Netgate Discussion Forum
    trying to get vti mode working between two pfS units (2.4.4-RELEASE-p3)

    coreybrett

      I have two pfS units configured with a tunnel using VTI mode.

      Unit 1

      
      <ipsec>
      	<client></client>
      	<phase1>
      		<ikeid>1</ikeid>
      		<iketype>ikev2</iketype>
      		<interface>wan</interface>
      		<remote-gateway>edge.xxxxxxxxxxx.xxx</remote-gateway>
      		<protocol>inet</protocol>
      		<myid_type>myaddress</myid_type>
      		<myid_data></myid_data>
      		<peerid_type>peeraddress</peerid_type>
      		<peerid_data></peerid_data>
      		<encryption>
      			<item>
      				<encryption-algorithm>
      					<name>aes</name>
      					<keylen>128</keylen>
      				</encryption-algorithm>
      				<hash-algorithm>sha256</hash-algorithm>
      				<dhgroup>14</dhgroup>
      			</item>
      		</encryption>
      		<lifetime>28800</lifetime>
      		<pre-shared-key>123</pre-shared-key>
      		<private-key></private-key>
      		<certref></certref>
      		<caref></caref>
      		<authentication_method>pre_shared_key</authentication_method>
      		<descr></descr>
      		<nat_traversal>on</nat_traversal>
      		<mobike>off</mobike>
      		<margintime></margintime>
      		<dpd_delay>10</dpd_delay>
      		<dpd_maxfail>5</dpd_maxfail>
      	</phase1>
      	<phase2>
      		<ikeid>1</ikeid>
      		<uniqid>5de457ba59a13</uniqid>
      		<mode>vti</mode>
      		<reqid>1</reqid>
      		<localid>
      			<type>network</type>
      			<address>10.254.254.2</address>
      			<netbits>30</netbits>
      		</localid>
      		<remoteid>
      			<type>address</type>
      			<address>10.254.254.1</address>
      		</remoteid>
      		<protocol>esp</protocol>
      		<encryption-algorithm-option>
      			<name>aes</name>
      			<keylen>128</keylen>
      		</encryption-algorithm-option>
      		<hash-algorithm-option>hmac_sha256</hash-algorithm-option>
      		<pfsgroup>14</pfsgroup>
      		<lifetime>3600</lifetime>
      		<pinghost></pinghost>
      		<descr></descr>
      	</phase2>
      </ipsec>
      
      

      Unit 2

      
      <ipsec>
      	<logging>
      		<dmn>1</dmn>
      		<mgr>1</mgr>
      		<ike>1</ike>
      		<chd>1</chd>
      		<job>1</job>
      		<cfg>1</cfg>
      		<knl>1</knl>
      		<net>1</net>
      		<asn>1</asn>
      		<enc>1</enc>
      		<imc>1</imc>
      		<imv>1</imv>
      		<pts>1</pts>
      		<tls>1</tls>
      		<esp>1</esp>
      		<lib>1</lib>
      	</logging>
      	<client></client>
      	<phase1>
      		<ikeid>1</ikeid>
      		<iketype>ikev2</iketype>
      		<interface>wan</interface>
      		<remote-gateway>117xxxxxxxxxxxxxxxxxxxxx</remote-gateway>
      		<protocol>inet</protocol>
      		<myid_type>myaddress</myid_type>
      		<myid_data></myid_data>
      		<peerid_type>peeraddress</peerid_type>
      		<peerid_data></peerid_data>
      		<encryption>
      			<item>
      				<encryption-algorithm>
      					<name>aes</name>
      					<keylen>128</keylen>
      				</encryption-algorithm>
      				<hash-algorithm>sha256</hash-algorithm>
      				<dhgroup>14</dhgroup>
      			</item>
      		</encryption>
      		<lifetime>28800</lifetime>
      		<pre-shared-key>123</pre-shared-key>
      		<private-key></private-key>
      		<certref></certref>
      		<caref></caref>
      		<authentication_method>pre_shared_key</authentication_method>
      		<descr></descr>
      		<nat_traversal>on</nat_traversal>
      		<mobike>off</mobike>
      		<margintime></margintime>
      		<dpd_delay>10</dpd_delay>
      		<dpd_maxfail>5</dpd_maxfail>
      	</phase1>
      	<phase2>
      		<ikeid>1</ikeid>
      		<uniqid>5de45728c26ca</uniqid>
      		<mode>vti</mode>
      		<reqid>1</reqid>
      		<localid>
      			<type>network</type>
      			<address>10.254.254.1</address>
      			<netbits>30</netbits>
      		</localid>
      		<remoteid>
      			<type>address</type>
      			<address>10.254.254.2</address>
      		</remoteid>
      		<protocol>esp</protocol>
      		<encryption-algorithm-option>
      			<name>aes</name>
      			<keylen>128</keylen>
      		</encryption-algorithm-option>
      		<hash-algorithm-option>hmac_sha256</hash-algorithm-option>
      		<pfsgroup>14</pfsgroup>
      		<lifetime>3600</lifetime>
      		<pinghost></pinghost>
      		<descr></descr>
      	</phase2>
      </ipsec>
      
      

      I get the following on both units.
      [screenshot from the original post not included]

      Also, I have the interfaces assigned on both units, but they don't show up on the Firewall Rules page.

      The gateways that are created automatically are not green either.

      If I configure a traditional tunnel (not vti) everything works as expected.

      coreybrett
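When a VTI tunnel will not come up, the first thing to rule out is a mismatch between the two `<ipsec>` configs, since each side's `localid` address must be the other side's `remoteid` address, and the phase 1/phase 2 proposals must agree. The following Python script is an added example (not from the original post or from pfSense) that parses abbreviated copies of the two configs above, checks that they mirror each other, and flags the short numeric pre-shared key visible in the post; the element names follow the posted config, and the short XML samples are constructed from it.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed, abbreviated copies of the two <ipsec> configs from the post
# (only the elements the consistency check needs are kept).
UNIT1 = """<ipsec>
  <phase1>
    <ikeid>1</ikeid><iketype>ikev2</iketype>
    <encryption><item>
      <encryption-algorithm><name>aes</name><keylen>128</keylen></encryption-algorithm>
      <hash-algorithm>sha256</hash-algorithm><dhgroup>14</dhgroup>
    </item></encryption>
    <pre-shared-key>123</pre-shared-key>
  </phase1>
  <phase2>
    <mode>vti</mode><reqid>1</reqid>
    <localid><type>network</type><address>10.254.254.2</address><netbits>30</netbits></localid>
    <remoteid><type>address</type><address>10.254.254.1</address></remoteid>
    <protocol>esp</protocol>
    <encryption-algorithm-option><name>aes</name><keylen>128</keylen></encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha256</hash-algorithm-option><pfsgroup>14</pfsgroup>
  </phase2>
</ipsec>"""

UNIT2 = UNIT1.replace(
    "<address>10.254.254.2</address><netbits>", "<address>10.254.254.1</address><netbits>"
).replace(
    "<type>address</type><address>10.254.254.1</address>",
    "<type>address</type><address>10.254.254.2</address>",
)


def _text(el, path, default=""):
    node = el.find(path)
    return (node.text or "").strip() if node is not None else default


def parse_vti_tunnel(xml_text):
    """Extract the fields that must agree between two VTI peers from one <ipsec> config."""
    root = ET.fromstring(xml_text)
    p1, p2 = root.find("phase1"), root.find("phase2")
    if p1 is None or p2 is None:
        raise ValueError("config needs one <phase1> and one <phase2>")
    return {
        "iketype": _text(p1, "iketype"),
        "p1_proposal": (
            _text(p1, "encryption/item/encryption-algorithm/name"),
            _text(p1, "encryption/item/encryption-algorithm/keylen"),
            _text(p1, "encryption/item/hash-algorithm"),
            _text(p1, "encryption/item/dhgroup"),
        ),
        "psk": _text(p1, "pre-shared-key"),
        "mode": _text(p2, "mode"),
        "local": _text(p2, "localid/address"),
        "netbits": int(_text(p2, "localid/netbits") or "32"),
        "remote": _text(p2, "remoteid/address"),
        "p2_proposal": (
            _text(p2, "protocol"),
            _text(p2, "encryption-algorithm-option/name"),
            _text(p2, "encryption-algorithm-option/keylen"),
            _text(p2, "hash-algorithm-option"),
            _text(p2, "pfsgroup"),
        ),
    }


def check_vti_pair(a, b, min_psk_len=20):
    """Return a list of findings; an empty list means the two sides mirror each other."""
    findings = []
    for side in (a, b):
        if side["mode"] != "vti":
            findings.append(f"phase2 mode is {side['mode']!r}, expected 'vti'")
    # Each side's local VTI address must be the peer's remote address and vice versa.
    if a["local"] != b["remote"] or b["local"] != a["remote"]:
        findings.append("VTI addresses do not mirror: "
                        f"A {a['local']}->{a['remote']}, B {b['local']}->{b['remote']}")
    if a["netbits"] != b["netbits"]:
        findings.append(f"netbits differ: {a['netbits']} vs {b['netbits']}")
    # Both tunnel endpoints should sit inside the same point-to-point subnet.
    try:
        net = ipaddress.ip_network(f"{a['local']}/{a['netbits']}", strict=False)
        if ipaddress.ip_address(a["remote"]) not in net:
            findings.append(f"peer address {a['remote']} is outside VTI subnet {net}")
    except ValueError as exc:
        findings.append(f"bad VTI address: {exc}")
    for key in ("iketype", "p1_proposal", "p2_proposal"):
        if a[key] != b[key]:
            findings.append(f"{key} differs: {a[key]} vs {b[key]}")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    elif len(a["psk"]) < min_psk_len or a["psk"].isdigit():
        # min_psk_len is an assumed local policy threshold, not a pfSense setting.
        findings.append(f"pre-shared key is weak ({len(a['psk'])} chars)")
    return findings


def audit_vti_pair(xml_a, xml_b):
    return check_vti_pair(parse_vti_tunnel(xml_a), parse_vti_tunnel(xml_b))


if __name__ == "__main__":
    for finding in audit_vti_pair(UNIT1, UNIT2) or ["no mismatches found"]:
        print(finding)
```

Run against the two configs as posted, the only finding is the weak pre-shared key: the addresses, netbits and proposals already mirror each other, so the tunnel failure lies elsewhere (the later replies point at the enc0 filtering model rather than the phase 2 settings).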

        I also see

        querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found
        
        nzkiwi68

          They don't show up in the firewalls section as interfaces.

          You just write rules inside the 'ipsec' section.

          SiteA to SiteB
          SiteA out from LAN to SiteB - write firewall rules under LAN
          SiteA in from SiteB to SiteA LAN - write firewall rules under IPSEC

          coreybrett

            I'm pretty sure in VTI mode, they are supposed to show up as interfaces. I have already assigned them and they do show up under Status->Interfaces.

            Konstanti @coreybrett

              @coreybrett
              PF uses an enc0 interface to filter all ipsec traffic. (classic ipsec tunnel, VTI).

              
              em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
              	ether 08:00:27:7e:d9:81
              	hwaddr 08:00:27:7e:d9:81
              	inet6 fe80::a00:27ff:fe7e:d981%em1 prefixlen 64 scopeid 0x2
              	inet 10.3.100.1 netmask 0xffffff00 broadcast 10.3.100.255
              	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              	media: Ethernet autoselect (1000baseT <full-duplex>)
              	status: active
              enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
              	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              	groups: enc
              

              Therefore, all filtering rules are created on the IPSEC tab (including for VTI).
