Bug #11643

closed

IPsec tunnel does not function when configured on a 6RD interface

Added by Sietse van Zanen 7 months ago. Updated 5 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 03/10/2021
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.5.0
Affected Architecture: All

Description

pfSense does not generate a correct swanctl.conf when adding IPv6 or dual stack tunnels over a 6RD interface. The IPv6 address is not added to local_addrs and IPv6 connections are not accepted (cannot find matching config).
Incorrect swanctl.conf:
con1000 {
.....
local_addrs = 1.2.3.4

Correct swanctl.conf
con1000 {
.....
local_addrs = 1.2.3.4,1234:5678:9abc::/48

Another minor issue is that the GUI complains when adding both IPv4 and IPv6 P2 under an IPv4 or IPv6 only P1 (There is a Phase 2 using IPv6, cannot use IPv4.).
This is however perfectly fine to configure and use. P2 IP version is not in any way related to P1. This error is therefore spurious and should be removed.
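An added example, not part of the original report and not pfSense or strongSwan code: a small checker that reads a swanctl.conf and lists the connections whose local_addrs lacks a given address family, which is the symptom reported above. The surrounding `connections { ... }` layout of the sample and the function names are assumptions; the addresses are the report's own placeholders.

```python
import ipaddress
import re

# Constructed sample: con1000 mirrors the "incorrect" snippet from the
# report, con2000 the "correct" one. The section layout is assumed.
SAMPLE = """
connections {
    con1000 {
        local_addrs = 1.2.3.4
    }
    con2000 {
        local_addrs = 1.2.3.4,1234:5678:9abc::/48
        children {
            con2000 { local_ts = 10.0.0.0/24 }
        }
    }
}
"""

# Matches "name {", "}" or "key = value" anywhere in the text.
TOKEN = re.compile(r"([\w.-]+)\s*\{|(\})|([\w.-]+)\s*=\s*([^\n{}#]*)")

def _families(value):
    """Return the address families (4, 6, or 'name') in a local_addrs value."""
    fams = set()
    for tok in (t.strip().strip('"') for t in value.split(",")):
        if not tok:
            continue
        if tok == "%any":          # wildcard: matches both families
            fams |= {4, 6}
            continue
        try:                       # single address, CIDR subnet, or start of a range
            fams.add(ipaddress.ip_network(tok.split("-")[0], strict=False).version)
        except ValueError:         # hostname: family unknown until resolved
            fams.add("name")
    return fams

def local_addr_families(conf_text):
    """Map each section that sets local_addrs to the families it lists."""
    stack, result = [], {}
    for m in TOKEN.finditer(re.sub(r"#[^\n]*", "", conf_text)):
        if m.group(1):
            stack.append(m.group(1))
        elif m.group(2):
            if stack:
                stack.pop()
        elif m.group(3) == "local_addrs" and stack:
            result[stack[-1]] = _families(m.group(4))
    return result

def connections_missing(conf_text, family=6):
    """Connections with an explicit local_addrs that lacks `family`."""
    found = local_addr_families(conf_text)
    return sorted(name for name, fams in found.items() if family not in fams)
```

Connections that set no local_addrs at all are not reported, since only an explicit list can be missing a family.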

Actions #1

Updated by Viktor Gurov 7 months ago

Sietse van Zanen wrote:

pfSense does not generate a correct swanctl.conf when adding IPv6 or dual stack tunnels over a 6RD interface. The IPv6 address is not added to local_addrs and IPv6 connections are not accepted (cannot find matching config).
Incorrect swanctl.conf:
con1000 {
.....
local_addrs = 1.2.3.4

Correct swanctl.conf
con1000 {
.....
local_addrs = 1.2.3.4,1234:5678:9abc::/48

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/181

Actions #2

Updated by Viktor Gurov 7 months ago

Sietse van Zanen wrote:

Another minor issue is that the GUI complains when adding both IPv4 and IPv6 P2 under an IPv4 or IPv6 only P1 (There is a Phase 2 using IPv6, cannot use IPv4.).
This is however perfectly fine to configure and use. P2 IP version is not in any way related to P1. This error is therefore spurious and should be removed.

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/182

Actions #3

Updated by Jim Pingle 7 months ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.5.1

The first PR for the main issue is OK, the other part about mixing IPv4/IPv6 on IKEv1 needs its own separate Redmine issue since it's not related.

Actions #4

Updated by Sietse van Zanen 7 months ago

Viktor Gurov wrote:

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/182

gitlab.netgate.com resolves to RFC1918 (172.16.0.0/12) address publicly:

gitlab.netgate.com.

Server: dns.google
Address: 8.8.8.8

Non-authoritative answer:
Name: gitlab.netgate.com
Address: 172.27.10.132

Actions #5

Updated by Jim Pingle 7 months ago

That is our private/internal git, so it's expected.

Actions #6

Updated by Renato Botelho 7 months ago

  • Status changed from Pull Request Review to Waiting on Merge
  • Assignee set to Viktor Gurov

PR 181 was merged. Thanks!

Please open a separate Redmine ticket to cover proposed changes on PR 182.

Actions #7

Updated by Viktor Gurov 7 months ago

  • Status changed from Waiting on Merge to Feedback
  • % Done changed from 0 to 100

Actions #8

Updated by Renato Botelho 7 months ago

Cherry-picked to RELENG_2_5_1

Actions #9

Updated by Jim Pingle 6 months ago

  • Subject changed from IPSEC over 6RD interface not functional to IPsec tunnel does not function when configured on a 6RD interface

Updating subject for release notes.

Actions #10

Updated by Jim Pingle 5 months ago

  • Status changed from Feedback to Closed