trying to get vti mode working between two pfS units (2.4.4-RELEASE-p3)



  • I have two pfS units configured with a tunnel using VTI mode.

    Unit 1

    
    <ipsec>
    	<client></client>
    	<phase1>
    		<ikeid>1</ikeid>
    		<iketype>ikev2</iketype>
    		<interface>wan</interface>
    		<remote-gateway>edge.xxxxxxxxxxx.xxx</remote-gateway>
    		<protocol>inet</protocol>
    		<myid_type>myaddress</myid_type>
    		<myid_data></myid_data>
    		<peerid_type>peeraddress</peerid_type>
    		<peerid_data></peerid_data>
    		<encryption>
    			<item>
    				<encryption-algorithm>
    					<name>aes</name>
    					<keylen>128</keylen>
    				</encryption-algorithm>
    				<hash-algorithm>sha256</hash-algorithm>
    				<dhgroup>14</dhgroup>
    			</item>
    		</encryption>
    		<lifetime>28800</lifetime>
    		<pre-shared-key>123</pre-shared-key>
    		<private-key></private-key>
    		<certref></certref>
    		<caref></caref>
    		<authentication_method>pre_shared_key</authentication_method>
    		<descr></descr>
    		<nat_traversal>on</nat_traversal>
    		<mobike>off</mobike>
    		<margintime></margintime>
    		<dpd_delay>10</dpd_delay>
    		<dpd_maxfail>5</dpd_maxfail>
    	</phase1>
    	<phase2>
    		<ikeid>1</ikeid>
    		<uniqid>5de457ba59a13</uniqid>
    		<mode>vti</mode>
    		<reqid>1</reqid>
    		<localid>
    			<type>network</type>
    			<address>10.254.254.2</address>
    			<netbits>30</netbits>
    		</localid>
    		<remoteid>
    			<type>address</type>
    			<address>10.254.254.1</address>
    		</remoteid>
    		<protocol>esp</protocol>
    		<encryption-algorithm-option>
    			<name>aes</name>
    			<keylen>128</keylen>
    		</encryption-algorithm-option>
    		<hash-algorithm-option>hmac_sha256</hash-algorithm-option>
    		<pfsgroup>14</pfsgroup>
    		<lifetime>3600</lifetime>
    		<pinghost></pinghost>
    		<descr></descr>
    	</phase2>
    </ipsec>
    
    

    Unit 2

    
    <ipsec>
    	<logging>
    		<dmn>1</dmn>
    		<mgr>1</mgr>
    		<ike>1</ike>
    		<chd>1</chd>
    		<job>1</job>
    		<cfg>1</cfg>
    		<knl>1</knl>
    		<net>1</net>
    		<asn>1</asn>
    		<enc>1</enc>
    		<imc>1</imc>
    		<imv>1</imv>
    		<pts>1</pts>
    		<tls>1</tls>
    		<esp>1</esp>
    		<lib>1</lib>
    	</logging>
    	<client></client>
    	<phase1>
    		<ikeid>1</ikeid>
    		<iketype>ikev2</iketype>
    		<interface>wan</interface>
    		<remote-gateway>117xxxxxxxxxxxxxxxxxxxxx</remote-gateway>
    		<protocol>inet</protocol>
    		<myid_type>myaddress</myid_type>
    		<myid_data></myid_data>
    		<peerid_type>peeraddress</peerid_type>
    		<peerid_data></peerid_data>
    		<encryption>
    			<item>
    				<encryption-algorithm>
    					<name>aes</name>
    					<keylen>128</keylen>
    				</encryption-algorithm>
    				<hash-algorithm>sha256</hash-algorithm>
    				<dhgroup>14</dhgroup>
    			</item>
    		</encryption>
    		<lifetime>28800</lifetime>
    		<pre-shared-key>123</pre-shared-key>
    		<private-key></private-key>
    		<certref></certref>
    		<caref></caref>
    		<authentication_method>pre_shared_key</authentication_method>
    		<descr></descr>
    		<nat_traversal>on</nat_traversal>
    		<mobike>off</mobike>
    		<margintime></margintime>
    		<dpd_delay>10</dpd_delay>
    		<dpd_maxfail>5</dpd_maxfail>
    	</phase1>
    	<phase2>
    		<ikeid>1</ikeid>
    		<uniqid>5de45728c26ca</uniqid>
    		<mode>vti</mode>
    		<reqid>1</reqid>
    		<localid>
    			<type>network</type>
    			<address>10.254.254.1</address>
    			<netbits>30</netbits>
    		</localid>
    		<remoteid>
    			<type>address</type>
    			<address>10.254.254.2</address>
    		</remoteid>
    		<protocol>esp</protocol>
    		<encryption-algorithm-option>
    			<name>aes</name>
    			<keylen>128</keylen>
    		</encryption-algorithm-option>
    		<hash-algorithm-option>hmac_sha256</hash-algorithm-option>
    		<pfsgroup>14</pfsgroup>
    		<lifetime>3600</lifetime>
    		<pinghost></pinghost>
    		<descr></descr>
    	</phase2>
    </ipsec>
    
    

    I get the following on both units.
    [screenshot omitted]

    Also, I have the interfaces assigned on both units, but they don't show up on the Firewall Rules page.

    The gateways that are created automatically are not green either.

    If I configure a traditional tunnel (not vti) everything works as expected.
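As an added example (not code from the post or from pfSense itself), the Python below parses trimmed copies of the two <ipsec> sections above and checks what a VTI pair needs to agree on: both phase2 entries in vti mode, each side's local VTI address equal to the other side's remote address, both endpoints inside one /30, identical IKE and PFS proposals, and a shared PSK, which it also flags when it is as short as the posted "123". The ipsec_xml builder and the element paths it reads are assumptions based on the posted config layout.

```python
import ipaddress
import xml.etree.ElementTree as ET

def ipsec_xml(local, remote, psk="123", netbits="30", keylen="128", dh="14"):
    """Constructed, trimmed pfSense <ipsec> section with only the fields the checks read."""
    return f"""<ipsec><phase1><pre-shared-key>{psk}</pre-shared-key><encryption><item>
<encryption-algorithm><name>aes</name><keylen>{keylen}</keylen></encryption-algorithm>
<hash-algorithm>sha256</hash-algorithm><dhgroup>{dh}</dhgroup></item></encryption></phase1>
<phase2><mode>vti</mode><localid><type>network</type><address>{local}</address>
<netbits>{netbits}</netbits></localid><remoteid><type>address</type><address>{remote}</address>
</remoteid><pfsgroup>{dh}</pfsgroup></phase2></ipsec>"""

UNIT1 = ipsec_xml("10.254.254.2", "10.254.254.1")   # addresses as posted for Unit 1
UNIT2 = ipsec_xml("10.254.254.1", "10.254.254.2")   # addresses as posted for Unit 2

def side(xml_text):
    """Extract the VTI-relevant fields from one unit's <ipsec> section."""
    root = ET.fromstring(xml_text)
    p1, p2 = root.find("phase1"), root.find("phase2")
    return {
        "mode": p2.findtext("mode"),
        "local": p2.findtext("localid/address"),
        "netbits": int(p2.findtext("localid/netbits")),
        "remote": p2.findtext("remoteid/address"),
        "psk": p1.findtext("pre-shared-key"),
        # IKE proposal plus the phase2 PFS group; all of these must match on both peers
        "proposal": tuple(p1.findtext("encryption/item/" + t) for t in
                          ("encryption-algorithm/name", "encryption-algorithm/keylen",
                           "hash-algorithm", "dhgroup")) + (p2.findtext("pfsgroup"),),
    }

def check_pair(xml_a, xml_b):
    """Return findings for a VTI peer pair; an empty list means the pair is consistent."""
    a, b = side(xml_a), side(xml_b)
    findings = []
    if (a["mode"], b["mode"]) != ("vti", "vti"):
        findings.append("both phase2 entries must use mode vti")
    if a["remote"] != b["local"] or b["remote"] != a["local"]:
        findings.append("VTI addresses are not mirrored between peers")
    net_a, net_b = (ipaddress.ip_network(f"{s['local']}/{s['netbits']}", strict=False)
                    for s in (a, b))
    if net_a != net_b:
        findings.append(f"VTI endpoints are in different subnets: {net_a} vs {net_b}")
    if a["proposal"] != b["proposal"]:
        findings.append("phase1/PFS proposals differ")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    elif len(a["psk"]) < 20:
        findings.append("pre-shared key is short; use a long random PSK")
    return findings
```

Run against the two posted units the only finding is the short PSK, so the addressing and proposals themselves are consistent and the fault lies elsewhere.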



  • I also see

    querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found
    


  • They don't show up in the firewalls section as interfaces.

    You just write rules inside the 'ipsec' section.

    SiteA to SiteB
    SiteA out from LAN to SiteB - write firewall rules under LAN
    SiteA in from SiteB to SiteA LAN - write firewall rules under IPSEC



  • I'm pretty sure in VTI mode, they are supposed to show up as interfaces. I have already assigned them and they do show up under Status->Interfaces.



  • @coreybrett
    PF uses an enc0 interface to filter all ipsec traffic. (classic ipsec tunnel, VTI).

    
    em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
    	ether 08:00:27:7e:d9:81
    	hwaddr 08:00:27:7e:d9:81
    	inet6 fe80::a00:27ff:fe7e:d981%em1 prefixlen 64 scopeid 0x2
    	inet 10.3.100.1 netmask 0xffffff00 broadcast 10.3.100.255
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    	media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    	groups: enc
    

    Therefore, all filtering rules are created on the IPSEC tab ( including for VTI).

