proposal (Encryption) section, and everything on the peer's side, remains untouched.
An IKEv1 tunnel I've set up the same way, except that it's IPv4, works.
I think this is a bug on pfSense's side. But I'm open to any thought and suggestion.
Thank you.
Details:
-
My pfSense is v2.4.4 - RELEASE p3.
-
Peer is unidentified. (It's a GPON router, installed by the ISP whose logo is printed as the official manufacturer, without reference to the [true] manufacturer. My best guess is it's a rebranded model of Huawei.)
-
Phase 1 uses IKEv1, IPv6.
-
Phase 1 uses Mutual PSK in Main Mode, with My IP Address as My Identifier and Peer IP Address as Peer Identifier.
-
I've checked (with the Diagnostics / DNS Lookup tool) that the pfSense machine can resolve the FQDN, and that it resolves to the correct IPv6 address and nothing else.
-
This is the relevant part of pfSense's IPsec log. IP addresses were redacted.
Jan 11 12:10:55 charon 08[IKE] <60> 2XXX:ee0:4f3b:62bb:VVVV:VVVV:VVVV:VVVV is initiating a Main Mode IKE_SA
Jan 11 12:10:55 charon 08[CFG] <60> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jan 11 12:10:55 charon 08[ENC] <60> generating ID_PROT response 0 [ SA V V ]
Jan 11 12:10:55 charon 08[NET] <60> sending packet: from 2YYY:800:637a:b7a0:UUUU:UUUU:UUUU:UUUU[500] to 2XXX:ee0:4f3b:62bb:VVVV:VVVV:VVVV:VVVV[500] (116 bytes)
Jan 11 12:10:55 charon 08[NET] <60> received packet: from 2XXX:ee0:4f3b:62bb:VVVV:VVVV:VVVV:VVVV[500] to 2YYY:800:637a:b7a0:UUUU:UUUU:UUUU:UUUU[500] (308 bytes)
Jan 11 12:10:55 charon 08[ENC] <60> parsed ID_PROT request 0 [ KE No ]
Jan 11 12:10:55 charon 08[ENC] <60> generating ID_PROT response 0 [ KE No ]
Jan 11 12:10:55 charon 08[NET] <60> sending packet: from 2YYY:800:637a:b7a0:UUUU:UUUU:UUUU:UUUU[500] to 2XXX:ee0:4f3b:62bb:VVVV:VVVV:VVVV:VVVV[500] (324 bytes)
Jan 11 12:10:56 charon 10[NET] <60> received packet: from 2XXX:ee0:4f3b:62bb:VVVV:VVVV:VVVV:VVVV[500] to 2YYY:800:637a:b7a0:UUUU:UUUU:UUUU:UUUU[500] (92 bytes)
Jan 11 12:10:56 charon 10[ENC] <60> invalid ID_V1 payload length, decryption failed?
Jan 11 12:10:56 charon 10[ENC] <60> could not decrypt payloads
Jan 11 12:10:56 charon 10[IKE] <60> message parsing failed
Jan 11 12:10:56 charon 10[ENC] <60> generating INFORMATIONAL_V1 request 1533072011 [ HASH N(PLD_MAL) ]
Jan 11 12:10:56 charon 10[NET] <60> sending packet: from 2YYY:800:637a:b7a0:UUUU:UUUU:UUUU:UUUU[500] to 2XXX:ee0:4f3b:62bb:VVVV:VVVV:VVVV:VVVV[500] (76 bytes)
Jan 11 12:10:56 charon 10[IKE] <60> ID_PROT request with message ID 0 processing failed
-
It's a known issue. At the moment it's hardcoded to only look for A records in that role: https://redmine.pfsense.org/issues/9405
-
@jimp Thanks. I'm glad to hear that it is known and somebody is working on it. Can't wait for pfSense v2.5.
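The explanation in the thread (the Remote Gateway lookup in pfSense 2.4.x only asks for A records, so an IPv6 tunnel whose peer is named by FQDN never gets an IPv6 address) can be turned into a pre-flight check. The script below is an added example and is not pfSense's own code; the "A-only" function is a deliberate model of the reported behaviour, not the real resolver, and the hostnames, addresses and fake DNS table are constructed so that it runs offline. Replace fake_getaddrinfo with the default socket.getaddrinfo to check a real name.

```python
"""Pre-flight check for an IPsec Remote Gateway given as an FQDN.

Added example, not pfSense code. It contrasts two ways of turning the
Remote Gateway name into a peer address: an A-only lookup (a model of the
behaviour reported in redmine #9405) and a lookup that asks for the record
type the tunnel's address family actually needs. Names, addresses and the
FAKE_ZONE table are constructed for illustration.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Any getaddrinfo-compatible callable; the default talks to the real resolver.
Lookup = Callable[..., List[Tuple]]

# Constructed, offline stand-in for DNS: name -> [(record type, address)].
FAKE_ZONE: Dict[str, List[Tuple[str, str]]] = {
    "v6-only-gw.example.net": [("AAAA", "2001:db8:1::1")],
    "dual-stack-gw.example.net": [("A", "192.0.2.10"), ("AAAA", "2001:db8:1::10")],
    "v4-only-gw.example.net": [("A", "192.0.2.20")],
}


def fake_getaddrinfo(host, port=None, family=0, socktype=0, proto=0, flags=0):
    """Mimic socket.getaddrinfo() against FAKE_ZONE so the example runs offline."""
    if host not in FAKE_ZONE:
        raise socket.gaierror("Name or service not known")
    results = []
    for rr, addr in FAKE_ZONE[host]:
        fam = socket.AF_INET if rr == "A" else socket.AF_INET6
        if family not in (socket.AF_UNSPEC, fam):
            continue
        sockaddr = (addr, port or 0) if fam == socket.AF_INET else (addr, port or 0, 0, 0)
        results.append((fam, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", sockaddr))
    return results


def resolve_records(fqdn: str, lookup: Lookup = socket.getaddrinfo) -> Dict[str, List[str]]:
    """Return the A and AAAA addresses fqdn resolves to (deduplicated, resolver order)."""
    found: Dict[str, List[str]] = {"A": [], "AAAA": []}
    try:
        entries = lookup(fqdn, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return found  # NXDOMAIN or resolver failure: nothing usable either way
    for family, _stype, _proto, _canon, sockaddr in entries:
        rr = {socket.AF_INET: "A", socket.AF_INET6: "AAAA"}.get(family)
        if rr and sockaddr[0] not in found[rr]:
            found[rr].append(sockaddr[0])
    return found


def gateway_a_only(fqdn: str, lookup: Lookup = socket.getaddrinfo) -> Optional[str]:
    """Model of the reported 2.4.x behaviour: first A record, whatever the tunnel's family."""
    a = resolve_records(fqdn, lookup)["A"]
    return a[0] if a else None


def gateway_for_family(fqdn: str, ipv6_tunnel: bool,
                       lookup: Lookup = socket.getaddrinfo) -> Optional[str]:
    """Family-aware lookup: first record of the type the tunnel actually needs."""
    rr = "AAAA" if ipv6_tunnel else "A"
    addrs = resolve_records(fqdn, lookup)[rr]
    return addrs[0] if addrs else None


def check_remote_gateway(fqdn: str, ipv6_tunnel: bool,
                         lookup: Lookup = socket.getaddrinfo) -> Tuple[str, str]:
    """Classify an FQDN Remote Gateway as ('ok' | 'a-only-bug' | 'unresolvable', detail)."""
    needed = gateway_for_family(fqdn, ipv6_tunnel, lookup)
    legacy = gateway_a_only(fqdn, lookup)
    if needed is None:
        return "unresolvable", f"{fqdn} has no {'AAAA' if ipv6_tunnel else 'A'} record"
    if legacy == needed:
        return "ok", f"{fqdn} -> {needed}"
    return ("a-only-bug",
            f"tunnel needs {needed} but an A-only lookup yields {legacy}; "
            "use the literal address until the resolver is family-aware")


if __name__ == "__main__":
    cases = [("v6-only-gw.example.net", True), ("dual-stack-gw.example.net", True),
             ("dual-stack-gw.example.net", False), ("v4-only-gw.example.net", True)]
    for name, v6 in cases:
        status, detail = check_remote_gateway(name, v6, fake_getaddrinfo)
        print(f"{name} ({'IPv6' if v6 else 'IPv4'} tunnel): {status}: {detail}")
```

Two outcomes matter for the thread: a name with only an AAAA record gives the A-only lookup nothing at all, and a dual-stack name gives it an IPv4 address for an IPv6 tunnel; both are reported as "a-only-bug". The IPv4 tunnel the poster mentions passes because there the A record is the right answer anyway.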