IPsec IKEv2

Category: 2.3-RC Snapshot Feedback and Issues - ARCHIVED
13 Posts, 2 Posters, 3.2k Views
maverick_slo

      Hi!

Created an IKEv2 tunnel for IPv4 and it works fine.
Added an IPv6 tunnel and traffic doesn't flow.
Rules are added to allow any to any IPv6 on the IPsec interface.

I've read somewhere that IPv4 and IPv6 P2s don't play nicely together; is that true?
Should I create a native IPv6 P1 and then add the IPv6 P2?

      Thanks!

jimp (Rebel Alliance Developer, Netgate)

        With IKEv2 you can have a P2 for IPv4 and a P2 for IPv6. I've run such a config in the lab successfully without any problems.

        With IKEv1 you can only have P2s that match the "outer" traffic (e.g. P1 uses IPv4 to establish the tunnel, P2 must use only IPv4), but IKEv2 can carry both.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

maverick_slo

Hmmm.
The IPv4 tunnel works for me, but IPv6 does not.
Rules are added, IPsec was restarted. Tracert shows traffic going to pfSense and then it stops.

          ? :)

maverick_slo

Hmmm, just found this on a 2.2.6 box:
            kernel: ip6_output (ipsec): error code 47

            This error does not appear on 2.3

jimp

              Not sure, lots of other places your setup could have gone wrong with IPv6. All I know is that it works here when I tried it last. P2 established and traffic v6 was passing over the tunnel, so it's not likely to be a general IPv6+IPsec problem, but something more specific to your local network settings.


maverick_slo

I know it's old but still:
                https://www.google.si/?gws_rd=ssl#q=kernel:+ip6_output+%28ipsec%29:+error+code+47

                BTW my IPv6 is configured just fine :)

maverick_slo

                  And this: http://lists.freebsd.org/pipermail/freebsd-net/2013-February/034653.html
If I create an IPv6 tunnel it works just fine, like IPv4…

jimp

                    Not sure what to tell you other than to double check your work. It works fine here with IPv4 and IPv6 in a single IKEv2 tunnel:

                    [2.3-BETA][root@jack.dw.example.com]/root: ping -c 4 -S 192.168.43.1 10.7.0.1
                    PING 10.7.0.1 (10.7.0.1) from 192.168.43.1: 56 data bytes
                    64 bytes from 10.7.0.1: icmp_seq=0 ttl=64 time=0.855 ms
                    64 bytes from 10.7.0.1: icmp_seq=1 ttl=64 time=0.585 ms
                    64 bytes from 10.7.0.1: icmp_seq=2 ttl=64 time=0.673 ms
                    64 bytes from 10.7.0.1: icmp_seq=3 ttl=64 time=0.861 ms
                    
                    --- 10.7.0.1 ping statistics ---
                    4 packets transmitted, 4 packets received, 0.0% packet loss
                    round-trip min/avg/max/stddev = 0.585/0.744/0.861/0.119 ms
                    [2.3-BETA][root@jack.dw.example.com]/root: ping6 -c 4 -S 2001:db8:1:eec0:20d:b9ff:fe33:f72 2001:db8:1:deb0::1
                    PING6(56=40+8+8 bytes) 2001:db8:1:eec0:20d:b9ff:fe33:f72 --> 2001:db8:1:deb0::1
                    16 bytes from 2001:db8:1:deb0::1, icmp_seq=0 hlim=64 time=1.439 ms
                    16 bytes from 2001:db8:1:deb0::1, icmp_seq=1 hlim=64 time=0.943 ms
                    16 bytes from 2001:db8:1:deb0::1, icmp_seq=2 hlim=64 time=0.956 ms
                    16 bytes from 2001:db8:1:deb0::1, icmp_seq=3 hlim=64 time=0.839 ms
                    
                    --- 2001:db8:1:deb0::1 ping6 statistics ---
                    4 packets transmitted, 4 packets received, 0.0% packet loss
                    round-trip min/avg/max/std-dev = 0.839/1.044/1.439/0.232 ms
                    
                    
                    : tcpdump -vvvni enc0 
                    tcpdump: WARNING: enc0: no IPv4 address assigned
                    tcpdump: listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 65535 bytes
                    15:58:55.496876 (authentic,confidential): SPI 0xc0dbd04f: IP (tos 0x0, ttl 64, id 45404, offset 0, flags [none], proto ICMP (1), length 84)
                        192.168.43.1 > 10.7.0.1: ICMP echo request, id 16664, seq 0, length 64
                    15:58:55.496993 (authentic,confidential): SPI 0xc205845b: IP (tos 0x0, ttl 64, id 63546, offset 0, flags [none], proto ICMP (1), length 84, bad cksum d39b (->8cbd)!)
                        10.7.0.1 > 192.168.43.1: ICMP echo reply, id 16664, seq 0, length 64
                    15:58:56.498392 (authentic,confidential): SPI 0xc0dbd04f: IP (tos 0x0, ttl 64, id 38240, offset 0, flags [none], proto ICMP (1), length 84)
                        192.168.43.1 > 10.7.0.1: ICMP echo request, id 16664, seq 1, length 64
                    15:58:56.498436 (authentic,confidential): SPI 0xc205845b: IP (tos 0x0, ttl 64, id 38618, offset 0, flags [none], proto ICMP (1), length 84, bad cksum ef97 (->ee1d)!)
                        10.7.0.1 > 192.168.43.1: ICMP echo reply, id 16664, seq 1, length 64
                    15:58:57.557724 (authentic,confidential): SPI 0xc0dbd04f: IP (tos 0x0, ttl 64, id 28035, offset 0, flags [none], proto ICMP (1), length 84)
                        192.168.43.1 > 10.7.0.1: ICMP echo request, id 16664, seq 2, length 64
                    15:58:57.557766 (authentic,confidential): SPI 0xc205845b: IP (tos 0x0, ttl 64, id 41042, offset 0, flags [none], proto ICMP (1), length 84, bad cksum 1775 (->e4a5)!)
                        10.7.0.1 > 192.168.43.1: ICMP echo reply, id 16664, seq 2, length 64
                    15:58:58.563872 (authentic,confidential): SPI 0xc0dbd04f: IP (tos 0x0, ttl 64, id 43514, offset 0, flags [none], proto ICMP (1), length 84)
                        192.168.43.1 > 10.7.0.1: ICMP echo request, id 16664, seq 3, length 64
                    15:58:58.563914 (authentic,confidential): SPI 0xc205845b: IP (tos 0x0, ttl 64, id 32701, offset 0, flags [none], proto ICMP (1), length 84, bad cksum dafd (->53b)!)
                        10.7.0.1 > 192.168.43.1: ICMP echo reply, id 16664, seq 3, length 64
                    15:59:01.897952 (authentic,confidential): SPI 0xc0dbd04f: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:eec0:20d:b9ff:fe33:f72 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 0
                    15:59:01.898052 (authentic,confidential): SPI 0xc205845b: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:deb0::1 > 2001:db8:1:eec0:20d:b9ff:fe33:f72: [icmp6 sum ok] ICMP6, echo reply, seq 0
                    15:59:02.960706 (authentic,confidential): SPI 0xc0dbd04f: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:eec0:20d:b9ff:fe33:f72 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 1
                    15:59:02.960760 (authentic,confidential): SPI 0xc205845b: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:deb0::1 > 2001:db8:1:eec0:20d:b9ff:fe33:f72: [icmp6 sum ok] ICMP6, echo reply, seq 1
                    15:59:04.014537 (authentic,confidential): SPI 0xc0dbd04f: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:eec0:20d:b9ff:fe33:f72 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 2
                    15:59:04.014589 (authentic,confidential): SPI 0xc205845b: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:deb0::1 > 2001:db8:1:eec0:20d:b9ff:fe33:f72: [icmp6 sum ok] ICMP6, echo reply, seq 2
                    15:59:05.032436 (authentic,confidential): SPI 0xc0dbd04f: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:eec0:20d:b9ff:fe33:f72 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 3
                    15:59:05.032501 (authentic,confidential): SPI 0xc205845b: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:deb0::1 > 2001:db8:1:eec0:20d:b9ff:fe33:f72: [icmp6 sum ok] ICMP6, echo reply, seq 3
                    
                    

                    And from "ipsec statusall" for good measure…

                    Connections:
                       bypasslan:  %any...%any  IKEv1/2
                       bypasslan:   local:  uses public key authentication
                       bypasslan:   remote: uses public key authentication
                       bypasslan:   child:  192.168.43.0/24|/0 === 192.168.43.0/24|/0 PASS
                            con1:  198.51.100.100...198.51.100.7  IKEv2, dpddelay=10s
                            con1:   local:  [198.51.100.100] uses pre-shared key authentication
                            con1:   remote: [198.51.100.7] uses pre-shared key authentication
                            con1:   child:  192.168.43.0/24|/0 2001:db8:1:eec0::/60|/0 === 10.7.0.0/24|/0 2001:db8:1:deb0::/64|/0 TUNNEL, dpdaction=restart
                    Shunted Connections:
                       bypasslan:  192.168.43.0/24|/0 === 192.168.43.0/24|/0 PASS
                    Routed Connections:
                            con1{3}:  ROUTED, TUNNEL, reqid 1
                            con1{3}:   192.168.43.0/24|/0 2001:db8:1:eec0::/60|/0 === 10.7.0.0/24|/0 2001:db8:1:deb0::/64|/0
                    Security Associations (1 up, 0 connecting):
                            con1[1]: ESTABLISHED 5 minutes ago, 198.51.100.100[198.51.100.100]...198.51.100.7[198.51.100.7]
                            con1[1]: IKEv2 SPIs: 77b4381031502095_i* 53b145c57a3f7c63_r, pre-shared key reauthentication in 7 hours
                            con1[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                            con1{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c205845b_i c0dbd04f_o
                            con1{2}:  AES_CBC_256/HMAC_SHA1_96, 1456 bytes_i, 3680 bytes_o, rekeying in 39 minutes
                            con1{2}:   192.168.43.0/24|/0 === 2001:db8:1:deb0::/64|/0
                    
                    

                    (granted that output looks a little funny, but it is there and working)

                     setkey -DP
                    192.168.43.0/24[any] 192.168.43.0/24[any] any
                    	in none
                    	created: Feb  1 15:58:32 2016  lastused: Feb  1 15:58:32 2016
                    	lifetime: 9223372036854775807(s) validtime: 0(s)
                    	spid=8 seq=5 pid=93603
                    	refcnt=1
                    10.7.0.0/24[any] 192.168.43.0/24[any] any
                    	in ipsec
                    	esp/tunnel/198.51.100.7-198.51.100.100/unique:1
                    	created: Feb  1 15:58:32 2016  lastused: Feb  1 15:58:58 2016
                    	lifetime: 9223372036854775807(s) validtime: 0(s)
                    	spid=10 seq=4 pid=93603
                    	refcnt=1
                    2001:db8:1:deb0::/64[any] 2001:db8:1:eec0::/60[any] any
                    	in ipsec
                    	esp/tunnel/198.51.100.7-198.51.100.100/unique:1
                    	created: Feb  1 15:58:32 2016  lastused: Feb  1 15:59:05 2016
                    	lifetime: 9223372036854775807(s) validtime: 0(s)
                    	spid=12 seq=3 pid=93603
                    	refcnt=1
                    192.168.43.0/24[any] 192.168.43.0/24[any] any
                    	out none
                    	created: Feb  1 15:58:32 2016  lastused: Feb  1 15:58:32 2016
                    	lifetime: 9223372036854775807(s) validtime: 0(s)
                    	spid=7 seq=2 pid=93603
                    	refcnt=1
                    192.168.43.0/24[any] 10.7.0.0/24[any] any
                    	out ipsec
                    	esp/tunnel/198.51.100.100-198.51.100.7/unique:1
                    	created: Feb  1 15:58:32 2016  lastused: Feb  1 15:58:58 2016
                    	lifetime: 9223372036854775807(s) validtime: 0(s)
                    	spid=9 seq=1 pid=93603
                    	refcnt=1
                    2001:db8:1:eec0::/60[any] 2001:db8:1:deb0::/64[any] any
                    	out ipsec
                    	esp/tunnel/198.51.100.100-198.51.100.7/unique:1
                    	created: Feb  1 15:58:32 2016  lastused: Feb  1 15:59:05 2016
                    	lifetime: 9223372036854775807(s) validtime: 0(s)
                    	spid=11 seq=0 pid=93603
                    	refcnt=1
                    
                    

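The `setkey -DP` dump above is where to confirm that the second P2 actually landed in the kernel: a working config shows an `in ipsec` and an `out ipsec` policy for each address family, and their `lastused` stamps move once traffic hits them. The script below, added here as an example and not part of this thread or of pfSense, parses that dump and reports per family whether both directions exist and whether each has matched any traffic. It assumes the FreeBSD `setkey -DP` layout shown in the post above; the embedded sample is jimp's dump, trimmed to the lines the parser reads.

```python
"""Audit the IPsec SPD (`setkey -DP`) for IPv4 and IPv6 coverage.

Added example for this thread, not pfSense or strongSwan code. It assumes the
FreeBSD `setkey -DP` layout shown above: a selector line at column 0, then
indented `in|out <action>`, `esp/tunnel/...`, `created:/lastused:` and `spid=`
lines. Unknown lines (lifetime, refcnt) are ignored.
"""
import ipaddress
import re
import sys

# Sample input: the dump posted above (documentation addresses), trimmed to the
# lines this parser reads. Real output indents with tabs; both are accepted.
SAMPLE_SPD = """\
192.168.43.0/24[any] 192.168.43.0/24[any] any
    in none
    created: Feb  1 15:58:32 2016  lastused: Feb  1 15:58:32 2016
    spid=8 seq=5 pid=93603
10.7.0.0/24[any] 192.168.43.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.7-198.51.100.100/unique:1
    created: Feb  1 15:58:32 2016  lastused: Feb  1 15:58:58 2016
    spid=10 seq=4 pid=93603
2001:db8:1:deb0::/64[any] 2001:db8:1:eec0::/60[any] any
    in ipsec
    esp/tunnel/198.51.100.7-198.51.100.100/unique:1
    created: Feb  1 15:58:32 2016  lastused: Feb  1 15:59:05 2016
    spid=12 seq=3 pid=93603
192.168.43.0/24[any] 10.7.0.0/24[any] any
    out ipsec
    esp/tunnel/198.51.100.100-198.51.100.7/unique:1
    created: Feb  1 15:58:32 2016  lastused: Feb  1 15:58:58 2016
    spid=9 seq=1 pid=93603
2001:db8:1:eec0::/60[any] 2001:db8:1:deb0::/64[any] any
    out ipsec
    esp/tunnel/198.51.100.100-198.51.100.7/unique:1
    created: Feb  1 15:58:32 2016  lastused: Feb  1 15:59:05 2016
    spid=11 seq=0 pid=93603
"""

HEADER_RE = re.compile(r'^([^\s\[]+)\[[^\]]*\] ([^\s\[]+)\[[^\]]*\] (\S+)\s*$')
DIR_RE = re.compile(r'^\s+(in|out|fwd) (none|ipsec|discard)\s*$')
TUNNEL_RE = re.compile(r'^\s+(esp|ah|ipcomp)/(tunnel|transport)/(\S+)-(\S+)/\S+\s*$')
TIME_RE = re.compile(r'^\s+created: (.+?)\s+lastused: (.+?)\s*$')
SPID_RE = re.compile(r'^\s+spid=(\d+)')


def parse_spd(text):
    """Return one dict per security policy in `setkey -DP` output."""
    policies, cur = [], None
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            src, dst, proto = m.groups()
            cur = {'src': ipaddress.ip_network(src, strict=False),
                   'dst': ipaddress.ip_network(dst, strict=False), 'proto': proto,
                   'dir': None, 'action': None, 'outer': None,
                   'created': None, 'lastused': None, 'spid': None}
            policies.append(cur)
        elif cur is None:
            continue
        elif (m := DIR_RE.match(line)):
            cur['dir'], cur['action'] = m.groups()
        elif (m := TUNNEL_RE.match(line)):
            cur['outer'] = (m.group(3), m.group(4))  # outer src -> outer dst
        elif (m := TIME_RE.match(line)):
            cur['created'], cur['lastused'] = m.groups()
        elif (m := SPID_RE.match(line)):
            cur['spid'] = int(m.group(1))
    return policies


def audit_spd(policies):
    """Per address family: protected (action=ipsec) policies per direction and
    whether each direction has matched a packet since it was installed."""
    def used(ps):
        # The kernel stamps lastused when a packet hits the policy; equal to
        # created means the policy has never been consulted.
        return any(p['lastused'] != p['created'] for p in ps)
    report = {}
    for fam in (4, 6):
        prot = [p for p in policies if p['action'] == 'ipsec' and p['src'].version == fam]
        out = [p for p in prot if p['dir'] == 'out']
        inb = [p for p in prot if p['dir'] == 'in']
        report[fam] = {'out_policies': len(out), 'in_policies': len(inb),
                       'out_used': used(out), 'in_used': used(inb)}
    return report


def findings(report):
    """Verdicts per family; empty when both directions exist and have carried traffic."""
    msgs = []
    for fam, r in sorted(report.items()):
        if not r['out_policies'] or not r['in_policies']:
            msgs.append(f"IPv{fam}: no protected SPD entry in one or both directions; the child "
                        f"SA for this family was not installed (check P2 selectors on both peers)")
        elif not r['out_used']:
            msgs.append(f"IPv{fam}: outbound policy never matched; IPv{fam} traffic is not being "
                        f"steered into the tunnel on this side (routing or firewall)")
        elif not r['in_used']:
            msgs.append(f"IPv{fam}: outbound policy used but nothing decrypted inbound; the far "
                        f"side is dropping or not returning IPv{fam} traffic")
    return msgs


if __name__ == '__main__':
    text = SAMPLE_SPD if sys.stdin.isatty() else sys.stdin.read()
    print('\n'.join(findings(audit_spd(parse_spd(text))) or ['OK: both families have working policies']))
```

Run it on a live box as `setkey -DP | python3 spd_audit.py` (file name assumed). The useful distinction is between the three verdicts: no IPv6 policy at all means the IPv6 child SA was never negotiated, an unused outbound policy points at routing or firewall rules on this side, and an outbound policy that is hit while the inbound one never is means the packets are leaving but the peer is not answering, which is exactly what the rest of this thread chases on the 2.2.6 side.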
maverick_slo

                      Hmmmm… OK
                      Do you have any recommendations where to start looking?
I added firewall rules on the IPsec interfaces on both sides and set them to allow any-to-any IPv6 for test purposes.
                      I do not block IPv6 anywhere.

                      Wireshark shows this on local ipsec iface when I ping:

                      
                      22:07:05.969317 (authentic,confidential): SPI 0xce682ffa: (hlim 127, next-header ICMPv6 (58) payload length: 40) 2001:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX > 2a01:XXX:XXXX:XXXX::XXX: [icmp6 sum ok] ICMP6, echo request, seq 45
                      22:07:10.676559 (authentic,confidential): SPI 0xce682ffa: (hlim 127, next-header ICMPv6 (58) payload length: 40) 2001:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX > 2a01:XXX:XXXX:XXXX::XXX: [icmp6 sum ok] ICMP6, echo request, seq 46
                      22:07:15.675531 (authentic,confidential): SPI 0xce682ffa: (hlim 127, next-header ICMPv6 (58) payload length: 40) 2001:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX > 2a01:XXX:XXXX:XXXX::XXX: [icmp6 sum ok] ICMP6, echo request, seq 47
                      
                      

And each ping from the 2.3 network to the 2.2.6 network produces the above (kernel: ip6_output (ipsec): error code 47) error on the 2.2.6 system.
So traffic comes to 2.2.6 and there it stops or something?

                      Thanks!

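The capture above shows IPv6 echo requests going out on one SPI and nothing coming back on the other, which is the signature of a tunnel that is up but one-way for that family. The script below, added as an example and not part of this thread or of pfSense, pairs echo requests with replies in `tcpdump -vvvni enc0` output and reports one-way traffic per address family instead of leaving it to be eyeballed. It assumes the FreeBSD enc0 line format shown in this thread (ENC link type, one SPI per record, IPv4 records wrapped onto an indented second line); the healthy sample is taken from jimp's capture, and the one-way sample is constructed with documentation addresses to mirror maverick_slo's.

```python
"""Pair ICMP echo requests with replies on enc0 to detect one-way IPsec traffic.

Added example for this thread, not pfSense code. It assumes the FreeBSD
`tcpdump -vvvni enc0` line format shown above (ENC link type, one SPI per
record, IPv4 records wrapped onto a second indented line).
"""
import re
import sys

# Four records taken from the working capture posted above (documentation addresses).
HEALTHY = """\
15:58:55.496876 (authentic,confidential): SPI 0xc0dbd04f: IP (tos 0x0, ttl 64, id 45404, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.43.1 > 10.7.0.1: ICMP echo request, id 16664, seq 0, length 64
15:58:55.496993 (authentic,confidential): SPI 0xc205845b: IP (tos 0x0, ttl 64, id 63546, offset 0, flags [none], proto ICMP (1), length 84, bad cksum d39b (->8cbd)!)
    10.7.0.1 > 192.168.43.1: ICMP echo reply, id 16664, seq 0, length 64
15:59:01.897952 (authentic,confidential): SPI 0xc0dbd04f: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:eec0:20d:b9ff:fe33:f72 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 0
15:59:01.898052 (authentic,confidential): SPI 0xc205845b: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:deb0::1 > 2001:db8:1:eec0:20d:b9ff:fe33:f72: [icmp6 sum ok] ICMP6, echo reply, seq 0
"""

# Constructed sample modelled on the failing capture above: IPv6 requests leave
# through one SPI and no reply ever appears (addresses are documentation ranges).
ONE_WAY = """\
22:07:05.969317 (authentic,confidential): SPI 0xce682ffa: (hlim 127, next-header ICMPv6 (58) payload length: 40) 2001:db8:1:eec0::10 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 45
22:07:10.676559 (authentic,confidential): SPI 0xce682ffa: (hlim 127, next-header ICMPv6 (58) payload length: 40) 2001:db8:1:eec0::10 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 46
22:07:15.675531 (authentic,confidential): SPI 0xce682ffa: (hlim 127, next-header ICMPv6 (58) payload length: 40) 2001:db8:1:eec0::10 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 47
"""

PKT_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) \((?P<flags>[^)]*)\): SPI (?P<spi>0x[0-9a-f]+): '
    r'.*?(?P<src>[0-9a-f.:]+) > (?P<dst>[0-9a-f.:]+): .*?echo (?P<kind>request|reply)\b'
    r'.*?\bseq (?P<seq>\d+)', re.IGNORECASE)


def split_packets(text):
    """Join tcpdump continuation lines (indented) onto their record."""
    pkts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('tcpdump:'):
            continue
        if line[0].isspace() and pkts:
            pkts[-1] += ' ' + line.strip()
        else:
            pkts.append(line.rstrip())
    return pkts


def analyze_enc0(capture):
    """Per address family: request/reply counts, SPIs seen and unanswered seq numbers."""
    recs = [m.groupdict() for m in map(PKT_RE.match, split_packets(capture)) if m]
    replies = {(r['src'], r['dst'], int(r['seq'])) for r in recs if r['kind'].lower() == 'reply'}
    stats = {}
    for r in recs:
        fam = 6 if ':' in r['src'] else 4
        s = stats.setdefault(fam, {'requests': 0, 'replies': 0, 'spis': set(), 'unanswered': []})
        s['spis'].add(r['spi'].lower())
        if r['kind'].lower() == 'request':
            s['requests'] += 1
            # A reply to (src -> dst, seq) shows up on enc0 as (dst -> src, seq).
            if (r['dst'], r['src'], int(r['seq'])) not in replies:
                s['unanswered'].append(int(r['seq']))
        else:
            s['replies'] += 1
    return stats


def findings(stats):
    """Human-readable verdicts; empty when every request got its reply."""
    msgs = []
    for fam, s in sorted(stats.items()):
        spis = ', '.join(sorted(s['spis']))
        if s['requests'] and not s['replies']:
            msgs.append(f"IPv{fam}: {s['requests']} echo requests on enc0 (SPI {spis}) and no "
                        f"replies; the far side is not returning IPv{fam} traffic, so check its "
                        f"SPD/child SA and firewall rules for this family")
        elif s['unanswered']:
            msgs.append(f"IPv{fam}: {len(s['unanswered'])} of {s['requests']} requests "
                        f"unanswered (seq {s['unanswered']})")
    return msgs


if __name__ == '__main__':
    text = ONE_WAY if sys.stdin.isatty() else sys.stdin.read()
    print('\n'.join(findings(analyze_enc0(text)) or ['OK: every request was answered']))
```

Run it as `tcpdump -vvvnli enc0 icmp or icmp6 | python3 enc0_pairs.py` (file name assumed). On enc0, outbound packets are shown before encryption and inbound ones after decryption, so a request with no reply here only proves that the peer never sent one back over the SA; the peer's own enc0 capture and SPD say whether the request was decrypted and where it was dropped. One fact worth having next to the 2.2.6 log line quoted above: on FreeBSD, errno 47 is EAFNOSUPPORT ("address family not supported by protocol family"), which is what a kernel returns when it refuses to emit a packet of one family through a path it treats as the other; the thread records the symptom and the fix (upgrading to 2.3) but does not pin down the root cause.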
jimp

                        Not sure there. I had that same tunnel I showed above working between 2.2.5 and 2.3 before upgrading the older system to 2.3. I don't have an active one that goes between 2.2.6 and 2.3 to test at the moment. I tested both because for a while we prevented both from being configured. I made sure it worked before relaxing the input validation.

                        https://redmine.pfsense.org/issues/5305
                        https://doc.pfsense.org/index.php/2.2.5_New_Features_and_Changes#IPsec

maverick_slo

As I suspected, there is a problem with 2.2.6 and IKEv2 P2.

It does not work; at least 32-bit is not working with IPv4 and IPv6 both inside one P1.

I upgraded 2.2.6 to 2.3 and the IPv6 tunnel inside the IPv4 P1 is working just fine.

jimp

                            It's possible it's specific to 32-bit but I'm not sure how. Either way, if it works on 2.3 there is nothing to fix currently. If we do another 2.2.x release it will only be a security release and wouldn't be used to address something like this.

maverick_slo

Yeah, but I can't help myself; I like to know when I'm wrong, and this time my config checked out just fine :)

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.