• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Routed IPsec using if_ipsec VTI interfaces

Scheduled Pinned Locked Moved 2.4 Development Snapshots
45 Posts 2 Posters 12.9k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • O
    obrienmd
    last edited by Jun 8, 2018, 2:51 PM

    Non-HA side:

    conn con2
            fragmentation = yes
            keyexchange = ikev2
            reauth = yes
            forceencaps = no
            mobike = no
    
            rekey = yes
            installpolicy = no
    
            dpdaction = restart
            dpddelay = 10s
            dpdtimeout = 60s
            auto = start
            left = {non_ha_side_wan_ip}
            right = {ha_side_wan_ip}
            leftid = {non_ha_side_wan_ip}
            ikelifetime = 28800s
            lifetime = 3600s
            ike = aes256-sha1-modp1024!
            esp = aes256gcm128-sha256-modp2048,aes256gcm96-sha256-modp2048,aes256gcm64-sha256-modp2048!
            leftauth = psk
            rightauth = psk
            rightid = {ha_side_wan_ip}
            rightsubnet = 10.90.91.1
            leftsubnet = 10.90.91.2/30
    
    

    HA side:

    conn con1
            fragmentation = yes
            keyexchange = ikev2
            reauth = yes
            forceencaps = no
            mobike = no
    
            rekey = yes
            installpolicy = no
    
            dpdaction = restart
            dpddelay = 10s
            dpdtimeout = 60s
            auto = start
            left = {ha_side_wan_ip}
            right = {non_ha_side_wan_ip}
            leftid = {ha_side_wan_ip}
            ikelifetime = 28800s
            lifetime = 3600s
            ike = aes256-sha1-modp1024!
            esp = aes256gcm128-sha256-modp2048,aes256gcm96-sha256-modp2048,aes256gcm64-sha256-modp2048!
            leftauth = psk
            rightauth = psk
            rightid = {non_ha_side_wan_ip}
            rightsubnet = 10.90.91.2
            leftsubnet = 10.90.91.1/30
    
    
    1 Reply Last reply Reply Quote 0
    • J
      jimp Rebel Alliance Developer Netgate
      last edited by jimp Jun 8, 2018, 2:54 PM Jun 8, 2018, 2:54 PM

      Those don't look quite right, there is no reqid in those blocks like there should be. Are the ipsecX interfaces actually present?

      Might be due to the tunnel being IKEv2, I think all three of my test systems here have been IKEv1. I'll try to spin up a v2 set.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • O
        obrienmd
        last edited by Jun 8, 2018, 3:18 PM

        Yup, ipsec1000/2000 (depending on box) ints are there, and show proper /30s.

        1 Reply Last reply Reply Quote 0
        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Jun 8, 2018, 3:21 PM

          I did see one problem come up that I just pushed a fix for, but I didn't see that specific error you had unless I had an IKEv1/IKEv2 mismatch between the peers.

          The fix I made only touches two lines, you can easily apply it manually to test: https://github.com/pfsense/pfsense/commit/d4b43c48ed1636d3fcd6e47d73ba721bd63d883a

          With that I just switched both sides from IKEv1 to IKEv2 and it came right back up.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
          • O
            obrienmd
            last edited by Jun 8, 2018, 3:53 PM

            Yep, nailed it. Looking good with that change.

            Because of your warning on frr, I'm testing with static routing right now. After everything was fixed and I disabled / re-enabled the interfaces to get traffic flowing, static routes were showing in the route table but set to hn1 rather than the ipsec interface. Editing and re-saving the static route resolved the issue.

            With dynamic routing I bet I won't see that in the future, but if there's some resiliency code somewhere to reset interfaces on static routes when gateways disappear/appear, go up/down, go pending, etc... Perhaps something needs to get tweaked there.

            1 Reply Last reply Reply Quote 0
            • J
              jimp Rebel Alliance Developer Netgate
              last edited by Jun 8, 2018, 3:55 PM

              I need to work a bit on static routes yet. I had it solved and working on reboot but somewhere in my changes this week that appears to have broken again as I am not seeing my routes in the table after it boots up. I need to investigate more and open another issue up for that.

              FRR should be better next week, see my updates on https://redmine.pfsense.org/issues/8449#note-2

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 0
              • O
                obrienmd
                last edited by Jun 8, 2018, 4:37 PM

                Great, thanks Jim.

                1 Reply Last reply Reply Quote 0
                • O
                  obrienmd
                  last edited by Jun 8, 2018, 8:04 PM

                  Is there a simple way to map a devel release, e.g. 2.4.4.a.20180608.1025 for Factory or 2.4.4.a.20180608.0718 for CE, against a git commit? I don't want to assume it will be build using all commits immediately prior to that (and I don't know which time zones these are based on).

                  J 1 Reply Last reply Jun 8, 2018, 8:08 PM Reply Quote 0
                  • J
                    jimp Rebel Alliance Developer Netgate @obrienmd
                    last edited by Jun 8, 2018, 8:08 PM

                    @obrienmd said in Routed IPsec using if_ipsec VTI interfaces:

                    Is there a simple way to map a devel release, e.g. 2.4.4.a.20180608.1025 for Factory or 2.4.4.a.20180608.0718 for CE, against a git commit? I don't want to assume it will be build using all commits immediately prior to that (and I don't know which time zones these are based on).

                    Not without loading it up and seeing what's in /etc/version.lastcommit. Servers are using CDT.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • J
                      jimp Rebel Alliance Developer Netgate
                      last edited by Jun 8, 2018, 8:10 PM

                      Static routes should be OK now. I'm not quite sure how it worked before, given the changes I had to make, but it's working now.

                      https://github.com/pfsense/pfsense/commit/0aa52fb21a21f58035f2e2fe3b9328a9c175ffb5

                      I think that might be most if not all of the functional issues. There are still some anti-foot-shooting measures I need to take like preventing removing an IPsec tunnel or P2 used as a VTI interface.

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                      1 Reply Last reply Reply Quote 0
                      • O
                        obrienmd
                        last edited by Jun 10, 2018, 5:14 PM

                        On latest devel for factory and CE, everything functionally is looking great. Had to restart *pinger (I forget which one is used these days) for gateways to get out of pending after initial interface bring-up, but packets are all flowing, no weird state issues, very solid :)

                        J 1 Reply Last reply Jun 11, 2018, 1:00 PM Reply Quote 0
                        • J
                          jimp Rebel Alliance Developer Netgate @obrienmd
                          last edited by Jun 11, 2018, 1:00 PM

                          @obrienmd said in Routed IPsec using if_ipsec VTI interfaces:

                          On latest devel for factory and CE, everything functionally is looking great. Had to restart *pinger (I forget which one is used these days) for gateways to get out of pending after initial interface bring-up, but packets are all flowing, no weird state issues, very solid :)

                          Great! I'll have to check back on the gateways, one of mine is OK and it comes right up, I had disabled gateway monitoring on the other pair because it was interfering with the packet captures I was taking when diagnosing some of the other traffic issues above.

                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          1 Reply Last reply Reply Quote 0
                          43 out of 45
                          • First post
                            43/45
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                            This community forum collects and processes your personal information.
                            consent.not_received