[WORKAROUND] IPsec using IPv6 address although IPv4 selected

Started by Arvoreen, September 19, 2015, 10:19:57 AM

Hello,

it seems to me that if you enter a DNS name for the Remote gateway, and this resolves to both an IPv4 and an IPv6 address, it uses the IPv6 address even if you selected IPv4 as the Internet protocol in Phase 1.

Sincerely
Pol Bettinger

Hi Pol,

can you try enabling "System: Settings: Networking: Prefer to use IPv4 even if IPv6 is available" and see if that helps?


Cheers,
Franco

Hello,

yes, that works too.
I had already helped myself by using the IP instead of the DNS name.

Sincerely
Pol Bettinger

Ok, that is good to hear. It may be an arms race; preferring IPv6 may have other side effects down the road. The safest way would be to have an IPv6-only entry on the domain name, but that may also be out of your hands.

I will discuss with Ad whether there is a solution that could be applied to the IPsec handling to automatically prevent that from happening in the future, although I must say picking a DNS entry is not the IPsec daemon's job, as this might be handled by a system library.

Yes, I understand the problem. I also tested this on strongSwan between two of my servers and saw clearly that it also uses IPv6 there when I am using the DNS names.

So for me I think the main problem is that in OPNsense you can choose IPv4 or IPv6 while configuring IPsec, but I don't see what it could be good for, as at first sight it doesn't seem to have an effect on anything.

Sincerely
Pol Bettinger

It's used as a means to verify the remote gateway IP and the Phase 2 tunnel mode. Other than that, it's irrelevant. The only benefit I see is avoiding a few configuration errors, although using a hostname as you described subverts all of this checking anyway.

Not sure how to proceed. Maybe Ad can say whether ditching this has any bad side effects or not.

I don't have the ultimate solution to it either.

Because I selected IPv4, I felt safe that it would make the connection using IPv4 :-)

Perhaps a DNS check of the remote host if IPv4 is selected might help, displaying a warning if the DNS name then resolves to an IPv6 address (and the same with inverse logic if IPv6 is selected).

Sincerely
Pol Bettinger
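The check suggested in the last post, as an added example that is not part of the thread or of OPNsense's own code: resolve the remote gateway, compare the record families against the Phase 1 protocol selection, and return a warning when they disagree. The function name `check_remote_gateway`, the `resolve` parameter and the `FAKE_DNS` table are assumptions made for illustration; the table uses documentation address ranges (RFC 5737 / RFC 3849) so the example runs offline, and `system_resolve` shows the same lookup against the real OS resolver.

```python
import socket
import ipaddress

# Constructed DNS table standing in for real resolution so the example runs
# offline. Addresses are documentation ranges, not real gateways.
FAKE_DNS = {
    "vpn-dual.example.net": ["192.0.2.10", "2001:db8::10"],  # A + AAAA
    "vpn-v4.example.net":   ["192.0.2.20"],                  # A only
    "vpn-v6.example.net":   ["2001:db8::30"],                # AAAA only
}


def fake_resolve(hostname):
    """Resolver used for the offline demonstration."""
    return list(FAKE_DNS.get(hostname, []))


def system_resolve(hostname):
    """Resolve with the OS resolver (needs network); returns both families.
    Passing family=socket.AF_INET here instead of AF_UNSPEC is the low-level
    equivalent of 'prefer IPv4': only A records come back."""
    infos = socket.getaddrinfo(hostname, None, family=socket.AF_UNSPEC)
    return sorted({info[4][0] for info in infos})


def check_remote_gateway(remote, selected_family, resolve=system_resolve):
    """Validate a Phase 1 remote gateway against the selected IP version.

    remote:          hostname or IP literal from the Phase 1 form
    selected_family: 4 or 6, the 'Internet Protocol' chosen in Phase 1
    Returns (usable_addresses, warnings). usable_addresses contains only
    addresses of the selected family; warnings is empty when the entry is
    unambiguous.
    """
    if selected_family not in (4, 6):
        raise ValueError("selected_family must be 4 or 6")
    other_family = 6 if selected_family == 4 else 4

    # An IP literal sidesteps DNS entirely (the workaround used in the thread);
    # only check that the literal matches the selected family.
    try:
        ip = ipaddress.ip_address(remote)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.version != selected_family:
            return [], [f"{remote} is an IPv{ip.version} literal but "
                        f"IPv{selected_family} was selected"]
        return [str(ip)], []

    addrs = [ipaddress.ip_address(a) for a in resolve(remote)]
    matching = [str(a) for a in addrs if a.version == selected_family]
    other = [str(a) for a in addrs if a.version == other_family]

    warnings = []
    if not addrs:
        warnings.append(f"{remote} does not resolve to any address")
    elif not matching:
        # Hard error case: the tunnel cannot come up over the selected family.
        warnings.append(f"{remote} resolves only to IPv{other_family} "
                        f"({', '.join(other)}) but IPv{selected_family} was selected")
    elif other:
        # The dual-stack case from the thread: the system resolver may hand the
        # daemon the other family unless IPv4 preference is set or a literal is used.
        warnings.append(f"{remote} also has IPv{other_family} records "
                        f"({', '.join(other)}); the resolver may prefer them over "
                        f"IPv{selected_family} unless IPv{selected_family} is "
                        f"preferred system-wide or the IP literal is used")
    return matching, warnings


if __name__ == "__main__":
    for host, fam in [("vpn-dual.example.net", 4), ("vpn-v6.example.net", 4),
                      ("vpn-dual.example.net", 6), ("192.0.2.1", 4),
                      ("2001:db8::1", 4)]:
        usable, warns = check_remote_gateway(host, fam, resolve=fake_resolve)
        print(f"{host} / IPv{fam}: usable={usable}")
        for w in warns:
            print("  WARNING:", w)
```

Run against the real resolver by omitting the `resolve` argument. The dual-stack case only produces a warning, not an error, because the tunnel can still work; whether it does depends on which address the system resolver hands to the IPsec daemon, which is exactly the behaviour the "Prefer to use IPv4" setting in the thread controls.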