IPSec VTI: IPv4 Working/IPv6 NFW

  • WARNING Sorry guys, I'm crossposting this to Facebook and the pfSense forums.

    Ok, I am beyond frustrated here, looking to see if anyone has any better insight here.

    I am trying to configure IPSec between all my sites (8 of them), and use VTI along with FRR OSPF/OSPF6.

    I have built the P1, and P2s, and the connection comes up under Status > IPSec.

    The problem is once I assign the IPSec interface. In the interfaces on the dashboard the VTI shows only the IPv4 address. When I pull up the gateways page, the VTIV4 shows the far side IP, but the VTIV6 is blank. I have configured FRR OSPF and OSPF6, and IPv4 works perfectly, routes propagate and traffic flows, but no go on the IPv6. I've torn the config out, rebooted, and rebuilt from scratch, same results. One thing I notice in the SA status is that the IPv4 portion shows yet the IPv6 line shows the actual IPs configured in the IPv6 VTI P2, however when I go to the SPD page, I see for IPv4 and ::/0 for IPv6. I'm not sure if this is a bug or if I've missed something.

    More info on the setup: one side of the tunnel is an SG-3100, while the other end is a pair of XG-7100 units in HA configuration (I am using the CARP VIP for the endpoint). All units are running 2.4.4-p2.

    Anyone got any ideas on what I could be doing wrong?

  • @mmapplebeck

    Maybe that's the problem ?

    Currently IPv6 with IPsec is functional, but traffic cannot be mixed families in a tunnel. Meaning, IPv6 traffic can only be carried inside a tunnel which has IPv6 endpoints, and IPv4 traffic can only be carried over a tunnel using IPv4 endpoints. A single tunnel cannot carry both types of traffic.

  • It was a thought, however, I have 3 policy-based tunnels with IPv4 endpoints carrying both IPv4 and IPv6 traffic with no issue. I have a feeling that is old information. I am going to try and build an IPv6 P1/VTI P2 and see if that changes things. 2 of my sites have native IPv6 connectivity, everywhere else transits through them over OpenVPN right now, but I've been hoping to switch to IPSec.

  • @mmapplebeck said in IPSec VTI: IPv4 Working/IPv6 NFW:
    The strongswan website has an example
    Test route-based/rw-shared-vti-ip6-in-ip4
    In theory it should work
    (phase 1 - ipv4)
    vti - ipv6

  • I'm assuming this is a feature that just isn't supported by pfSense yet then. That would be a safe assumption where VTI was just introduced in 2.4.4. I'm going to test the native IPv6 P1 and see if that changes anything; if not, I'll look at some other manner of carrying and distributing my IPv6 routes. I may just end up using a GIF tunnel for my IPv6, and I should still be able to use OSPF6 on the GIF interface.