Anyone using VTI with ASR1000 on other end
-
I think the issue that routing based vpn like vti left and right subnet should be set 0.0.0.0/0 not vti ip address
that break the tunnel
in config set
rightsubnet = 192.168.252.2
leftsubnet = 192.168.252.1/30
that incorrect tunnel will be never established because ipip is on top vti and based on encrypted domain ip addresses where normally it public ip's from side A and side B.From 192.168.252.2 icmp_seq=2 Destination Host Unreachable
I am trying vti tunnel with ubnt edge pro router.
PFSENSE devs please confirm. -
Try with this patch:
https://redmine.pfsense.org/issues/8859#note-9
I'd also be curious to know if it hurts your other working setups in any way. I don't expect it to, I haven't seen any negative side effects thus far, but I haven't seen enough feedback to be confident in it yet.
-
Thank you let me apply patch
in order avoid overlap or conflict you have to use pass through for local subnet
conn dev-host
type=passthrough
authby=never
left=my lan subnet list
right=my lan subnet list
auto=route -
You should not need any of that with VTI, just the stock lines + this patch that adds 0.0.0.0/0 both ways.
-
Is it possible set just 0.0.0.0/0 ?
In config I seerightsubnet = 192.168.252.2,0.0.0.0/0 leftsubnet = 192.168.252.1/30,0.0.0.0/0
-
FreeBSD requires the VTI endpoints be there. Without that, it doesn't work, even with just
0.0.0.0/0
. That's the smallest possible set I could get to work. -
Ok, but it not resolve the issue. Vti still not coming up.
volga629@canlrt01:~$ ping 192.168.252.1
PING 192.168.252.1 (192.168.252.1) 56(84) bytes of data.
From 192.168.252.2 icmp_seq=1 Destination Host Unreachable
From 192.168.252.2 icmp_seq=2 Destination Host Unreachable
From 192.168.252.2 icmp_seq=3 Destination Host Unreachable
From 192.168.252.2 icmp_seq=4 Destination Host Unreachable
^C
--- 192.168.252.1 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 2997ms -
There is already a different thread for problems with ubnt/edgerouters though, if you need help, post there or start a thread of your own. This one is specifically for an ASR1000
-
Testing patch from https://redmine.pfsense.org/attachments/2624/ipsec-vti-0.0.0.0.diff now :)
-
@jimp Good to go against ASR1000 with that patch - tunnel is no longer bouncing. There's a secondary tunnel on the same box not coming up, but I think that's on their side (P1 up, P2 not returning any traffic though pings are going out).
Regardless, I'll drop in next week after our maintenance window to let you know if they've fixed it.
I don't have a good test case against other ipsec site-to-site or mobile tunnels on this test box - the only one with those is on prod :) I will do my best to spin something up on this so that you can be more confident in the patch going into -p1 :)
Thanks Jim!