Bug #6518

closed

IPsec phase 1 VPN not working with IPv6+DNS with "My IP Address" as identifier

Added by Sébastien Boulet almost 8 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Low
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
06/22/2016
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.3.1
Affected Architecture:

Description

Hi,

I'm running pfSense:

2.3.1-RELEASE-p5 (amd64)
built on Thu Jun 16 12:53:15 CDT 2016
FreeBSD 10.3-RELEASE-p3

I have 2 pfSense fw, with IPv6 internet access:
- fw1: 2001:aaaa::a
- fw2: 2001:bbbb::b

I've configured an IPsec VPN using IPv6 for phase 1; everything is working fine (fw1 conf is symmetric):

    <phase1>
        <ikeid>1</ikeid>
        <iketype>ikev2</iketype>
        <interface>wan</interface>
    =>  <remote-gateway>2001:aaaa::a</remote-gateway>
        <protocol>inet6</protocol>
    =>  <myid_type>myaddress</myid_type>
        <myid_data/>
    =>  <peerid_type>peeraddress</peerid_type>
        <encryption-algorithm>
            <name>aes</name>
            <keylen>256</keylen>
        </encryption-algorithm>
        <hash-algorithm>sha512</hash-algorithm>
        <dhgroup>21</dhgroup>
        <lifetime>28800</lifetime>
        <private-key/>
        <certref/>
        <caref/>
        <authentication_method>pre_shared_key</authentication_method>
        <descr/>
        <nat_traversal>on</nat_traversal>
        <mobike>off</mobike>
        <dpd_delay>10</dpd_delay>
        <dpd_maxfail>5</dpd_maxfail>
    </phase1>

Next I try to use DNS for the remote gateway:

DNS settings are:

fw1.mycompagny.com    AAAA    2001:aaaa::a
fw2.mycompagny.com    AAAA    2001:bbbb::b

    <phase1>
        <ikeid>1</ikeid>
        <iketype>ikev2</iketype>
        <interface>wan</interface>
    =>  <remote-gateway>fw1.mycompagny.com</remote-gateway>
        <protocol>inet6</protocol>
    ->  <myid_type>myaddress</myid_type>
        <myid_data/>
    ->  <peerid_type>peeraddress</peerid_type>
        <encryption-algorithm>
            <name>aes</name>
            <keylen>256</keylen>
        </encryption-algorithm>
        <hash-algorithm>sha512</hash-algorithm>
        <dhgroup>21</dhgroup>
        <lifetime>28800</lifetime>
        <private-key/>
        <certref/>
        <caref/>
        <authentication_method>pre_shared_key</authentication_method>
        <descr/>
        <nat_traversal>on</nat_traversal>
        <mobike>off</mobike>
        <dpd_delay>10</dpd_delay>
        <dpd_maxfail>5</dpd_maxfail>
    </phase1>

See attached screenshot: "Remote identifier" is IPv4 (fw1.mycompagny.com).

Changing phase 1 identifiers solved the issue.

Regards,


Files

2016-06-22_09h35_28.png (18.4 KB): IPsec status with DNS as remote GW. Sébastien Boulet, 06/22/2016 02:44 AM
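A pre-flight check for the configuration in this report, added here as an example; it is not pfSense or strongSwan code and not the reporter's. It parses a trimmed copy of the `<phase1>` entry, resolves the remote gateway only in the address family that `<protocol>` selects (AAAA for inet6, A for inet), and flags the combination the report describes: a DNS name as remote gateway together with the address-based identifier types `myaddress` and `peeraddress`. The `check_phase1` function, the `(hostname, rrtype)` resolver interface and the offline zone table are assumptions; the hostnames and addresses are the ones given above.

```python
"""Pre-flight lint for a pfSense-style IPsec <phase1> whose remote gateway
may be a DNS name.  Added example, not pfSense or strongSwan code.  It
assumes the XML layout shown in the report and a resolver callable that
takes (hostname, rrtype) and returns a list of address strings.
"""
import ipaddress
import socket
import xml.etree.ElementTree as ET

# Constructed stand-in for the reporter's zone, which publishes AAAA only.
FAKE_ZONE = {
    ("fw1.mycompagny.com", "AAAA"): ["2001:aaaa::a"],
    ("fw2.mycompagny.com", "AAAA"): ["2001:bbbb::b"],
}

RRTYPE_FOR_PROTOCOL = {"inet": "A", "inet6": "AAAA"}
VERSION_FOR_PROTOCOL = {"inet": 4, "inet6": 6}
# Identifier types that are derived from an address rather than set explicitly.
ADDRESS_ID_TYPES = {"myid_type": "myaddress", "peerid_type": "peeraddress"}

# Trimmed copies of the report's two phase 1 entries (unrelated elements dropped).
PHASE1_LITERAL = """<phase1>
  <remote-gateway>2001:aaaa::a</remote-gateway>
  <protocol>inet6</protocol>
  <myid_type>myaddress</myid_type>
  <peerid_type>peeraddress</peerid_type>
</phase1>"""
PHASE1_DNS = PHASE1_LITERAL.replace("2001:aaaa::a", "fw1.mycompagny.com")


def fake_resolver(host, rrtype):
    """Offline resolver over the constructed zone; [] when no such record."""
    return FAKE_ZONE.get((host.lower().rstrip("."), rrtype), [])


def live_resolver(host, rrtype):
    """Real resolver pinned to one family: with an explicit AF_INET/AF_INET6,
    getaddrinfo never silently falls back to the other family."""
    family = socket.AF_INET6 if rrtype == "AAAA" else socket.AF_INET
    try:
        infos = socket.getaddrinfo(host, None, family, socket.SOCK_DGRAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_literal_address(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_phase1(xml_text, resolver=fake_resolver):
    """Return the gateway addresses in the configured family plus a list of
    findings to review before enabling the tunnel."""
    p1 = ET.fromstring(xml_text)
    gateway = p1.findtext("remote-gateway", "").strip()
    protocol = p1.findtext("protocol", "inet").strip()
    rrtype = RRTYPE_FOR_PROTOCOL[protocol]
    want_version = VERSION_FOR_PROTOCOL[protocol]
    findings = []

    if is_literal_address(gateway):
        addresses = [gateway]
    else:
        addresses = resolver(gateway, rrtype)
        if not addresses:
            findings.append(f"{gateway} has no {rrtype} record, so protocol "
                            f"{protocol} cannot reach it")
        # The report pairs a DNS gateway with address-based identifiers and
        # gets an IPv4 remote identifier; explicit identifiers fixed it.
        for element, addr_type in ADDRESS_ID_TYPES.items():
            if p1.findtext(element, "") == addr_type:
                findings.append(f"{element}={addr_type} with a DNS remote "
                                f"gateway: set an explicit identifier instead")

    # Whatever was resolved must be in the family phase 1 is configured for.
    for addr in addresses:
        version = ipaddress.ip_address(addr).version
        if version != want_version:
            findings.append(f"{addr} is IPv{version} but protocol is {protocol}")

    return {"gateway": gateway, "protocol": protocol,
            "addresses": addresses, "findings": findings}


if __name__ == "__main__":
    for label, xml_text in (("literal", PHASE1_LITERAL), ("dns", PHASE1_DNS)):
        result = check_phase1(xml_text)
        print(label, result["addresses"], *result["findings"], sep="\n  ")
```

Run as a script it lints both entries against the offline zone; pass `live_resolver` to check a real zone. Pinning `getaddrinfo` to one family is the point of the helper: a lookup that defaults to IPv4 can hand an inet6 phase 1 an identifier of the wrong family, which is one way to arrive at the symptom in the screenshot (an IPv4 remote identifier on an IPv6 tunnel).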
#1

Updated by Viktor Gurov about 4 years ago

  • Status changed from New to Closed

no such issue on 2.4.4-p3 and 2.5.0.a.20200211.1811
