Issue with VTI and IPSEC (1st July Snapshot) IKEv2 & ESP
-
Howdy,
I tested the recent VTI patch on the snapshot from 1st of July.
High level configuration has tunnel endpoints: JUNOS box on 192.168.90.1/30 and the pfSense box on 192.168.90.2.

TCPDUMP on pfSense (enc0) reports packets from Junos being received in good order.
Ping from the pfSense box toward Juniper reports "sendto: Network is down":

PING 192.168.90.1 (192.168.90.1): 56 data bytes
ping: sendto: Network is down
ping: sendto: Network is down
ping: sendto: Network is down
IKEv2 (P1) is up. ESP (P2) is up.
[2.4.4-DEVELOPMENT][root@firewall.xx.org]/root: ipsec status
Security Associations (1 up, 0 connecting):
     con2000[4]: ESTABLISHED 5 hours ago, 203.xx.xx.254[cloud.xxx.org]...138.xx.xx.41[home.xxx.org]
     con2000{7}:  INSTALLED, TUNNEL, reqid 2000, ESP SPIs: ce25a891_i ba51bbdd_o
     con2000{7}:   192.168.90.0/30|/0 === 192.168.90.1/32|/0
Interface configuration appears to be consistent with that described in the patch notes and the code that generates it. It is noted that the interface lacks the internal "RUNNING" flag.
[2.4.4-DEVELOPMENT][root@firewall.xxx.org]/root: ifconfig ipsec2000
ipsec2000: flags=8111<UP,POINTOPOINT,PROMISC,MULTICAST> metric 0 mtu 1400
        inet6 fe80::1c1c:e745:6b76:4db8%ipsec2000 prefixlen 64 tentative scopeid 0x8
        inet 192.168.90.2 --> 192.168.90.1 netmask 0xfffffffc
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        reqid: 2000
        groups: ipsec
Routing table appears to be correct
[2.4.4-DEVELOPMENT][root@firewall.xx.org]/root: netstat -rnW
Routing tables

Internet:
Destination        Gateway            Flags       Use    Mtu     Netif Expire
default            203.xx.xx.73       UGS       43480   1500       em2
127.0.0.1          link#5             UH      1162025  16384       lo0
192.168.90.1       link#8             UH        12753   1400 ipsec2000
192.168.90.2       link#8             UHS           2  16384       lo0
192.168.98.0/24    192.168.98.2       UGS           0   1500    ovpns1
192.168.98.1       link#9             UHS           0  16384       lo0
192.168.98.2       link#9             UH        16403   1500    ovpns1
192.168.99.0/24    link#2             U         27148   1500       em1
192.168.99.1       link#2             UHS       84102  16384       lo0
<snip....>
tcpdump shows traffic from the remote landing in good order:
07:48:57.313859 (authentic,confidential): SPI 0xc92d0d56: IP 192.168.90.1.57271 > 192.168.90.2.179: Flags [S], seq 3717540734, win 16384, options [mss 9152,sackOK,eol], length 0
07:49:00.514212 (authentic,confidential): SPI 0xc92d0d56: IP 192.168.90.1.57271 > 192.168.90.2.179: Flags [S], seq 3717540734, win 16384, options [mss 9152,sackOK,eol], length 0
07:49:03.714669 (authentic,confidential): SPI 0xc92d0d56: IP 192.168.90.1.57271 > 192.168.90.2.179: Flags [S], seq 3717540734, win 16384, options [mss 9152,sackOK,eol], length 0
Any assistance would be greatly appreciated.
A
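Added example, not part of the original post and not pfSense's own code: a small POSIX sh check that parses the text of `ifconfig ipsecNNNN` and `ipsec status`, decodes the hex flags word using the FreeBSD `<net/if.h>` IFF_* bit values (RUNNING is 0x40), confirms the CHILD_SA reqid matches the interface reqid, and reports a verdict. The point it makes concrete is the one in the post above: the SA can be INSTALLED and the route can point at the ipsec interface, yet the kernel still refuses to transmit when the interface is UP but not RUNNING, which is the ENETDOWN ("Network is down") that ping reports. The sample outputs embedded below are constructed from the ones in the post, with the public addresses replaced by RFC 5737 documentation addresses; the function names are my own.

```shell
#!/bin/sh
# Added diagnostic, not from the original post or from pfSense: check a
# FreeBSD ipsecNNNN VTI from the text of `ifconfig` and `ipsec status`.
# Bit values are FreeBSD <net/if.h> IFF_* constants as ifconfig prints them.

# Print the interface flag names for a hex flags word such as 8111.
decode_flags() {
    f=$(( 0x$1 ))
    out=""
    [ $(( f & 0x1 ))    -ne 0 ] && out="$out UP"
    [ $(( f & 0x2 ))    -ne 0 ] && out="$out BROADCAST"
    [ $(( f & 0x8 ))    -ne 0 ] && out="$out LOOPBACK"
    [ $(( f & 0x10 ))   -ne 0 ] && out="$out POINTOPOINT"
    [ $(( f & 0x40 ))   -ne 0 ] && out="$out RUNNING"
    [ $(( f & 0x80 ))   -ne 0 ] && out="$out NOARP"
    [ $(( f & 0x100 ))  -ne 0 ] && out="$out PROMISC"
    [ $(( f & 0x800 ))  -ne 0 ] && out="$out SIMPLEX"
    [ $(( f & 0x8000 )) -ne 0 ] && out="$out MULTICAST"
    printf '%s\n' "${out# }"
}

# Extract the hex flags word from ifconfig text ("flags=8111<UP,...>").
flags_hex() {
    printf '%s\n' "$1" | sed -n 's/.*flags=\([0-9a-fA-F][0-9a-fA-F]*\)<.*/\1/p' | head -n 1
}

# Succeed only if the RUNNING bit (0x40) is set in the ifconfig text.
is_running() {
    h=$(flags_hex "$1")
    [ -n "$h" ] || return 2
    [ $(( 0x$h & 0x40 )) -ne 0 ]
}

# reqid printed by ifconfig for the VTI ("reqid: 2000").
ifconfig_reqid() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*reqid: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# reqid of the installed CHILD_SA in `ipsec status` ("INSTALLED, TUNNEL, reqid 2000,").
sa_reqid() {
    printf '%s\n' "$1" | sed -n 's/.*INSTALLED, TUNNEL, reqid \([0-9][0-9]*\),.*/\1/p' | head -n 1
}

# Verdict for one VTI: prints OK, NO-SA, REQID-MISMATCH or NOT-RUNNING.
# $1 = ifconfig text, $2 = ipsec status text
vti_check() {
    sa=$(sa_reqid "$2")
    [ -n "$sa" ] || { echo NO-SA; return 1; }
    [ "$sa" = "$(ifconfig_reqid "$1")" ] || { echo REQID-MISMATCH; return 1; }
    is_running "$1" || { echo NOT-RUNNING; return 1; }
    echo OK
}

# Constructed sample input, based on the output in the post (public
# addresses replaced by RFC 5737 documentation addresses).
SAMPLE_IFCONFIG='ipsec2000: flags=8111<UP,POINTOPOINT,PROMISC,MULTICAST> metric 0 mtu 1400
        inet6 fe80::1c1c:e745:6b76:4db8%ipsec2000 prefixlen 64 tentative scopeid 0x8
        inet 192.168.90.2 --> 192.168.90.1 netmask 0xfffffffc
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        reqid: 2000
        groups: ipsec'

SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
     con2000[4]: ESTABLISHED 5 hours ago, 203.0.113.254[cloud.example.org]...198.51.100.41[home.example.org]
     con2000{7}:  INSTALLED, TUNNEL, reqid 2000, ESP SPIs: ce25a891_i ba51bbdd_o
     con2000{7}:   192.168.90.0/30|/0 === 192.168.90.1/32|/0'

# Stand-alone run: decode the flags and give the verdict for the sample.
echo "flags $(flags_hex "$SAMPLE_IFCONFIG") = $(decode_flags "$(flags_hex "$SAMPLE_IFCONFIG")")"
echo "verdict: $(vti_check "$SAMPLE_IFCONFIG" "$SAMPLE_STATUS")"
```

On a live box the same functions can be fed `"$(ifconfig ipsec2000)"` and `"$(ipsec status)"` directly. The reqid cross-check matters because the kernel steers traffic from the VTI to the SA by reqid: an interface whose reqid does not match any INSTALLED CHILD_SA will look up but carry nothing, just as one without RUNNING does.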
-
Seems very close. All of mine show RUNNING though. Make sure you have followed the proper procedure to not only create the tunnel but to assign it for use: https://www.netgate.com/docs/pfsense/vpn/ipsec/ipsec-routed.html