Ipsec ikev2

maverick_slo

Hi!

Created IKEv2 tunnel for IPv4 and it works fine.
Added IPv6 tunnel and traffic doesn`t flow.
Rules are added allow any to any ipv6 on ipsec iface.

Ive read somwhere that iupv4 and ipv6 P2 dont play nicely together is that true?
Should I create native IPv6 P1 and then add ipv6 P2?

Thanks!

jimp

With IKEv2 you can have a P2 for IPv4 and a P2 for IPv6. I've run such a config in the lab successfully without any problems.

With IKEv1 you can only have P2s that match the "outer" traffic (e.g. P1 uses IPv4 to establish the tunnel, P2 must use only IPv4), but IKEv2 can carry both.

maverick_slo

Hmmm.
Ipv4 tunnel works for me, but Ipv6 does not.
Rules are added, ipsec was restarted. Tracert shows traffic to go to pfsense and then it stops.

? :)

maverick_slo

Hmmm just found this on 2.2.6 box:
kernel: ip6_output (ipsec): error code 47

This error does not appear on 2.3

jimp

Not sure, lots of other places your setup could have gone wrong with IPv6. All I know is that it works here when I tried it last. P2 established and traffic v6 was passing over the tunnel, so it's not likely to be a general IPv6+IPsec problem, but something more specific to your local network settings.

maverick_slo

I know it`s old but still:
https://www.google.si/?gws_rd=ssl#q=kernel:+ip6_output+(ipsec):+error+code+47

BTW my IPv6 is configured just fine :)

maverick_slo

And this: http://lists.freebsd.org/pipermail/freebsd-net/2013-February/034653.html
If I create IPv6 tunnel it works just fine, like IPv4…

jimp

Not sure what to tell you other than to double check your work. It works fine here with IPv4 and IPv6 in a single IKEv2 tunnel:

[2.3-BETA][root@jack.dw.example.com]/root: ping -c 4 -S 192.168.43.1 10.7.0.1
PING 10.7.0.1 (10.7.0.1) from 192.168.43.1: 56 data bytes
64 bytes from 10.7.0.1: icmp_seq=0 ttl=64 time=0.855 ms
64 bytes from 10.7.0.1: icmp_seq=1 ttl=64 time=0.585 ms
64 bytes from 10.7.0.1: icmp_seq=2 ttl=64 time=0.673 ms
64 bytes from 10.7.0.1: icmp_seq=3 ttl=64 time=0.861 ms

--- 10.7.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.585/0.744/0.861/0.119 ms
[2.3-BETA][root@jack.dw.example.com]/root: ping6 -c 4 -S 2001:db8:1:eec0:20d:b9ff:fe33:f72 2001:db8:1:deb0::1
PING6(56=40+8+8 bytes) 2001:db8:1:eec0:20d:b9ff:fe33:f72 --> 2001:db8:1:deb0::1
16 bytes from 2001:db8:1:deb0::1, icmp_seq=0 hlim=64 time=1.439 ms
16 bytes from 2001:db8:1:deb0::1, icmp_seq=1 hlim=64 time=0.943 ms
16 bytes from 2001:db8:1:deb0::1, icmp_seq=2 hlim=64 time=0.956 ms
16 bytes from 2001:db8:1:deb0::1, icmp_seq=3 hlim=64 time=0.839 ms

--- 2001:db8:1:deb0::1 ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.839/1.044/1.439/0.232 ms

