    Unable to use IPv4-mapped IPv6 address for mobile IPsec DNS

      612brokeaf @jimp

      @jimp Here it goes:

      # This file is automatically generated. Do not edit
      connections {
      	# NOTE(review): n.n.n.n, z.z.z.z, ::something:1, f.q.d.n.com etc. are the
      	# poster's redactions, so address/identity cross-references between these
      	# sections and the secrets section cannot be fully checked from this paste.
      	#
      	# Loopback peer with no child SAs. pfSense emits this stub; its purpose is
      	# not visible in this listing.
      	bypass {
      		remote_addrs = 127.0.0.1
      	}
      	# Road-warrior (mobile) connection: everything is inherited from the
      	# top-level con-mobile-defaults section defined after this block.
      	con-mobile : con-mobile-defaults {
      		# Stub to load con-mobile-defaults
      	}
      	# Site-to-site IKEv2 over IPv4, PSK on both sides, traffic-triggered (trap).
      	con4000 {
      		fragmentation = yes
      		# A new IKE_SA from the same peer identity replaces the existing one.
      		unique = replace
      		version = 2
      		proposals = aes256-sha256-ecp256
      		dpd_delay = 10s
      		# dpd_timeout only applies to IKEv1 per the strongSwan docs; it is
      		# ignored on this IKEv2 connection.
      		dpd_timeout = 60s
      		# IKE_SA is rekeyed every 54 min but never re-authenticated (reauth_time = 0s).
      		rekey_time = 3240s
      		reauth_time = 0s
      		over_time = 360s
      		rand_time = 360s
      		# UDP encapsulation is not forced; NAT-T is still negotiated if a NAT is detected.
      		encap = no
      		mobike = yes
      		local_addrs = n.n.n.n
      		# Peer is reached by FQDN; remote.id below is the identity it must
      		# present in IKE_AUTH, and the PSK in secrets is selected by that id.
      		remote_addrs = f.q.d.n.com
      		pools = 
      		local {
      			id = n.n.n.n
      			auth = psk
      		}
      		remote {
      			id = z.z.z.z
      			auth = psk
      		}
      		children {
      			con4000 {
      				# trap: install the policy now, negotiate the CHILD_SA on the
      				# first matching packet (also on DPD failure).
      				dpd_action = trap
      				mode = tunnel
      				policies = yes
      				life_time = 7200s
      				rekey_time = 6480s
      				rand_time = 720s
      				start_action = trap
      				remote_ts = a.a.a.a
      				local_ts = b.b.b.b
      				esp_proposals = aes256-sha256-ecp256
      			}
      		}
      	}
      	# Site-to-site IKEv2 over IPv6 between two fixed addresses, PSK on both sides.
      	con5000 {
      		fragmentation = yes
      		unique = replace
      		version = 2
      		proposals = aes256-sha256-ecp256
      		dpd_delay = 10s
      		dpd_timeout = 60s
      		rekey_time = 3240s
      		reauth_time = 0s
      		over_time = 360s
      		rand_time = 360s
      		encap = no
      		mobike = yes
      		local_addrs = ::something:1
      		remote_addrs = ::somethingelse:1
      		pools = 
      		local {
      			id = ::something:1
      			auth = psk
      		}
      		# NOTE(review): no ike-N entry in the secrets section lists this id
      		# verbatim; presumably a redaction artifact -- verify against the real file.
      		remote {
      			id = ::somethingelse:1
      			auth = psk
      		}
      		children {
      			con5000 {
      				dpd_action = trap
      				mode = tunnel
      				policies = yes
      				# Shorter child lifetime than the other tunnels (1 h vs 2 h).
      				life_time = 3600s
      				rekey_time = 3240s
      				rand_time = 360s
      				start_action = trap
      				remote_ts = F::something:1
      				local_ts = F::something:2
      				esp_proposals = aes256-sha256-ecp256
      			}
      		}
      	}
      	# Same peer and settings as con4000, different traffic selectors.
      	con2000 {
      		fragmentation = yes
      		unique = replace
      		version = 2
      		proposals = aes256-sha256-ecp256
      		dpd_delay = 10s
      		dpd_timeout = 60s
      		rekey_time = 3240s
      		reauth_time = 0s
      		over_time = 360s
      		rand_time = 360s
      		encap = no
      		mobike = yes
      		local_addrs = n.n.n.n
      		remote_addrs = f.q.d.n.com
      		pools = 
      		local {
      			id = n.n.n.n
      			auth = psk
      		}
      		remote {
      			id = z.z.z.z
      			auth = psk
      		}
      		children {
      			con2000 {
      				dpd_action = trap
      				mode = tunnel
      				policies = yes
      				life_time = 7200s
      				rekey_time = 6480s
      				rand_time = 720s
      				start_action = trap
      				remote_ts = a.b.c.d
      				local_ts = e.f.g.h
      				esp_proposals = aes256-sha256-ecp256
      			}
      		}
      	}
      	# Site-to-site IKEv2 over IPv6 to a peer addressed by FQDN, PSK on both sides.
      	con6000 {
      		fragmentation = yes
      		unique = replace
      		version = 2
      		proposals = aes256-sha256-ecp256
      		dpd_delay = 10s
      		dpd_timeout = 60s
      		rekey_time = 3240s
      		reauth_time = 0s
      		over_time = 360s
      		rand_time = 360s
      		encap = no
      		mobike = yes
      		local_addrs = ::something:1
      		remote_addrs = f.q.d.n.6.com
      		pools = 
      		local {
      			id = ::something:1
      			auth = psk
      		}
      		remote {
      			id = ::something:2
      			auth = psk
      		}
      		children {
      			con6000 {
      				dpd_action = trap
      				mode = tunnel
      				policies = yes
      				life_time = 7200s
      				rekey_time = 6480s
      				rand_time = 720s
      				start_action = trap
      				# NOTE(review): local_ts and remote_ts are identical here; most
      				# likely a redaction artifact, otherwise the selectors are wrong.
      				remote_ts = F::something:1
      				local_ts = F::something:1
      				esp_proposals = aes256-sha256-ecp256
      			}
      		}
      	}
      	# Legacy IKEv1 tunnel (main mode, PSK). Prefer migrating this peer to
      	# IKEv2 when possible; aggressive = no is the right choice with PSK, since
      	# aggressive mode exposes a PSK-derived hash to offline cracking.
      	con300000 {
      		fragmentation = yes
      		unique = replace
      		version = 1
      		aggressive = no
      		proposals = aes256-sha256-ecp256
      		dpd_delay = 10s
      		dpd_timeout = 60s
      		# IKEv1 has no in-place rekey, so re-authentication is used instead.
      		reauth_time = 3240s
      		over_time = 360s
      		rand_time = 360s
      		encap = no
      		# MOBIKE is an IKEv2 feature; this has no effect on an IKEv1 connection.
      		mobike = yes
      		local_addrs = n.n.n.n
      		remote_addrs = f.q.d.n.com
      		pools = 
      		local {
      			id = n.n.n.n
      			auth = psk
      		}
      		remote {
      			id = z.z.z.z
      			auth = psk
      		}
      		children {
      			con0 {
      				dpd_action = trap
      				mode = tunnel
      				policies = yes
      				life_time = 7200s
      				rekey_time = 6480s
      				rand_time = 720s
      				start_action = trap
      				local_ts = a.b.c.1
      				remote_ts = a.b.c.2
      				esp_proposals = aes256-sha256-ecp256
      			}
      		}
      	}
      }
      con-mobile-defaults {
      	# Template for the road-warrior (mobile IPsec) connection; con-mobile in the
      	# connections block inherits all of it. The server authenticates with a
      	# certificate, clients authenticate with EAP-MSCHAPv2 username/password.
      	fragmentation = yes
      	unique = replace
      	version = 2
      	# IKE: AES-256, SHA-384 integrity/PRF, DH group 14 (modp2048).
      	proposals = aes256-sha384-modp2048
      	dpd_delay = 10s
      	# dpd_timeout only applies to IKEv1 per the strongSwan docs; ignored here.
      	dpd_timeout = 60s
      	# 0s: this side never initiates IKE rekey or reauth; that is left to the client.
      	rekey_time = 0s
      	reauth_time = 0s
      	over_time = 180s
      	rand_time = 180s
      	# Always UDP-encapsulate ESP (clients are typically behind NAT).
      	encap = yes
      	mobike = yes
      	# Listen on one IPv4 and one IPv6 address; accept initiators from anywhere.
      	local_addrs = a.a.a.a,::something:1
      	remote_addrs = 0.0.0.0/0,::/0
      	# Virtual IPs (and the shared dns attribute) come from these pools.
      	pools = mobile-pool-v4, mobile-pool-v6
