    VTI tunnels behaving strangely

    IPsec
    ciphergeek

      I've got 4 VTI tunnels on a box running 2.4.5_1. I'll call that box 0:
      ipsec1000 - goes to box 1
      ipsec8000 - goes to box 1
      ipsec6000 - goes to box 2
      ipsec7000 - goes to box 3

      From box 0 I can ping both remote VTI endpoints on box 1, but not on box 2 or box 3.

      However, I can ping box 0 from the other side (which is also pfSense 2.4.5_1) with no problem in all cases.

      What's strange is that if I run tcpdump -i enc0 on box 2 or box 3 and ping from box 0 with a source address that is correct for that VTI, I see the traffic come across that interface but not the ipsec interface associated with the VTI.

      I've torn down tunnels, rebooted everything, cleared state tables. Am I up against some limitation here?

      I see no log messages of relevance, but what started this off is that the gateway status on box 0 shows the gateways associated with ipsec6000 and ipsec7000 as down. When I go to the gateway status on the other side of the VTI, it shows as up.

      ipsec1000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
      tunnel inet 7.7.7.7 --> 8.8.8.8
      inet6 fe80::ae1f:6bff:fe7c:f530%ipsec1000 prefixlen 64 scopeid 0x12
      inet 10.248.1.2 --> 10.248.1.1 netmask 0xfffffffc
      nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      reqid: 1000
      groups: ipsec
      ipsec8000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
      tunnel inet 4.4.4.4 --> 4.4.4.5
      inet6 fe80::ae1f:6bff:fe7c:f530%ipsec8000 prefixlen 64 scopeid 0x15
      inet 10.248.0.2 --> 10.248.0.1 netmask 0xfffffffc
      nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      reqid: 8000
      groups: ipsec
      ipsec7000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
      tunnel inet 1.2.3.4 --> 5.6.7.8
      inet6 fe80::ae1f:6bff:fe7c:f530%ipsec7000 prefixlen 64 scopeid 0x16
      inet 10.248.3.2 --> 10.248.3.1 netmask 0xfffffffc
      nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      reqid: 7000
      groups: ipsec
      ipsec6000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
      tunnel inet 1.2.3.4 --> 5.6.7.8
      inet6 fe80::ae1f:6bff:fe7c:f530%ipsec6000 prefixlen 64 scopeid 0x17
      inet 10.248.2.2 --> 10.248.2.1 netmask 0xfffffffc
      nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      reqid: 6000
      groups: ipsec

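The following is an added example, not part of the post above and not pfSense or Netgate code. It is a POSIX sh/awk script that reduces FreeBSD ifconfig output for if_ipsec(4) interfaces to one line per VTI (name, reqid, outer endpoints, inner addresses), flags VTIs that share identical outer tunnel endpoints, and emits the per-VTI ping-with-source and tcpdump commands the poster describes, so the same probe can be repeated for each tunnel. It assumes the ifconfig layout shown in the post (tunnel inet, inet and reqid lines) and is fed a constructed copy of that output; on a live box feed it `ifconfig -a` instead. One thing it surfaces in the posted output is that ipsec6000 and ipsec7000 both show the outer pair 1.2.3.4 --> 5.6.7.8. That may simply be how the addresses were sanitised for the forum; whether the two tunnels really terminate on the same outer pair is something to confirm against the Phase 1 settings on both sides, not a conclusion the page supports.

```shell
#!/bin/sh
# Added example (not from the post): summarise if_ipsec(4) VTI interfaces from
# FreeBSD ifconfig output and flag VTIs that share the same outer tunnel endpoints.
# Live use:  vti_summary "$(ifconfig -a)" ; vti_shared_endpoints "$(ifconfig -a)"

# Constructed sample: the four ipsec* blocks quoted in the post, with the
# inet6/nd6/groups lines dropped because the checks below do not read them.
SAMPLE_IFCONFIG='ipsec1000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
    tunnel inet 7.7.7.7 --> 8.8.8.8
    inet 10.248.1.2 --> 10.248.1.1 netmask 0xfffffffc
    reqid: 1000
ipsec8000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
    tunnel inet 4.4.4.4 --> 4.4.4.5
    inet 10.248.0.2 --> 10.248.0.1 netmask 0xfffffffc
    reqid: 8000
ipsec7000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
    tunnel inet 1.2.3.4 --> 5.6.7.8
    inet 10.248.3.2 --> 10.248.3.1 netmask 0xfffffffc
    reqid: 7000
ipsec6000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
    tunnel inet 1.2.3.4 --> 5.6.7.8
    inet 10.248.2.2 --> 10.248.2.1 netmask 0xfffffffc
    reqid: 6000'

# vti_summary IFCONFIG_TEXT
# One line per ipsec* interface:  name reqid outer_src outer_dst inner_local inner_peer
# A header line (no leading whitespace) for a non-ipsec interface ends the current
# block, so continuation lines of em0, enc0 etc. are never attributed to a VTI.
vti_summary() {
    printf '%s\n' "$1" | awk '
        function emit() { print name, rq, osrc, odst, il, ip }
        /^[^ \t]/ {
            if (name) emit()
            name = ""
            if ($1 ~ /^ipsec[0-9]+:$/) {
                name = $1; sub(/:$/, "", name)
                rq = osrc = odst = il = ip = "-"
            }
        }
        name && /^[ \t]*tunnel inet / { osrc = $3; odst = $5 }
        name && /^[ \t]*inet [0-9]/   { il = $2; ip = $4 }
        name && /^[ \t]*reqid:/       { rq = $2 }
        END { if (name) emit() }
    '
}

# vti_shared_endpoints IFCONFIG_TEXT
# Prints "SRC -> DST: ifA,ifB" for every outer endpoint pair used by more than one
# VTI; prints nothing when each VTI has its own outer pair.
vti_shared_endpoints() {
    vti_summary "$1" | awk '
        {
            key = $3 " -> " $4
            if (key in seen) seen[key] = seen[key] "," $1; else seen[key] = $1
            n[key]++
        }
        END { for (k in seen) if (n[k] > 1) print k ": " seen[k] }
    ' | sort
}

# vti_probe_cmds IFCONFIG_TEXT IFNAME
# The probe the post describes, for one VTI: a ping sourced from the VTI inner
# address (FreeBSD ping -S) and a tcpdump on the VTI interface itself. On the peer,
# "tcpdump -ni enc0 icmp" shows decrypted IPsec traffic for every SA, so seeing the
# echo there but not on the ipsecNNNN interface is exactly the split the post reports.
vti_probe_cmds() {
    vti_summary "$1" | awk -v want="$2" '
        $1 == want {
            printf "ping -S %s -c 3 %s\n", $5, $6
            printf "tcpdump -ni %s icmp\n", $1
        }
    '
}

# Stand-alone run against the constructed sample.
vti_summary "$SAMPLE_IFCONFIG"
echo "--- VTIs sharing outer endpoints (empty = none) ---"
vti_shared_endpoints "$SAMPLE_IFCONFIG"
echo "--- probe for ipsec6000 ---"
vti_probe_cmds "$SAMPLE_IFCONFIG" ipsec6000
```

Run it on box 0 as `vti_shared_endpoints "$(ifconfig -a)"` and on each peer; a VTI that is present on one side's summary but missing from the other's, or an outer pair that is shared on one side and not the other, narrows the comparison before reading ipsec statusall or the gateway logs.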
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.