Interface (ipsec6000) not being added for VTI tunnel


  • I have two 2.4.5 firewalls connected with IPSec tunnels. On both ends there is an interface assigned so that I can monitor traffic. This assignment was done using interfaces_assign.php

    On one of the sides ipsec6000 is not created and does not come up. It shows up as down on status_interfaces.php, but does not show up when running ifconfig from console. The interface cannot be pinged.

    I have tried deleting the tunnel and recreating it to make sure there was nothing left from before, but that does not change anything.

    This may be related to https://forum.netgate.com/topic/152179/ipv4-vti-tunnel-set-network-mask, but I don't think it is as it only shows up on one end.

  • Rebel Alliance Developer Netgate

    Are there any errors in the system log which refer to ifconfig or ipsec6000? The 6000 is based on the VPN ID so that may not match on both sides.


  • Nothing that seems obvious to me:

    Apr 7 15:11:25	71117 	/interfaces.php: The command '/sbin/ifconfig 'ipsec6000' -staticarp ' returned exit code '1', the output was 'ifconfig: interface ipsec6000 does not exist'
    Apr 7 15:11:25 	php-fpm 	71117 	/interfaces.php: The command '/usr/sbin/arp -d -i 'ipsec6000' -a > /dev/null 2>&1 ' returned exit code '1', the output was '

    Perhaps this one:

    Apr 7 15:25:32 	php-fpm 	89122 	/rc.newipsecdns: The remote gateway XX.YY.ZZ.AA already exists on another phase 1 entry

    Or

    Apr 7 15:11:44 	php-fpm 89122 	/rc.newipsecdns: Gateway, none 'available' for inet6, use the first one configured. ''

    I have two parallel tunnels running from a site with two WANs to the second one. I probably should have mentioned that at the start in case that makes a difference. Didn't think of mentioning it since the tunnel looks to have come up properly.

    /var/etc/ipsec/filterdns-ipsec.hosts has duplicates in it:

    Apr 7 15:11:48 	php-fpm 	89122 	/rc.newipsecdns: The command '/usr/local/sbin/filterdns -p /var/run/filterdns-ipsec.pid -i 60 -c /var/etc/ipsec/filterdns-ipsec.hosts -d 1' returned exit code '1', the output was '/var/etc/ipsec/filterdns-ipsec.hosts:6: filterdns: duplicate configuration entry found filterdns: cannot open the configuration file.'
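A small check for the condition in that last log line, added here as an example and not code from the thread or from pfSense: it scans a filterdns hosts file for repeated entries, which is what makes filterdns refuse to load the file and, in turn, leaves the IPsec interface unbuilt. The sample file, its hostnames and the `cmd ...` line layout are constructed assumptions, not the authoritative format.

```shell
#!/bin/sh
# Added example: find repeated entries in a filterdns hosts file before
# filterdns rejects it ("duplicate configuration entry found").
# Assumes one entry per line; blank lines and '#' comments are ignored.

# Prints "N: duplicate of line M: <entry>" for every repeated line.
# Exit status 1 when any duplicate exists, 0 when the file is clean.
find_duplicate_entries() {
    awk '
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }
        {
            key = $0
            sub(/^[[:space:]]+/, "", key)   # trim leading whitespace
            sub(/[[:space:]]+$/, "", key)   # trim trailing whitespace
        }
        (key in first) {
            printf "%d: duplicate of line %d: %s\n", NR, first[key], key
            dup = 1
            next
        }
        { first[key] = NR }
        END { exit (dup ? 1 : 0) }
    ' "$1"
}

# Number of duplicate lines, for a quick yes/no check in scripts.
count_duplicates() {
    find_duplicate_entries "$1" | wc -l | tr -d ' '
}

# Constructed sample resembling /var/etc/ipsec/filterdns-ipsec.hosts when
# two phase 1 entries point at the same remote gateway hostname.
make_sample() {
    cat > "$1" <<'EOF'
cmd vpn-a.example.net '/usr/local/sbin/pfSctl -c "service reload ipsecdns"'
cmd vpn-b.example.net '/usr/local/sbin/pfSctl -c "service reload ipsecdns"'
cmd vpn-a.example.net '/usr/local/sbin/pfSctl -c "service reload ipsecdns"'
EOF
}

# Check the file given on the command line, or the constructed sample.
if [ -n "${1:-}" ]; then
    find_duplicate_entries "$1"
else
    tmp=$(mktemp)
    make_sample "$tmp"
    find_duplicate_entries "$tmp" || echo "filterdns would refuse this file"
    rm -f "$tmp"
fi
```

On a firewall, `sh check.sh /var/etc/ipsec/filterdns-ipsec.hosts` reports the offending lines; the line number printed matches the one filterdns names in its error.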
  • Rebel Alliance Developer Netgate

    That's probably why. The IPsec interface has to be built between the local and remote gateway addresses, and it can't build two tunnels to the same remote address.


  • Is that the same remote IP, or the same remote hostname? Would it help using a DNS CNAME, or do I need separate IPs?


  • I changed it to use a gateway group, as per https://forum.netgate.com/topic/52963/ipsec-multi-wan-failover; now it works as expected.