IPSEC Connections IPV6

Started by danderson, August 09, 2023, 07:46:01 PM

August 09, 2023, 07:46:01 PM Last Edit: August 09, 2023, 07:48:32 PM by danderson
So I have this working fine for V4 and dynamic DNS names, but it's giving me an error that the identifier contains invalid characters in PSKs for V6 addresses.

The identifier does not need to be the actual IP address used. You can use an FQDN or in fact "anything" as long as both ends agree what their respective identifiers are.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

ok, then on my 1 remote side (ASA) I have to figure out how to change the ident it sends, or on the OPNsense side if I can change what it sends/change what it expects.

Sorry not to be more specific but I have yet to set up my first IPv6 IPsec tunnel myself. I just happen to know that you can use e.g. hostmaster@company1.com and hostmaster@company2.com as identifiers if both sides agree.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

understood, but where in OPNsense can I set what it identifies the tunnel as outbound? Would the image below be where I set the ID for outbound and for the remote side for the inbound? As I said previously it's worked with IP addr, but if I can set it as something else as you state then I can get it to auth with those IDs.

Yes, ID is the field. You can set it to an IPv4 address even when using IPv6 for the actual connection. The ID and the IP address used need not be identical.

This is frequently the case with an IPsec gateway behind some NAT device. The peer IP address is the external address of the NAT. The ID is the internal IP address of the IPsec peer - or you set the ID at that peer to the external NAT address, then it is that.

IDs have to follow certain conventions, though. FQDNs, email addresses, IP addresses, X.509 distinguished names - IIRC that's it.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

perfect, thanks. I just found in the ASA on my remote side that it was set to IP, I'm going to set it to hostname and then change it on the OPNsense side.

ok so I got it working after I changed the remote ASA from IP to hostname, then updated the OPNsense IDs accordingly.

As many use IP addresses, I think it would still be needed to fix the pre-shared keys page to allow IPv6 addresses; it's most likely not liking the :'s or ::'s.
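As an added illustration (not OPNsense or strongSwan code, and the regexes and function names below are assumptions made for the example), here is a small validator that recognises each identifier form named in this thread (IPv4, IPv6, FQDN, e-mail address, X.509 DN) and shows why a character check that refuses ':' rejects every IPv6 literal:

```python
import ipaddress
import re

# Hypothetical helper, not OPNsense or strongSwan code. IPv6 literals contain
# ':' and '::', so a validator that blocks those characters outright refuses a
# valid ID_IPV6_ADDR identity even though the tunnel itself would accept it.

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$", re.IGNORECASE)
_EMAIL_RE = re.compile(rf"^[^@\s]+@(?:{_LABEL}\.)+{_LABEL}$", re.IGNORECASE)
# One RDN of a comma-separated DN, e.g. "CN=vpn.example.com" or " O=Example"
_DN_RDN_RE = re.compile(r"^\s*[A-Za-z][A-Za-z0-9]*\s*=\s*\S.*$")


def classify_identifier(ident: str):
    """Return 'ipv4', 'ipv6', 'fqdn', 'email' or 'dn'; None if unrecognised."""
    ident = ident.strip()
    if not ident or len(ident) > 253:
        return None
    # Try IP literals first so that "::1" is never mistaken for a hostname.
    try:
        addr = ipaddress.ip_address(ident)
        return "ipv4" if addr.version == 4 else "ipv6"
    except ValueError:
        pass
    if _EMAIL_RE.match(ident):
        return "email"
    if _FQDN_RE.match(ident):
        return "fqdn"
    # X.509 distinguished name written as comma-separated RDNs
    if all(_DN_RDN_RE.match(part) for part in ident.split(",")):
        return "dn"
    return None


def naive_psk_identifier_ok(ident: str) -> bool:
    """Illustrative over-strict check: no ':' allowed, so every IPv6 literal fails."""
    return bool(ident) and re.fullmatch(r"[A-Za-z0-9.@_=, -]+", ident) is not None


def psk_identifier_ok(ident: str) -> bool:
    """Corrected check: accept any identifier that parses as a known IKE identity type."""
    return classify_identifier(ident) is not None


if __name__ == "__main__":
    for ident in ("2001:db8::1", "192.0.2.1", "hostmaster@company1.com"):
        print(ident, classify_identifier(ident), naive_psk_identifier_ok(ident), psk_identifier_ok(ident))
```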

Would you file an issue on github, please?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)