: tcpdump -vvvni enc0 
tcpdump: WARNING: enc0: no IPv4 address assigned
tcpdump: listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 65535 bytes
15:58:55.496876 (authentic,confidential): SPI 0xc0dbd04f: IP (tos 0x0, ttl 64, id 45404, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.43.1 > 10.7.0.1: ICMP echo request, id 16664, seq 0, length 64
15:58:55.496993 (authentic,confidential): SPI 0xc205845b: IP (tos 0x0, ttl 64, id 63546, offset 0, flags [none], proto ICMP (1), length 84, bad cksum d39b (->8cbd)!)
    10.7.0.1 > 192.168.43.1: ICMP echo reply, id 16664, seq 0, length 64
15:58:56.498392 (authentic,confidential): SPI 0xc0dbd04f: IP (tos 0x0, ttl 64, id 38240, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.43.1 > 10.7.0.1: ICMP echo request, id 16664, seq 1, length 64
15:58:56.498436 (authentic,confidential): SPI 0xc205845b: IP (tos 0x0, ttl 64, id 38618, offset 0, flags [none], proto ICMP (1), length 84, bad cksum ef97 (->ee1d)!)
    10.7.0.1 > 192.168.43.1: ICMP echo reply, id 16664, seq 1, length 64
15:58:57.557724 (authentic,confidential): SPI 0xc0dbd04f: IP (tos 0x0, ttl 64, id 28035, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.43.1 > 10.7.0.1: ICMP echo request, id 16664, seq 2, length 64
15:58:57.557766 (authentic,confidential): SPI 0xc205845b: IP (tos 0x0, ttl 64, id 41042, offset 0, flags [none], proto ICMP (1), length 84, bad cksum 1775 (->e4a5)!)
    10.7.0.1 > 192.168.43.1: ICMP echo reply, id 16664, seq 2, length 64
15:58:58.563872 (authentic,confidential): SPI 0xc0dbd04f: IP (tos 0x0, ttl 64, id 43514, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.43.1 > 10.7.0.1: ICMP echo request, id 16664, seq 3, length 64
15:58:58.563914 (authentic,confidential): SPI 0xc205845b: IP (tos 0x0, ttl 64, id 32701, offset 0, flags [none], proto ICMP (1), length 84, bad cksum dafd (->53b)!)
    10.7.0.1 > 192.168.43.1: ICMP echo reply, id 16664, seq 3, length 64
15:59:01.897952 (authentic,confidential): SPI 0xc0dbd04f: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:eec0:20d:b9ff:fe33:f72 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 0
15:59:01.898052 (authentic,confidential): SPI 0xc205845b: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:deb0::1 > 2001:db8:1:eec0:20d:b9ff:fe33:f72: [icmp6 sum ok] ICMP6, echo reply, seq 0
15:59:02.960706 (authentic,confidential): SPI 0xc0dbd04f: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:eec0:20d:b9ff:fe33:f72 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 1
15:59:02.960760 (authentic,confidential): SPI 0xc205845b: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:deb0::1 > 2001:db8:1:eec0:20d:b9ff:fe33:f72: [icmp6 sum ok] ICMP6, echo reply, seq 1
15:59:04.014537 (authentic,confidential): SPI 0xc0dbd04f: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:eec0:20d:b9ff:fe33:f72 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 2
15:59:04.014589 (authentic,confidential): SPI 0xc205845b: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:deb0::1 > 2001:db8:1:eec0:20d:b9ff:fe33:f72: [icmp6 sum ok] ICMP6, echo reply, seq 2
15:59:05.032436 (authentic,confidential): SPI 0xc0dbd04f: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:eec0:20d:b9ff:fe33:f72 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 3
15:59:05.032501 (authentic,confidential): SPI 0xc205845b: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:deb0::1 > 2001:db8:1:eec0:20d:b9ff:fe33:f72: [icmp6 sum ok] ICMP6, echo reply, seq 3

And from "ipsec statusall" for good measure…

Connections:
   bypasslan:  %any...%any  IKEv1/2
   bypasslan:   local:  uses public key authentication
   bypasslan:   remote: uses public key authentication
   bypasslan:   child:  192.168.43.0/24|/0 === 192.168.43.0/24|/0 PASS
        con1:  198.51.100.100...198.51.100.7  IKEv2, dpddelay=10s
        con1:   local:  [198.51.100.100] uses pre-shared key authentication
        con1:   remote: [198.51.100.7] uses pre-shared key authentication
        con1:   child:  192.168.43.0/24|/0 2001:db8:1:eec0::/60|/0 === 10.7.0.0/24|/0 2001:db8:1:deb0::/64|/0 TUNNEL, dpdaction=restart
Shunted Connections:
   bypasslan:  192.168.43.0/24|/0 === 192.168.43.0/24|/0 PASS
Routed Connections:
        con1{3}:  ROUTED, TUNNEL, reqid 1
        con1{3}:   192.168.43.0/24|/0 2001:db8:1:eec0::/60|/0 === 10.7.0.0/24|/0 2001:db8:1:deb0::/64|/0
Security Associations (1 up, 0 connecting):
        con1[1]: ESTABLISHED 5 minutes ago, 198.51.100.100[198.51.100.100]...198.51.100.7[198.51.100.7]
        con1[1]: IKEv2 SPIs: 77b4381031502095_i* 53b145c57a3f7c63_r, pre-shared key reauthentication in 7 hours
        con1[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        con1{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c205845b_i c0dbd04f_o
        con1{2}:  AES_CBC_256/HMAC_SHA1_96, 1456 bytes_i, 3680 bytes_o, rekeying in 39 minutes
        con1{2}:   192.168.43.0/24|/0 === 2001:db8:1:deb0::/64|/0

(granted that output looks a little funny, but it is there and working)

 setkey -DP
192.168.43.0/24[any] 192.168.43.0/24[any] any
	in none
	created: Feb  1 15:58:32 2016  lastused: Feb  1 15:58:32 2016
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=8 seq=5 pid=93603
	refcnt=1
10.7.0.0/24[any] 192.168.43.0/24[any] any
	in ipsec
	esp/tunnel/198.51.100.7-198.51.100.100/unique:1
	created: Feb  1 15:58:32 2016  lastused: Feb  1 15:58:58 2016
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=10 seq=4 pid=93603
	refcnt=1
2001:db8:1:deb0::/64[any] 2001:db8:1:eec0::/60[any] any
	in ipsec
	esp/tunnel/198.51.100.7-198.51.100.100/unique:1
	created: Feb  1 15:58:32 2016  lastused: Feb  1 15:59:05 2016
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=12 seq=3 pid=93603
	refcnt=1
192.168.43.0/24[any] 192.168.43.0/24[any] any
	out none
	created: Feb  1 15:58:32 2016  lastused: Feb  1 15:58:32 2016
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=7 seq=2 pid=93603
	refcnt=1
192.168.43.0/24[any] 10.7.0.0/24[any] any
	out ipsec
	esp/tunnel/198.51.100.100-198.51.100.7/unique:1
	created: Feb  1 15:58:32 2016  lastused: Feb  1 15:58:58 2016
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=9 seq=1 pid=93603
	refcnt=1
2001:db8:1:eec0::/60[any] 2001:db8:1:deb0::/64[any] any
	out ipsec
	esp/tunnel/198.51.100.100-198.51.100.7/unique:1
	created: Feb  1 15:58:32 2016  lastused: Feb  1 15:59:05 2016
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=11 seq=0 pid=93603
	refcnt=1

maverick_slo

Hmmmm… OK
Do you have any recommendations where to start looking?
I added firewall rules on IPSEC interfaces on both sides and set them to allow any any IPv6 for test purposes.
I do not block IPv6 anywhere.

Wireshark shows this on local ipsec iface when I ping:

22:07:05.969317 (authentic,confidential): SPI 0xce682ffa: (hlim 127, next-header ICMPv6 (58) payload length: 40) 2001:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX > 2a01:XXX:XXXX:XXXX::XXX: [icmp6 sum ok] ICMP6, echo request, seq 45
22:07:10.676559 (authentic,confidential): SPI 0xce682ffa: (hlim 127, next-header ICMPv6 (58) payload length: 40) 2001:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX > 2a01:XXX:XXXX:XXXX::XXX: [icmp6 sum ok] ICMP6, echo request, seq 46
22:07:15.675531 (authentic,confidential): SPI 0xce682ffa: (hlim 127, next-header ICMPv6 (58) payload length: 40) 2001:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX > 2a01:XXX:XXXX:XXXX::XXX: [icmp6 sum ok] ICMP6, echo request, seq 47

And each ping from 2.3 network to 2.2.6 network produces above (kernel: ip6_output (ipsec): error code 47) error on 2.2.6 system.
So traffic comes to 2.2.6 and there it stops or something ?

Thanks!

jimp

Not sure there. I had that same tunnel I showed above working between 2.2.5 and 2.3 before upgrading the older system to 2.3. I don't have an active one that goes between 2.2.6 and 2.3 to test at the moment. I tested both because for a while we prevented both from being configured. I made sure it worked before relaxing the input validation.

https://redmine.pfsense.org/issues/5305
https://doc.pfsense.org/index.php/2.2.5_New_Features_and_Changes#IPsec

maverick_slo

As I suspected there is a problem with 2.2.6 and IKEv2 P2.

It does not work, at least 32-bit is not working with ipv4 and ipv6 both inside one P1.

I upgraded 2.2.6 to 2.3 and IPv6 tunnel inside IPv4 P1 is working just fine.

jimp

It's possible it's specific to 32-bit but I'm not sure how. Either way, if it works on 2.3 there is nothing to fix currently. If we do another 2.2.x release it will only be a security release and wouldn't be used to address something like this.

maverick_slo

Yeah, but I cant help myself, I like to know when Im wrong and this time my config checked out just fine :)