Bug #6518 (closed): IPsec phase 1 VPN not working with IPv6+DNS with "My IP Address" as identifier
Status: Closed
Priority: Low
Assignee: -
Category: IPsec
Target version: -
Start date: 06/22/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.3.1
Affected Architecture:
Description
Hi,
I'm running pfSense:
2.3.1-RELEASE-p5 (amd64) built on Thu Jun 16 12:53:15 CDT 2016 FreeBSD 10.3-RELEASE-p3
I have 2 pfSense fw, with IPv6 internet access:
- fw1 : 2001:aaaa::a
- fw2 : 2001:bbbb::b
I've configured an IPsec VPN using IPv6 for phase 1, everything is working fine (fw1 conf is symmetric):
<phase1>
  <ikeid>1</ikeid>
  <iketype>ikev2</iketype>
  <interface>wan</interface>
  => <remote-gateway>2001:aaaa::a</remote-gateway>
  <protocol>inet6</protocol>
  => <myid_type>myaddress</myid_type>
  <myid_data/>
  => <peerid_type>peeraddress</peerid_type>
  <encryption-algorithm>
    <name>aes</name>
    <keylen>256</keylen>
  </encryption-algorithm>
  <hash-algorithm>sha512</hash-algorithm>
  <dhgroup>21</dhgroup>
  <lifetime>28800</lifetime>
  <private-key/>
  <certref/>
  <caref/>
  <authentication_method>pre_shared_key</authentication_method>
  <descr/>
  <nat_traversal>on</nat_traversal>
  <mobike>off</mobike>
  <dpd_delay>10</dpd_delay>
  <dpd_maxfail>5</dpd_maxfail>
</phase1>
Next I try to use DNS for remote gateway.
DNS settings are:
fw1.mycompagny.com AAAA 2001:aaaa::a
fw2.mycompagny.com AAAA 2001:bbbb::b
<phase1>
  <ikeid>1</ikeid>
  <iketype>ikev2</iketype>
  <interface>wan</interface>
  => <remote-gateway>fw1.mycompagny.com</remote-gateway>
  <protocol>inet6</protocol>
  -> <myid_type>myaddress</myid_type>
  <myid_data/>
  -> <peerid_type>peeraddress</peerid_type>
  <encryption-algorithm>
    <name>aes</name>
    <keylen>256</keylen>
  </encryption-algorithm>
  <hash-algorithm>sha512</hash-algorithm>
  <dhgroup>21</dhgroup>
  <lifetime>28800</lifetime>
  <private-key/>
  <certref/>
  <caref/>
  <authentication_method>pre_shared_key</authentication_method>
  <descr/>
  <nat_traversal>on</nat_traversal>
  <mobike>off</mobike>
  <dpd_delay>10</dpd_delay>
  <dpd_maxfail>5</dpd_maxfail>
</phase1>
See attached screenshot: "Remote identifier" is IPv4 (fw1.mycompagny.com).
Changing phase 1 identifiers solved the issue.
Regards,
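The mismatch the report describes, as an added example that is not pfSense code: deriving the peeraddress identifier from <remote-gateway> with a lookup that honours <protocol>, beside a family-blind lookup that tries A before AAAA, plus a check that flags a peer identifier whose address family disagrees with <protocol>. The DNS table (including an assumed A record on fw1), the phase 1 fragment and the function names are all constructed for this illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed DNS data standing in for the reporter's zone; the A record on fw1
# is an assumption, added to show how a family-blind lookup goes wrong.
DNS_RECORDS = {
    "fw1.mycompagny.com": {"AAAA": ["2001:aaaa::a"], "A": ["203.0.113.1"]},
    "fw2.mycompagny.com": {"AAAA": ["2001:bbbb::b"]},
}

# Constructed phase 1 entry mirroring the report's DNS-based configuration.
PHASE1_XML = """<phase1>
  <ikeid>1</ikeid><iketype>ikev2</iketype><interface>wan</interface>
  <remote-gateway>fw1.mycompagny.com</remote-gateway>
  <protocol>inet6</protocol>
  <myid_type>myaddress</myid_type><myid_data/>
  <peerid_type>peeraddress</peerid_type>
</phase1>"""

def lookup(host, rrtypes, records):
    """Return the first address found for host, trying record types in order."""
    for rrtype in rrtypes:
        for addr in records.get(host, {}).get(rrtype, []):
            return ipaddress.ip_address(addr)
    raise LookupError(f"no {'/'.join(rrtypes)} record for {host}")

def peer_identifier(xml_text, honour_protocol=True, records=DNS_RECORDS):
    """Derive the 'peeraddress' identifier from <remote-gateway>.
    honour_protocol=True restricts the lookup to the family named in <protocol>;
    False tries A before AAAA, a family-blind order that reproduces the symptom
    in the report (IPv6 tunnel, remote identifier comes out as an IPv4 address).
    """
    p1 = ET.fromstring(xml_text)
    gateway, protocol = p1.findtext("remote-gateway"), p1.findtext("protocol")
    try:
        return ipaddress.ip_address(gateway)  # literal address: nothing to resolve
    except ValueError:
        pass
    rrtypes = ["AAAA" if protocol == "inet6" else "A"] if honour_protocol else ["A", "AAAA"]
    return lookup(gateway, rrtypes, records)

def check_phase1(xml_text, honour_protocol=True, records=DNS_RECORDS):
    """Flag a peer identifier whose address family disagrees with <protocol>."""
    protocol = ET.fromstring(xml_text).findtext("protocol")
    peer = peer_identifier(xml_text, honour_protocol, records)
    mismatch = peer.version != (6 if protocol == "inet6" else 4)
    return {"peer_id": str(peer), "mismatch": mismatch}
```

With the family-aware lookup the identifier is 2001:aaaa::a and no mismatch is reported; the family-blind order yields the IPv4 address and the check flags it, which is the condition a config validator should refuse before writing the IKE configuration.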
Updated by Viktor Gurov about 4 years ago
- Status changed from New to Closed
No such issue on 2.4.4-p3 and 2.5.0.a.20200211.1811.