Bug #2746


IPv6 IPSEC shows down but is actually not...

Added by Andre Keller over 11 years ago. Updated over 11 years ago.


I just set up some IPv6 site-to-site IPsec VPNs.

Good news: They work

Not so good news: In the IPSEC status overview the tunnel shows down, but the SAD tab shows data going through the ipsec flows and tcpdump on enc0 verifies the traffic actually is going to the target via ipsec.

Probably just some sort of parsing issue...

Actions #1

Updated by Chris Buechler over 11 years ago

  • Target version set to 2.1
  • Affected Version changed from 2.1 to 2.1-IPv6
Actions #2

Updated by Jim Pingle over 11 years ago

When your tunnels are up, can you attach the output of:

setkey -D


setkey -DP

That should help us with making changes to the parsing code, to ensure the output you see is the same as the output we see.

Actions #3

Updated by Jim Pingle over 11 years ago

  • Status changed from New to Feedback

I just created a pure IPv6 tunnel between two VMs running today's snapshot and it comes up and works and the status shows the tunnel as connected. SAD and SPD tabs are populated as expected.

I'm guessing you have a configuration error that is resulting in the traffic routing outside the tunnel and not through it, such as having "IPv4" selected on Phase 1 and/or "Tunnel IPv4" selected on Phase 2. Either of those cases would result in the tabs not showing the proper output.

Actions #4

Updated by Andre Keller over 11 years ago

Thanks for getting back to me...

You are right, it was a configuration issue but a mean one :-)

If you select the local network in phase 2 using the dropdown it adds the network to the configuration as follows:
OPT1: 2001:db8:10::/64 -> racoon.conf 2001:db8:10:0:0:0:0:0/64

So when I have the compact version manually typed on the other side, it shows as down and traffic actually does not get routed through the tunnel...

Seems a bug to me, but not this one :-)

Actions #5

Updated by Ermal Luçi over 11 years ago

I pushed some fixes for exactly the issue you mentioned Andre.

Actions #6

Updated by Jim Pingle over 11 years ago

I also committed a couple fixes yesterday that made it work for more situations. It was working if you entered the subnets manually but it was broken if you used a macro like "lan subnet". They should all work now.

Actions #7

Updated by Chris Buechler over 11 years ago

  • Status changed from Feedback to Resolved

Looks to all work.
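
The mismatch described in comment #4 (the same /64 written as 2001:db8:10::/64 on one side and 2001:db8:10:0:0:0:0:0/64 on the other) can be caught before deployment by comparing Phase 2 selectors as parsed networks and flagging pairs that are equal as networks but differ as text. This is an added example, not pfSense or racoon code; the dict layout, the function names and the 2001:db8:20::/64 prefix are assumptions made for illustration.

```python
import ipaddress

def canonical(selector):
    """Compressed text form of a network; host bits are masked off."""
    return str(ipaddress.ip_network(selector.strip(), strict=False))

def check_phase2(site_a, site_b):
    """Compare A's local/remote selectors with B's remote/local ones.

    Returns (field_on_a, finding, detail) tuples; an empty list means the
    selectors agree both as networks and as text.
    """
    findings = []
    for mine, theirs in (("local", "remote"), ("remote", "local")):
        a, b = site_a[mine], site_b[theirs]
        try:
            net_a = ipaddress.ip_network(a.strip(), strict=False)
            net_b = ipaddress.ip_network(b.strip(), strict=False)
        except ValueError as exc:
            findings.append((mine, "invalid", str(exc)))
            continue
        if net_a.version != net_b.version:
            # e.g. "Tunnel IPv4" selected on one side of an IPv6 tunnel
            findings.append((mine, "family", f"IPv{net_a.version} vs IPv{net_b.version}"))
        elif net_a != net_b:
            findings.append((mine, "network", f"{net_a} vs {net_b}"))
        elif a.strip() != b.strip():
            # Same prefix, different spelling: the case from comment #4.
            findings.append((mine, "spelling", str(net_a)))
    return findings

# Constructed sample: 2001:db8:10::/64 is from the thread, 2001:db8:20::/64 is made up.
SITE_A = {"local": "2001:db8:10:0:0:0:0:0/64", "remote": "2001:db8:20::/64"}
SITE_B = {"local": "2001:db8:20::/64", "remote": "2001:db8:10::/64"}

if __name__ == "__main__":
    for field, finding, detail in check_phase2(SITE_A, SITE_B):
        print(f"site A {field}: {finding} ({detail})")
```

A "spelling" finding means both sides describe the same prefix and only the text form needs to be aligned; "family" and "network" findings mean the selectors really differ.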

