Dual stack Routed IPsec (VTI) has some issues.

[Napsterbater]

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

• I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
• I have searched the existing issues and I am convinced that mine is new.

Describe the bug

Dual stack Routed IPsec (VTI) has some issues, adding/enabling 2nd Phase 2 with IPv6 breaks IPv4 Phase 2, disabling IPv6 phase 2 allows both IPv4 and IPv6 to work.

To Reproduce

Steps to reproduce the behavior:

Create a Phase 1
Then create 2 phase 2s, one IPv4 and one IPv6

When both are enabled/connected upon startup only an IPv6 address and route is created for the IPsec tunnel.
Disabling the IPv6 phase two then allows a IPv4 address and route to be created in addition to leaving the IPv6 address and route, thus allowing both to work.

Expected behavior

Both an IPv6 and IPv4 address and route should be created and work without cycling the IPv6 Phase 2

Relevant log files

Interface and route outputs.

With IPv6 Phase 2 enabled/connected
`

Status	up
MAC address	00:00:00:00:00:00 - XEROX CORPORATION
MTU	1400
IPv6 link-local	fe80::21b:21ff:fe65:34b0/64
IPv6 address	fda9:26a9:1c47:ffff::1/126
In/out packets	5070 / 164 (172 KB / 9 KB)
In/out packets (pass)	5070 / 164 (172 KB / 9 KB)
In/out packets (block)	0 / 0 (0 bytes / 0 bytes)
In/out errors	0 / 0
Collisions	0
`
`
ipv6	fda9:26a9:1c47:ffff::/126
ipv6	fda9:26a9:1c47:ffff::1
`

With IPv6 Phase 2 disabled and only the IPv4 phase 2. Note the Ipv6 address still shows for some reason as well as the Ipv6 route,, but the IPv4 address and route shows up as well.
`

Status	up
MAC address	00:00:00:00:00:00 - XEROX CORPORATION
MTU	1400
IPv4 address	10.255.0.1/30
IPv6 link-local	fe80::21b:21ff:fe65:34b0/64
IPv6 address	fda9:26a9:1c47:ffff::1/126
In/out packets	5095 / 288 (173 KB / 14 KB)
In/out packets (pass)	5095 / 288 (173 KB / 14 KB)
In/out packets (block)	0 / 0 (0 bytes / 0 bytes)
In/out errors	0 / 31
Collisions	0
`
`
ipv4	10.255.0.1
--	--
ipv4	10.255.0.2
`

Additional context

Restarting the system with the IPv6 phase 2 disabled only allows Ipv4 to work until the IPv6 phase 2 is cycled on then off again, then both Ipv4 and IPv6 work.

Environment

Software version used and hardware type if relevant, e.g.:

OPNsense 21.1.3_3-amd64
Win Server 2019 Hyper-V Temporarily during cutover/migration
AMD Ryzen 9 3950X, 8 cores assigned, 4GB of RAM.

[Napsterbater]

I have migrated to a Physical OPNsense system now, and after importing the configuration the behavior is the same.
Upon a restart I have cycle the IPv6 Phase 2 on then off to have both IPv6 and IPv4 on the tunnel.

[Napsterbater]

This still occurs on 21.1.4

[OPNsense-bot]

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository,
please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue,
just let us know, so we can reopen the issue and assign an owner to it.

[Napsterbater]

This still occurs on 21.7.6

[Napsterbater]

This is still occurring in 22.1.8_1

[mimugmail]

Did you search around if this is FreeBSD related? Are there any logs? Why not using 2 tunnels for each protocol?

[Napsterbater]

Did you search around if this is FreeBSD related?

Nothing I have found.

Are there any logs?

Nothing that stands out or seemingly useful that I have found. But open to suggestions on where else to look, or knobs to turn to get better information.

Why not using 2 tunnels for each protocol?

... Because interoperating with other devices/implementations expect both on a single Phase 1, like normal.

[mimugmail]

Can you just post the logs when adding the second P2 and the connection setup? Also the part in IPsec.conf? And did you test against different devices (other site) or OPNsense against OPNsense?

[Napsterbater]

Can you just post the logs when adding the second P2 and the connection setup? Also the part in IPsec.conf?

ipsec.log
ipsec.txt
Text file is the ipsec.conf had to rename to upload.

Here are the 2 Files, I have IPsec debug set to highest for all options.

The Log starts when I enabled the phase 1 with both phase 2's already active. On line 46 (11:34:40) I disabled then applied the IPv6 phase 2, At that point both Phase 2's continue working and IPv4 AND IPv6 traffic is passed.

And did you test against different devices (other site) or OPNsense against OPNsense?
When I started this but report I was using IPsec between 2 OPNsense devices and had to do the disable the IPv6 phase 2 trick on both sides. I ended up abandoning IPsec on OPNsense for this reason, but now IPsec is the only option to VPN into many cloud networks such as in this case Oracle Could, but this isn't limited to them, this feels like a local OPNsense issue since the IPv4 address does not populate on the interface when it is initialized with both IPv4 and IPv6.

[trunet]

To everybody here, I opened #6022 and I figure it out it was related to Tunnel isolation option in phase 1 being disabled. When you enable, it'll create both interfaces.