Helmut Schneider
Tue, 15 Dec 2009 05:42:50 -0800
Hi, I'm running a Windows 7 Domain Member connecting to a Windows 2008 Domain member. The connection is required to use IPSEC (AH). This also applies to IPv6 connections. While this works fine with IPv4 (the pf gateway is also an OpenVPN gateway) it fails with IPv6. xl0 is the external, bge0 an internal interface:
Dec 15 13:34:22.632360 rule 69/(match) pass in on xl0: $CLIENT > $SERVER: frag (0|1232) 500 > 500: isakmp v1.0 exchange ID_PROT encrypted cookie: 583b9e29ae2a701f->f2257c7575eb8336 msgid: 00000000 len: 1692
Dec 15 13:34:22.632371 rule 69/(match) pass out on bge0: $CLIENT > $SERVER: frag (0|1232) 500 > 500: isakmp v1.0 exchange ID_PROT encrypted cookie: 583b9e29ae2a701f->f2257c7575eb8336 msgid: 00000000 len: 1692
Dec 15 13:34:22.635340 rule 69/(match) pass in on xl0: $CLIENT > $SERVER: frag (1232|468)
Dec 15 13:34:22.635349 rule 69/(match) pass out on bge0: $CLIENT > $SERVER: frag (1232|468)
Dec 15 13:34:22.649843 rule 11/(match) block in on bge0: $SERVER > $CLIENT: frag (0|1448) 500 > 500: isakmp v1.0 exchange ID_PROT encrypted cookie: 583b9e29ae2a701f->f2257c7575eb8336 msgid: 00000000 len: 1596
Dec 15 13:34:22.649854 rule 11/(match) block in on bge0: $SERVER > $CLIENT: frag (1448|156)
Dec 15 13:34:23.632198 rule 69/(match) pass in on xl0: $CLIENT > $SERVER: frag (0|1232) 500 > 500: isakmp v1.0 exchange ID_PROT encrypted cookie: 583b9e29ae2a701f->f2257c7575eb8336 msgid: 00000000 len: 1692
Dec 15 13:34:23.632211 rule 69/(match) pass out on bge0: $CLIENT > $SERVER: frag (0|1232) 500 > 500: isakmp v1.0 exchange ID_PROT encrypted cookie: 583b9e29ae2a701f->f2257c7575eb8336 msgid: 00000000 len: 1692
Dec 15 13:34:23.639499 rule 69/(match) pass in on xl0: $CLIENT > $SERVER: frag (1232|468)
Dec 15 13:34:23.639508 rule 69/(match) pass out on bge0: $CLIENT > $SERVER: frag (1232|468)
Dec 15 13:34:23.640235 rule 11/(match) block in on bge0: $SERVER > $CLIENT: frag (0|1448) 500 > 500: isakmp v1.0 exchange ID_PROT encrypted cookie: 583b9e29ae2a701f->f2257c7575eb8336 msgid: 00000000 len: 1596
Dec 15 13:34:23.640245 rule 11/(match) block in on bge0: $SERVER > $CLIENT: frag (1448|156)
# pfctl -sr | egrep '(proto (ah|esp)|port = (500|isakmp))'
pass log quick inet6 proto tcp from any to any port = 500 flags S/SA keep state
pass log quick inet6 proto udp from any to any port = isakmp keep state
pass log quick inet6 proto ah all keep state
pass log quick inet6 proto esp all keep state
# egrep '( (ah|esp|500))' /etc/pf.conf
pass quick log inet6 proto { tcp, udp } to any port 500 # ISAKMP
pass quick log inet6 proto { ah, esp} # AH, ESP
#
I don't see what's wrong here. I have not yet had time to test this on 4.6.
Thanks, Helmut
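Added example, not part of Helmut's mail and not pf's own code: a small Python checker that re-joins mail-wrapped pflog/tcpdump records like the ones quoted above and flags address pairs whose fragments passed in one direction while the fragmented reply was blocked, which is exactly the pattern in the log (client fragments pass on rule 69, the server's fragmented reply falls through to block rule 11). The sample records are constructed from the post; the function and field names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the wrapped pflog output quoted in the post
# ($CLIENT/$SERVER placeholders kept); other continuation lines join the same way.
SAMPLE = """\
Dec 15 13:34:22.632360 rule 69/(match) pass in on xl0: $CLIENT >
$SERVER: frag (0|1232) 500 > 500: isakmp v1.0 exchange ID_PROT
encrypted
Dec 15 13:34:22.635340 rule 69/(match) pass in on xl0: $CLIENT >
$SERVER: frag (1232|468)
Dec 15 13:34:22.649843 rule 11/(match) block in on bge0: $SERVER >
$CLIENT: frag (0|1448) 500 > 500: isakmp v1.0 exchange ID_PROT
Dec 15 13:34:22.649854 rule 11/(match) block in on bge0: $SERVER >
$CLIENT: frag (1448|156)
"""

START = re.compile(r"^\w{3} \d+ [\d:.]+ rule ")
ENTRY = re.compile(
    r"^(?P<ts>\w{3} \d+ [\d:.]+) rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<ifc>\w+): (?P<src>\S+) > (?P<dst>\S+): "
    r"frag \((?P<off>\d+)\|(?P<len>\d+)\)(?: (?P<sport>\d+) > (?P<dport>\d+):)?")

def unwrap(text):
    """Re-join mail-wrapped records: a record starts with a timestamp and 'rule',
    any other line is a continuation of the record before it."""
    records = []
    for line in text.splitlines():
        if START.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records

def parse(text):
    """Parse fragment records; only the first fragment (offset 0) shows ports."""
    entries = [ENTRY.match(r) for r in unwrap(text)]
    return [m.groupdict() for m in entries if m]

def fragment_state_mismatches(text):
    """Flag address pairs whose fragments passed one way but whose fragmented reply
    was blocked: a 'keep state' rule not matching the fragmented return packets."""
    seen = defaultdict(set)  # (src, dst) -> {(action, rule)}
    for e in parse(text):
        seen[(e["src"], e["dst"])].add((e["action"], e["rule"]))
    findings = set()
    for (src, dst), acts in seen.items():
        for action, rule in acts:
            for raction, rrule in seen.get((dst, src), ()):
                if action == "pass" and raction == "block":
                    findings.add((src, dst, rule, rrule))
    return sorted(findings)
```

Each finding is (forward src, forward dst, passing rule, blocking rule); feed it the output of tcpdump on pflog0 to check whether the block is really on the fragmented return path.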