Bug #11643

IPsec tunnel does not function when configured on a 6RD interface

Added by Sietse van Zanen 2 months ago. Updated about 1 month ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
03/10/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.5.0
Affected Architecture:
All

Description

pfSense does not generate a correct swanctl.conf when adding IPv6 or dual stack tunnels over a 6RD interface. The IPv6 address is not added to local_addrs and IPv6 connections are not accepted (cannot find matching config).
Incorrect swanctl.conf:
con1000 {
.....
local_addrs = 1.2.3.4

Correct swanctl.conf
con1000 {
.....
local_addrs = 1.2.3.4,1234:5678:9abc::/48

Another minor issue is that the GUI complains when adding both IPv4 and IPv6 P2 under an IPv4- or IPv6-only P1 (There is a Phase 2 using IPv6, cannot use IPv4.).
This is, however, perfectly fine to configure and use. P2 IP version is not in any way related to P1. This error is therefore spurious and should be removed.
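The report shows what a correct local_addrs line looks like but not where the IPv6 entry comes from or how to verify a generated file. The following is an added example (not pfSense or strongSwan code): it derives the 6RD delegated prefix from the ISP's 6rdPrefix and the WAN IPv4 address as RFC 5969 section 7.1.1 describes, then reads the local_addrs list of one connection out of a swanctl.conf fragment and reports whether both address families are present. The ISP prefix 2001:db8::/32, the mask length and both configuration fragments are constructed for illustration and are not values from the report.

```python
"""Check that a swanctl.conf connection's local_addrs covers both address
families on a 6RD interface.

Added example, not pfSense or strongSwan code. The 6RD prefix derivation
follows RFC 5969 section 7.1.1; the ISP prefix, the mask length and the
configuration fragments below are constructed for illustration.
"""
import ipaddress


def sixrd_delegated_prefix(sixrd_prefix, ipv4_addr, ipv4_mask_len=0):
    """Return the 6RD delegated prefix (RFC 5969, section 7.1.1).

    The customer prefix is the ISP's 6rdPrefix followed by the bits of the
    IPv4 address that IPv4MaskLen does not cover, so its length is
    6rdPrefixLen + (32 - IPv4MaskLen).
    """
    net = ipaddress.IPv6Network(sixrd_prefix, strict=True)
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("IPv4MaskLen must be between 0 and 32")
    embed_bits = 32 - ipv4_mask_len
    new_len = net.prefixlen + embed_bits
    if new_len > 64:
        raise ValueError("6rdPrefixLen + (32 - IPv4MaskLen) must not exceed 64")
    # Keep only the low-order IPv4 bits that the ISP's IPv4MaskLen did not mask off.
    embedded = int(ipaddress.IPv4Address(ipv4_addr)) & ((1 << embed_bits) - 1)
    value = int(net.network_address) | (embedded << (128 - new_len))
    return ipaddress.IPv6Network((value, new_len))


def local_addrs_of(conf_text, conn_name):
    """Extract the local_addrs list of one connection from swanctl.conf text.

    Minimal reader for the strongswan.conf syntax: sections open with
    'name {' and close with '}', keys are 'key = value', '#' starts a comment.
    Only a key directly inside the named connection section is returned.
    """
    stack = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            if stack:
                stack.pop()
        elif stack and stack[-1] == conn_name and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "local_addrs":
                return [a.strip() for a in value.split(",") if a.strip()]
    return []


def check_dual_stack(conf_text, conn_name):
    """Report which address families the connection's local_addrs covers."""
    addrs = local_addrs_of(conf_text, conn_name)
    families = set()
    for a in addrs:
        try:
            families.add(ipaddress.ip_network(a, strict=False).version)
        except ValueError:
            # Entries such as %any carry no address family of their own; skip them.
            continue
    return {"addrs": addrs, "has_ipv4": 4 in families, "has_ipv6": 6 in families}


# Constructed fragments: the first has the shape of the report's incorrect
# output, the second what a dual-stack tunnel on a 6RD interface needs.
BROKEN_CONF = """\
connections {
    con1000 {
        local_addrs = 1.2.3.4
        remote_addrs = 203.0.113.9
    }
}
"""
FIXED_CONF = BROKEN_CONF.replace(
    "local_addrs = 1.2.3.4",
    "local_addrs = 1.2.3.4,2001:db8:102:304::/64",
)

if __name__ == "__main__":
    # Hypothetical ISP 6rdPrefix 2001:db8::/32 with IPv4MaskLen 0 and the
    # report's WAN address 1.2.3.4 give the delegated prefix 2001:db8:102:304::/64.
    print(sixrd_delegated_prefix("2001:db8::/32", "1.2.3.4"))
    print(check_dual_stack(BROKEN_CONF, "con1000"))
    print(check_dual_stack(FIXED_CONF, "con1000"))
```

Running the check against a file pfSense generated (for example /var/etc/ipsec/swanctl.conf, the location assumed here rather than taken from the report) shows whether the IPv6 side of the connection can match at all; with only an IPv4 entry in local_addrs, strongSwan has no configuration to match an inbound IKE from the peer's IPv6 address, which is the "cannot find matching config" symptom the report describes. The example derives the prefix from the 6RD parameters directly; whether pfSense computes the interface address the same way is an assumption and is not verified by the code.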

Associated revisions

Revision f6f121a2 (diff)
Added by Viktor Gurov 2 months ago

Correct source IP for IPsec on 6RD/6to4 interfaces. Fixes #11643

Revision 81949bee (diff)
Added by Viktor Gurov 2 months ago

IPsec IKEv1 mixed Phase 2 IP protocols support. Issue #11643

Revision d834e893 (diff)
Added by Viktor Gurov 2 months ago

IPsec IKEv1 mixed Phase 2 IP protocols support. Issue #11643

(cherry picked from commit 81949bee72813bbd8b57b75563cd40b9cdaf68e0)

Revision 55965086 (diff)
Added by Viktor Gurov 2 months ago

Correct source IP for IPsec on 6RD/6to4 interfaces. Fixes #11643

(cherry picked from commit f6f121a28b4be1457535a5120e978544e55330c3)

History

#1 Updated by Viktor Gurov 2 months ago

Sietse van Zanen wrote:

pfSense does not generate a correct swanctl.conf when adding IPv6 or dual stack tunnels over a 6RD interface. The IPv6 address is not added to local_addrs and IPv6 connections are not accepted (cannot find matching config).
Incorrect swanctl.conf:
con1000 {
.....
local_addrs = 1.2.3.4

Correct swanctl.conf
con1000 {
.....
local_addrs = 1.2.3.4,1234:5678:9abc::/48

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/181

#2 Updated by Viktor Gurov 2 months ago

Sietse van Zanen wrote:

Another minor issue is that the GUI complains when adding both IPv4 and IPv6 P2 under an IPv4- or IPv6-only P1 (There is a Phase 2 using IPv6, cannot use IPv4.).
This is, however, perfectly fine to configure and use. P2 IP version is not in any way related to P1. This error is therefore spurious and should be removed.

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/182

#3 Updated by Jim Pingle 2 months ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.5.1

The first PR for the main issue is OK; the other part about mixing IPv4/IPv6 on IKEv1 needs its own separate Redmine issue since it's not related.

#4 Updated by Sietse van Zanen 2 months ago

Viktor Gurov wrote:

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/182

gitlab.netgate.com resolves to an RFC1918 (172.16.0.0/12) address publicly:

gitlab.netgate.com.

Server: dns.google
Address: 8.8.8.8

Non-authoritative answer:
Name: gitlab.netgate.com
Address: 172.27.10.132

#5 Updated by Jim Pingle 2 months ago

That is our private/internal git, so it's expected.

#6 Updated by Renato Botelho 2 months ago

  • Status changed from Pull Request Review to Waiting on Merge
  • Assignee set to Viktor Gurov

PR 181 was merged. Thanks!

Please open a separate Redmine ticket to cover the proposed changes on PR 182.

#7 Updated by Viktor Gurov 2 months ago

  • Status changed from Waiting on Merge to Feedback
  • % Done changed from 0 to 100

#8 Updated by Renato Botelho 2 months ago

Cherry-picked to RELENG_2_5_1

#9 Updated by Jim Pingle 2 months ago

  • Subject changed from IPSEC over 6RD interface not functional to IPsec tunnel does not function when configured on a 6RD interface

Updating subject for release notes.

#10 Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to Closed
