trying to get vti mode working between two pfS units (2.4.4-RELEASE-p3)
-
I have two pfS units configured with a tunnel using VTI mode.
Unit 1
    <ipsec>
      <client></client>
      <phase1>
        <ikeid>1</ikeid>
        <iketype>ikev2</iketype>
        <interface>wan</interface>
        <remote-gateway>edge.xxxxxxxxxxx.xxx</remote-gateway>
        <protocol>inet</protocol>
        <myid_type>myaddress</myid_type>
        <myid_data></myid_data>
        <peerid_type>peeraddress</peerid_type>
        <peerid_data></peerid_data>
        <encryption>
          <item>
            <encryption-algorithm>
              <name>aes</name>
              <keylen>128</keylen>
            </encryption-algorithm>
            <hash-algorithm>sha256</hash-algorithm>
            <dhgroup>14</dhgroup>
          </item>
        </encryption>
        <lifetime>28800</lifetime>
        <pre-shared-key>123</pre-shared-key>
        <private-key></private-key>
        <certref></certref>
        <caref></caref>
        <authentication_method>pre_shared_key</authentication_method>
        <descr></descr>
        <nat_traversal>on</nat_traversal>
        <mobike>off</mobike>
        <margintime></margintime>
        <dpd_delay>10</dpd_delay>
        <dpd_maxfail>5</dpd_maxfail>
      </phase1>
      <phase2>
        <ikeid>1</ikeid>
        <uniqid>5de457ba59a13</uniqid>
        <mode>vti</mode>
        <reqid>1</reqid>
        <localid>
          <type>network</type>
          <address>10.254.254.2</address>
          <netbits>30</netbits>
        </localid>
        <remoteid>
          <type>address</type>
          <address>10.254.254.1</address>
        </remoteid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
          <name>aes</name>
          <keylen>128</keylen>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
        <pfsgroup>14</pfsgroup>
        <lifetime>3600</lifetime>
        <pinghost></pinghost>
        <descr></descr>
      </phase2>
    </ipsec>
Unit 2
    <ipsec>
      <logging>
        <dmn>1</dmn>
        <mgr>1</mgr>
        <ike>1</ike>
        <chd>1</chd>
        <job>1</job>
        <cfg>1</cfg>
        <knl>1</knl>
        <net>1</net>
        <asn>1</asn>
        <enc>1</enc>
        <imc>1</imc>
        <imv>1</imv>
        <pts>1</pts>
        <tls>1</tls>
        <esp>1</esp>
        <lib>1</lib>
      </logging>
      <client></client>
      <phase1>
        <ikeid>1</ikeid>
        <iketype>ikev2</iketype>
        <interface>wan</interface>
        <remote-gateway>117xxxxxxxxxxxxxxxxxxxxx</remote-gateway>
        <protocol>inet</protocol>
        <myid_type>myaddress</myid_type>
        <myid_data></myid_data>
        <peerid_type>peeraddress</peerid_type>
        <peerid_data></peerid_data>
        <encryption>
          <item>
            <encryption-algorithm>
              <name>aes</name>
              <keylen>128</keylen>
            </encryption-algorithm>
            <hash-algorithm>sha256</hash-algorithm>
            <dhgroup>14</dhgroup>
          </item>
        </encryption>
        <lifetime>28800</lifetime>
        <pre-shared-key>123</pre-shared-key>
        <private-key></private-key>
        <certref></certref>
        <caref></caref>
        <authentication_method>pre_shared_key</authentication_method>
        <descr></descr>
        <nat_traversal>on</nat_traversal>
        <mobike>off</mobike>
        <margintime></margintime>
        <dpd_delay>10</dpd_delay>
        <dpd_maxfail>5</dpd_maxfail>
      </phase1>
      <phase2>
        <ikeid>1</ikeid>
        <uniqid>5de45728c26ca</uniqid>
        <mode>vti</mode>
        <reqid>1</reqid>
        <localid>
          <type>network</type>
          <address>10.254.254.1</address>
          <netbits>30</netbits>
        </localid>
        <remoteid>
          <type>address</type>
          <address>10.254.254.2</address>
        </remoteid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
          <name>aes</name>
          <keylen>128</keylen>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
        <pfsgroup>14</pfsgroup>
        <lifetime>3600</lifetime>
        <pinghost></pinghost>
        <descr></descr>
      </phase2>
    </ipsec>
I get the following on both units.
Also, I have the interfaces assigned on both units, but they don't show up on the Firewall Rules page.
The gateways that are created automatically are not green either.
If I configure a traditional tunnel (not vti) everything works as expected.
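A first thing to rule out on a VTI tunnel that will not come up is a mismatch between the two config.xml fragments. The script below is an added example (not from this thread and not pfSense's own validation code): it parses the two <ipsec> fragments posted above (copied here with the empty elements and the <logging> block trimmed, the sanitised gateway values and the PSK "123" left as posted) and checks that the phase 1 settings and proposals agree, that both phase 2 entries are in VTI mode, that each unit's local VTI address is the other unit's remote address inside the same /30, and that the PSK is not a short placeholder. The check list and the finding messages are this example's own assumptions about what a sane mirrored VTI pair looks like.

```python
"""Consistency check for two pfSense <ipsec> config.xml fragments that are
meant to form one VTI (routed IPsec) tunnel.

Added example, not from the forum thread or the pfSense project. The two
fragments are copied from the post and trimmed (empty elements and the
<logging> block removed); the checks themselves are assumptions about what
a mirrored VTI pair must satisfy, not pfSense's own validation.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Unit 1, as posted (trimmed).
UNIT1 = """<ipsec><client></client>
<phase1><ikeid>1</ikeid><iketype>ikev2</iketype><interface>wan</interface>
<remote-gateway>edge.xxxxxxxxxxx.xxx</remote-gateway><protocol>inet</protocol>
<myid_type>myaddress</myid_type><peerid_type>peeraddress</peerid_type>
<encryption><item><encryption-algorithm><name>aes</name><keylen>128</keylen></encryption-algorithm>
<hash-algorithm>sha256</hash-algorithm><dhgroup>14</dhgroup></item></encryption>
<lifetime>28800</lifetime><pre-shared-key>123</pre-shared-key>
<authentication_method>pre_shared_key</authentication_method>
<nat_traversal>on</nat_traversal><mobike>off</mobike>
<dpd_delay>10</dpd_delay><dpd_maxfail>5</dpd_maxfail></phase1>
<phase2><ikeid>1</ikeid><uniqid>5de457ba59a13</uniqid><mode>vti</mode><reqid>1</reqid>
<localid><type>network</type><address>10.254.254.2</address><netbits>30</netbits></localid>
<remoteid><type>address</type><address>10.254.254.1</address></remoteid>
<protocol>esp</protocol>
<encryption-algorithm-option><name>aes</name><keylen>128</keylen></encryption-algorithm-option>
<hash-algorithm-option>hmac_sha256</hash-algorithm-option><pfsgroup>14</pfsgroup>
<lifetime>3600</lifetime></phase2></ipsec>"""

# Unit 2, as posted (trimmed): the mirror image, with local/remote swapped.
UNIT2 = """<ipsec><client></client>
<phase1><ikeid>1</ikeid><iketype>ikev2</iketype><interface>wan</interface>
<remote-gateway>117xxxxxxxxxxxxxxxxxxxxx</remote-gateway><protocol>inet</protocol>
<myid_type>myaddress</myid_type><peerid_type>peeraddress</peerid_type>
<encryption><item><encryption-algorithm><name>aes</name><keylen>128</keylen></encryption-algorithm>
<hash-algorithm>sha256</hash-algorithm><dhgroup>14</dhgroup></item></encryption>
<lifetime>28800</lifetime><pre-shared-key>123</pre-shared-key>
<authentication_method>pre_shared_key</authentication_method>
<nat_traversal>on</nat_traversal><mobike>off</mobike>
<dpd_delay>10</dpd_delay><dpd_maxfail>5</dpd_maxfail></phase1>
<phase2><ikeid>1</ikeid><uniqid>5de45728c26ca</uniqid><mode>vti</mode><reqid>1</reqid>
<localid><type>network</type><address>10.254.254.1</address><netbits>30</netbits></localid>
<remoteid><type>address</type><address>10.254.254.2</address></remoteid>
<protocol>esp</protocol>
<encryption-algorithm-option><name>aes</name><keylen>128</keylen></encryption-algorithm-option>
<hash-algorithm-option>hmac_sha256</hash-algorithm-option><pfsgroup>14</pfsgroup>
<lifetime>3600</lifetime></phase2></ipsec>"""


def _p1_proposal(p1):
    """Phase 1 proposal as a comparable tuple (cipher, keylen, hash, DH group)."""
    item = p1.find("encryption/item")
    return (item.findtext("encryption-algorithm/name"),
            item.findtext("encryption-algorithm/keylen"),
            item.findtext("hash-algorithm"), item.findtext("dhgroup"))


def _p2_proposal(p2):
    """Phase 2 proposal as a comparable tuple (cipher, keylen, hash, PFS group)."""
    return (p2.findtext("encryption-algorithm-option/name"),
            p2.findtext("encryption-algorithm-option/keylen"),
            p2.findtext("hash-algorithm-option"), p2.findtext("pfsgroup"))


def check_vti_pair(xml_a, xml_b, min_psk_len=20):
    """Return a list of human-readable findings; an empty list means the two
    fragments are a consistent VTI pair (assumed criteria, see module doc)."""
    a, b = ET.fromstring(xml_a), ET.fromstring(xml_b)
    p1a, p1b, p2a, p2b = a.find("phase1"), b.find("phase1"), a.find("phase2"), b.find("phase2")
    findings = []

    # Phase 1: IKE version, auth method, NAT-T, MOBIKE and lifetime must agree.
    for tag in ("iketype", "authentication_method", "nat_traversal", "mobike", "lifetime"):
        if p1a.findtext(tag) != p1b.findtext(tag):
            findings.append(f"phase1 {tag} differs: {p1a.findtext(tag)!r} vs {p1b.findtext(tag)!r}")
    if _p1_proposal(p1a) != _p1_proposal(p1b):
        findings.append("phase1 proposals differ")
    psk_a, psk_b = p1a.findtext("pre-shared-key") or "", p1b.findtext("pre-shared-key") or ""
    if psk_a != psk_b:
        findings.append("pre-shared keys differ")
    elif len(psk_a) < min_psk_len:
        findings.append(f"pre-shared key is only {len(psk_a)} characters; use a long random PSK")

    # Phase 2: VTI mode on both sides, bound to the phase 1 entry, same proposal.
    for name, p1, p2 in (("unit A", p1a, p2a), ("unit B", p1b, p2b)):
        if p2.findtext("mode") != "vti":
            findings.append(f"{name} phase2 mode is {p2.findtext('mode')!r}, not vti")
        if p2.findtext("ikeid") != p1.findtext("ikeid"):
            findings.append(f"{name} phase2 ikeid does not reference its phase1 entry")
    if _p2_proposal(p2a) != _p2_proposal(p2b):
        findings.append("phase2 proposals differ")

    # VTI addressing: each side's local address is the peer's remote address,
    # and both locals sit in the same tunnel subnet.
    loc_a = ipaddress.ip_interface(f"{p2a.findtext('localid/address')}/{p2a.findtext('localid/netbits')}")
    loc_b = ipaddress.ip_interface(f"{p2b.findtext('localid/address')}/{p2b.findtext('localid/netbits')}")
    rem_a, rem_b = p2a.findtext("remoteid/address"), p2b.findtext("remoteid/address")
    if str(loc_a.ip) != rem_b:
        findings.append(f"unit B remote {rem_b} is not unit A local {loc_a.ip}")
    if str(loc_b.ip) != rem_a:
        findings.append(f"unit A remote {rem_a} is not unit B local {loc_b.ip}")
    if loc_a.network != loc_b.network:
        findings.append(f"VTI locals are in different subnets: {loc_a.network} vs {loc_b.network}")
    return findings


if __name__ == "__main__":
    for line in check_vti_pair(UNIT1, UNIT2) or ["no findings"]:
        print(line)
```

Run against the posted fragments, the only finding is the three-character PSK: the addressing and proposals mirror correctly, so the tunnel failure is not a config.xml mismatch and the next place to look is the IKE log on both units. Editing one address in either fragment produces a second finding pointing at the side that no longer matches.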
-
I also see
querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found
-
They don't show up in the firewalls section as interfaces.
You just write rules inside the 'ipsec' section.
SiteA to SiteB
SiteA out from LAN to SiteB - write firewall rules under LAN
SiteA in from SiteB to SiteA LAN - write firewall rules under IPSEC
-
I'm pretty sure in VTI mode, they are supposed to show up as interfaces. I have already assigned them and they do show up under Status->Interfaces.
-
@coreybrett
PF uses an enc0 interface to filter all ipsec traffic (classic ipsec tunnel, VTI).

    em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
            ether 08:00:27:7e:d9:81
            hwaddr 08:00:27:7e:d9:81
            inet6 fe80::a00:27ff:fe7e:d981%em1 prefixlen 64 scopeid 0x2
            inet 10.3.100.1 netmask 0xffffff00 broadcast 10.3.100.255
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            groups: enc
Therefore, all filtering rules are created on the IPSEC tab ( including for VTI).