VTI IPv6 addresses don't get assigned
When an IPsec VPN has a v6 VTI phase 2 assigned, the address is never assigned to the ipsecXXXX interface due to this error:
/vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec2000' inet '2001:db8::2/126' '2001:db8::1'' returned exit code '1', the output was 'ifconfig: 2001:db8::2/126: bad value (width too large)'
If I manually assign the address with
/sbin/ifconfig 'ipsec2000' inet6 '2001:db8::2/126'
then the tunnel will happily pass IPv6 traffic between the addresses.
It seems that the v6 addresses are incorrectly identified as v4, and I also don't think that it is the correct syntax for a v6 address, as if I just change the inet to inet6 I get this error:
ifconfig: ioctl (SIOCAIFADDR): Invalid argument
#1 Updated by Ben Hughes 4 months ago
It seems that the is_ipaddrv6 function checks for a "/" in the address and, if so, decides it can't possibly be a v6 address. The PEAR Net_IPv6 module does correctly detect it as an IPv6 address, but this check is in there for compat reasons (not sure why). This is why it incorrectly tries to apply a v6 address as a v4 one. Also, the command to apply it doesn't seem to be correct either.
So a quick and very dirty hack that seems to solve the problem (introducing what else I don't know) is:
In src/etc/inc/util.inc:665 comment out the check for (strstr($ipaddr, "/")), and in src/etc/interfaces.inc:1441 alter the inet6 ifconfig call to remove the right side address and alias command.
That seems to reliably bring the VTI interface back up with both its IPv4 and IPv6 addresses and allow traffic to pass. Obviously it could do with a more production-ready fix, but hopefully it makes that a little bit easier to implement.
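The following is an added illustration of the two problems described in this comment, written for this page and not taken from pfSense's util.inc or interfaces.inc. It shows an address classifier that accepts a CIDR prefix length on both families instead of rejecting anything containing "/", checks that the prefix width fits the family (the "width too large" failure above), and builds the ifconfig call with the peer address only for the inet form, since the report shows the inet6 form failing with the peer appended. The function names (classify_ipaddr, vti_ifconfig_cmd) and the sample addresses are assumptions for the example.

```php
<?php
// Added example for this bug report; not pfSense code. Names are hypothetical.

// Split an optional "/prefix" off an address and classify the family.
// Returns null for anything that is not a valid v4/v6 address with a
// prefix length that fits its family.
function classify_ipaddr(string $addr): ?array {
    $host = $addr;
    $prefix = null;
    if (strpos($addr, '/') !== false) {
        [$host, $plen] = explode('/', $addr, 2);
        if ($plen === '' || !ctype_digit($plen)) {
            return null;
        }
        $prefix = (int) $plen;
    }
    // A "/" in the string is not a reason to reject v6: check the host part.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        if ($prefix !== null && $prefix > 128) {
            return null;            // width too large for IPv6
        }
        return ['family' => 'inet6', 'addr' => $host, 'prefixlen' => $prefix ?? 128];
    }
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        if ($prefix !== null && $prefix > 32) {
            return null;            // width too large for IPv4
        }
        return ['family' => 'inet', 'addr' => $host, 'prefixlen' => $prefix ?? 32];
    }
    return null;
}

// Build the ifconfig command for a VTI address pair. The local address may
// carry a prefix length; the remote is a bare peer address.
function vti_ifconfig_cmd(string $if, string $local, string $remote): ?string {
    $l = classify_ipaddr($local);
    $r = classify_ipaddr($remote);
    if ($l === null || $r === null || $l['family'] !== $r['family']) {
        return null;                // invalid or mixed-family pair
    }
    $cidr = $l['addr'] . '/' . $l['prefixlen'];
    if ($l['family'] === 'inet') {
        // IPv4 point-to-point: local/prefix followed by the peer address.
        return sprintf('/sbin/ifconfig %s inet %s %s',
            escapeshellarg($if), escapeshellarg($cidr), escapeshellarg($r['addr']));
    }
    // IPv6: address/prefix only. The report shows that appending the peer
    // to the inet6 form returns "ioctl (SIOCAIFADDR): Invalid argument",
    // while the bare address/prefix form assigns correctly.
    return sprintf('/sbin/ifconfig %s inet6 %s',
        escapeshellarg($if), escapeshellarg($cidr));
}

// Constructed sample inputs: the v6 pair from the report, a v4 pair,
// and an out-of-range v6 prefix that must be rejected.
foreach ([
    ['ipsec2000', '2001:db8::2/126', '2001:db8::1'],
    ['ipsec2000', '10.3.111.1/30', '10.3.111.2'],
    ['ipsec2000', '2001:db8::2/129', '2001:db8::1'],
] as [$if, $local, $remote]) {
    $cmd = vti_ifconfig_cmd($if, $local, $remote);
    echo $local, ' => ', $cmd ?? 'rejected', PHP_EOL;
}
```

Run with the php CLI; the first two inputs produce an inet6 and an inet command respectively, and the third is rejected before any ifconfig call is built rather than surfacing as an ifconfig error in the GUI log.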
#10 Updated by Jim Pingle about 1 month ago
- Status changed from Feedback to Resolved
VTI IPv6 is assigned as expected and works on 2.4.5.a.20191220.0501
: ifconfig ipsec4000
ipsec4000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1299
        tunnel inet 198.51.100.3 --> 198.51.100.20
        inet6 fe80::20c:29ff:fe45:256%ipsec4000 prefixlen 64 scopeid 0x9
        inet6 2001:db8:3:1111::1 prefixlen 64
        inet 10.3.111.1 --> 10.3.111.2 netmask 0xfffffffc
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        reqid: 4000
        groups: ipsec

: ping6 -S 2001:db8:3:1111::1 2001:db8:3:1111::2
PING6(56=40+8+8 bytes) 2001:db8:3:1111::1 --> 2001:db8:3:1111::2
16 bytes from 2001:db8:3:1111::2, icmp_seq=0 hlim=64 time=1.098 ms
16 bytes from 2001:db8:3:1111::2, icmp_seq=1 hlim=64 time=1.373 ms
(To another 2.4.5 system configured with the opposing addresses, so confirmed 2x)