4. trying to get vti mode working between two pfS units (2.4.4-RELEASE-p3)

trying to get vti mode working between two pfS units (2.4.4-RELEASE-p3)

  • C

    I have two pfS units configured with a tunnel using VTI mode.

    Unit 1

    
<ipsec>
	<client></client>
	<phase1>
		<ikeid>1</ikeid>
		<iketype>ikev2</iketype>
		<interface>wan</interface>
		<remote-gateway>edge.xxxxxxxxxxx.xxx</remote-gateway>
		<protocol>inet</protocol>
		<myid_type>myaddress</myid_type>
		<myid_data></myid_data>
		<peerid_type>peeraddress</peerid_type>
		<peerid_data></peerid_data>
		<encryption>
			<item>
				<encryption-algorithm>
					<name>aes</name>
					<keylen>128</keylen>
				</encryption-algorithm>
				<hash-algorithm>sha256</hash-algorithm>
				<dhgroup>14</dhgroup>
			</item>
		</encryption>
		<lifetime>28800</lifetime>
		<pre-shared-key>123</pre-shared-key>
		<private-key></private-key>
		<certref></certref>
		<caref></caref>
		<authentication_method>pre_shared_key</authentication_method>
		<descr></descr>
		<nat_traversal>on</nat_traversal>
		<mobike>off</mobike>
		<margintime></margintime>
		<dpd_delay>10</dpd_delay>
		<dpd_maxfail>5</dpd_maxfail>
	</phase1>
	<phase2>
		<ikeid>1</ikeid>
		<uniqid>5de457ba59a13</uniqid>
		<mode>vti</mode>
		<reqid>1</reqid>
		<localid>
			<type>network</type>
			<address>10.254.254.2</address>
			<netbits>30</netbits>
		</localid>
		<remoteid>
			<type>address</type>
			<address>10.254.254.1</address>
		</remoteid>
		<protocol>esp</protocol>
		<encryption-algorithm-option>
			<name>aes</name>
			<keylen>128</keylen>
		</encryption-algorithm-option>
		<hash-algorithm-option>hmac_sha256</hash-algorithm-option>
		<pfsgroup>14</pfsgroup>
		<lifetime>3600</lifetime>
		<pinghost></pinghost>
		<descr></descr>
	</phase2>
</ipsec>

    Unit 2

    
<ipsec>
	<logging>
		<dmn>1</dmn>
		<mgr>1</mgr>
		<ike>1</ike>
		<chd>1</chd>
		<job>1</job>
		<cfg>1</cfg>
		<knl>1</knl>
		<net>1</net>
		<asn>1</asn>
		<enc>1</enc>
		<imc>1</imc>
		<imv>1</imv>
		<pts>1</pts>
		<tls>1</tls>
		<esp>1</esp>
		<lib>1</lib>
	</logging>
	<client></client>
	<phase1>
		<ikeid>1</ikeid>
		<iketype>ikev2</iketype>
		<interface>wan</interface>
		<remote-gateway>117xxxxxxxxxxxxxxxxxxxxx</remote-gateway>
		<protocol>inet</protocol>
		<myid_type>myaddress</myid_type>
		<myid_data></myid_data>
		<peerid_type>peeraddress</peerid_type>
		<peerid_data></peerid_data>
		<encryption>
			<item>
				<encryption-algorithm>
					<name>aes</name>
					<keylen>128</keylen>
				</encryption-algorithm>
				<hash-algorithm>sha256</hash-algorithm>
				<dhgroup>14</dhgroup>
			</item>
		</encryption>
		<lifetime>28800</lifetime>
		<pre-shared-key>123</pre-shared-key>
		<private-key></private-key>
		<certref></certref>
		<caref></caref>
		<authentication_method>pre_shared_key</authentication_method>
		<descr></descr>
		<nat_traversal>on</nat_traversal>
		<mobike>off</mobike>
		<margintime></margintime>
		<dpd_delay>10</dpd_delay>
		<dpd_maxfail>5</dpd_maxfail>
	</phase1>
	<phase2>
		<ikeid>1</ikeid>
		<uniqid>5de45728c26ca</uniqid>
		<mode>vti</mode>
		<reqid>1</reqid>
		<localid>
			<type>network</type>
			<address>10.254.254.1</address>
			<netbits>30</netbits>
		</localid>
		<remoteid>
			<type>address</type>
			<address>10.254.254.2</address>
		</remoteid>
		<protocol>esp</protocol>
		<encryption-algorithm-option>
			<name>aes</name>
			<keylen>128</keylen>
		</encryption-algorithm-option>
		<hash-algorithm-option>hmac_sha256</hash-algorithm-option>
		<pfsgroup>14</pfsgroup>
		<lifetime>3600</lifetime>
		<pinghost></pinghost>
		<descr></descr>
	</phase2>
</ipsec>

    I get the following on both units.
    alt text

    Also, I have the interfaces assigned on both units, but they don't show up on the Firewall Rules page.

    The gateways that are created automatically are not green either.

    If I configure a traditional tunnel (not vti) everything works as expected.

    0
  • C

    I also see

    querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found
    0
  • N

    They don't show up in the firewalls section as interfaces.

    You just write rules inside the 'ipsec" section.

    SiteA to SiteB
    SiteA out from LAN to SiteB - write firewall rules under LAN
    SiteA in from SiteB to SiteA LAN - write firewall rules under IPSEC

    0
  • C

    I'm pretty sure in VTI mode, they are supposed to show up as interfaces. I have already assigned them and they do show up under Status->Interfaces.

    0
    K
     1 Reply
  • K

    @coreybrett
    PF uses an enc0 interface to filter all ipsec traffic. (classic ipsec tunnel, VTI).

    
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 08:00:27:7e:d9:81
	hwaddr 08:00:27:7e:d9:81
	inet6 fe80::a00:27ff:fe7e:d981%em1 prefixlen 64 scopeid 0x2
	inet 10.3.100.1 netmask 0xffffff00 broadcast 10.3.100.255
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: enc

    Therefore, all filtering rules are created on the IPSEC tab ( including for VTI).

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy