Ipsec ikev2



  • Hi!

    Created IKEv2 tunnel for IPv4 and it works fine.
    Added IPv6 tunnel and traffic doesn`t flow.
    Rules are added allow any to any ipv6 on ipsec iface.

    Ive read somwhere that iupv4 and ipv6 P2 dont play nicely together is that true?
    Should I create native IPv6 P1 and then add ipv6 P2?

    Thanks!


  • Rebel Alliance Developer Netgate

    With IKEv2 you can have a P2 for IPv4 and a P2 for IPv6. I've run such a config in the lab successfully without any problems.

    With IKEv1 you can only have P2s that match the "outer" traffic (e.g. P1 uses IPv4 to establish the tunnel, P2 must use only IPv4), but IKEv2 can carry both.



  • Hmmm.
    Ipv4 tunnel works for me, but Ipv6 does not.
    Rules are added, ipsec was restarted. Tracert shows traffic to go to pfsense and then it stops.

    ? :)



  • Hmmm just found this on 2.2.6 box:
    kernel: ip6_output (ipsec): error code 47

    This error does not appear on 2.3


  • Rebel Alliance Developer Netgate

    Not sure, lots of other places your setup could have gone wrong with IPv6. All I know is that it works here when I tried it last. P2 established and traffic v6 was passing over the tunnel, so it's not likely to be a general IPv6+IPsec problem, but something more specific to your local network settings.



  • I know it`s old but still:
    https://www.google.si/?gws_rd=ssl#q=kernel:+ip6_output+(ipsec):+error+code+47

    BTW my IPv6 is configured just fine :)



  • And this: http://lists.freebsd.org/pipermail/freebsd-net/2013-February/034653.html
    If I create IPv6 tunnel it works just fine, like IPv4…


  • Rebel Alliance Developer Netgate

    Not sure what to tell you other than to double check your work. It works fine here with IPv4 and IPv6 in a single IKEv2 tunnel:

    [2.3-BETA][root@jack.dw.example.com]/root: ping -c 4 -S 192.168.43.1 10.7.0.1
    PING 10.7.0.1 (10.7.0.1) from 192.168.43.1: 56 data bytes
    64 bytes from 10.7.0.1: icmp_seq=0 ttl=64 time=0.855 ms
    64 bytes from 10.7.0.1: icmp_seq=1 ttl=64 time=0.585 ms
    64 bytes from 10.7.0.1: icmp_seq=2 ttl=64 time=0.673 ms
    64 bytes from 10.7.0.1: icmp_seq=3 ttl=64 time=0.861 ms
    
    --- 10.7.0.1 ping statistics ---
    4 packets transmitted, 4 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.585/0.744/0.861/0.119 ms
    [2.3-BETA][root@jack.dw.example.com]/root: ping6 -c 4 -S 2001:db8:1:eec0:20d:b9ff:fe33:f72 2001:db8:1:deb0::1
    PING6(56=40+8+8 bytes) 2001:db8:1:eec0:20d:b9ff:fe33:f72 --> 2001:db8:1:deb0::1
    16 bytes from 2001:db8:1:deb0::1, icmp_seq=0 hlim=64 time=1.439 ms
    16 bytes from 2001:db8:1:deb0::1, icmp_seq=1 hlim=64 time=0.943 ms
    16 bytes from 2001:db8:1:deb0::1, icmp_seq=2 hlim=64 time=0.956 ms
    16 bytes from 2001:db8:1:deb0::1, icmp_seq=3 hlim=64 time=0.839 ms
    
    --- 2001:db8:1:deb0::1 ping6 statistics ---
    4 packets transmitted, 4 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 0.839/1.044/1.439/0.232 ms
    
