-
Notifications
You must be signed in to change notification settings - Fork 701
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IPSec ESP not decrypted via IPv6 transport #6964
Comments
Support? |
can always be relabeled at a later moment in time if it appears to be a bug on our end. Most logical reason at the moment is a configuration issue, like a missing firewall rule. |
I see |
I will test this with my Android StrongSwan Client over IPv6. I have PPPoE with true dual stack, fixed IP and Prefix, and I know the roadwarrior configuration with IPsec Connections in depth. Whats the testing baseline, did you create the RoadWarrior tunnel with the docs here? https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html EDIT: https://wiki.strongswan.org/versions/79 EDIT2: I have tested it quickly with an IPv6 AAAA only hostname, enabled "Use IPv6 transport addresses" in the StrongSwan Android client. The Tunnel is up and I can see the UDP-encap ESP packets on UDP 4500 on the WAN interface. But they're not decapsulated and don't hit the if_enc(4) interface. I'll look into if it's a firewall issue, but my firewall rules allow IPv6 UDP 500 and 4500, and ESP. Otherwise the tunnel wouldn't even be established. EDIT3: EDIT4: |
https://forum.opnsense.org/index.php?topic=22254.0
Result:
|
https://forums.freebsd.org/threads/error-when-starting-up-strongswan.90468/ |
Thank you very much for the confirmation of this. You have my respect salute |
Close for now? I'll screen the FreeBSD source code for changes in that area. |
|
That's very interesting thanks for sharing. Just today someone in the forum stumbled across this not working too by chance. With many ISPs only implementing CG-NAT and IPv6, it becomes more and more of a requirement: https://forum.opnsense.org/index.php?topic=36742.0 So the alternative seems to be wireguard right now. |
Wireguard could be an alternative on greenfield, but out in the wild there is a lot of IPSec and that won't change anytime soon... |
It seems like there are now patches for NAT-T / ESP-in-UDP for IPv6 in Freebsd : |
This issue has been automatically timed-out (after 180 days of inactivity). For more information about the policies for this repository, If someone wants to step up and work on this issue, |
Added both patches to stable/24.7 as opnsense/src@18b8a9d5d3dd but it's not going to be part of our beta images for lack of prior coverage and FreeBSD release engineering (not on 14.1 or stable/14). |
@fichtner I just tested it on the testkernel and it works:
VPN client connects, udp encap with ipv6 is working, traffic goes through and gets encapsulated and decapsulated. Looks good imo. |
Ok let's keep the commit for the RC and see what happens 👍 |
Adjust note about udp transport with ipv6 opnsense/core#6964 (comment)
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Describe the bug
A dual stack IPSec road-warrior setup will work via IPv4 transport but not IPv6.
I verified that ESP packets arrive at the ingress interface (WAN in my case) but do not drop out of the IPSec interface.
Everything works fine for IPv4 transport...
To Reproduce
Expected behavior
Traffic flows via both protocol stacks
Additional context
Verified on Android (StrongSwan client) and Windows 11 (native client)
Verified for ESP and ESP in UDP
I am happy to share logs/pcap's, if it helps the cause
Environment
OPNSense 23.7.7_3 on KVM
Virtio NIC's
PPPoE dial-up - Deutsche Telekom (Germany) - true dual-stack - fixed IP/Prefix
The text was updated successfully, but these errors were encountered: