Bug #11643
closed
IPsec tunnel does not function when configured on a 6RD interface
100%
Description
pfSense does not generate a correct swanctl.conf when adding IPv6 or dual stack tunnels over a 6RD interface. The IPv6 address is not added to local_addrs and IPv6 connections are not accepted (cannot find matching config).
Incorrect swanctl.conf:
con1000 {
.....
local_addrs = 1.2.3.4
Correct swanctl.conf
con1000 {
.....
local_addrs = 1.2.3.4,1234:5678:9abc::/48
Another minor issue is that the GUI complains when adding both IPv4 and IPv6 P2 under an IPv4 or IPv6 only P1 (There is a Phase 2 using IPv6, cannot use IPv4.).
This is however perfectly fine to configure and use. P2 IP version is not in any way related to P1. This error is therefore spurious and should be removed.
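A way to check a generated swanctl.conf for the symptom described in the report above, added here as an example (it is not pfSense code and not part of the original report): it lists connections whose local_addrs lacks an expected address family. The function names, the second connection con2000 and the assumption that every connection should be dual stack are illustrative; the addresses are the report's placeholders.

```python
import ipaddress
import re

# Constructed sample in the shape shown in the report; con2000 is made up.
SAMPLE = """
connections {
    con1000 {
        local_addrs = 1.2.3.4
    }
    con2000 {
        local_addrs = 1.2.3.4,1234:5678:9abc::/48
    }
}
"""

def local_addr_families(conf_text):
    """Map each block that sets local_addrs to the IP versions it lists."""
    stack, families = [], {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        opened = re.fullmatch(r"([\w.-]+)\s*\{", line)
        if opened:
            stack.append(opened.group(1))        # entering a named block
        elif line == "}":
            if stack:
                stack.pop()
        elif stack and re.match(r"local_addrs\s*=", line):
            found = set()
            for item in line.split("=", 1)[1].split(","):
                try:
                    net = ipaddress.ip_network(item.strip(), strict=False)
                    found.add(net.version)       # 4 or 6
                except ValueError:
                    found.add(None)              # hostname, range, %any: unknown
            families[stack[-1]] = found
    return families

def missing_families(conf_text, required=(4, 6)):
    """Return {connection: [missing IP versions]} for incomplete local_addrs."""
    report = {}
    for conn, fams in local_addr_families(conf_text).items():
        if None in fams:
            continue                             # cannot judge offline, skip
        missing = sorted(set(required) - fams)
        if missing:
            report[conn] = missing
    return report

if __name__ == "__main__":
    print(missing_families(SAMPLE))
```

Pass `required=(6,)` or `required=(4,)` when a tunnel is meant to be single stack.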
Updated by Viktor Gurov over 3 years ago
Sietse van Zanen wrote:
pfSense does not generate a correct swanctl.conf when adding IPv6 or dual stack tunnels over a 6RD interface. The IPv6 address is not added to local_addrs and IPv6 connections are not accepted (cannot find matching config).
Incorrect swanctl.conf:
con1000 {
.....
local_addrs = 1.2.3.4
Correct swanctl.conf
con1000 {
.....
local_addrs = 1.2.3.4,1234:5678:9abc::/48
fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/181
Updated by Viktor Gurov over 3 years ago
Sietse van Zanen wrote:
Another minor issue is that the GUI complains when adding both IPv4 and IPv6 P2 under an IPv4 or IPv6 only P1 (There is a Phase 2 using IPv6, cannot use IPv4.).
This is however perfectly fine to configure and use. P2 IP version is not in any way related to P1. This error is therefore spurious and should be removed.
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/182
Updated by Jim Pingle over 3 years ago
- Status changed from New to Pull Request Review
- Target version set to 2.5.1
The first PR for the main issue is OK, the other part about mixing IPv4/IPv6 on IKEv1 needs its own separate Redmine issue since it's not related.
Updated by Sietse van Zanen over 3 years ago
Viktor Gurov wrote:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/182
gitlab.netgate.com resolves to an RFC1918 (172.16.0.0/12) address publicly:
gitlab.netgate.com.
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Name: gitlab.netgate.com
Address: 172.27.10.132
Updated by Jim Pingle over 3 years ago
That is our private/internal git, so it's expected.
Updated by Renato Botelho over 3 years ago
- Status changed from Pull Request Review to Waiting on Merge
- Assignee set to Viktor Gurov
PR 181 was merged. Thanks!
Please open a separate Redmine ticket to cover proposed changes on PR 182.
Updated by Viktor Gurov over 3 years ago
- Status changed from Waiting on Merge to Feedback
- % Done changed from 0 to 100
Applied in changeset f6f121a28b4be1457535a5120e978544e55330c3.
Updated by Jim Pingle over 3 years ago
- Subject changed from IPSEC over 6RD interface not functional to IPsec tunnel does not function when configured on a 6RD interface
Updating subject for release notes.