IPSec VTI to EdgeRouter



  • Hey there!

    I'm trying to set up an IPsec VTI to an EdgeRouter and I'm having some trouble.

    I've read through:
    https://forum.netgate.com/topic/132970/ipsec-vti-tunnels
    https://www.reddit.com/r/PFSENSE/comments/9gqy27/pfsense_244_rc_ipsecvti_tunnel_to_edgerouter_lite/
    https://community.ubnt.com/t5/EdgeRouter/No-traffic-between-VTI-based-IPsec-pfSense-amp-EdgeRouter-4/m-p/2550383

    And have installed the latest update to ensure the 0.0.0.0/0 route gets passed, but it seems the traffic from the VTI tunnel is not coming in on the ipsec6000 interface, but instead on the enc0 interface.

    I have two VPNs to two different AWS VPCs using BGP and I'm trying to set up the router to use VTI to the pfSense. The following quick diagram is the network:

    [image: network diagram]

    The tunnel has come up just fine on both sides and I can see traffic coming from the EdgeRouter, but I cannot get traffic to return from the pfSense. When pinging the router from the pfSense, it reports "sendto: Network is down".

    [screenshot]

    Packet capture on enc0 while pinging from the router (the filter is for the firewall address; the packets are router > firewall):
    [screenshot]

    Here's the config on pfSense:

    Phase 1 (0.0.0.0, as our endpoints use dynamic addressing):
    [screenshot]
    [screenshot]

    Phase 2:
    [screenshot]
    [screenshot]

    Interface:
    [screenshot]

    Route exists (.1 is the firewall, .2 is the router):
    [screenshot]

    IPSec Status:
    [screenshot]

    EdgeRouter config (FYI, the forum editor strips the tabs from the config, so I had to use a screenshot):
    [screenshot]

    [screenshot]

    EdgeRouter SA:
    router:~$ show vpn ipsec sa
    peer-x.x.x.x-tunnel-vti: #1, ESTABLISHED, IKEv2, c895d3a75e6e4420:90d85a4da8e97efa
      local 'x' @ x.x.x.x
      remote 'x' @ x.x.x.x
      AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      established 366s ago, rekeying in 85359s, reauth in 84810s
      peer-x.x.x.x-tunnel-vti: #1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_MD5_96
        installed 366 ago, rekeying in 41775s, expires in 42834s
        in c4efe5c3, 0 bytes, 0 packets
        out c475dda7, 33456 bytes, 400 packets, 0s ago
        local 0.0.0.0/0
        remote 0.0.0.0/0

    Any help would be appreciated! I have a little over 200 sites to deploy. :)



    • correction:

    And have installed the latest update to ensure the 0.0.0.0/0 route gets passed, but it seems the traffic from the VTI tunnel is not coming in on the ipsec6000 interface, but is on the enc0 interface.

    The documentation states the OS should see traffic on both interfaces.



  • Upon further investigation I've noticed the following:

    [screenshot]

    The interface is not showing a 'running' status, which explains my problem. Now to find out how to resolve it.



  • To answer my own question now:

    VTI tunnels cannot be set up with 0.0.0.0 as the remote peer; you must use an IP address or domain name.
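The two diagnostic signals in this thread are the `show vpn ipsec sa` output in the first post (a CHILD_SA with 400 packets out and 0 packets in, which is exactly what a tunnel whose far side never returns traffic looks like) and the conclusion in the last post (a VTI phase 1 must name a real peer, not 0.0.0.0). The script below, an added example that is not from the thread or from either vendor, parses that swanctl-style SA listing into records, flags one-way child SAs and the HMAC_MD5_96 integrity algorithm visible in the posted SA, and checks a would-be VTI remote gateway the way the last post says it must be. The sample text is constructed from the posted output with the redacted `x.x.x.x` addresses replaced by RFC 5737 documentation addresses; the regexes assume the line shapes shown in the post and are deliberately indentation-insensitive, because the forum stripped the tabs.

```python
"""Parse 'show vpn ipsec sa' (swanctl --list-sas style) output and flag
symptoms of a VTI tunnel that is up but carrying traffic in one direction.
Added example; not the thread's or the vendor's own code."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the SA listing posted in the thread; the
# redacted x.x.x.x addresses are replaced with RFC 5737 documentation ranges.
SAMPLE_SA_OUTPUT = """\
peer-203.0.113.2-tunnel-vti: #1, ESTABLISHED, IKEv2, c895d3a75e6e4420:90d85a4da8e97efa
  local 'x' @ 198.51.100.1
  remote 'x' @ 203.0.113.2
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 366s ago, rekeying in 85359s, reauth in 84810s
  peer-203.0.113.2-tunnel-vti: #1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_MD5_96
    installed 366 ago, rekeying in 41775s, expires in 42834s
    in c4efe5c3, 0 bytes, 0 packets
    out c475dda7, 33456 bytes, 400 packets, 0s ago
    local 0.0.0.0/0
    remote 0.0.0.0/0
"""

# Leading whitespace is optional everywhere: the forum stripped the tabs.
IKE_RE = re.compile(r"^\s*(?P<name>\S+): #(?P<id>\d+), ESTABLISHED, (?P<ver>IKEv[12])")
CHILD_RE = re.compile(r"^\s*(?P<name>\S+): #(?P<id>\d+), INSTALLED, (?P<mode>\S+), (?P<esp>\S+)")
COUNTER_RE = re.compile(r"^\s*(?P<dir>in|out)\s+(?P<spi>[0-9a-f]+),\s+(?P<bytes>\d+) bytes,\s+(?P<pkts>\d+) packets")
# Traffic selectors end in a prefix length; the IKE "local 'x' @ addr" lines do not.
SELECTOR_RE = re.compile(r"^\s*(?P<side>local|remote)\s+(?P<cidr>\S+/\d+)$")
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


@dataclass
class ChildSA:
    name: str
    mode: str
    esp: str
    in_bytes: int = 0
    in_packets: int = 0
    out_bytes: int = 0
    out_packets: int = 0
    local_ts: list = field(default_factory=list)
    remote_ts: list = field(default_factory=list)


@dataclass
class IkeSA:
    name: str
    version: str
    children: list = field(default_factory=list)


def parse_sa_output(text):
    """Return a list of IkeSA records, each with its installed CHILD_SAs."""
    sas, child = [], None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            sas.append(IkeSA(m["name"], m["ver"]))
            child = None  # counters that follow belong to a child, not the IKE SA
            continue
        m = CHILD_RE.match(line)
        if m and sas:
            child = ChildSA(m["name"], m["mode"], m["esp"])
            sas[-1].children.append(child)
            continue
        if child is None:
            continue
        m = COUNTER_RE.match(line)
        if m:
            setattr(child, f"{m['dir']}_bytes", int(m["bytes"]))
            setattr(child, f"{m['dir']}_packets", int(m["pkts"]))
            continue
        m = SELECTOR_RE.match(line)
        if m:
            getattr(child, f"{m['side']}_ts").append(m["cidr"])
    return sas


def diagnose(sas):
    """Human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    for ike in sas:
        if not ike.children:
            findings.append(f"{ike.name}: IKE SA established but no CHILD_SA installed")
        for c in ike.children:
            if c.out_packets and not c.in_packets:
                findings.append(f"{c.name}: one-way traffic, {c.out_packets} packets out, 0 in "
                                "(peer is not returning traffic; check its VTI/route, not IKE)")
            elif c.in_packets and not c.out_packets:
                findings.append(f"{c.name}: one-way traffic, {c.in_packets} packets in, 0 out "
                                "(this side is not routing into the tunnel)")
            if "MD5" in c.esp:
                findings.append(f"{c.name}: ESP uses {c.esp}; prefer an SHA-2 integrity algorithm")
    return findings


def vti_remote_gateway_ok(value):
    """True for a concrete IP address or DNS name; False for 0.0.0.0/:: or junk,
    since a VTI phase 1 cannot use the unspecified address as its peer."""
    try:
        return not ipaddress.ip_address(value).is_unspecified
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


if __name__ == "__main__":
    for line in diagnose(parse_sa_output(SAMPLE_SA_OUTPUT)):
        print(line)
    print("0.0.0.0 ok as VTI peer:", vti_remote_gateway_ok("0.0.0.0"))
```

Run against the sample it reports the one-way CHILD_SA and the MD5 integrity algorithm; on a live EdgeRouter, `show vpn ipsec sa` can be piped into `parse_sa_output` unchanged, and a zero inbound counter on the child SA while the outbound counter climbs is the signal to look at the peer's VTI interface state rather than at IKE.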