Issue with VTI and IPSEC (1st July Snapshot) IKEv2 & ESP



  • Howdy,

    I tested the recent VTI patch on a snapshot from 1st of July.

    High level configuration has tunnel endpoints
    JUNOS box on 192.168.90.1/30 and the pfSense box on 192.168.90.2

    tcpdump on pfSense (enc0) reports packets from Junos being received in good order.

    Ping from the pfSense box toward Juniper reports "SendTo: Network is Down"

    PING 192.168.90.1 (192.168.90.1): 56 data bytes
    ping: sendto: Network is down
    ping: sendto: Network is down
    ping: sendto: Network is down
    

    IKEv2 (P1) is up. ESP (P2) is up.

    [2.4.4-DEVELOPMENT][root@firewall.xx.org]/root: ipsec status
    Security Associations (1 up, 0 connecting):
         con2000[4]: ESTABLISHED 5 hours ago, 203.xx.xx.254[cloud.xxx.org]...138.xx.xx.41[home.xxx.org]
         con2000{7}:  INSTALLED, TUNNEL, reqid 2000, ESP SPIs: ce25a891_i ba51bbdd_o
         con2000{7}:   192.168.90.0/30|/0 === 192.168.90.1/32|/0
    
    

    Interface configuration appears to be consistent with that described in the patch notes and the code that generates it. It is noted that the interface lacks the internal "RUNNING" flag.

    [2.4.4-DEVELOPMENT][root@firewall.xxx.org]/root: ifconfig ipsec2000
    ipsec2000: flags=8111<UP,POINTOPOINT,PROMISC,MULTICAST> metric 0 mtu 1400
            inet6 fe80::1c1c:e745:6b76:4db8%ipsec2000 prefixlen 64 tentative scopeid 0x8
            inet 192.168.90.2 --> 192.168.90.1 netmask 0xfffffffc
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            reqid: 2000
            groups: ipsec
    
    

    Routing table appears to be correct.

    [2.4.4-DEVELOPMENT][root@firewall.xx.org]/root: netstat -rnW
    Routing tables
    
    Internet:
    Destination        Gateway            Flags       Use    Mtu      Netif Expire
    default            203.xx.xx.73      UGS       43480   1500        em2
    127.0.0.1          link#5             UH      1162025  16384        lo0
    192.168.90.1       link#8             UH        12753   1400  ipsec2000
    192.168.90.2       link#8             UHS           2  16384        lo0
    192.168.98.0/24    192.168.98.2       UGS           0   1500     ovpns1
    192.168.98.1       link#9             UHS           0  16384        lo0
    192.168.98.2       link#9             UH        16403   1500     ovpns1
    192.168.99.0/24    link#2             U         27148   1500        em1
    192.168.99.1       link#2             UHS       84102  16384        lo0
    <snip....>
    

    tcpdump shows traffic from remote landing in good order:

    07:48:57.313859 (authentic,confidential): SPI 0xc92d0d56: IP 192.168.90.1.57271 > 192.168.90.2.179: Flags [S], seq 3717540734, win 16384, options [mss 9152,sackOK,eol], length 0
    07:49:00.514212 (authentic,confidential): SPI 0xc92d0d56: IP 192.168.90.1.57271 > 192.168.90.2.179: Flags [S], seq 3717540734, win 16384, options [mss 9152,sackOK,eol], length 0
    07:49:03.714669 (authentic,confidential): SPI 0xc92d0d56: IP 192.168.90.1.57271 > 192.168.90.2.179: Flags [S], seq 3717540734, win 16384, options [mss 9152,sackOK,eol], length 0
    

    Any assistance would be greatly appreciated.

    A
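The checks walked through in the post above (interface flags, the peer route, the child SA), as an added offline triage script that is not part of the thread or of pfSense; it parses captured command output, and the sample text is constructed from the output quoted above with the interface names and reqid assumed to match.

```python
"""Offline triage of a pfSense/FreeBSD IPsec VTI (ipsecNNNN) interface.

Parses captured `ifconfig`, `ipsec status` and `netstat -rnW` output and
reports the checks a routed-IPsec tunnel must pass: interface UP and
RUNNING, a host route to the peer via the ipsec interface, and an
INSTALLED child SA. Sample text is constructed from the thread's output.
"""
import re

# Constructed sample: the ifconfig lines quoted in the thread (no RUNNING flag).
IFCONFIG = """ipsec2000: flags=8111<UP,POINTOPOINT,PROMISC,MULTICAST> metric 0 mtu 1400
        inet 192.168.90.2 --> 192.168.90.1 netmask 0xfffffffc
        reqid: 2000
"""
# Constructed sample: the two relevant routes from the thread's netstat output.
NETSTAT = """192.168.90.1       link#8             UH        12753   1400  ipsec2000
192.168.90.2       link#8             UHS           2  16384        lo0
"""
# Constructed sample: the child SA line from the thread's `ipsec status`.
IPSEC_STATUS = """     con2000{7}:  INSTALLED, TUNNEL, reqid 2000, ESP SPIs: ce25a891_i ba51bbdd_o
"""

def parse_ifconfig(text):
    """Return (ifname, set of flags, peer address) from ifconfig output."""
    m = re.search(r"^(\S+): flags=\w+<([^>]*)>", text, re.M)
    peer = re.search(r"inet \S+ --> (\S+)", text)
    return m.group(1), set(m.group(2).split(",")), peer.group(1) if peer else None

def route_netif(netstat, dest):
    """Interface the kernel's route for `dest` (host route) points at, or None."""
    for line in netstat.splitlines():
        cols = line.split()
        if cols and cols[0] == dest:
            return cols[-1]
    return None

def sa_installed(status, reqid):
    """True if `ipsec status` shows an INSTALLED tunnel-mode child SA for reqid."""
    return bool(re.search(rf"INSTALLED, TUNNEL, reqid {reqid},", status))

def vti_checks(ifconfig, netstat, status):
    """Map check name -> bool; a False entry is the first place to look."""
    ifname, flags, peer = parse_ifconfig(ifconfig)
    reqid = re.search(r"reqid: (\d+)", ifconfig).group(1)
    return {
        "if_up": "UP" in flags,
        "if_running": "RUNNING" in flags,  # absent in the thread's output
        "peer_route_via_vti": route_netif(netstat, peer) == ifname,
        "child_sa_installed": sa_installed(status, reqid),
    }

if __name__ == "__main__":
    for name, ok in vti_checks(IFCONFIG, NETSTAT, IPSEC_STATUS).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

Run against the thread's output it flags only `if_running`, which is the same observation the post makes from the ifconfig flags.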


  • Rebel Alliance Developer Netgate

    Seems very close. All of mine show RUNNING though. Make sure you have followed the proper procedure to not only create the tunnel but to assign it for use.

    https://www.netgate.com/docs/pfsense/vpn/ipsec/ipsec-routed.html