Bug #2746: IPv6 IPSEC shows down but is actually not... - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Plus - All Open Issues
23.09.1 Target - All Closed Issues
23.09.1 Target - All Open Issues
24.03 Plus - All Closed Issues
24.03 Plus - All Open Issues
24.03 Plus - Feedback Issues
24.03 Plus - Needs Attention/Work
24.03 Plus - New/Confirmed/In Progress Issues
24.03 Plus - Pull Request Review
24.03 Plus - Waiting on Merge
24.03 Target - All Closed Issues
24.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #2746

closed

IPv6 IPSEC shows down but is actually not...

Added by Andre Keller over 11 years ago. Updated about 11 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Category:

IPsec

Target version:

2.1

Start date:

01/07/2013

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.1-IPv6

Affected Architecture:

Description

I just setup some IPv6 site-to-site ipsec vpns.

Good news: They work

Not so good news: In the IPSEC status overview the tunnel shows down, but the SAD tab shows data going through the ipsec flows and tcpdump on enc0 verifies the traffic actually is going to the target via ipsec.

Probably just some sort of parsing issue...

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Chris Buechler over 11 years ago

Target version set to 2.1
Affected Version changed from 2.1 to 2.1-IPv6

Actions

Copy link

Updated by Jim Pingle about 11 years ago

When your tunnels are up, can you attach the output of:

setkey -D

and

setkey -DP

That should help us with making changes to the parsing code, to ensure the output you see is the same as the output we see.

Actions

Copy link

Updated by Jim Pingle about 11 years ago

Status changed from New to Feedback

I just created a pure IPv6 tunnel between two VMs running today's snapshot and it comes up and works and the status shows the tunnel as connected. SAD and SPD tabs are populated as expected.

I'm guessing you have a configuration error that is resulting in the traffic routing outside the tunnel and not through it, such as having "IPv4" selected on Phase 1 and/or "Tunnel IPv4" selected on Phase 2. Either of those cases would result in the tabs not showing the proper output.

Actions

Copy link

Updated by Andre Keller about 11 years ago

Thanks for getting back to me...

You are right, it was a configuration issue but a mean one :-)

If you select the local network in phase 2 using the dropdown it adds the network to the configuration as follows:
OPT1: 2001:db8:10::/64 -> racoon.conf 2001:db8:10:0:0:0:0:0/64

So when I have the compact version manually type on the other side it shows as down and actually traffic gets not routed through the tunnel...

Seems a bug to me, but not this one :-)

Actions

Copy link

Updated by Ermal Luçi about 11 years ago

I pushed some fixes for exactly the issue you mentioned Andre.

Actions

Copy link

Updated by Jim Pingle about 11 years ago

I also committed a couple fixes yesterday that made it work for more situations. It was working if you entered the subnets manually but it was broken if you used a macro like "lan subnet". They should all work now.

Actions

Copy link

Updated by Chris Buechler about 11 years ago

Status changed from Feedback to Resolved

look to all work

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #2746

IPv6 IPSEC shows down but is actually not...

Updated by Chris Buechler over 11 years ago

Updated by Jim Pingle about 11 years ago

Updated by Jim Pingle about 11 years ago

Updated by Andre Keller about 11 years ago

Updated by Ermal Luçi about 11 years ago

Updated by Jim Pingle about 11 years ago

Updated by Chris Buechler about 11 years ago