Running some packet captures while pinging v4 and v6 from an internal host to a remote internal host (not from pfSense to pfSense):
Capturing on destination WAN while pinging IPv4, get ESP packets.
Capturing on destination WAN while pinging IPv6, no packets incoming.

Which I could confirm by:
Capturing on source WAN while pinging IPv4, ESP packets moving.
Capturing on source WAN while pinging IPv6, no ESP packets.

So whatever issue I have is related to IPv6 packets somehow not engaging through the tunnel.
Would the presence of NPt for these fd00::/64 and fd01::/64 I use on LANs both ends somehow impact this?

--
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om

> On 1 May 2016 at 15:24, Olivier Mascia <[email protected]> wrote:
>
>> On 1 May 2016 at 10:35, Olivier Mascia <[email protected]> wrote:
>>
>>> That page is a little out of date in one respect: You can't mix traffic
>>> with IPsec using IKEv1, but you can with IKEv2. So long as both sides
>>> support IKEv2 you can carry IPv6 and IPv4 in P2 entries.
>>>
>>> FWIW, You can also tunnel both at once using OpenVPN.
>>
>
> I'm busy testing that but my IPv6 traffic doesn't cross the tunnel.
> On Status / IPsec I'm seeing this, having defined two phase2 (one tunnel IPv4
> and one tunnel IPv6):
>
> 10.0.0.0/16  Local:  cb9f5c9f  10.1.1.0/24  Rekey:   694 seconds (00:11:34)   AES_GCM_16    Bytes-In: 5,376 (5 KiB)
> fd00::/64    Remote: cd70616c  fd01::/64    Life:    1495 seconds (00:24:55)                Packets-In: 64
>                                             Install: 2106 seconds (00:35:06)  IPComp: none  Bytes-Out: 13,768 (13 KiB)
>                                                                                             Packets-Out: 105
>
> As far as *I* can tell, it looks fine.
> The remote and local subnets are fine (match my LAN subnets). Of course I
> have checked that I see the same thing reversed on the other end. On firewall
> rules, IPSEC interface, I currently have two pass-through rules, one for IPv4
> and one for IPv6.
>
> The other rules needed are supposedly added by pfSense (without displaying
> them) as System / Advanced / Firewall - Disabled auto-added VPN rules is NOT
> checked.
>
> But are those auto-added suitable for passing both IPv4 and IPv6 inside the
> tunnel?
>
> Phase1 is set up using IPv4 / IKEv2.
> One Phase2 is tunnel IPv4 and the other is tunnel IPv6.
>
> One end is 2.3-REL, the other one is 2.2.2-REL (which I cannot upgrade for
> the time being).
>
> Would someone have an idea, based on their own experience with IPsec and both
> IPv4+IPv6, of what's wrong in my setup to look for?
>
> So much thanks for the help,
> --
> Meilleures salutations, Met vriendelijke groeten, Best Regards,
> Olivier Mascia, integral.be/om
>
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
