Ipsec ikev2
-
Hi!
Created IKEv2 tunnel for IPv4 and it works fine.
Added IPv6 tunnel and traffic doesn`t flow.
Rules are added allow any to any ipv6 on ipsec iface.I
ve read somwhere that iupv4 and ipv6 P2 don
t play nicely together is that true?
Should I create native IPv6 P1 and then add ipv6 P2?Thanks!
-
With IKEv2 you can have a P2 for IPv4 and a P2 for IPv6. I've run such a config in the lab successfully without any problems.
With IKEv1 you can only have P2s that match the "outer" traffic (e.g. P1 uses IPv4 to establish the tunnel, P2 must use only IPv4), but IKEv2 can carry both.
-
Hmmm.
Ipv4 tunnel works for me, but Ipv6 does not.
Rules are added, ipsec was restarted. Tracert shows traffic to go to pfsense and then it stops.? :)
-
Hmmm just found this on 2.2.6 box:
kernel: ip6_output (ipsec): error code 47This error does not appear on 2.3
-
Not sure, lots of other places your setup could have gone wrong with IPv6. All I know is that it works here when I tried it last. P2 established and traffic v6 was passing over the tunnel, so it's not likely to be a general IPv6+IPsec problem, but something more specific to your local network settings.
-
I know it`s old but still:
https://www.google.si/?gws_rd=ssl#q=kernel:+ip6_output+%28ipsec%29:+error+code+47BTW my IPv6 is configured just fine :)
-
And this: http://lists.freebsd.org/pipermail/freebsd-net/2013-February/034653.html
If I create IPv6 tunnel it works just fine, like IPv4… -
Not sure what to tell you other than to double check your work. It works fine here with IPv4 and IPv6 in a single IKEv2 tunnel:
[2.3-BETA][root@jack.dw.example.com]/root: ping -c 4 -S 192.168.43.1 10.7.0.1 PING 10.7.0.1 (10.7.0.1) from 192.168.43.1: 56 data bytes 64 bytes from 10.7.0.1: icmp_seq=0 ttl=64 time=0.855 ms 64 bytes from 10.7.0.1: icmp_seq=1 ttl=64 time=0.585 ms 64 bytes from 10.7.0.1: icmp_seq=2 ttl=64 time=0.673 ms 64 bytes from 10.7.0.1: icmp_seq=3 ttl=64 time=0.861 ms --- 10.7.0.1 ping statistics --- 4 packets transmitted, 4 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 0.585/0.744/0.861/0.119 ms [2.3-BETA][root@jack.dw.example.com]/root: ping6 -c 4 -S 2001:db8:1:eec0:20d:b9ff:fe33:f72 2001:db8:1:deb0::1 PING6(56=40+8+8 bytes) 2001:db8:1:eec0:20d:b9ff:fe33:f72 --> 2001:db8:1:deb0::1 16 bytes from 2001:db8:1:deb0::1, icmp_seq=0 hlim=64 time=1.439 ms 16 bytes from 2001:db8:1:deb0::1, icmp_seq=1 hlim=64 time=0.943 ms 16 bytes from 2001:db8:1:deb0::1, icmp_seq=2 hlim=64 time=0.956 ms 16 bytes from 2001:db8:1:deb0::1, icmp_seq=3 hlim=64 time=0.839 ms --- 2001:db8:1:deb0::1 ping6 statistics --- 4 packets transmitted, 4 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 0.839/1.044/1.439/0.232 ms
: tcpdump -vvvni enc0 tcpdump: WARNING: enc0: no IPv4 address assigned tcpdump: listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 65535 bytes 15:58:55.496876 (authentic,confidential): SPI 0xc0dbd04f: IP (tos 0x0, ttl 64, id 45404, offset 0, flags [none], proto ICMP (1), length 84) 192.168.43.1 > 10.7.0.1: ICMP echo request, id 16664, seq 0, length 64 15:58:55.496993 (authentic,confidential): SPI 0xc205845b: IP (tos 0x0, ttl 64, id 63546, offset 0, flags [none], proto ICMP (1), length 84, bad cksum d39b (->8cbd)!) 10.7.0.1 > 192.168.43.1: ICMP echo reply, id 16664, seq 0, length 64 15:58:56.498392 (authentic,confidential): SPI 0xc0dbd04f: IP (tos 0x0, ttl 64, id 38240, offset 0, flags [none], proto ICMP (1), length 84) 192.168.43.1 > 10.7.0.1: ICMP echo request, id 16664, seq 1, length 64 15:58:56.498436 (authentic,confidential): SPI 0xc205845b: IP (tos 0x0, ttl 64, id 38618, offset 0, flags [none], proto ICMP (1), length 84, bad cksum ef97 (->ee1d)!) 