Bug #11643
closed
IPsec tunnel does not function when configured on a 6RD interface
Added by Sietse van Zanen over 3 years ago.
Updated over 3 years ago.
Affected Architecture:
All
Description
pfSense does not generate a correct swanctl.conf when adding IPv6 or dual stack tunnels over a 6RD interface. The IPv6 address is not added to local_addrs and IPv6 connections are not accepted (cannot find matching config).
Incorrect swanctl.conf:
con1000 {
    .....
    local_addrs = 1.2.3.4
Correct swanctl.conf:
con1000 {
    .....
    local_addrs = 1.2.3.4,1234:5678:9abc::/48
Another minor issue is that the GUI complains when adding both IPv4 and IPv6 P2 under an IPv4 or IPv6 only P1 (There is a Phase 2 using IPv6, cannot use IPv4.).
This is however perfectly fine to configure and use. P2 IP version is not in any way related to P1. This error is therefore spurious and should be removed.
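A check for the failure described above, as an added example that is not part of the ticket or of pfSense's own code: it reads swanctl.conf text and reports connections whose local_addrs lacks an address family the tunnel is meant to use. It assumes one statement per line; the function names and the con2000 connection are hypothetical.

```python
import ipaddress
import re

SECTION_OPEN = re.compile(r"^([\w.-]+)\s*\{$")
SETTING = re.compile(r"^local_addrs\s*=\s*(.+)$")

def entry_family(entry):
    """Return 4 or 6 for an address, CIDR subnet or range; None for names."""
    first = entry.split("-")[0].strip()  # a range is written start-end
    try:
        return ipaddress.ip_network(first, strict=False).version
    except ValueError:
        return None  # DNS name, %any, etc.: family not decidable offline

def local_addr_families(conf_text):
    """Map each section that sets local_addrs to the IP families it lists."""
    stack, result = [], {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if m := SECTION_OPEN.match(line):
            stack.append(m.group(1))
        elif line == "}" and stack:
            stack.pop()
        elif (m := SETTING.match(line)) and stack:
            fams = {entry_family(e) for e in m.group(1).split(",")}
            result[stack[-1]] = fams - {None}
    return result

def missing_family(conf_text, required=frozenset({4, 6})):
    """Connections whose local_addrs lack a family in `required`."""
    return {name: sorted(required - fams)
            for name, fams in local_addr_families(conf_text).items()
            if required - fams}

# Constructed sample: con1000 mirrors the broken output, con2000 the expected one.
SAMPLE = """
connections {
    con1000 {
        local_addrs = 1.2.3.4
    }
    con2000 {
        local_addrs = 1.2.3.4,1234:5678:9abc::/48
    }
}
"""

if __name__ == "__main__":
    for name, fams in missing_family(SAMPLE).items():
        print(name, "local_addrs lacks", ", ".join(f"IPv{f}" for f in fams))
```

Pass `required=frozenset({4})` or `frozenset({6})` for tunnels that are intentionally single stack.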
Sietse van Zanen wrote:
pfSense does not generate a correct swanctl.conf when adding IPv6 or dual stack tunnels over a 6RD interface. The IPv6 address is not added to local_addrs and IPv6 connections are not accepted (cannot find matching config).
Incorrect swanctl.conf:
con1000 {
    .....
    local_addrs = 1.2.3.4
Correct swanctl.conf:
con1000 {
    .....
    local_addrs = 1.2.3.4,1234:5678:9abc::/48
fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/181
Sietse van Zanen wrote:
Another minor issue is that the GUI complains when adding both IPv4 and IPv6 P2 under an IPv4 or IPv6 only P1 (There is a Phase 2 using IPv6, cannot use IPv4.).
This is however perfectly fine to configure and use. P2 IP version is not in any way related to P1. This error is therefore spurious and should be removed.
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/182
- Status changed from New to Pull Request Review
- Target version set to 2.5.1
The first PR for the main issue is OK, the other part about mixing IPv4/IPv6 on IKEv1 needs its own separate Redmine issue since it's not related.
That is our private/internal git, so it's expected.
- Status changed from Pull Request Review to Waiting on Merge
- Assignee set to Viktor Gurov
PR 181 was merged. Thanks!
Please open a separate Redmine ticket to cover proposed changes on PR 182.
- Status changed from Waiting on Merge to Feedback
- % Done changed from 0 to 100
Cherry-picked to RELENG_2_5_1
- Subject changed from IPSEC over 6RD interface not functional to IPsec tunnel does not function when configured on a 6RD interface
Updating subject for release notes.
- Status changed from Feedback to Closed