      	send_cert = always
      	local {
      		id = fqdn:something.com
      		auth = pubkey
      		cert {
      			file = /var/etc/ipsec/x509/cert-1.crt
      		}
      	}
      	# Any EAP identity is accepted; the password is looked up in the eap-N
      	# entries of the secrets section.
      	# NOTE(review): with EAP-MSCHAPv2 the only thing protecting a user's
      	# credential from an impersonating server is the client verifying this
      	# server certificate / its CA -- make sure client profiles do that.
      	remote {
      		eap_id = %any
      		auth = eap-mschapv2
      	}
      	children {
      		con-mobile {
      			# clear: on DPD failure just drop the SA, do not re-negotiate from here.
      			dpd_action = clear
      			mode = tunnel
      			policies = yes
      			life_time = 3600s
      			rekey_time = 3240s
      			rand_time = 360s
      			start_action = none
      			# Offer a full tunnel (all IPv4 + IPv6) to the client; remote_ts is
      			# not set, so it takes strongSwan's default (dynamic = the client's
      			# assigned virtual IP).
      			local_ts = 0.0.0.0/0,::/0
      			# ESP: AES-256-GCM (128-bit ICV) with ECP-384 for PFS.
      			esp_proposals = aes256gcm128-ecp384
      		}
      	}
      }
      pools {
      	# Virtual-IP pools handed out to mobile clients (referenced from
      	# con-mobile-defaults.pools). Both inherit the dns attribute from the
      	# mobile-pool section below, so they share one dns line -- and both fail
      	# to load if that single line is invalid.
      	mobile-pool-v4 : mobile-pool {
      		addrs = a.b.c.0/24
      	}
      	mobile-pool-v6 : mobile-pool {
      		addrs = ::something:0/112
      	}
      }
      mobile-pool {
      	# Attributes shared by BOTH mobile-pool-v4 and mobile-pool-v6 above.
      	# The second DNS entry is written in embedded-IPv4 / IPv4-mapped IPv6
      	# notation (f::...:a.b.c.d). swanctl's pool loader rejects that form with
      	# "invalid attribute value for dns", and because both pools inherit this
      	# line, both fail to load (see the swanctl output further down).
      	# Fix confirmed in this thread: give the v6 resolver as a plain IPv6
      	# literal (hex groups only) instead of the dotted-quad form.
      	# NOTE(review): nothing in the IKEv2 configuration-payload spec
      	# (RFC 7296, INTERNAL_IP6_DNS) suggests clients would do anything useful
      	# with an IPv4-mapped resolver address anyway -- use a native IPv6 resolver.
      	dns = a.b.c.d,f::something:a.b.c.d
      }
      secrets {
      	# Private key for cert-1.crt, the server certificate used by con-mobile-defaults.
      	private-0 {
      		file = /var/etc/ipsec/private/cert-1.key
      	}
      	# ike-N: IKE pre-shared keys. id-0 = %any lets the secret match any local
      	# identity; id-1 is the peer identity the PSK is selected by.
      	# NOTE(review): every secret below shows the same redacted string. In the
      	# real file each peer should have its own PSK; all secrets here are stored
      	# in plain text, so the file's ownership/permissions are what protect them.
      	ike-1 {
      		secret = parsnips grow here
      		id-0 = %any
      		id-1 = z.z.z.z
      	}
      	ike-2 {
      		secret = parsnips grow here
      		id-0 = %any
      		id-1 = ::something:2
      	}
      	ike-3 {
      		secret = parsnips grow here
      		id-0 = %any
      		id-1 = n.n.n.n
      	}
      	ike-4 {
      		secret = parsnips grow here
      		id-0 = %any
      		id-1 = ::something:3
      	}
      	ike-5 {
      		secret = parsnips grow here
      		id-0 = %any
      		id-1 = f.f.f.f
      	}
      	# eap-N: EAP-MSCHAPv2 user passwords for the mobile connection, keyed by
      	# the EAP identity the client sends.
      	eap-6 {
      		secret = parsnips grow here
      		id-0 = uid@domain.tld
      	}
      	eap-7 {
      		secret = parsnips grow here
      		id-0 = uid2@domain.tld
      	}
      	# NOTE(review): the closing brace of secrets { } is missing from this
      	# paste. swanctl loaded all seven secrets (see the output below), so the
      	# on-disk file is presumably complete and only the quote was truncated.
      

