Netgate Discussion Forum

    Issue with VTI and IPsec (1st July Snapshot) IKEv2 & ESP

    amountford (last edited by amountford)

      Howdy,

      I tested the recent VTI patch on the snapshot from 1st of July.

      High level configuration has tunnel endpoints
      JUNOS box on 192.168.90.1/30 and the pfSense box on 192.168.90.2

      TCPDUMP on pfsense (enc0) reports packets from Junos being received in good order.

      Ping from the pfsense box toward juniper reports "SendTo: Network is Down"

      PING 192.168.90.1 (192.168.90.1): 56 data bytes
      ping: sendto: Network is down
      ping: sendto: Network is down
      ping: sendto: Network is down
      

      IKEv2 (P1) is up. ESP (P2) is up.

      [2.4.4-DEVELOPMENT][root@firewall.xx.org]/root: ipsec status
      Security Associations (1 up, 0 connecting):
           con2000[4]: ESTABLISHED 5 hours ago, 203.xx.xx.254[cloud.xxx.org]...138.xx.xx.41[home.xxx.org]
           con2000{7}:  INSTALLED, TUNNEL, reqid 2000, ESP SPIs: ce25a891_i ba51bbdd_o
           con2000{7}:   192.168.90.0/30|/0 === 192.168.90.1/32|/0
      
      

      Interface configuration appears to be consistent with that described in the patch notes and the code that generates it. It is noted that the interface lacks the internal "RUNNING" flag.

      [2.4.4-DEVELOPMENT][root@firewall.xxx.org]/root: ifconfig ipsec2000
      ipsec2000: flags=8111<UP,POINTOPOINT,PROMISC,MULTICAST> metric 0 mtu 1400
              inet6 fe80::1c1c:e745:6b76:4db8%ipsec2000 prefixlen 64 tentative scopeid 0x8
              inet 192.168.90.2 --> 192.168.90.1 netmask 0xfffffffc
              nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              reqid: 2000
              groups: ipsec
      
      

      Routing table appears to be correct.

      [2.4.4-DEVELOPMENT][root@firewall.xx.org]/root: netstat -rnW
      Routing tables
      
      Internet:
      Destination        Gateway            Flags       Use    Mtu      Netif Expire
      default            203.xx.xx.73      UGS       43480   1500        em2
      127.0.0.1          link#5             UH      1162025  16384        lo0
      192.168.90.1       link#8             UH        12753   1400  ipsec2000
      192.168.90.2       link#8             UHS           2  16384        lo0
      192.168.98.0/24    192.168.98.2       UGS           0   1500     ovpns1
      192.168.98.1       link#9             UHS           0  16384        lo0
      192.168.98.2       link#9             UH        16403   1500     ovpns1
      192.168.99.0/24    link#2             U         27148   1500        em1
      192.168.99.1       link#2             UHS       84102  16384        lo0
      <snip....>
      

      TCP dump shows traffic from remote landing in good order:

      07:48:57.313859 (authentic,confidential): SPI 0xc92d0d56: IP 192.168.90.1.57271 > 192.168.90.2.179: Flags [S], seq 3717540734, win 16384, options [mss 9152,sackOK,eol], length 0
      07:49:00.514212 (authentic,confidential): SPI 0xc92d0d56: IP 192.168.90.1.57271 > 192.168.90.2.179: Flags [S], seq 3717540734, win 16384, options [mss 9152,sackOK,eol], length 0
      07:49:03.714669 (authentic,confidential): SPI 0xc92d0d56: IP 192.168.90.1.57271 > 192.168.90.2.179: Flags [S], seq 3717540734, win 16384, options [mss 9152,sackOK,eol], length 0
      

      Any assistance would be greatly appreciated.

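A scripted version of the checks walked through in the post above, added here as an example (it is not code from the post, from pfSense or from Netgate): it reads captured ifconfig, ipsec status and netstat -rnW text and reports which of the UP flag, the RUNNING flag, the INSTALLED child SA and the peer route via the VTI interface are missing. The sample output is constructed to mirror the post's state, with the public addresses swapped for documentation ranges.

```shell
#!/bin/sh
# Added diagnostic for a pfSense/FreeBSD VTI tunnel (example, not from the post).
# Each check takes command output as a string so it can run on captured text;
# on a live box pass "$(ifconfig ipsec2000)", "$(ipsec status)", "$(netstat -rnW)".

# Constructed sample output modelled on the thread (documentation IPs, not a capture).
SAMPLE_IFCONFIG='ipsec2000: flags=8111<UP,POINTOPOINT,PROMISC,MULTICAST> metric 0 mtu 1400
        inet 192.168.90.2 --> 192.168.90.1 netmask 0xfffffffc
        reqid: 2000'
SAMPLE_IPSEC='Security Associations (1 up, 0 connecting):
     con2000[4]: ESTABLISHED 5 hours ago, 203.0.113.254[cloud]...198.51.100.41[home]
     con2000{7}:  INSTALLED, TUNNEL, reqid 2000, ESP SPIs: ce25a891_i ba51bbdd_o'
SAMPLE_ROUTE='192.168.90.1       link#8             UH        12753   1400  ipsec2000'

# iface_flags IFACE IFCONFIG_OUT -> prints IFACE's <...> flag list
iface_flags() {
    printf '%s\n' "$2" | sed -n "s/^$1: flags=[0-9a-fx]*<\([^>]*\)>.*/\1/p"
}

# has_flag FLAG FLAGLIST -> true if FLAG is in the comma-separated list
has_flag() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# vti_check IFACE REQID IFCONFIG_OUT IPSEC_OUT NETSTAT_OUT
# Prints one line per check; returns the number of failed checks.
vti_check() {
    iface=$1; reqid=$2; fails=0
    flags=$(iface_flags "$iface" "$3")
    for f in UP RUNNING; do
        if has_flag "$f" "$flags"; then echo "ok:   $iface is $f"
        else echo "FAIL: $iface lacks $f"; fails=$((fails + 1)); fi
    done
    # the child SA must be INSTALLED for the reqid the interface is bound to
    if printf '%s\n' "$4" | grep -q "INSTALLED.*reqid $reqid,"; then
        echo "ok:   child SA installed for reqid $reqid"
    else echo "FAIL: no INSTALLED child SA for reqid $reqid"; fails=$((fails + 1)); fi
    # the peer route must point at the VTI interface, not the default route
    if printf '%s\n' "$5" | awk -v i="$iface" '$NF == i { found = 1 } END { exit !found }'; then
        echo "ok:   route via $iface present"
    else echo "FAIL: no route via $iface"; fails=$((fails + 1)); fi
    return "$fails"
}

# On the post's state (UP but no RUNNING) exactly one check fails, which is
# consistent with the "ping: sendto: Network is down" symptom.
vti_check ipsec2000 2000 "$SAMPLE_IFCONFIG" "$SAMPLE_IPSEC" "$SAMPLE_ROUTE" || echo "failed checks: $?"
```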
      jimp (Rebel Alliance Developer, Netgate)

        Seems very close. All of mine show RUNNING though. Make sure you have followed the proper procedure to not only create the tunnel but to assign it for use.

        https://www.netgate.com/docs/pfsense/vpn/ipsec/ipsec-routed.html
