OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: danderson on August 09, 2023, 07:46:01 PM

Title: IPSEC Connections IPV6
Post by: danderson on August 09, 2023, 07:46:01 PM
So I have this working fine for V4 and dynamic DNS names, but it's giving me an error that the identifier contains invalid characters in PSKs for V6 addresses.
Title: Re: IPSEC Connections IPV6
Post by: Patrick M. Hausen on August 09, 2023, 07:49:57 PM
The identifier does not need to be the actual IP address used. You can use an FQDN or in fact "anything" as long as both ends agree what their respective identifiers are.
Title: Re: IPSEC Connections IPV6
Post by: danderson on August 09, 2023, 07:57:52 PM
OK, then on my one remote side (ASA) I have to figure out how to change the ident it sends, or on the OPNsense side whether I can change what it sends/what it expects.
Title: Re: IPSEC Connections IPV6
Post by: Patrick M. Hausen on August 09, 2023, 08:11:32 PM
Sorry not to be more specific but I have yet to set up my first IPv6 IPsec tunnel myself. I just happen to know that you can use e.g. hostmaster@company1.com and hostmaster@company2.com as identifiers if both sides agree.
Title: Re: IPSEC Connections IPV6
Post by: danderson on August 09, 2023, 08:19:42 PM
Understood, but where in OPNsense can I set what it identifies the tunnel as outbound? Would the image below be where I set the ID for outbound and for the remote side for the inbound? As I said previously, it's worked with IP addr, but if I can set it as something else as you state, then I can get it to auth with those IDs.
Title: Re: IPSEC Connections IPV6
Post by: Patrick M. Hausen on August 09, 2023, 08:26:40 PM
Yes, ID is the field. You can set it to an IPv4 address even when using IPv6 for the actual connection. The ID and the IP address used need not be identical.

This is frequently the case with an IPsec gateway behind some NAT device. The peer IP address is the external address of the NAT. The ID is the internal IP address of the IPsec peer - or you set the ID at that peer to the external NAT address, then it is that.

IDs have to follow certain conventions, though. FQDNs, email addresses, IP addresses, X.509 distinguished names - IIRC that's it.
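To make the identifier conventions above concrete, here is an added example (not OPNsense or strongSwan code) that classifies an IKEv2 identifier into the ID types RFC 7296 section 3.5 defines, normalises it so that the two peers can be checked for agreement regardless of spelling (IPv6 address written with or without leading zeros, FQDN case and trailing dot), and shows with a deliberately naive, hypothetical character allowlist why an IPv6 literal trips a check that only expects hostnames, e-mail addresses and dotted quads. RFC 7296 also defines ID_KEY_ID (an opaque octet string), which the post does not list; it is included in the constants for completeness. All peer names and addresses in the sample data are constructed.

```python
"""IKEv2 identifier classification and peer-agreement check (added example).

Not OPNsense or strongSwan code. Implements the ID types of RFC 7296 sec. 3.5
and demonstrates the point from the thread: the ID is a label both peers agree
on, independent of the IP address the IKE packets actually travel between.
"""
import ipaddress
import re

# ID type values from RFC 7296 section 3.5 (Identification Payload)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9
ID_KEY_ID = 11  # opaque octet string; not produced by classify_identifier()

# One DNS label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# "Fully qualified" here means at least two labels; a trailing dot is tolerated
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")
_RFC822_RE = re.compile(rf"^[^@\s,]+@(?:{_LABEL}\.)+{_LABEL}$")
# One "attr=value" component of an X.509 distinguished name, e.g. "CN=vpn.example.net"
_DN_PART_RE = re.compile(r"^\s*[A-Za-z][A-Za-z0-9.]*=\S.*$")


def classify_identifier(ident: str) -> int:
    """Return the RFC 7296 ID type for a textual identifier, or raise ValueError."""
    ident = ident.strip()
    if not ident:
        raise ValueError("empty identifier")
    # IP literals first: ipaddress handles both IPv4 dotted quads and IPv6
    # including the '::' zero-run compression that a character allowlist chokes on.
    try:
        addr = ipaddress.ip_address(ident)
        return ID_IPV4_ADDR if addr.version == 4 else ID_IPV6_ADDR
    except ValueError:
        pass
    if _RFC822_RE.match(ident):
        return ID_RFC822_ADDR
    if _FQDN_RE.match(ident):
        return ID_FQDN
    if all(_DN_PART_RE.match(part) for part in ident.split(",")):
        return ID_DER_ASN1_DN
    raise ValueError(f"identifier {ident!r} is not an IP address, FQDN, e-mail address or DN")


def normalize_identifier(ident: str) -> str:
    """Canonical text form so that equivalent spellings compare equal."""
    id_type = classify_identifier(ident)
    ident = ident.strip()
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        return str(ipaddress.ip_address(ident))  # e.g. 2001:0DB8::0001 -> 2001:db8::1
    if id_type == ID_FQDN:
        return ident.lower().rstrip(".")  # DNS names are case-insensitive
    if id_type == ID_RFC822_ADDR:
        local, _, domain = ident.rpartition("@")
        return f"{local}@{domain.lower()}"
    return ident  # DN: leave as typed


def ids_agree(side_a: dict, side_b: dict) -> bool:
    """True if each side's local ID is what the other side expects as remote ID.

    Each dict has "local_id" and "remote_id". Peer IP addresses are deliberately
    not part of the comparison: with NAT in the path the packet source address
    and the IKE ID routinely differ, as the post above describes.
    """
    return (normalize_identifier(side_a["local_id"]) == normalize_identifier(side_b["remote_id"])
            and normalize_identifier(side_a["remote_id"]) == normalize_identifier(side_b["local_id"]))


def naive_allowlist_ok(ident: str) -> bool:
    """HYPOTHETICAL over-strict validator, constructed for illustration only.

    Not the OPNsense check. It admits hostnames, e-mail addresses and IPv4
    dotted quads but has no ':' in its allowlist, so every IPv6 literal fails.
    """
    return re.fullmatch(r"[A-Za-z0-9._@-]+", ident) is not None


if __name__ == "__main__":
    # Constructed sample: hub speaks IPv6, branch identifies by FQDN as in the thread
    hub = {"local_id": "2001:0DB8::0001", "remote_id": "vpn.branch.example."}
    branch = {"local_id": "VPN.branch.example", "remote_id": "2001:db8::1"}
    for ident in (hub["local_id"], branch["local_id"], "hostmaster@company1.com",
                  "C=DE, O=Example, CN=vpn.example.net"):
        print(f"{ident:40} type={classify_identifier(ident)} naive_ok={naive_allowlist_ok(ident)}")
    print("peers agree:", ids_agree(hub, branch))
```

Running the script shows the IPv6 literal classified as ID_IPV6_ADDR yet rejected by the naive allowlist, while the two peers still agree on their identities after normalisation; that combination is exactly the situation the thread describes, where the tunnel is fine once the IDs are something the validator accepts.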
Title: Re: IPSEC Connections IPV6
Post by: danderson on August 09, 2023, 08:29:45 PM
Perfect, thanks. I just found in the ASA on my remote side that it was set to IP; I'm going to set it to hostname and then change it on the OPNsense side.
Title: Re: IPSEC Connections IPV6
Post by: danderson on August 09, 2023, 08:51:25 PM
OK, so I got it working after I changed the remote ASA from IP to hostname, then updated the OPNsense IDs accordingly.

As many use IP addresses, I think the pre-shared keys page still needs to be fixed to allow IPv6 addresses; it's most likely not liking the :'s or ::'s.
Title: Re: IPSEC Connections IPV6
Post by: Patrick M. Hausen on August 09, 2023, 09:02:24 PM
Would you file an issue on github, please?
Title: Re: IPSEC Connections IPV6
Post by: danderson on August 09, 2023, 11:23:52 PM
Done

https://github.com/opnsense/core/issues/6727