Netgate Discussion Forum
    Interface (ipsec6000) not being added for VTI tunnel

    Category: IPsec

    mix_room:

      I have two 2.4.5 firewalls connected with IPSec tunnels. On both ends there is an interface assigned so that I can monitor traffic. This assignment was done using interfaces_assign.php.

      On one of the sides ipsec6000 is not created and does not come up. It shows up as down on status_interfaces.php, but does not show up when running ifconfig from the console. The interface cannot be pinged.

      I have tried deleting the tunnel and recreating it to make sure there was nothing left from before, but that does not change anything.

      This may be related to https://forum.netgate.com/topic/152179/ipv4-vti-tunnel-set-network-mask, but I don't think it is as it only shows up on one end.

      jimp (Rebel Alliance Developer, Netgate):

        Are there any errors in the system log which refer to ifconfig or ipsec6000? The 6000 is based on the VPN ID so that may not match on both sides.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        mix_room:

          Nothing that seems obvious to me:

          Apr 7 15:11:25 71117 /interfaces.php: The command '/sbin/ifconfig 'ipsec6000' -staticarp ' returned exit code '1', the output was 'ifconfig: interface ipsec6000 does not exist'
          Apr 7 15:11:25 php-fpm 71117 /interfaces.php: The command '/usr/sbin/arp -d -i 'ipsec6000' -a > /dev/null 2>&1 ' returned exit code '1', the output was '

          Perhaps this one:

          Apr 7 15:25:32 php-fpm 89122 /rc.newipsecdns: The remote gateway XX.YY.ZZ.AA already exists on another phase 1 entry

          Or

          Apr 7 15:11:44 php-fpm 89122 /rc.newipsecdns: Gateway, none 'available' for inet6, use the first one configured. ''

          I have two parallel tunnels running from a site with two WANs to the second one. I probably should have mentioned that at the start in case that makes a difference. Didn't think of mentioning it since the tunnel looks to have come up properly.

          /var/etc/ipsec/filterdns-ipsec.hosts has duplicates in it:

          Apr 7 15:11:48 php-fpm 89122 /rc.newipsecdns: The command '/usr/local/sbin/filterdns -p /var/run/filterdns-ipsec.pid -i 60 -c /var/etc/ipsec/filterdns-ipsec.hosts -d 1' returned exit code '1', the output was '/var/etc/ipsec/filterdns-ipsec.hosts:6: filterdns: duplicate configuration entry found filterdns: cannot open the configuration file.'

          jimp (Rebel Alliance Developer, Netgate):

            That's probably why. The IPsec interface has to be built between the local and remote gateway addresses, and it can't build two tunnels to the same remote address.

            mix_room:
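The log lines mix_room posted and jimp's reading of them amount to a small triage rule set: a VTI interface that ifconfig says does not exist, a second phase 1 entry pointing at the same remote gateway, and filterdns refusing its hosts file because of a duplicate entry. The script below is an added example, not code from the thread or from Netgate/pfSense. It parses constructed log lines modelled on the ones quoted above (same message texts, with the placeholder gateway XX.YY.ZZ.AA kept as-is), classifies each line, and reports whether the duplicate-remote-gateway condition explains a missing ipsecNNNN interface. The line layout it assumes (timestamp, process, pid, script, message) is taken from the quoted lines, not from any pfSense log specification.

```python
"""Triage pfSense-style system log lines for the missing-VTI-interface failure."""
import re

# Constructed sample, modelled on the lines quoted in the thread above.
SAMPLE_LOG = """\
Apr 7 15:11:25 php-fpm 71117 /interfaces.php: The command '/sbin/ifconfig 'ipsec6000' -staticarp ' returned exit code '1', the output was 'ifconfig: interface ipsec6000 does not exist'
Apr 7 15:11:44 php-fpm 89122 /rc.newipsecdns: Gateway, none 'available' for inet6, use the first one configured. ''
Apr 7 15:11:48 php-fpm 89122 /rc.newipsecdns: The command '/usr/local/sbin/filterdns -p /var/run/filterdns-ipsec.pid -i 60 -c /var/etc/ipsec/filterdns-ipsec.hosts -d 1' returned exit code '1', the output was '/var/etc/ipsec/filterdns-ipsec.hosts:6: filterdns: duplicate configuration entry found filterdns: cannot open the configuration file.'
Apr 7 15:25:32 php-fpm 89122 /rc.newipsecdns: The remote gateway XX.YY.ZZ.AA already exists on another phase 1 entry
Apr 7 15:26:01 php-fpm 89122 /rc.newipsecdns: Gateway, none 'available' for inet6, use the first one configured. ''
"""

# Assumed line layout: "<Mon D HH:MM:SS> <process> <pid> <script>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<script>/\S+?):\s+(?P<msg>.*)$"
)

# Rules are checked in order; the first match wins. Message texts are the
# literal strings from the thread, with the variable parts captured.
RULES = [
    ("vti_interface_missing",
     re.compile(r"ifconfig: interface (?P<iface>ipsec\d+) does not exist")),
    ("duplicate_remote_gateway",
     re.compile(r"remote gateway (?P<gateway>\S+) already exists on another phase 1 entry")),
    ("filterdns_duplicate_entry",
     re.compile(r"(?P<file>/\S+?):(?P<lineno>\d+): filterdns: duplicate configuration entry found")),
    ("inet6_gateway_fallback",
     re.compile(r"Gateway, none 'available' for inet6")),
]


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Return one finding per log line that matches a rule, with captured details."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        for name, rule in RULES:
            m = rule.search(rec["msg"])
            if m:
                findings.append({"rule": name, "ts": rec["ts"],
                                 "script": rec["script"], **m.groupdict()})
                break
    return findings


def diagnose(findings):
    """Summarise the findings the way the thread resolves them."""
    names = {f["rule"] for f in findings}
    if "duplicate_remote_gateway" in names and "vti_interface_missing" in names:
        gw = next(f["gateway"] for f in findings if f["rule"] == "duplicate_remote_gateway")
        ifaces = sorted({f["iface"] for f in findings if f["rule"] == "vti_interface_missing"})
        return ("two phase 1 entries share remote gateway %s; VTI %s was never created. "
                "Use a single phase 1 with a gateway group, or distinct remote addresses."
                % (gw, ", ".join(ifaces)))
    if "vti_interface_missing" in names:
        return ("VTI interface missing but no duplicate-gateway error seen; "
                "check whether the VPN ID differs between the two peers.")
    return "no VTI-related errors found"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["rule"], {k: v for k, v in f.items() if k not in ("ts", "rule", "script")})
    print(diagnose(found))
```

On a live box the same functions can be fed the output of `clog /var/log/system.log` (or the System Logs page export); anything that does not match the assumed layout is skipped rather than misclassified, so unrelated lines do not produce false findings.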

              Is that the same remote IP, or the same remote hostname? Would it help using a DNS CNAME, or do I need separate IPs?

                mix_room:

                I changed it to use a gateway group, as per https://forum.netgate.com/topic/52963/ipsec-multi-wan-failover; now it works as expected.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.