10.7.0.1 > 192.168.43.1: ICMP echo reply, id 16664, seq 1, length 64 15:58:57.557724 (authentic,confidential): SPI 0xc0dbd04f: IP (tos 0x0, ttl 64, id 28035, offset 0, flags [none], proto ICMP (1), length 84) 192.168.43.1 > 10.7.0.1: ICMP echo request, id 16664, seq 2, length 64 15:58:57.557766 (authentic,confidential): SPI 0xc205845b: IP (tos 0x0, ttl 64, id 41042, offset 0, flags [none], proto ICMP (1), length 84, bad cksum 1775 (->e4a5)!) 10.7.0.1 > 192.168.43.1: ICMP echo reply, id 16664, seq 2, length 64 15:58:58.563872 (authentic,confidential): SPI 0xc0dbd04f: IP (tos 0x0, ttl 64, id 43514, offset 0, flags [none], proto ICMP (1), length 84) 192.168.43.1 > 10.7.0.1: ICMP echo request, id 16664, seq 3, length 64 15:58:58.563914 (authentic,confidential): SPI 0xc205845b: IP (tos 0x0, ttl 64, id 32701, offset 0, flags [none], proto ICMP (1), length 84, bad cksum dafd (->53b)!) 10.7.0.1 > 192.168.43.1: ICMP echo reply, id 16664, seq 3, length 64 15:59:01.897952 (authentic,confidential): SPI 0xc0dbd04f: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:eec0:20d:b9ff:fe33:f72 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 0 15:59:01.898052 (authentic,confidential): SPI 0xc205845b: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:deb0::1 > 2001:db8:1:eec0:20d:b9ff:fe33:f72: [icmp6 sum ok] ICMP6, echo reply, seq 0 15:59:02.960706 (authentic,confidential): SPI 0xc0dbd04f: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:eec0:20d:b9ff:fe33:f72 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 1 15:59:02.960760 (authentic,confidential): SPI 0xc205845b: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:deb0::1 > 2001:db8:1:eec0:20d:b9ff:fe33:f72: [icmp6 sum ok] ICMP6, echo reply, seq 1 15:59:04.014537 (authentic,confidential): SPI 0xc0dbd04f: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:eec0:20d:b9ff:fe33:f72 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 2 15:59:04.014589 (authentic,confidential): SPI 0xc205845b: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:deb0::1 > 2001:db8:1:eec0:20d:b9ff:fe33:f72: [icmp6 sum ok] ICMP6, echo reply, seq 2 15:59:05.032436 (authentic,confidential): SPI 0xc0dbd04f: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:eec0:20d:b9ff:fe33:f72 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 3 15:59:05.032501 (authentic,confidential): SPI 0xc205845b: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:deb0::1 > 2001:db8:1:eec0:20d:b9ff:fe33:f72: [icmp6 sum ok] ICMP6, echo reply, seq 3
And from "ipsec statusall" for good measure…
Connections: bypasslan: %any...%any IKEv1/2 bypasslan: local: uses public key authentication bypasslan: remote: uses public key authentication bypasslan: child: 192.168.43.0/24|/0 === 192.168.43.0/24|/0 PASS con1: 198.51.100.100...198.51.100.7 IKEv2, dpddelay=10s con1: local: [198.51.100.100] uses pre-shared key authentication con1: remote: [198.51.100.7] uses pre-shared key authentication con1: child: 192.168.43.0/24|/0 2001:db8:1:eec0::/60|/0 === 10.7.0.0/24|/0 2001:db8:1:deb0::/64|/0 TUNNEL, dpdaction=restart Shunted Connections: bypasslan: 192.168.43.0/24|/0 === 192.168.43.0/24|/0 PASS Routed Connections: con1{3}: ROUTED, TUNNEL, reqid 1 con1{3}: 192.168.43.0/24|/0 2001:db8:1:eec0::/60|/0 === 10.7.0.0/24|/0 2001:db8:1:deb0::/64|/0 Security Associations (1 up, 0 connecting): con1[1]: ESTABLISHED 5 minutes ago, 198.51.100.100[198.51.100.100]...198.51.100.7[198.51.100.7] con1[1]: IKEv2 SPIs: 77b4381031502095_i* 53b145c57a3f7c63_r, pre-shared key reauthentication in 7 hours con1[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 con1{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c205845b_i c0dbd04f_o con1{2}: AES_CBC_256/HMAC_SHA1_96, 1456 bytes_i, 3680 bytes_o, rekeying in 39 minutes con1{2}: 192.168.43.0/24|/0 === 2001:db8:1:deb0::/64|/0
