Interface (ipsec6000) not being added for VTI tunnel
-
I have two 2.4.5 firewalls connected with IPSec tunnels. On both ends there is an interface assigned so that I can monitor traffic. This assignment was done using interfaces_assign.php
On one of the sides ipsec6000 is not created and does not come up. It shows up as down on status_interfaces.php, but does not show up when running ifconfig from console. The interface cannot be pinged.
I have tried deleting the tunnel and recreating it to make sure there was nothing left from before, but that does not change anything.
This may be related to https://forum.netgate.com/topic/152179/ipv4-vti-tunnel-set-network-mask, but I don't think it is as it only shows up on one end.
-
Are there any errors in the system log which refer to ifconfig or ipsec6000? The 6000 is based on the VPN ID so that may not match on both sides.
-
Nothing that seems obvious to me:
Apr 7 15:11:25 71117 /interfaces.php: The command '/sbin/ifconfig 'ipsec6000' -staticarp ' returned exit code '1', the output was 'ifconfig: interface ipsec6000 does not exist'
Apr 7 15:11:25 php-fpm 71117 /interfaces.php: The command '/usr/sbin/arp -d -i 'ipsec6000' -a > /dev/null 2>&1 ' returned exit code '1', the output was '
Perhaps this one:
Apr 7 15:25:32 php-fpm 89122 /rc.newipsecdns: The remote gateway XX.YY.ZZ.AA already exists on another phase 1 entry
Or
Apr 7 15:11:44 php-fpm 89122 /rc.newipsecdns: Gateway, none 'available' for inet6, use the first one configured. ''
I have two parallel tunnels running from a site with two WANs to the second one. I probably should have mentioned that at the start in case that makes a difference. Didn't think of mentioning it since the tunnel looks to have come up properly.
/var/etc/ipsec/filterdns-ipsec.hosts has duplicates in it
Apr 7 15:11:48 php-fpm 89122 /rc.newipsecdns: The command '/usr/local/sbin/filterdns -p /var/run/filterdns-ipsec.pid -i 60 -c /var/etc/ipsec/filterdns-ipsec.hosts -d 1' returned exit code '1', the output was '/var/etc/ipsec/filterdns-ipsec.hosts:6: filterdns: duplicate configuration entry found filterdns: cannot open the configuration file.'
-
That's probably why. The IPsec interface has to be built between the local and remote gateway addresses, and it can't build two tunnels to the same remote address.
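As an added diagnostic that is not part of the thread: a POSIX shell snippet that pulls the log lines the first reply asks about (anything mentioning ifconfig or an ipsecNNNN interface) and reports duplicate entries in a filterdns hosts file with their line numbers, the condition that made filterdns refuse the file above. The sample hosts file is constructed here, and its entry format (a keyword followed by a hostname) is an assumption, not taken from pfSense.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense.

# Print every log line that mentions ifconfig or an ipsecNNNN interface.
# Takes a file argument so it can be run over a saved copy of the log.
ipsec_iface_errors() {
    grep -E 'ifconfig|ipsec[0-9]+' "$1"
}

# Print "line: entry (first seen on line N)" for every entry that already
# appeared earlier in the file. Leading whitespace and blank lines are ignored.
# The entry format (keyword then hostname) is assumed for the sample below.
filterdns_dupes() {
    awk '
        /^[ \t]*$/ { next }                      # skip blank lines
        {
            key = $0
            sub(/^[ \t]+/, "", key)              # normalise leading whitespace
            if (key in first) {
                printf "%d: %s (first seen on line %d)\n", NR, key, first[key]
            } else {
                first[key] = NR
            }
        }' "$1"
}

# Number of duplicate entries; 0 means the file has no repeated lines.
filterdns_dupe_count() {
    filterdns_dupes "$1" | wc -l | tr -d ' '
}

# Constructed sample: two phase 1 entries to the same remote host produce the
# same line twice, which is what the thread describes.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
ipsec vpn-a.example.net
ipsec vpn-b.example.net
ipsec vpn-a.example.net
EOF
filterdns_dupes "$tmp"
echo "duplicates: $(filterdns_dupe_count "$tmp")"
rm -f "$tmp"
```

On a live 2.4.x box the log is a circular clog file, so the first check would be run as `clog /var/log/system.log | grep -E 'ifconfig|ipsec[0-9]+'`, and the second against /var/etc/ipsec/filterdns-ipsec.hosts; the line number the function prints is the one filterdns names in its "duplicate configuration entry found" error.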
-
Is that the same remote IP, or the same remote hostname? Would it help using a DNS CNAME, or do I need separate IPs?
-
I changed it to use a gateway group, as per https://forum.netgate.com/topic/52963/ipsec-multi-wan-failover, and now it works as expected.