OPNsense Forum
Archive => 22.1 Legacy Series => Topic started by: kotashiratsuka on February 17, 2022, 12:28:37 pm
-
I am using it with ONsense and tunnelbroker.net on a VM on XCP-ng.
The client uses the IKEv2 feature of macOS/iOS/iPadOS
IPv4 IKEv2 Road Warier over IPv4/IPv6 Dual Stack Tunnel was working fine until 21.7.8
VPN is up on 22.1 and 22.1.1, but ICMP is not passing and no communication is possible
In 22.1, the client gets the IPv6 address, but the ping doesn't go through.
21.7.8 passes and communication is fine.
Firewall: Log Files: Live View
The packet seems to pass through OPNsense, but there is no response.
any hint?
-
Hi,
did you find a solution for this issue? i hope this is not really an issue with 22.1, i use dualstack ikev2 road warrior in production and plan to hop on 22.1 on the next minor update.
-
No, 22.1.1 does not solve the problem.
Rolled back the OPNsense VM from Snapshot to 21.7.8 and it is working fine on 21.7.8
I also checked the difference in routing tables between 22.1 and 21.7.8, and there was no problem.
I hope this problem will be solved.
-
Hi,
i just did an upgrade on one of my private OPNsense installations and made my Mobile IKEv2 Dual Stack, no issues on my end, Windows and Android devices getting IPv4 and IPv6 and IPv6 is working fine.
-
I tried to set it up from the beginning, but still only v6 does not pass the icmp.
But I did notice something odd.
When I connect the VPN client from the LAN side of the router, it returns an icmp
If I switch my iPhone to a 4G/LTE network and go through the WAN, it still doesn't seem to be able to communicate!
Perhaps it is not pf but routing that is causing the problem.
I don't know the cause yet.
-
I tried with 22.1.2 and the development version, but still icmp does not reach only v6 as well
But while changing the settings, I noticed something odd.
Change any of the interface options in the WebGUI and apply them, and icmp will pass!
Or, at the console, you can use the
11) Reload all services
the icmp goes through with no problem, and the actual IPv6 communication is fine!
If you reboot and do not perform this procedure manually the problem will not be solved
Why?
-
I upgraded to 22.1.3 and the problem is still there!
I tried setting it to IPv4 over IPv6 phase 2 tunnel only, but icmp still does not go through
-
I raised it to 22.1.4 and revalidated it.
IPv6 is still not available only
I raised the debug level and investigated the logs
[KNL] <con1|1> installing route failed: 2001:AAAA:BBBB:5::1/128 via <ISP Upstrem> src %any6 dev pppoe0
[KNL] <con1|1> adding PF_ROUTE route failed: Invalid argument
adding PF_ROUTE route failed
I have looked up various descriptions of this error
https://wiki.strongswan.org/issues/3285
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255678
https://github.com/strongswan/strongswan/issues/275
This will be fixed in 13.1-RELEASE?
But what I wonder is that the same error appears in 21.7.8, but the communication itself is fine.
I also thought it might be a strongswan issue, so I ran pkg create strongswan on 21.7.8, then pkg install and restart on 22.1.4... same problem, only IPv6 was not available.
On the contrary, strongswan-5.9.4 works fine on 21.7.8
It may still be a problem with FreeBSD 13.0
-
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255678 is already included in 22.1.x as we use 13-STABLE.
It would make sense to try and respond there that IPv6 might not be fixed?
Cheers,
Franco
-
Over the last few days I've done quite a bit of research in ipsec.conf and debug logs, and while I can't be sure, I have a feeling it's a FreeBSD 13 and Strongswan issue.
I'm thinking of waiting a bit to see if the problem resolves itself.
-
Over the last few days I've done quite a bit of research in ipsec.conf and debug logs, and while I can't be sure, I have a feeling it's a FreeBSD 13 and Strongswan issue.
I'm thinking of waiting a bit to see if the problem resolves itself.