pfSense IPSec Site-to-Site IPv4 over IPv6

I’ve got a bit of a head-scratcher, but I’m sure I just missed something obvious (I hope). It’s not critical, since the IPv4-to-IPv4 tunnel works, but once I got started on this I would really like to figure it out.

Setup:
pfSense Plus 23.09.1 IPsec tunnel to a remote endpoint, which is a Meraki MX67 on T-Mobile
IKEv2 site-to-site tunnel

Problem:
IPv4-to-IPv4 works, but I wanted to try transitioning to IPv6 for the tunnel endpoints while still passing the IPv4 networks, just to bypass some of the CG-NAT stuff on the Meraki side, since it’s over T-Mobile.
The IPv6-to-IPv6 tunnel comes up, and Phase 2 seems to exchange on both sides. When I try to ping from a network on the pfSense side to the Meraki network, the pings (and any traffic, for that matter) just route to pfSense and then out to the internet and get dropped; it never tries to traverse the tunnel.
On the reverse path I can tcpdump and see the ping from the Meraki LAN side make it to my local device, but all replies are just routed back out the default internet route on the pfSense side and never make it back to the Meraki side of things.

Is this policy-based IPsec? If so, double-check your policy tables to see how traffic should be forwarded. Offhand I’m not sure if IPsec’s ESP tunnel would allow IPv6 over IPv4; I’m thinking yes.

Otherwise you could set up a GRE tunnel over the IPsec tunnel and send traffic through that. Like all networking, you can solve almost every problem by adding more layers.

So one thing is that I can’t seem to find the right command on pfSense to show the traffic forwarding for IPsec and whatnot.
I can do netstat to get the routes, but that never shows the IPsec routes.

Edit:
Figured out it’s “setkey -DP” to show the IPsec routes.
I’ll check on everything in a bit and see what that gives with the tunnel up.

Just FYI, IPsec doesn’t normally use routes; instead it uses “policy”. Policy can match on source and destination IPs and act kind of like a second route table. Route-based IPsec also has a “VTI mode”, which uses the regular route table.

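To make the “second route table” point concrete, here is an added example (not code from the thread or from pfSense) that parses a dump in the shape of FreeBSD/pfSense `setkey -DP` output and asks which security policy, if any, a given source/destination pair would hit. The sample dump is constructed for the example using documentation prefixes (192.0.2.0/24 and 198.51.100.0/24 as the two LANs, 2001:db8::1 and 2001:db8::2 as the IPv6 tunnel endpoints); the “most specific selector wins” tie-break is a simplification of the kernel’s own policy ordering, not a claim about it. The useful check is the negative case: a packet that matches no `out` policy is never handed to IPsec and simply follows the normal routing table, which is exactly the “goes out the default route” symptom described above.

```python
"""Added example: look up setkey -DP style security policies for a packet.

Not part of the original thread. SAMPLE_SPD is constructed to resemble
`setkey -DP` output; addresses are documentation prefixes chosen for the demo.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: one outbound and one inbound policy for an IPv4 LAN pair
# carried in an ESP tunnel between two IPv6 endpoints.
SAMPLE_SPD = """\
192.0.2.0/24[any] 198.51.100.0/24[any] any
\tout ipsec
\tesp/tunnel/2001:db8::1-2001:db8::2/unique:1
\tspid=1 seq=1 pid=1234
\trefcnt=1
198.51.100.0/24[any] 192.0.2.0/24[any] any
\tin ipsec
\tesp/tunnel/2001:db8::2-2001:db8::1/unique:1
\tspid=2 seq=0 pid=1234
\trefcnt=1
"""


@dataclass
class Policy:
    src: object          # ipaddress network object (selector source)
    dst: object          # ipaddress network object (selector destination)
    direction: str = ""  # "in", "out" or "fwd"
    action: str = ""     # "ipsec", "discard" or "none"
    tunnel: str = ""     # "local-remote" outer endpoints, "" if not a tunnel
    spid: int = 0


# Selector header: "<src>[port] <dst>[port] <proto>"
HEADER = re.compile(r"^(\S+?)\[[^\]]*\]\s+(\S+?)\[[^\]]*\]\s+\S+$")
DIR_ACT = re.compile(r"^\s+(in|out|fwd)\s+(ipsec|discard|none)$")
TUNNEL = re.compile(r"^\s+(?:esp|ah)/tunnel/([^/]+)/")
SPID = re.compile(r"^\s+spid=(\d+)")


def parse_spd(text):
    """Parse a setkey -DP style dump into a list of Policy objects."""
    policies = []
    cur = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = Policy(ipaddress.ip_network(m.group(1), strict=False),
                         ipaddress.ip_network(m.group(2), strict=False))
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_ACT.match(line)
        if m:
            cur.direction, cur.action = m.group(1), m.group(2)
            continue
        m = TUNNEL.match(line)
        if m:
            cur.tunnel = m.group(1)
            continue
        m = SPID.match(line)
        if m:
            cur.spid = int(m.group(1))
    return policies


def lookup(policies, src, dst, direction="out"):
    """Return the matching Policy for a packet, or None.

    None means IPsec never sees the packet: it follows the ordinary routing
    table (typically the default route) instead of entering the tunnel.
    Assumption for this demo: among matching selectors, the most specific wins.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for p in policies:
        if p.direction != direction:
            continue
        if s.version != p.src.version or d.version != p.dst.version:
            continue
        if s in p.src and d in p.dst:
            if best is None or (p.src.prefixlen + p.dst.prefixlen) > \
                    (best.src.prefixlen + best.dst.prefixlen):
                best = p
    return best


def explain(policies, src, dst, direction="out"):
    """Human-readable verdict for one packet, handy when comparing two tunnels."""
    p = lookup(policies, src, dst, direction)
    if p is None:
        return f"{src} -> {dst} ({direction}): no policy; follows routing table"
    return (f"{src} -> {dst} ({direction}): spid={p.spid} {p.action} "
            f"via tunnel {p.tunnel or 'none'}")


if __name__ == "__main__":
    spd = parse_spd(SAMPLE_SPD)
    print(explain(spd, "192.0.2.10", "198.51.100.20"))        # hits spid 1
    print(explain(spd, "198.51.100.20", "192.0.2.10", "in"))  # hits spid 2
    print(explain(spd, "192.0.2.10", "203.0.113.5"))           # no policy
```

On a real box, feed it the actual dump (`setkey -DP > spd.txt`, then `parse_spd(open("spd.txt").read())`) and test the exact LAN addresses you are pinging from and to: if the reply direction returns no `out` policy, the traffic was never a candidate for the tunnel, and the question becomes why the Phase 2 selectors do not cover it rather than why the tunnel drops it.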

Yup, I’m used to slightly different syntax and found out it was setkey -DP that I needed :)
I brought up the IPv4-over-IPv6 tunnel and compared it to the IPv4-over-IPv4 tunnel output with that command, and it’s basically identical aside from the endpoint addresses, which makes sense. So it would seem something on pfSense is likely dropping the outbound traffic, if I had to guess, but I’ll need to poke more and set up some logging rules to see if I can determine the cause.