    
    : tcpdump -vvvni enc0 
    tcpdump: WARNING: enc0: no IPv4 address assigned
    tcpdump: listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 65535 bytes
    15:58:55.496876 (authentic,confidential): SPI 0xc0dbd04f: IP (tos 0x0, ttl 64, id 45404, offset 0, flags [none], proto ICMP (1), length 84)
        192.168.43.1 > 10.7.0.1: ICMP echo request, id 16664, seq 0, length 64
    15:58:55.496993 (authentic,confidential): SPI 0xc205845b: IP (tos 0x0, ttl 64, id 63546, offset 0, flags [none], proto ICMP (1), length 84, bad cksum d39b (->8cbd)!)
        10.7.0.1 > 192.168.43.1: ICMP echo reply, id 16664, seq 0, length 64
    15:58:56.498392 (authentic,confidential): SPI 0xc0dbd04f: IP (tos 0x0, ttl 64, id 38240, offset 0, flags [none], proto ICMP (1), length 84)
        192.168.43.1 > 10.7.0.1: ICMP echo request, id 16664, seq 1, length 64
    15:58:56.498436 (authentic,confidential): SPI 0xc205845b: IP (tos 0x0, ttl 64, id 38618, offset 0, flags [none], proto ICMP (1), length 84, bad cksum ef97 (->ee1d)!)
        10.7.0.1 > 192.168.43.1: ICMP echo reply, id 16664, seq 1, length 64
    15:58:57.557724 (authentic,confidential): SPI 0xc0dbd04f: IP (tos 0x0, ttl 64, id 28035, offset 0, flags [none], proto ICMP (1), length 84)
        192.168.43.1 > 10.7.0.1: ICMP echo request, id 16664, seq 2, length 64
    15:58:57.557766 (authentic,confidential): SPI 0xc205845b: IP (tos 0x0, ttl 64, id 41042, offset 0, flags [none], proto ICMP (1), length 84, bad cksum 1775 (->e4a5)!)
        10.7.0.1 > 192.168.43.1: ICMP echo reply, id 16664, seq 2, length 64
    15:58:58.563872 (authentic,confidential): SPI 0xc0dbd04f: IP (tos 0x0, ttl 64, id 43514, offset 0, flags [none], proto ICMP (1), length 84)
        192.168.43.1 > 10.7.0.1: ICMP echo request, id 16664, seq 3, length 64
    15:58:58.563914 (authentic,confidential): SPI 0xc205845b: IP (tos 0x0, ttl 64, id 32701, offset 0, flags [none], proto ICMP (1), length 84, bad cksum dafd (->53b)!)
        10.7.0.1 > 192.168.43.1: ICMP echo reply, id 16664, seq 3, length 64
    15:59:01.897952 (authentic,confidential): SPI 0xc0dbd04f: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:eec0:20d:b9ff:fe33:f72 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 0
    15:59:01.898052 (authentic,confidential): SPI 0xc205845b: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:deb0::1 > 2001:db8:1:eec0:20d:b9ff:fe33:f72: [icmp6 sum ok] ICMP6, echo reply, seq 0
    15:59:02.960706 (authentic,confidential): SPI 0xc0dbd04f: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:eec0:20d:b9ff:fe33:f72 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 1
    15:59:02.960760 (authentic,confidential): SPI 0xc205845b: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:deb0::1 > 2001:db8:1:eec0:20d:b9ff:fe33:f72: [icmp6 sum ok] ICMP6, echo reply, seq 1
    15:59:04.014537 (authentic,confidential): SPI 0xc0dbd04f: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:eec0:20d:b9ff:fe33:f72 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 2
    15:59:04.014589 (authentic,confidential): SPI 0xc205845b: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:deb0::1 > 2001:db8:1:eec0:20d:b9ff:fe33:f72: [icmp6 sum ok] ICMP6, echo reply, seq 2
    15:59:05.032436 (authentic,confidential): SPI 0xc0dbd04f: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:eec0:20d:b9ff:fe33:f72 > 2001:db8:1:deb0::1: [icmp6 sum ok] ICMP6, echo request, seq 3
    15:59:05.032501 (authentic,confidential): SPI 0xc205845b: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:deb0::1 > 2001:db8:1:eec0:20d:b9ff:fe33:f72: [icmp6 sum ok] ICMP6, echo reply, seq 3
    
    

    And from "ipsec statusall" for good measure…

    Connections:
       bypasslan:  %any...%any  IKEv1/2
       bypasslan:   local:  uses public key authentication
       bypasslan:   remote: uses public key authentication
       bypasslan:   child:  192.168.43.0/24|/0 === 192.168.43.0/24|/0 PASS
            con1:  198.51.100.100...198.51.100.7  IKEv2, dpddelay=10s
            con1:   local:  [198.51.100.100] uses pre-shared key authentication
            con1:   remote: [198.51.100.7] uses pre-shared key authentication
            con1:   child:  192.168.43.0/24|/0 2001:db8:1:eec0::/60|/0 === 10.7.0.0/24|/0 2001:db8:1:deb0::/64|/0 TUNNEL, dpdaction=restart
    Shunted Connections:
       bypasslan:  192.168.43.0/24|/0 === 192.168.43.0/24|/0 PASS
    Routed Connections:
            con1{3}:  ROUTED, TUNNEL, reqid 1
            con1{3}:   192.168.43.0/24|/0 2001:db8:1:eec0::/60|/0 === 10.7.0.0/24|/0 2001:db8:1:deb0::/64|/0
    Security Associations (1 up, 0 connecting):
            con1[1]: ESTABLISHED 5 minutes ago, 198.51.100.100[198.51.100.100]...198.51.100.7[198.51.100.7]
            con1[1]: IKEv2 SPIs: 77b4381031502095_i* 53b145c57a3f7c63_r, pre-shared key reauthentication in 7 hours
            con1[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
            con1{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c205845b_i c0dbd04f_o
            con1{2}:  AES_CBC_256/HMAC_SHA1_96, 1456 bytes_i, 3680 bytes_o, rekeying in 39 minutes
            con1{2}:   192.168.43.0/24|/0 === 2001:db8:1:deb0::/64|/0
    
