IPSEC VTI Tunnels
-
I have not, I have had a really tough time with routing BGP over the VTI, and even static over VTI. Regular IPSEC seems to work fine. There is something broken with VTI, so be aware.
-
@mountainlion said in IPSEC VTI Tunnels:
I have not, I have had a really tough time with routing BGP over the VTI, and even static over VTI. Regular IPSEC seems to work fine. There is something broken with VTI, so be aware.
Routed IPSec (VTI) works great for me. Within the firewall rules, I can force certain hosts or entire interfaces to route all their traffic over the IPSec tunnel by forcing the gateway. But what I can't figure out is how to implement gateway monitoring for that 'gateway'. I need the ability for that traffic to failover to a secondary gateway, should the IPSec tunnel go down. Thanks in advance for anyone who can assist.
-
@AndrewBucklin Did you go to System / Routing / Gateways?
Then look for the field that says "Monitor Gateway"
Let me know if that works.
-
@mountainlion No, it doesn’t work. No matter what IP I enter for the Monitor IP, the status will never change to “up”. I can only force it up by disabling gateway monitoring.
-
@AndrewBucklin
Assuming you have your ACL for that interface set up properly....
-
@mountainlion Do you mean Firewall Rules? The interface doesn't actually appear under Firewall Rules, but I do have an Allow rule for all traffic under the default "IPsec" firewall rule group:
-
@jimp Would you please elaborate a bit more on NAT doesn't work with VTI?
I've set up 2 VMs with the latest pfSense for simplicity (trying to mimic our office setup between a Huawei 4G modem with a CGNAT IP and a HQ pfSense firewall with a public static IP). Here is what I found (not sure if it is related to what you said about NAT & VTI?).
pfSense1 had "Responder only" ticked, and with the remote gateway in P1 set to 0.0.0.0 it didn't work; it would error with
/rc.newipsecdns: The command '/sbin/ifconfig 'ipsec1000' create reqid '1000'' returned exit code '1', the output was 'ifconfig: create: bad value'
and it had the symptom of inbound traffic on the IPsec interface (seen with packet capture), but nothing on the VTI interface.
If I change the remote gateway in P1 (on pfSense1) to the WAN address of pfSense2, it works.
Confusingly, reverting the P1 remote gateway to 0.0.0.0 would still work and persist over an IPsec service restart. It only stops working if I delete the P2 & P1 entries (along with the VTI interface) and recreate them again with P1's remote gateway set to 0.0.0.0 (or after a reboot with it set to 0.0.0.0).
I got P1's remote gateway set to 0.0.0.0 working with IPv4 Tunnel Mode, but I am trying to achieve it with VTI since it's easier to manage with static routing rather than ACLs (on the Huawei end) and avoids multiple P2 entries on pfSense. The reason the HQ pfSense remote gateway is set to 0.0.0.0 is that the branch office with the 4G modem is CGNATed, as I said earlier.
Any suggestion would be very much appreciated!
-
VTI and NAT not working means that you can't NAT to other addresses as traffic exits a VTI inside the tunnel -- it has nothing to do with establishing the tunnel, as in your case. VTI won't be possible without a static remote peer, or at least dyndns. It needs to know the remote peer address. That's a topic for another thread, though.
-
@jimp when you say static remote peer or dyndns, you mean a public IP and hence a modem with CGNAT won't work? (given that Huawei modem supports ipsec on logical interfaces.)
-
Maybe an example of a running Cisco-pfSense VTI tunnel connection with dynamic routing helps:
Cisco-pfSense with VTI
Unfortunately it's in German, but it is pretty self-explanatory.