      Looks pretty much the same as on 2.4.5, bar formatting; maybe I'm missing something important. But it seems the issue is somewhere else, since it fails to load this config completely.

      ...yeah, I noticed the switch to vici now. So I take it you have a PHP client for vici? Or do you load stuff with swanctl?

        612brokeaf @612brokeaf

        OK, getting warmer...

        swanctl --load-all --file /var/etc/ipsec/swanctl.conf
        loaded certificate from '/var/etc/ipsec/x509/cert-1.crt'
        loaded certificate from '/var/etc/ipsec/x509ca/8d33f237.0'
        loaded RSA key from '/var/etc/ipsec/private/cert-1.key'
        loaded ike secret 'ike-1'
        loaded ike secret 'ike-2'
        loaded ike secret 'ike-3'
        loaded ike secret 'ike-4'
        loaded ike secret 'ike-5'
        loaded eap secret 'eap-6'
        loaded eap secret 'eap-7'
        no authorities found, 0 unloaded
        loading pool 'mobile-pool-v4' failed: invalid attribute value for dns
        loading pool 'mobile-pool-v6' failed: invalid attribute value for dns
        loaded 0 of 2 pools, 2 failed to load, 0 unloaded
        
          612brokeaf @612brokeaf

          my DNS entry looked like this:

          mobile-pool {
                  # One IPv4 resolver plus the same resolver written as an
                  # embedded-IPv4 IPv6 address; the second value is the one
                  # swanctl rejects with "invalid attribute value for dns".
                  dns = 1.2.3.4,fXXX::1.2.3.4
          }
          

          In other words, one IPv4 address and one IPv4-mapped IPv6 address — I do this all the time. It started to work after I left only the IPv4 address in place. I'll try a regular IPv6 address next.

          Edit: confirmed — changing the IPv4-mapped IPv6 address in the DNS field to a standard IPv6 address fixed it.

          What is a bit of a shame is that the actual swanctl error does not show up in the logs when it tries to load the config file — unless I wasn't looking in the right log.

            612brokeaf @jimp

            @jimp Jim - as always, thanks for pointing me in the right direction, and apologies for me reading some of your responses too quickly; I must be getting old and not as sharp as I used to be ;)

              jimp Rebel Alliance Developer Netgate

              I split this off into its own thread.

              Are you certain this actually worked on previous versions? The old parser may have silently rejected the value, or accepted it without ever sending it to clients.

              I can reproduce the config parsing problem here but I can't find any info in strongSwan about that being allowed. It may have been accepted by the old ipsec.conf config parser and now rejected by the swanctl parser.

              I also don't see anything in the IKEv2 configuration payload spec (RFC 7296, INTERNAL_IP6_DNS) that would allow an IPv4-mapped address there.

              If nothing else, we could add input validation to that DNS field so such values are rejected at entry time, since they are now known not to load.

              I opened https://redmine.pfsense.org/issues/11446 to fix the validation.
