Netgate Discussion Forum

    IPSec VTI to EdgeRouter

    YoungPeach:

      Hey there!

      I'm trying to set up an IPsec VTI to an EdgeRouter and I'm having some trouble.

      I've read through:
      https://forum.netgate.com/topic/132970/ipsec-vti-tunnels
      https://www.reddit.com/r/PFSENSE/comments/9gqy27/pfsense_244_rc_ipsecvti_tunnel_to_edgerouter_lite/
      https://community.ubnt.com/t5/EdgeRouter/No-traffic-between-VTI-based-IPsec-pfSense-amp-EdgeRouter-4/m-p/2550383

      And have installed the latest update to ensure the 0.0.0.0/0 route gets passed, but it seems the traffic from the VTI tunnel is not coming in on the ipsec6000 interface, but instead on the enc0 interface.

      I have two VPNs to two different AWS VPCs using BGP and I'm trying to set up the router to use VTI to the pfSense. The following quick diagram is the network:

      [image: network diagram]

      The tunnel has come up just fine on both sides and I can see traffic coming from the EdgeRouter, but I cannot get traffic to return from the pfSense. The pfSense, when pinging the router, states "sendto: Network is down".

      Packet capture on enc0 while pinging from the router (the filter is for the firewall address; the packets are router > firewall):
      [image: packet capture on enc0]

      Here's the config on pfSense:

      Phase 1 (0.0.0.0, as our endpoints use dynamic addressing):
      [images: Phase 1 settings]

      Phase 2:
      [images: Phase 2 settings]

      Interface:
      [image: interface settings]

      Route exists (.1 is firewall, .2 is router):
      [image: routing table]

      IPsec status:
      [image: IPsec status]

      EdgeRouter config (this editor removes the tabs from the config, so I had to use a snip):
      [images: EdgeRouter configuration]

      EdgeRouter SA:
      router:~$ show vpn ipsec sa
      peer-x.x.x.x-tunnel-vti: #1, ESTABLISHED, IKEv2, c895d3a75e6e4420:90d85a4da8e97efa
      local 'x' @ x.x.x.x
      remote 'x' @ x.x.x.x
      AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      established 366s ago, rekeying in 85359s, reauth in 84810s
      peer-x.x.x.x-tunnel-vti: #1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_MD5_96
      installed 366 ago, rekeying in 41775s, expires in 42834s
      in c4efe5c3, 0 bytes, 0 packets
      out c475dda7, 33456 bytes, 400 packets, 0s ago
      local 0.0.0.0/0
      remote 0.0.0.0/0

      Any help would be appreciated! I have a little over 200 sites to deploy. :)

      YoungPeach:

        Correction:

        And have installed the latest update to ensure the 0.0.0.0/0 route gets passed, but it seems the traffic from the VTI tunnel is not coming in on the ipsec6000 interface, but is on the enc0 interface.

        The documentation states the OS should see traffic on both interfaces.

        YoungPeach:

          Upon further investigation I've noticed the following:

          [image: interface status]

          The interface is not showing a 'running' status, which explains my problem. Now to find out how to resolve it.

          YoungPeach:

            To answer my own question now:

            VTI tunnels cannot be set up with 0.0.0.0 as the remote peer; you must use an IP address or domain name.

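As an added example (not code from the thread, pfSense or the EdgeRouter), the shell script below turns the three observations this thread ends on into checks over captured command output: a child SA whose counters show packets out but none in, a pfSense ipsecNNNN interface without the RUNNING flag, and a Phase 1 remote gateway left at 0.0.0.0. Function names, the interface addresses and the sample captures are constructed for the example.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread or from pfSense/EdgeRouter.
# 1. EdgeRouter child SA: outbound packets but zero inbound means one-way traffic.
# 2. pfSense VTI interface: no RUNNING flag, hence "sendto: Network is down".
# 3. Phase 1 remote gateway: the wildcard 0.0.0.0 cannot back a VTI
#    (strongSwan spells the same wildcard %any).
# Function names and the sample captures below are constructed for this example.

# Classify one child-SA block from 'show vpn ipsec sa' by its packet counters.
# Prints "bidirectional", "one-way" or "idle".
sa_direction() {
    in_pkts=$(printf '%s\n' "$1" | awk '$1 == "in"  { print $5 }')
    out_pkts=$(printf '%s\n' "$1" | awk '$1 == "out" { print $5 }')
    in_pkts=${in_pkts:-0}; out_pkts=${out_pkts:-0}
    if [ "$in_pkts" -gt 0 ] && [ "$out_pkts" -gt 0 ]; then
        echo bidirectional
    elif [ "$in_pkts" -gt 0 ] || [ "$out_pkts" -gt 0 ]; then
        echo one-way
    else
        echo idle
    fi
}

# Prints "running" when the FreeBSD ifconfig flags line of an ipsecNNNN
# interface carries RUNNING, "not-running" otherwise.
vti_state() {
    if printf '%s\n' "$1" | grep -q '^ipsec[0-9]*: flags=[0-9a-fx]*<[^>]*RUNNING'; then
        echo running
    else
        echo not-running
    fi
}

# Prints "unusable" for a wildcard remote gateway, "ok" for an address or hostname.
vti_peer_usable() {
    case "$1" in
        ""|0.0.0.0|%any) echo unusable ;;
        *)               echo ok ;;
    esac
}

# Constructed samples modelled on the thread's figures (peers masked as in the post).
SA_ONEWAY='peer-x.x.x.x-tunnel-vti: #1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_MD5_96
  in c4efe5c3, 0 bytes, 0 packets
  out c475dda7, 33456 bytes, 400 packets, 0s ago'
IFCONFIG_DOWN='ipsec6000: flags=8050<UP,POINTOPOINT,MULTICAST> metric 0 mtu 1400'

echo "EdgeRouter child SA: $(sa_direction "$SA_ONEWAY")"    # one-way
echo "pfSense ipsec6000:   $(vti_state "$IFCONFIG_DOWN")"   # not-running
echo "Phase 1 remote peer: $(vti_peer_usable 0.0.0.0)"      # unusable
```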
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.