Interface (ipsec6000) not being added for VTI tunnel

IPsec
Log in to reply
  • M

    I have two 2.4.5 firewalls connected with IPSec tunnels. On both ends there is an interface assigned so that I can monitor traffic. This assignment was done using interfaces_assign.php

    On one of the sides ipsec6000 is not created and does not come up. It shows up as down on status_interfaces.php, but does not show up when running ifconfig from console. The interface can not be pinged.

    I have tried deleting the tunnel and recreating it to make sure there was nothing left from before, but that does not change anything.

    This may be related to https://forum.netgate.com/topic/152179/ipv4-vti-tunnel-set-network-mask, but I don't think it is as it only shows up on one end.

    0
  • jimp
    Rebel Alliance Developer Netgate

    Are there any errors in the system log which refer to ifconfig or ipsec6000? The 6000 is based on the VPN ID so that may not match on both sides.

    0
  • M

    Nothing that seems obvious to me :

    Apr 7 15:11:25	71117 	/interfaces.php: The command '/sbin/ifconfig 'ipsec6000' -staticarp ' returned exit code '1', the output was 'ifconfig: interface ipsec6000 does not exist'
Apr 7 15:11:25 	php-fpm 	71117 	/interfaces.php: The command '/usr/sbin/arp -d -i 'ipsec6000' -a > /dev/null 2>&1 ' returned exit code '1', the output was '

    Perhaps this one:

    Apr 7 15:25:32 	php-fpm 	89122 	/rc.newipsecdns: The remote gateway XX.YY.ZZ.AA already exists on another phase 1 entry

    Or

    Apr 7 15:11:44 	php-fpm 89122 	/rc.newipsecdns: Gateway, none 'available' for inet6, use the first one configured. ''

    I have two parallel tunnels running from a site with two WANs to the second one. I probably should have mentioned that at the start in case that makes a difference. Didn't think of mentioning it since the tunnel looks to have come up properly.

    /var/etc/ipsec/filterdns-ipsec.hosts has duplicates in it

    Apr 7 15:11:48 	php-fpm 	89122 	/rc.newipsecdns: The command '/usr/local/sbin/filterdns -p /var/run/filterdns-ipsec.pid -i 60 -c /var/etc/ipsec/filterdns-ipsec.hosts -d 1' returned exit code '1', the output was '/var/etc/ipsec/filterdns-ipsec.hosts:6: filterdns: duplicate configuration entry found filterdns: cannot open the configuration file.'
    0
  • jimp
    Rebel Alliance Developer Netgate

    That's probably why. The IPsec interface has to be built between the local and remote gateway addresses, and it can't build two tunnels to the same remote address.

    0
  • M

    Is that the same remote IP, or the same remote hostname? Would it help using a DNS CNAME, or do I need separate IPs?

    0
  • M

    I changed it to use a gateway group, as per https://forum.netgate.com/topic/52963/ipsec-multi-wan-failover now it works as expected.

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy