OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: Timmey22 on May 17, 2021, 11:44:29 am

Title: Route-based IPv6 IPSec Site to Site Dyndns strange behaviour
Post by: Timmey22 on May 17, 2021, 11:44:29 am
TL;DR:
A route-based IPsec tunnel (IKEv2 over IPv6) is not working when using FQDNs or "::" as the remote gateway and/or the Dynamic gateway option. Is this behaviour expected?

Hi,

I am currently trying to set up an IPsec IKEv2 IPv6 site-to-site tunnel with route-based phase 2 (IPv4) between two OPNsense firewalls.
I have already established an OpenVPN peer-to-peer tunnel over UDP6, which is working fine, but I want to rely on IPsec primarily and only fall back to OpenVPN (via BGP) in case the IPsec tunnel is not established.
As you can see in the attached image, both firewalls have an IPv6 address and a private or carrier-grade NAT IPv4 address configured on their WAN interface.
I have configured IPsec on both sides and experience the following problems when using DynDNS FQDNs on both ends:

Scenario 1:
Left side:
Connection method: start immediate
Remote gateway: FQDN of other peer
Dynamic gateway: unchecked

Right side:
Connection method: respond only
Remote gateway: FQDN of other peer
Dynamic gateway: unchecked

Result: Tunnel is up and remote tunnel ip is reachable via icmp.

Scenario 2:
Left side:
Connection method: start immediate
Remote gateway: FQDN of other peer
Dynamic gateway: unchecked

Right side:
Connection method: respond only
Remote gateway: FQDN of other peer
Dynamic gateway: checked

Result: On both peers phase 2 is up; I can see the entries in the security policy database. The tunnel IP of the right peer is not reachable via ICMP, and I can see that bytes are transmitted from the left side to the right side on both peers, but the right side is not sending any bytes.

In the log of the right-side peer I see this message: <con3|2> querying policy 0.0.0.0/0 === 0.0.0.0/0 out failed, not found

Comparing the /usr/local/etc/ipsec.conf of scenarios 1 and 2, only the line "rightallowany = yes" was added on the right-side peer.


Scenario 3:
Left side:
Connection method: start immediate
Remote gateway: FQDN of other peer
Dynamic gateway: unchecked

Right side:
Connection method: respond only
Remote gateway: ::
Dynamic gateway: checked

Result: On both peers phase 2 is up; I can only see the entries in the security policy database on the left-side peer, not on the right side. The tunnel IP of the right peer is not reachable via ICMP, and I can see that bytes are transmitted from the left side to the right side on both peers, but the right side is not sending any bytes.

Comparing the /usr/local/etc/ipsec.conf of scenarios 2 and 3, only the line "right = " was altered on the right-side peer from the FQDN to "::".

Scenario 4:
Left side:
Connection method: start immediate
Remote gateway: FQDN of other peer
Dynamic gateway: unchecked

Right side:
Connection method: respond only
Remote gateway: ::
Dynamic gateway: unchecked

Result: On both peers phase 2 is up; I can only see the entries in the security policy database on the left-side peer, not on the right side. The tunnel IP of the right peer is not reachable via ICMP, and I can see that bytes are transmitted from the left side to the right side on both peers, but the right side is not sending any bytes.

Comparing the /usr/local/etc/ipsec.conf of scenarios 3 and 4, only the line "rightallowany = yes" was removed on the right-side peer.

On the right-side peer I can see in the log: querying policy 0.0.0.0/0 === 0.0.0.0/0 in failed, not found


Since the left side will receive a new IPv6 address every day, I would like to allow any address to connect to the right-side peer, but this is not working for me at the moment. Has anyone experienced this as well, or is this behaviour expected?
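The post compares /usr/local/etc/ipsec.conf by hand after each GUI change to find which key moved between scenarios. The following is an added example, not code from the post or from OPNsense: a small parser for strongSwan's ipsec.conf section syntax and a diff of the "conn" settings between two versions of the file. The embedded sample files are constructed to mirror the right-side changes the post describes (scenario 1 to 2 adds "rightallowany = yes", scenario 2 to 3 changes "right" from the FQDN to "::"); they only approximate what OPNsense 21.1 actually writes, and the hostname and addresses are placeholders.

```python
"""Diff the section settings of two strongSwan ipsec.conf files.

Added example (not from the forum post or OPNsense). Run it against the
generated /usr/local/etc/ipsec.conf before and after a GUI change to see
exactly which keys were added, removed or altered.
"""
import re
from typing import Dict, Optional, Tuple

SectionMap = Dict[str, Dict[str, str]]
DiffMap = Dict[str, Dict[str, Tuple[Optional[str], Optional[str]]]]

# Section headers start in column 0: "config setup", "conn con3", "ca foo".
SECTION_RE = re.compile(r"^(conn|ca|config)\s+(\S+)\s*$")


def parse_ipsec_conf(text: str) -> SectionMap:
    """Return {"conn con3": {"right": "::", ...}, ...} for every section.

    Indented "key = value" lines belong to the most recent section header;
    '#' comments and blank lines are skipped.
    """
    sections: SectionMap = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        header = SECTION_RE.match(line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def diff_sections(old: SectionMap, new: SectionMap) -> DiffMap:
    """Per section, map changed key -> (old_value, new_value); None = absent."""
    result: DiffMap = {}
    for name in sorted(set(old) | set(new)):
        a, b = old.get(name, {}), new.get(name, {})
        changed = {k: (a.get(k), b.get(k))
                   for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
        if changed:
            result[name] = changed
    return result


def describe(diff: DiffMap) -> str:
    """Human-readable one-line-per-change summary of a diff."""
    lines = []
    for section, changes in diff.items():
        for key, (before, after) in changes.items():
            lines.append(f"{section}: {key}: {before or '<absent>'} -> {after or '<absent>'}")
    return "\n".join(lines) or "no differences"


# Constructed sample: an approximation of the responder ("right side") config
# in scenario 1 of the post. Hostnames/addresses are placeholders.
SCENARIO1_RIGHT = """\
config setup
  uniqueids = yes

conn con3
  keyexchange = ikev2
  auto = add                          # "respond only"
  left = 2001:db8:2::1
  right = left-peer.dyndns.example    # FQDN of the other peer
  leftsubnet = 0.0.0.0/0              # route-based: catch-all traffic selectors
  rightsubnet = 0.0.0.0/0
"""

# Scenario 2: "Dynamic gateway" checked -> only rightallowany is added.
SCENARIO2_RIGHT = SCENARIO1_RIGHT + "  rightallowany = yes\n"

# Scenario 3: remote gateway set to "::" -> only the right= value changes.
SCENARIO3_RIGHT = SCENARIO2_RIGHT.replace("right = left-peer.dyndns.example", "right = ::")


def scenario_diff(before: str, after: str) -> DiffMap:
    """Parse both files and return the settings diff."""
    return diff_sections(parse_ipsec_conf(before), parse_ipsec_conf(after))


if __name__ == "__main__":
    print("scenario 1 -> 2:\n" + describe(scenario_diff(SCENARIO1_RIGHT, SCENARIO2_RIGHT)))
    print("scenario 2 -> 3:\n" + describe(scenario_diff(SCENARIO2_RIGHT, SCENARIO3_RIGHT)))
```

To compare real files, read both copies of /usr/local/etc/ipsec.conf (saved before and after the GUI change) and pass their contents to scenario_diff; the parser only understands the flat "section header plus indented key = value" layout, so "also=" includes are reported as an ordinary key rather than expanded.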