• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Windows Server 2008 R2; Ipsec blocking v6 in v4 tunnel

Started by enigma2e, April 03, 2010, 01:32:51 PM

Previous topic - Next topic


I have a static IPv6 tunnel allocated here at he, and I was able to initially set it up with Windows Server 2003. It worked great and i was able to work my way up to sage certification. Now i have upgraded my router to windows server 2008 r2, and the tunnel does not work at all. I was completely confused as to why at first until I enabled ipsec event logging, and I saw this event in there when I attempted to ping my endpoint from an external IPv6 ping website:

IPsec dropped an inbound clear text packet that should have been secured. If
the remote computer is configured with a Request Outbound IPsec policy, this
might be benign and expected.  This can also be caused by the remote
computer changing its IPsec policy without informing this computer. This
could also be a spoofing attack attempt.

Remote Network Address:
Inbound SA SPI:        0
Then immediately after that event...
The Windows Filtering Platform has blocked a packet.

Application Information:
Process ID:  0
Application Name: -

Network Information:
Direction:  Inbound
Source Address:
Source Port:  0
Destination Address:
Destination Port:  0
Protocol:  41

Filter Information:
Filter Run-Time ID: 104505
Layer Name:  Transport
Layer Run-Time ID: 12
------------------------------------- is the ip address of the remote end of my ipv6 tunnel supplied by he.

I am also completely unable to send *any* IPv6-in-IPv4 packets. they dont
show up in wireshark, thye dont show up in event log. its like it was never

Obviously windows is blocking any ipv6-in-ipv4 traffic because its not
encrypted. he of course doesnt support ipsec auth or enc on the tunnels because
its really not needed.

So my question is how do i get windows to allow this tunnel to this endpoint
to NOT have to be encrypted/authenticated by ipsec? how do i tell IPSec to ignore
these packets?


First I've ever heard of this.  I wouldn't think windows would require IPSEC for a 6in4 tunnel.

I suggest blowing away the tunnel config and recreating it.  If that doesn't help, poke around in netsh and see if u can find IPSEC settings.  Maybe it set up an IPSEC SA config for your 6in4 traffic for some reason.


It also looks like this is a setting that can be changed in AD...if you're running AD, you might want to check your GPO's


So I checked out the netsh ip sec-related commands, they require an awful lot of information that doesnt seem relevant, like encryption and authentication type. Then i looked at the AD GPO's as applied to server hosting my end of teh tunnel, i tried to create an unencrypted tunnel, however i was unable to remove the requirement for authentication. So of course the problem still stands.
Im guessing the issue is that the IPSec driver in 2k8r2 is recognizing ip6-in-ip4 (protocol 41) as traffic that it should handle instead of just leaving it alone. Evidently this *has* to be a setting somewhere, but i cant find it.
Any ideas short of single-stepping ipsec in kernel-debug-mode to see where its reading the setting from?


Not sure.  Look through the RRAS setup maybe?  This is the first time I've heard of this happening!


I tried adding an IPsec filter/policy/whatever, and it almost looks good until i get to the last thing. Turning off authentication. There is no way it will let me disable authentication completely. It wants to use Kerberos by default, but H.E. tunnels arent authenticated.

Alas it looks like my only option at this point is to disassemble ipsec kernel mode and see what is triggering it to think it has to drop this packet.


So I completely reinstalled.
I formatted the hard disk and installed Windows Server 2008 R2 Enterprise x64 completely new.
It still does it.
I am completely at a loss. How can I be the only person experiencing this?
Is it because I get my internet via PPPoE through RRAS ?
I have no idea whats going on anymore...


Quote from: enigma2e on April 11, 2010, 04:58:21 PM
So I completely reinstalled.
I formatted the hard disk and installed Windows Server 2008 R2 Enterprise x64 completely new.
It still does it.
I am completely at a loss. How can I be the only person experiencing this?
Is it because I get my internet via PPPoE through RRAS ?
I have no idea whats going on anymore...
That's really bizarre.  You'd think the PPPoE/RRAS wouldn't make a difference, but perhaps that's the problem.  I'd put in a tech support call with MS, or post on a Windows oriented forum and ask for help there.  Perhaps even the ipv6-ops mailing list.  Maybe someone else has gone through this dance.

If all else fails, you could always stand up a separate IPv6 tunnel router.    Either in parallel to your Windows router box, or behind it using a NATed IPv4 address.  A linux or BSD box work well, and you could even do it in a VM if you run in a VM environment.


Well jimb, i took your idea and ran with it.

I created a virtual machine bound to the external interface of my 2k8r2 box. That virtual machine connects to my ISP via PPPoE and takes the IPv4 packets out and places them on the wire for the external interface. It also takes the ipv6 packets out of the ipv4 packets and places them on the wire too. Through this my 2k8r2 box now has been given Native, IPv6-over-Ethernet connectivity and the issue no longer exists. Hurrah!

Quick-and-dirty network diagram:

ISP ----- DSL Modem ----- VirtualMachine ----- Real Machine
      DSL                 Ethernet                  Ethernet
      ATM                 PPPoE                        IPv4
     Ethernet              IPv4
      PPPoE                IPv6                      Ethernet
       IPv4                                                IPv6


That's great.  What did you wind up using in the VM?  Another copy of win2k8 server?  I did a similar thing for a friend who has FiOS.  He has a big Core i7 VM box running win2k8 and Hyper-V, and he has an Ubuntu server running under it for web servers and such.  I set up an HE tunnel to that VM and it works great


Unless you've allowed IPv6 ping through the firewall, you won't be able to ping the server...Ping replies are blocked by default.
To turn on, look in "Windows Firewall with advanced settings" or something like that


You can specify an IPv4 or IPv6 address. You must specify one end of each side of the tunnel and the protocol address of the version should be the same for both sides. That is, if you specify an IPv6 address for the source side of the tunnel, then you must also use an IPv6 address for the remote side of the tunnel.For each rule, you must also specify the actions of filtering methods authentication, and other settings.