    

    (granted that output looks a little funny, but it is there and working)

     setkey -DP
    192.168.43.0/24[any] 192.168.43.0/24[any] any
    	in none
    	created: Feb  1 15:58:32 2016  lastused: Feb  1 15:58:32 2016
    	lifetime: 9223372036854775807(s) validtime: 0(s)
    	spid=8 seq=5 pid=93603
    	refcnt=1
    10.7.0.0/24[any] 192.168.43.0/24[any] any
    	in ipsec
    	esp/tunnel/198.51.100.7-198.51.100.100/unique:1
    	created: Feb  1 15:58:32 2016  lastused: Feb  1 15:58:58 2016
    	lifetime: 9223372036854775807(s) validtime: 0(s)
    	spid=10 seq=4 pid=93603
    	refcnt=1
    2001:db8:1:deb0::/64[any] 2001:db8:1:eec0::/60[any] any
    	in ipsec
    	esp/tunnel/198.51.100.7-198.51.100.100/unique:1
    	created: Feb  1 15:58:32 2016  lastused: Feb  1 15:59:05 2016
    	lifetime: 9223372036854775807(s) validtime: 0(s)
    	spid=12 seq=3 pid=93603
    	refcnt=1
    192.168.43.0/24[any] 192.168.43.0/24[any] any
    	out none
    	created: Feb  1 15:58:32 2016  lastused: Feb  1 15:58:32 2016
    	lifetime: 9223372036854775807(s) validtime: 0(s)
    	spid=7 seq=2 pid=93603
    	refcnt=1
    192.168.43.0/24[any] 10.7.0.0/24[any] any
    	out ipsec
    	esp/tunnel/198.51.100.100-198.51.100.7/unique:1
    	created: Feb  1 15:58:32 2016  lastused: Feb  1 15:58:58 2016
    	lifetime: 9223372036854775807(s) validtime: 0(s)
    	spid=9 seq=1 pid=93603
    	refcnt=1
    2001:db8:1:eec0::/60[any] 2001:db8:1:deb0::/64[any] any
    	out ipsec
    	esp/tunnel/198.51.100.100-198.51.100.7/unique:1
    	created: Feb  1 15:58:32 2016  lastused: Feb  1 15:59:05 2016
    	lifetime: 9223372036854775807(s) validtime: 0(s)
    	spid=11 seq=0 pid=93603
    	refcnt=1
    
    


  • Hmmmm… OK
    Do you have any recommendations where to start looking?
    I added firewall rules on IPSEC interfaces on both sides and set them to allow any any IPv6 for test purposes.
    I do not block IPv6 anywhere.

    Wireshark shows this on local ipsec iface when I ping:

    
    22:07:05.969317 (authentic,confidential): SPI 0xce682ffa: (hlim 127, next-header ICMPv6 (58) payload length: 40) 2001:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX > 2a01:XXX:XXXX:XXXX::XXX: [icmp6 sum ok] ICMP6, echo request, seq 45
    22:07:10.676559 (authentic,confidential): SPI 0xce682ffa: (hlim 127, next-header ICMPv6 (58) payload length: 40) 2001:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX > 2a01:XXX:XXXX:XXXX::XXX: [icmp6 sum ok] ICMP6, echo request, seq 46
    22:07:15.675531 (authentic,confidential): SPI 0xce682ffa: (hlim 127, next-header ICMPv6 (58) payload length: 40) 2001:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX > 2a01:XXX:XXXX:XXXX::XXX: [icmp6 sum ok] ICMP6, echo request, seq 47
    
    

    And each ping from 2.3 network to 2.2.6 network produces above (kernel: ip6_output (ipsec): error code 47) error on 2.2.6 system.
    So traffic comes to 2.2.6 and there it stops or something ?

    Thanks!


  • Rebel Alliance Developer Netgate

    Not sure there. I had that same tunnel I showed above working between 2.2.5 and 2.3 before upgrading the older system to 2.3. I don't have an active one that goes between 2.2.6 and 2.3 to test at the moment. I tested both because for a while we prevented both from being configured. I made sure it worked before relaxing the input validation.

    https://redmine.pfsense.org/issues/5305
    https://doc.pfsense.org/index.php/2.2.5_New_Features_and_Changes#IPsec



  • As I suspected there is a problem with 2.2.6 and IKEv2 P2.

    It does not work, at least 32-bit is not working with ipv4 and ipv6 both inside one P1.

    I upgraded 2.2.6 to 2.3 and IPv6 tunnel inside IPv4 P1 is working just fine.


  • Rebel Alliance Developer Netgate

    It's possible it's specific to 32-bit but I'm not sure how. Either way, if it works on 2.3 there is nothing to fix currently. If we do another 2.2.x release it will only be a security release and wouldn't be used to address something like this.



  • Yeah, but I cant help myself, I like to know when Im wrong and this time my config checked out just fine :)


Log in to reply