
    after a reboot I no longer have the road to ipsec VTI

    IPsec
      fredlubrano last edited by

      Hi,

      After a reboot I no longer have the road to the IPsec VTI. As a workaround I have to revalidate the gateway: System -> Routing -> Gateways -> Edit VTI Gateway -> Save -> Apply.

      netstat -rn | egrep '(ipsec2|10.8.222)'
      10.8.222.1         link#12            UH     ipsec200
      10.8.222.2         link#12            UHS         lo0
      fe80::%ipsec2000/64               link#12                       U      ipsec200
      fe80::20c:29ff:fe2c:fe96%ipsec2000 link#12                      UHS         lo0
      
      After applying the workaround:
      netstat -rn | egrep '(ipsec2|10.8.222)'
      10.8.222.1         link#12            UH     ipsec200
      10.8.222.2         link#12            UHS         lo0
      10.60.0.0/16       10.8.222.1         UGS    ipsec200
      fe80::%ipsec2000/64               link#12                       U      ipsec200
      fe80::20c:29ff:fe2c:fe96%ipsec2000 link#12                      UHS         lo0
      

      My config HOST1:

      <phase2>
      			<ikeid>2</ikeid>
      			<uniqid>5ba8fe2dee739</uniqid>
      			<mode>vti</mode>
      			<reqid>1</reqid>
      			<localid>
      				<type>network</type>
      				<address>10.8.222.2</address>
      				<netbits>30</netbits>
      			</localid>
      			<remoteid>
      				<type>address</type>
      				<address>10.8.222.1</address>
      			</remoteid>
      			<protocol>esp</protocol>
      			<encryption-algorithm-option>
      				<name>aes128gcm</name>
      				<keylen>128</keylen>
      			</encryption-algorithm-option>
      			<hash-algorithm-option>hmac_sha256</hash-algorithm-option>
      			<pfsgroup>14</pfsgroup>
      			<lifetime>7200</lifetime>
      			<pinghost></pinghost>
      			<descr></descr>
      		</phase2>
      		
      			<opt5>
      			<descr><![CDATA[IPsecVTI]]></descr>
      			<if>ipsec2000</if>
      			<enable></enable>
      			<spoofmac></spoofmac>
      		</opt5>
      		
      			<staticroutes>
      		<route>
      			<network>10.60.0.0/16</network>
      			<gateway>IPSECVTI_VTIV4</gateway>
      			<descr><![CDATA[Route VTI]]></descr>
      		</route>
      		
      		<gateway_item>
      			<interface>opt5</interface>
      			<gateway>dynamic</gateway>
      			<name>IPSECVTI_VTIV4</name>
      			<weight>1</weight>
      			<ipprotocol>inet</ipprotocol>
      			<interval>10000</interval>
      			<alert_interval>11000</alert_interval>
      			<descr><![CDATA[Interface IPSECVTI_VTIV4 Gateway]]></descr>
      		
      	conn con2000
      	reqid = 2000
      	fragmentation = yes
      	keyexchange = ikev2
      	reauth = yes
      	forceencaps = yes
      	mobike = no
      
      	rekey = yes
      	installpolicy = no
      
      	dpdaction = restart
      	dpddelay = 10s
      	dpdtimeout = 110s
      	auto = start
      	left = 172.31.255.12
      	right = 212.xxx.xxx.xxx
      	leftid = t9KxdF87
      	ikelifetime = 28800s
      	lifetime = 7200s
      	ike = aes128gcm128-sha256-modp2048!
      	esp = aes128gcm128-sha256-modp2048!
      	leftauth = psk
      	rightauth = psk
      	rightid = H87gcP9n
      	rightsubnet = 10.8.222.1
      	leftsubnet = 10.8.222.2/30
      		
      		
      		Status of IKE charon daemon (strongSwan 5.6.3, FreeBSD 11.2-RELEASE-p3, amd64):
        uptime: 76 minutes, since Sep 26 14:28:44 2018
        worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
        loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock counters
      Listening IP addresses:
        172.31...
        ....
        10.8.222.2
      Connections:
           con2000:  172.31.255.12...212.xxx.xxx.xxx  IKEv2, dpddelay=10s
           con2000:   local:  [t9KxdF87] uses pre-shared key authentication
           con2000:   remote: [H87gcP9n] uses pre-shared key authentication
           con2000:   child:  10.8.222.0/30|/0 === 10.8.222.1/32|/0 TUNNEL, dpdaction=restart
      Security Associations (1 up, 0 connecting):
           con2000[1]: ESTABLISHED 76 minutes ago, 172.31.255.12[t9KxdF87]...212.129.54.15[H87gcP9n]
           con2000[1]: IKEv2 SPIs: e31d60fa6eb764fa_i* 01e6388a49940b8b_r, pre-shared key reauthentication in 6 hours
           con2000[1]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
           con2000{1}:  INSTALLED, TUNNEL, reqid 2000, ESP in UDP SPIs: c694082c_i cd9fea01_o
           con2000{1}:  AES_GCM_16_128, 5754109 bytes_i, 2030276 bytes_o, rekeying in 30 minutes
           con2000{1}:   10.8.222.2/32|/0 === 10.8.222.1/32|/0
      

      My config HOST2:

      <phase2>
      			<ikeid>3</ikeid>
      			<uniqid>5ba8fc6c97355</uniqid>
      			<mode>vti</mode>
      			<reqid>5</reqid>
      			<localid>
      				<type>network</type>
      				<address>10.8.222.1</address>
      				<netbits>30</netbits>
      			</localid>
      			<remoteid>
      				<type>address</type>
      				<address>10.8.222.2</address>
      			</remoteid>
      			<protocol>esp</protocol>
      			<encryption-algorithm-option>
      				<name>aes128gcm</name>
      				<keylen>128</keylen>
      			</encryption-algorithm-option>
      			<hash-algorithm-option>hmac_sha256</hash-algorithm-option>
      			<pfsgroup>14</pfsgroup>
      			<lifetime>7200</lifetime>
      			<pinghost></pinghost>
      			<descr></descr>
      		</phase2>
      		
      	conn con3000
      	reqid = 3000
      	fragmentation = yes
      	keyexchange = ikev2
      	reauth = yes
      	forceencaps = yes
      	mobike = no
      
      	rekey = yes
      	installpolicy = no
      
      	dpdaction = restart
      	dpddelay = 10s
      	dpdtimeout = 110s
      	auto = start
      	left = 212.xxx.xxx.xxx
      	right = 90.xxx.xxx.xxx
      	leftid = H87gcP9n
      	ikelifetime = 28800s
      	lifetime = 7200s
      	ike = aes128gcm128-sha256-modp2048!
      	esp = aes128gcm128-sha256-modp2048!
      	leftauth = psk
      	rightauth = psk
      	rightid = t9KxdF87
      	rightsubnet = 10.8.222.2
      	leftsubnet = 10.8.222.1/30
      
      
      
      Status of IKE charon daemon (strongSwan 5.6.3, FreeBSD 11.2-RELEASE-p3, amd64):
        uptime: 6 hours, since Sep 26 09:24:15 2018
        worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 130
        loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity counters
      Listening IP addresses:
        172....
        ....
        10.8.222.1
      Connections:
           con3000:  212.xxx.xxx.xxx...90.xxx.xxx.xxx  IKEv2, dpddelay=10s
           con3000:   local:  [H87gcP9n] uses pre-shared key authentication
           con3000:   remote: [t9KxdF87] uses pre-shared key authentication
           con3000:   child:  10.8.222.0/30|/0 === 10.8.222.2/32|/0 TUNNEL, dpdaction=restart
      Security Associations (4 up, 0 connecting):
           con3000[51]: ESTABLISHED 74 minutes ago, 212.129.54.15[H87gcP9n]...90.65.71.187[t9KxdF87]
           con3000[51]: IKEv2 SPIs: e31d60fa6eb764fa_i 01e6388a49940b8b_r*, pre-shared key reauthentication in 6 hours
           con3000[51]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
           con3000{53}:  INSTALLED, TUNNEL, reqid 3000, ESP in UDP SPIs: cd9fea01_i c694082c_o
           con3000{53}:  AES_GCM_16_128, 1163251 bytes_i, 7292564 bytes_o, rekeying in 27 minutes
           con3000{53}:   10.8.222.1/32|/0 === 10.8.222.2/32|/0
      

      The logs:

      Sep 26 16:17:41 jr charon: 11[NET] <con2000|1> received packet: from 212.129.54.15[4500] to 172.31.255.12[4500] (57 bytes)
      Sep 26 16:17:41 jr charon: 11[ENC] <con2000|1> parsed INFORMATIONAL request 7 [ ]
      Sep 26 16:17:41 jr charon: 11[ENC] <con2000|1> generating INFORMATIONAL response 7 [ ]
      Sep 26 16:17:41 jr charon: 11[NET] <con2000|1> sending packet: from 172.31.255.12[4500] to 212.129.54.15[4500] (57 bytes)
      Sep 26 16:17:41 jr charon: 04[NET] sending packet: from 172.31.255.12[4500] to 212.129.54.15[4500]
      Sep 26 16:17:41 jr charon: 11[KNL] <con2000|1> querying policy 10.8.222.1/32|/0 === 10.8.222.2/32|/0 in failed, not found
      Sep 26 16:17:51 jr charon: 11[KNL] <con2000|1> querying policy 10.8.222.1/32|/0 === 10.8.222.2/32|/0 in failed, not found
      Sep 26 16:17:51 jr charon: 11[IKE] <con2000|1> sending DPD request
      

      Thanks for the help

      fred

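An added health check (not from this post and not pfSense code) for the symptom fred describes: it reads netstat -rn style output and reports whether the 10.60.0.0/16 route via the VTI next hop 10.8.222.1 is installed, so a missing route can be caught right after boot instead of being noticed when traffic fails. The function names are assumptions; the two embedded tables are constructed from the netstat excerpts above.

```shell
#!/bin/sh
# Constructed samples taken from the two "netstat -rn | egrep" excerpts in the post:
# before the workaround (route missing) and after it (route present).
# The interface column is truncated to "ipsec200" by netstat's column width.
ROUTES_BEFORE='10.8.222.1         link#12            UH     ipsec200
10.8.222.2         link#12            UHS         lo0'
ROUTES_AFTER='10.8.222.1         link#12            UH     ipsec200
10.8.222.2         link#12            UHS         lo0
10.60.0.0/16       10.8.222.1         UGS    ipsec200'

# vti_route_present TABLE NETWORK GATEWAY
# Returns 0 when TABLE (netstat -rn text) contains a route whose destination is
# NETWORK, whose next hop is GATEWAY and whose flags include G (gateway route);
# returns 1 otherwise. Hypothetical helper, not a pfSense function.
vti_route_present() {
    printf '%s\n' "$1" | awk -v net="$2" -v gw="$3" '
        $1 == net && $2 == gw && index($3, "G") > 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_vti_route NETWORK GATEWAY
# Live variant for a FreeBSD/pfSense box: query the kernel IPv4 routing table
# and report. Exit code 0 = route present, 1 = missing, 2 = netstat failed.
check_vti_route() {
    table=$(netstat -rn -f inet 2>/dev/null) || return 2
    if vti_route_present "$table" "$1" "$2"; then
        echo "ok: route $1 via $2 is installed"
        return 0
    fi
    echo "MISSING: no route for $1 via $2 (VTI static route lost after reboot?)" >&2
    return 1
}

# Example invocation on the firewall itself (values from the post):
#   check_vti_route 10.60.0.0/16 10.8.222.1
```

Run from a shell on the firewall after boot (or from cron) and alert on a non-zero exit.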
        jimp Rebel Alliance Developer Netgate last edited by

        Where do you have the route set for 10.60.0.0/16? Is it a static route, handled by a routing protocol (OSPF or BGP) or what?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          fredlubrano @jimp last edited by

          @jimp said in after a reboot I no longer have the road to ipsec VTI:

          Where do you have the route set for 10.60.0.0/16

          Hi Jimp,

          Yes, I added a static route:

          	<staticroutes>
          		<route>
          			<network>10.60.0.0/16</network>
          			<gateway>IPSECVTI_VTIV4</gateway>
          			<descr><![CDATA[Route VTI]]></descr>
          		</route>
          		
          		<gateway_item>
          			<interface>opt5</interface>
          			<gateway>dynamic</gateway>
          			<name>IPSECVTI_VTIV4</name>
          			<weight>1</weight>
          			<ipprotocol>inet</ipprotocol>
          			<interval>10000</interval>
          			<alert_interval>11000</alert_interval>
          			<descr><![CDATA[Interface IPSECVTI_VTIV4 Gateway]]></descr>
          
            jimp Rebel Alliance Developer Netgate last edited by

            Hmm, I just checked the setups I have here with VTI and static routes and they all apply at boot time.

            Did you make manual changes to the VTI gateway? Try removing the VTI gateway settings (click the trash can) -- that will not actually delete the gateway since it is dynamic, only its custom settings. Then reboot and see if it works.

              fredlubrano last edited by

              Jimp,

              Yes, the problem is resolved after deleting the static route, removing the VTI gateway and rebooting.

              Thanks for the help

              fred
