Netgate Discussion Forum
    Dual WAN IPSec with VTI flapping after creating interface? - PFSense Azure to Cisco Service Provider. Help appreciated!

      msitec jesse

      We are trying to create dual WAN IPsec tunnels from our Azure pfSense VM to a Cisco service provider. For this, the provider (if connecting to Azure) requires a VTI Phase 2 to be able to communicate BGP routes, for reasons out of our control.

      We have gotten to the point where Phase 1 of both IPsec tunnels comes up and is stable.

      Then, when we try to attach the interfaces for IPsec/VTI (Interface -> Assignments), it creates ipsec1000 and ipsec2000. Once that occurs, the IPsec/VTI tunnel begins flapping on/off roughly every 60 seconds.

      What's also interesting is that after we create the IPsec/VTI tunnel interface, it doesn't create a firewall interface for the OPT1/OPT2 interfaces. It only shows WAN1, WAN2, and IPsec under the Firewall/Rules settings.

      When our neighbor shuts off Phase 2 on their end, our IPsec tunnels stay active and do not bounce.

      We are seeing a couple of error log entries that seem to stand out:

      querying policy 192.168.255.253/32|/0 === 192.168.255.252/30|/0 in failed, not found
      querying policy 192.168.255.252/30|/0 === 192.168.255.253/32|/0 out failed, not found

      We are also seeing the error: /rc.newipsecdns: The command '/sbin/ifconfig 'ipsec1000' create reqid '1000'' returned exit code '1', the output was 'ifconfig: create: bad value'

      Any help is appreciated!

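As an added example (not part of the original post or of pfSense itself), the following script pulls the two kinds of messages quoted above out of a larger log: the strongSwan "querying policy ... failed, not found" lines, from which it extracts the traffic selectors and direction, and the pfSense "/rc.newipsecdns" lines reporting a failed `ifconfig ipsecNNNN create reqid NNNN`, from which it extracts the interface name, reqid and exit code. The two quoted lines and the ifconfig line are the post's own; the log prefixes and the extra IKE line in the sample are constructed for illustration. The summary groups the failed VTI reqids and the missing policy selectors so that a reader can check whether the unresolved policies belong to the tunnel whose interface never came up, which is a thing to verify, not something the log alone proves.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample log. The two "querying policy" lines and the
# /rc.newipsecdns line reproduce the messages quoted in the post; the
# "charon: NN[...]" prefixes and the final IKE_SA line are made up here.
SAMPLE_LOG = """\
charon: 05[KNL] querying policy 192.168.255.253/32|/0 === 192.168.255.252/30|/0 in failed, not found
charon: 05[KNL] querying policy 192.168.255.252/30|/0 === 192.168.255.253/32|/0 out failed, not found
php-fpm: /rc.newipsecdns: The command '/sbin/ifconfig 'ipsec1000' create reqid '1000'' returned exit code '1', the output was 'ifconfig: create: bad value'
charon: 07[IKE] IKE_SA con1000[3] established between 10.0.0.4[10.0.0.4]...203.0.113.10[203.0.113.10]
"""

# "querying policy <src>|/0 === <dst>|/0 <in|out|fwd> failed, not found"
POLICY_RE = re.compile(
    r"querying policy (?P<src>\S+?)\|/0 === (?P<dst>\S+?)\|/0 "
    r"(?P<direction>in|out|fwd) failed, not found"
)

# "/sbin/ifconfig 'ipsecNNNN' create reqid 'NNNN'' returned exit code 'N'"
IFCONFIG_RE = re.compile(
    r"/sbin/ifconfig '(?P<ifname>ipsec\d+)' create reqid '(?P<reqid>\d+)''"
    r" returned exit code '(?P<rc>\d+)'"
)


@dataclass
class Finding:
    kind: str            # "policy_missing" or "vti_create_failed"
    detail: dict = field(default_factory=dict)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches either pattern."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            findings.append(Finding("policy_missing", m.groupdict()))
            continue
        m = IFCONFIG_RE.search(line)
        if m:
            findings.append(Finding("vti_create_failed", m.groupdict()))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Group the findings for a quick read.

    pfSense names a VTI interface after its reqid (ipsec1000 <-> reqid 1000,
    as the quoted ifconfig line shows), so the failed reqids identify which
    tunnel interface was never created. The missing-policy selectors are
    listed alongside so the reader can check whether they belong to that
    same tunnel; the script does not assert that they do.
    """
    failed = sorted(
        {f.detail["reqid"] for f in findings if f.kind == "vti_create_failed"}
    )
    missing = [
        (f.detail["src"], f.detail["dst"], f.detail["direction"])
        for f in findings
        if f.kind == "policy_missing"
    ]
    return {"failed_vti_reqids": failed, "missing_policies": missing}


if __name__ == "__main__":
    result = summarize(triage(SAMPLE_LOG))
    print("VTI create failures (reqid):", ", ".join(result["failed_vti_reqids"]))
    for src, dst, direction in result["missing_policies"]:
        print(f"missing {direction:>3} policy: {src} === {dst}")
```

Feed it the IPsec log from Status -> System Logs instead of `SAMPLE_LOG` to run it on real data; anything that matches neither pattern is ignored, so it is safe to point at the whole log.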
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.