(granted that output looks a little funny, but it is there and working)
setkey -DP 192.168.43.0/24[any] 192.168.43.0/24[any] any in none created: Feb 1 15:58:32 2016 lastused: Feb 1 15:58:32 2016 lifetime: 9223372036854775807(s) validtime: 0(s) spid=8 seq=5 pid=93603 refcnt=1 10.7.0.0/24[any] 192.168.43.0/24[any] any in ipsec esp/tunnel/198.51.100.7-198.51.100.100/unique:1 created: Feb 1 15:58:32 2016 lastused: Feb 1 15:58:58 2016 lifetime: 9223372036854775807(s) validtime: 0(s) spid=10 seq=4 pid=93603 refcnt=1 2001:db8:1:deb0::/64[any] 2001:db8:1:eec0::/60[any] any in ipsec esp/tunnel/198.51.100.7-198.51.100.100/unique:1 created: Feb 1 15:58:32 2016 lastused: Feb 1 15:59:05 2016 lifetime: 9223372036854775807(s) validtime: 0(s) spid=12 seq=3 pid=93603 refcnt=1 192.168.43.0/24[any] 192.168.43.0/24[any] any out none created: Feb 1 15:58:32 2016 lastused: Feb 1 15:58:32 2016 lifetime: 9223372036854775807(s) validtime: 0(s) spid=7 seq=2 pid=93603 refcnt=1 192.168.43.0/24[any] 10.7.0.0/24[any] any out ipsec esp/tunnel/198.51.100.100-198.51.100.7/unique:1 created: Feb 1 15:58:32 2016 lastused: Feb 1 15:58:58 2016 lifetime: 9223372036854775807(s) validtime: 0(s) spid=9 seq=1 pid=93603 refcnt=1 2001:db8:1:eec0::/60[any] 2001:db8:1:deb0::/64[any] any out ipsec esp/tunnel/198.51.100.100-198.51.100.7/unique:1 created: Feb 1 15:58:32 2016 lastused: Feb 1 15:59:05 2016 lifetime: 9223372036854775807(s) validtime: 0(s) spid=11 seq=0 pid=93603 refcnt=1
-
Hmmmm… OK
Do you have any recommendations where to start looking?
I added firewall rules on IPSEC interfaces on both sides and set them to allow any any IPv6 for test purposes.
I do not block IPv6 anywhere.Wireshark shows this on local ipsec iface when I ping:
22:07:05.969317 (authentic,confidential): SPI 0xce682ffa: (hlim 127, next-header ICMPv6 (58) payload length: 40) 2001:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX > 2a01:XXX:XXXX:XXXX::XXX: [icmp6 sum ok] ICMP6, echo request, seq 45 22:07:10.676559 (authentic,confidential): SPI 0xce682ffa: (hlim 127, next-header ICMPv6 (58) payload length: 40) 2001:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX > 2a01:XXX:XXXX:XXXX::XXX: [icmp6 sum ok] ICMP6, echo request, seq 46 22:07:15.675531 (authentic,confidential): SPI 0xce682ffa: (hlim 127, next-header ICMPv6 (58) payload length: 40) 2001:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX > 2a01:XXX:XXXX:XXXX::XXX: [icmp6 sum ok] ICMP6, echo request, seq 47
And each ping from 2.3 network to 2.2.6 network produces above (kernel: ip6_output (ipsec): error code 47) error on 2.2.6 system.
So traffic comes to 2.2.6 and there it stops or something ?Thanks!
-
Not sure there. I had that same tunnel I showed above working between 2.2.5 and 2.3 before upgrading the older system to 2.3. I don't have an active one that goes between 2.2.6 and 2.3 to test at the moment. I tested both because for a while we prevented both from being configured. I made sure it worked before relaxing the input validation.
https://redmine.pfsense.org/issues/5305
https://doc.pfsense.org/index.php/2.2.5_New_Features_and_Changes#IPsec -
As I suspected there is a problem with 2.2.6 and IKEv2 P2.
It does not work, at least 32-bit is not working with ipv4 and ipv6 both inside one P1.
I upgraded 2.2.6 to 2.3 and IPv6 tunnel inside IPv4 P1 is working just fine.
-
It's possible it's specific to 32-bit but I'm not sure how. Either way, if it works on 2.3 there is nothing to fix currently. If we do another 2.2.x release it will only be a security release and wouldn't be used to address something like this.
-
Yeah, but I can
t help myself, I like to know when I
m wrong and this time my config checked out just fine :)