    IPsec VTI with Dynamic Peer

packetsar

      I'm setting up a VTI-IPSec tunnel between PFSense-A which has a static public IP, and PFSense-B which is behind a NAT (and the NAT has a dynamic IP).

So PFSense-B has its phase-1 settings using 0.0.0.0 as the Remote Gateway, uses "Any" for the Peer identifier, and is set to Responder Only for the Child SA Start Action.

If I use the above settings and create a phase-2 VTI, the tunnels will come up, the ipsec interface will show online, and routes will install into the routing table on both sides, but PFSense-A (the one with the dynamic peer configured) will never send any traffic out its ipsec interface. Both sides show packets moving one way, and both agree none ever go the other way.

      If I create a regular non-VTI phase-2, everything works as expected.

If I use dynamic DNS so that PFSense-A can use a DNS name as its neighbor, everything works fine.

      Is this a limitation for VTIs on PFSense? Or did I hit a bug?

PFSense-A Version: 2.6.0
PFSense-B Version: 23.05.1

jimp (Rebel Alliance Developer, Netgate)

        That is expected and noted in the GUI:

[image: screenshot of the note shown in the pfSense IPsec GUI]

        There is also more detail in the docs:

        https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configure-p1.html#ike-endpoint-configuration

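The behaviour described in this thread can be encoded as a simple pre-flight check over a site's IPsec configuration: a VTI phase-2 whose phase-1 remote gateway is the 0.0.0.0 wildcard establishes but routes no traffic out the ipsec interface, while a non-VTI (tunnel mode) phase-2 with the same phase-1, or a VTI phase-2 whose remote gateway is a DNS name or static IP, works. The following is an added example written for this page; it is not pfSense code and is not taken from the thread or the linked docs. The dataclass field names, the peer names and the sample configuration values are assumptions constructed for the demo.

```python
"""Lint a set of pfSense-style IPsec phase-1/phase-2 entries for the
"VTI with dynamic remote gateway" combination described in the thread.

Added example, not pfSense code. Field names and sample values are assumptions.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Phase1:
    name: str
    remote_gateway: str   # IP literal, hostname, or "0.0.0.0" (any peer)
    peer_identifier: str  # e.g. "any", "peerip", "fqdn" (assumed field)
    start_action: str     # e.g. "start", "responder-only" (assumed field)


@dataclass
class Phase2:
    p1_name: str  # name of the phase-1 this child SA belongs to
    mode: str     # "vti" or "tunnel"


def remote_is_fixed(gateway: str) -> bool:
    """True if the remote gateway names a concrete endpoint.

    A concrete IPv4/IPv6 address or a resolvable hostname (for example a
    dynamic-DNS name) counts as fixed; the 0.0.0.0 / :: wildcard does not.
    """
    gateway = gateway.strip()
    try:
        addr = ipaddress.ip_address(gateway)
    except ValueError:
        # Not an IP literal: treat a non-empty string as a DNS name.
        return bool(gateway)
    return not addr.is_unspecified


def lint(p1s, p2s):
    """Return (phase-1 name, message) findings for unsupported combinations."""
    by_name = {p.name: p for p in p1s}
    findings = []
    for p2 in p2s:
        p1 = by_name.get(p2.p1_name)
        if p1 is None:
            findings.append((p2.p1_name, "phase-2 references an unknown phase-1"))
            continue
        if p2.mode == "vti" and not remote_is_fixed(p1.remote_gateway):
            findings.append((
                p1.name,
                "VTI phase-2 on a phase-1 with remote gateway 0.0.0.0: the tunnel "
                "will establish but no traffic will be sent out the ipsec "
                "interface; use a static IP or a DNS name as the remote gateway",
            ))
    return findings


def example_findings():
    """Constructed sample mirroring the three cases in the thread."""
    p1s = [
        # Case 1: dynamic peer, VTI child -> flagged
        Phase1("peer-dynamic-vti", "0.0.0.0", "any", "responder-only"),
        # Case 2: dynamic peer, tunnel-mode child -> fine
        Phase1("peer-dynamic-tunnel", "0.0.0.0", "any", "responder-only"),
        # Case 3: DDNS hostname as remote gateway, VTI child -> fine
        Phase1("peer-ddns-vti", "site-b.example.invalid", "fqdn", "start"),
    ]
    p2s = [
        Phase2("peer-dynamic-vti", "vti"),
        Phase2("peer-dynamic-tunnel", "tunnel"),
        Phase2("peer-ddns-vti", "vti"),
    ]
    return lint(p1s, p2s)


if __name__ == "__main__":
    for name, msg in example_findings():
        print(f"{name}: {msg}")
```

Running the block prints one finding, for the phase-1 that combines the 0.0.0.0 remote gateway with a VTI phase-2; the tunnel-mode and DDNS-hostname variants pass, matching what the original poster observed.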
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.