Topic: IPsec Issue with IPv6  (Read 3315 times)
« on: August 03, 2013, 18:24:48 »
Christian Henschel *
Posts: 6

Hi there

I found an issue with IPsec & IPv6.

If you reboot the m0n0wall or you have a power loss, the IPsec for IPv6 does not come up again automatically.
When you have a look at the diagnostics page "IPsec", in the tab "SPD", you don't see any IPv6 subnets.

After you edit your IPv6 IPsec tunnel and apply, the tunnel comes up & works fine again.

I'm currently using the version 1.8.1b545.

Thank you for fixing this issue & if you have questions feel free to ask me.

Regards,
Christian
« Reply #1 on: August 03, 2013, 23:38:49 »
brushedmoss ****
Posts: 446

What type of ipv6 do you have ? SixXS or 6to4 or other ?

Are there errors in the log and if you reapply your config does it work until reboot ?
« Reply #2 on: August 04, 2013, 00:20:46 »
Lee Sharp *****
Posts: 517

How is the other side handling older certificates?
« Reply #3 on: August 04, 2013, 21:07:08 »
Christian Henschel *
Posts: 6

I'm sorry, I forgot to provide my IPsec configuration:
Code:
# Phase 1 (IKE) definition for the IPv6 peer
remote 2001:xy:zy:ac::2 {
   exchange_mode main;
   my_identifier address "2001:xy:yz:83::2";
   peers_identifier address 2001:xy:zy:ac::2;
   initial_contact on;
   support_proxy on;
   proposal_check obey;
   dpd_delay 30;

   proposal {
      encryption_algorithm aes;
      hash_algorithm sha1;
      authentication_method pre_shared_key;
      dh_group 2;
      lifetime time 86400 secs;
   }
   lifetime time 86400 secs;
}

# Phase 2 (IPsec SA) policy between the two IPv6 /64 subnets
sainfo address 2001:xy:yz::/64 any address 2001:xy:zy::/64 any {
   encryption_algorithm rijndael;
   authentication_algorithm hmac_sha1;
   compression_algorithm deflate;
}

With PSK.

Quote from: brushedmoss
What type of ipv6 do you have ? SixXS or 6to4 or other ?

Are there errors in the log and if you reapply your config does it work until reboot ?
I'm currently using SixXS.
Logs coming soon.

Quote from: Lee Sharp
How is the other side handling older certificates?
The other side is handling it the same as my m0n0wall does. But there are no certificates because I'm using PSK.
« Reply #4 on: August 05, 2013, 00:17:27 »
brushedmoss ****
Posts: 446

Thanks

I'm wondering if IPSec is starting too soon for SixXS
« Reply #5 on: August 05, 2013, 01:04:52 »
Lee Sharp *****
Posts: 517

There is a certificate (or key, or psk) negotiated every time.  That is what the lifetime is all about. Now if you reboot, you create a new thingamobob. (psk)  And if the other side is not ready to accept it, you have to bounce the connection to start new.  Look into DPD (dead peer detection) on the other side.
« Reply #6 on: August 05, 2013, 20:22:50 »
Christian Henschel *
Posts: 6

Guys, I'm sorry, but you don't understand what exactly the issue is.

After I reboot my m0n0wall there is NO SPD with IPv6 addresses, but all other tunnels with IPv4 are present.
There is no issue with DPD or so on.

If I reapply one of my IPv6 tunnels' settings, then all IPv6 SPDs are present.

As I understand IPsec, it needs two pieces of software: racoon & setkey.
I think setkey isn't working right.
 
« Reply #7 on: August 05, 2013, 23:28:59 »
brushedmoss ****
Posts: 446

The code that does VPN setup is the same when you reapply the config or restart.

The boot-up process calls the code that configures the VPN the same as hitting the apply button.

That is why I suspect it could be a sequence problem, that the VPN code is executing before your SixXS tunnel is active, and setkey will fail.

I'm not in a position to look at code right now, but your logs may help.
« Reply #8 on: August 06, 2013, 07:56:53 »
Christian Henschel *
Posts: 6

So... let me provide my log after boot:
Code:
Aug 6 07:51:24 racoon: [2001:x:y:z::2] ERROR: failed to bind to address 2001:x:y:z::2[4500] (Can't assign requested address).
Aug 6 07:51:24 racoon: ERROR: privsep_bind (Can't assign requested address) = -1
Aug 6 07:51:24 racoon: [2001:x:y:z::2] ERROR: failed to bind to address 2001:x:y:z::2[500] (Can't assign requested address).
Aug 6 07:51:24 racoon: ERROR: privsep_bind (Can't assign requested address) = -1
Aug 6 07:51:24 rtadvd[201]: configuration file reloaded.
Aug 6 07:51:24 rtadvd[201]: <loadconfig_ifname> gif0 is not a target interface. Ignored at this moment.
Aug 6 07:51:24 rtadvd[201]: <loadconfig_ifname> bridge0 is not a target interface. Ignored at this moment.
Aug 6 07:51:24 rtadvd[201]: <loadconfig_ifname> vlan0 is not a target interface. Ignored at this moment.
Aug 6 07:51:24 rtadvd[201]: <loadconfig_ifname> lo0 is not a target interface. Ignored at this moment.
Aug 6 07:51:24 rtadvd[201]: <loadconfig_ifname> enc0 is not a target interface. Ignored at this moment.
Aug 6 07:51:24 rtadvd[201]: <loadconfig_ifname> em3 is not a target interface. Ignored at this moment.
Aug 6 07:51:24 rtadvd[201]: <loadconfig_ifname> em2 is not a target interface. Ignored at this moment.
Aug 6 07:51:24 rtadvd[201]: <loadconfig_ifname> em1 is not a target interface. Ignored at this moment.
Aug 6 07:51:24 racoon: [fe80:9::200:24ff:fece:80d0] ERROR: failed to bind to address fe80:9::200:24ff:fece:80d0[4500] (Can't assign requested address).
Aug 6 07:51:24 racoon: ERROR: privsep_bind (Can't assign requested address) = -1
Aug 6 07:51:24 racoon: [fe80:9::200:24ff:fece:80d0] ERROR: failed to bind to address fe80:9::200:24ff:fece:80d0[500] (Can't assign requested address).
Aug 6 07:51:24 racoon: ERROR: privsep_bind (Can't assign requested address) = -1
Aug 6 07:51:24 rtadvd[118]: gracefully terminated.
Aug 6 07:51:24 rtadvd[118]: gracefully terminated.
Aug 6 07:51:24 rtadvd[118]: waiting expiration of the all RA timers.
Aug 6 07:51:24 rtadvd[118]: final RA transmission started.
Aug 6 07:51:24 rtadvd[118]: final RA transmission started.
Aug 6 07:51:24 rtadvd[118]: <loadconfig_ifname> gif0 is not a target interface. Ignored at this moment.
Aug 6 07:51:24 rtadvd[118]: interface added (idx=9)
Aug 6 07:51:24 rtadvd[118]: interface added (idx=9)
Aug 6 07:51:24 sixxs-aiccu: AICCU running as PID 190
Aug 6 07:51:24 sixxs-aiccu: Succesfully retrieved tunnel information for T37177
Aug 6 07:51:23 racoon: INFO: fe80:7::200:24ff:fece:80d0[4500] used as isakmp port (fd=27)
Aug 6 07:51:23 racoon: INFO: fe80:7::200:24ff:fece:80d0[500] used as isakmp port (fd=26)
Aug 6 07:51:23 racoon: INFO: fe80:6::1[4500] used as isakmp port (fd=25)
Aug 6 07:51:23 racoon: INFO: fe80:6::1[500] used as isakmp port (fd=24)
Aug 6 07:51:23 racoon: INFO: ::1[4500] used as isakmp port (fd=23)
Aug 6 07:51:23 racoon: INFO: ::1[500] used as isakmp port (fd=22)
Aug 6 07:51:23 racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=21)
Aug 6 07:51:23 racoon: INFO: 127.0.0.1[4500] used for NAT-T
Aug 6 07:51:23 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=20)
Aug 6 07:51:23 racoon: INFO: 127.0.0.1[500] used for NAT-T
Aug 6 07:51:23 racoon: INFO: 217.x.y.z[4500] used as isakmp port (fd=19)
Aug 6 07:51:23 racoon: INFO: 217.x.y.z[4500] used for NAT-T
Aug 6 07:51:23 racoon: INFO: 217.x.y.z[500] used as isakmp port (fd=18)
Aug 6 07:51:23 racoon: INFO: 217.x.y.z[500] used for NAT-T
Aug 6 07:51:23 racoon: INFO: fe80:2::200:24ff:fece:80d1[4500] used as isakmp port (fd=17)
Aug 6 07:51:23 racoon: INFO: fe80:2::200:24ff:fece:80d1[500] used as isakmp port (fd=16)
Aug 6 07:51:23 racoon: INFO: fe80:1::1[4500] used as isakmp port (fd=15)
Aug 6 07:51:23 racoon: INFO: fe80:1::1[500] used as isakmp port (fd=14)
Aug 6 07:51:23 racoon: INFO: 2001:x:y::1[4500] used as isakmp port (fd=13)
Aug 6 07:51:23 racoon: INFO: 2001:x:y::1[500] used as isakmp port (fd=12)
Aug 6 07:51:23 racoon: INFO: 10.11.1.1[4500] used as isakmp port (fd=11)
Aug 6 07:51:23 racoon: INFO: 10.11.1.1[4500] used for NAT-T
Aug 6 07:51:23 racoon: INFO: 10.11.1.1[500] used as isakmp port (fd=10)
Aug 6 07:51:23 racoon: INFO: 10.11.1.1[500] used for NAT-T
Aug 6 07:51:23 racoon: INFO: fe80:1::200:24ff:fece:80d0[4500] used as isakmp port (fd=9)
Aug 6 07:51:23 racoon: INFO: fe80:1::200:24ff:fece:80d0[500] used as isakmp port (fd=8)
Aug 6 07:51:23 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Aug 6 07:51:23 racoon: INFO: @(#)This product linked OpenSSL 0.9.8q 2 Dec 2010 (http://www.openssl.org/)
Aug 6 07:51:23 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
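A small log-triage helper, added here as an example and not code from the thread or from m0n0wall, that applies brushedmoss's ordering hypothesis to the boot log above: it extracts racoon's "failed to bind" errors and checks whether racoon read its configuration before sixxs-aiccu reported the tunnel. The sample is a constructed excerpt of the posted log (m0n0wall syslog order is newest line first; the x/y/z parts are the original poster's redactions).

```python
import re
from datetime import datetime

# Constructed excerpt of the boot log posted above, newest line first.
SAMPLE_LOG = """\
Aug 6 07:51:24 racoon: [2001:x:y:z::2] ERROR: failed to bind to address 2001:x:y:z::2[4500] (Can't assign requested address).
Aug 6 07:51:24 racoon: ERROR: privsep_bind (Can't assign requested address) = -1
Aug 6 07:51:24 racoon: [2001:x:y:z::2] ERROR: failed to bind to address 2001:x:y:z::2[500] (Can't assign requested address).
Aug 6 07:51:24 racoon: [fe80:9::200:24ff:fece:80d0] ERROR: failed to bind to address fe80:9::200:24ff:fece:80d0[500] (Can't assign requested address).
Aug 6 07:51:24 sixxs-aiccu: AICCU running as PID 190
Aug 6 07:51:24 sixxs-aiccu: Succesfully retrieved tunnel information for T37177
Aug 6 07:51:23 racoon: INFO: 217.x.y.z[500] used as isakmp port (fd=18)
Aug 6 07:51:23 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
"""

# "Mon D HH:MM:SS program[pid]: message" (pid part is optional, e.g. rtadvd[201])
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) ([\w-]+)(?:\[\d+\])?: (.*)$")
BIND_RE = re.compile(r"failed to bind to address ([^\s\[]+)\[(\d+)\]")


def parse(log):
    """Return (timestamp, program, message) tuples, oldest first."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            rows.append((ts, m.group(2), m.group(3)))
    # Input is newest-first; reverse before the stable sort so same-second lines stay in boot order.
    return sorted(reversed(rows), key=lambda r: r[0])


def bind_failures(log):
    """Return [(address, port)] that racoon could not bind ("Can't assign requested address")."""
    out = []
    for _, prog, msg in parse(log):
        m = BIND_RE.search(msg)
        if prog == "racoon" and m:
            out.append((m.group(1), int(m.group(2))))
    return out


def diagnose(log):
    """Did racoon read its config before the SixXS tunnel daemon reported in? Which v6 binds failed?"""
    rows = parse(log)
    racoon_start = min((ts for ts, p, m in rows if p == "racoon" and "Reading configuration" in m), default=None)
    tunnel_up = min((ts for ts, p, _ in rows if p == "sixxs-aiccu"), default=None)
    v6_failed = sorted({addr for addr, _ in bind_failures(log) if ":" in addr})
    return {
        "ipv6_bind_failures": v6_failed,
        "racoon_before_tunnel": bool(racoon_start and tunnel_up and racoon_start < tunnel_up),
    }
```

Run against a full boot log, `racoon_before_tunnel` being true together with bind failures on the tunnel's own addresses supports the start-order explanation rather than a DPD or peer problem.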