Netgate Discussion Forum
    IPsec VTI dualstack

    dragoangel:

      I tried to create an IPsec VTI routed tunnel with two phase 2s, one for IPv4 and one for IPv6.
      In the end only the first one works. The second one doesn't get routed, even manually. Does someone have such a config working? What could I have missed?

      Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running multiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
      Unifi AP-AC-LR with EAP RADIUS, US-24

      dragoangel:

        I even tried creating a separate P1 per IPv6 and IPv4, and in this case it works more correctly, but applying firewall rules on interfaces with a gateway still sometimes works and sometimes doesn't. I see that traffic passes the rule by the counter but does not reach the other end of the tunnel. Moreover, when creating a P2 for tunnel and VTI at once in one P1, it will end up hanging pfSense. No alert or warning will stop you from destructive manipulations.

        jimp (Rebel Alliance Developer, Netgate):

          It works fine for me.

          : ifconfig ipsec4000
          ipsec4000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1299
          	tunnel inet 198.51.100.3 --> 198.51.100.20
          	inet6 fe80::20c:29ff:fe45:256%ipsec4000 prefixlen 64 scopeid 0x9
          	inet6 2001:db8:3:1111::1 prefixlen 64
          	inet 10.3.111.1 --> 10.3.111.2 netmask 0xfffffffc
          	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
          	reqid: 4000
          	groups: ipsec
          
          : ping -c 2 -S 10.3.111.1 10.3.111.2
          PING 10.3.111.2 (10.3.111.2) from 10.3.111.1: 56 data bytes
          64 bytes from 10.3.111.2: icmp_seq=0 ttl=64 time=0.849 ms
          64 bytes from 10.3.111.2: icmp_seq=1 ttl=64 time=0.687 ms
          
          --- 10.3.111.2 ping statistics ---
          2 packets transmitted, 2 packets received, 0.0% packet loss
          round-trip min/avg/max/stddev = 0.687/0.768/0.849/0.081 ms
          
          : ping6 -c 2 -S 2001:db8:3:1111::1 2001:db8:3:1111::2
          PING6(56=40+8+8 bytes) 2001:db8:3:1111::1 --> 2001:db8:3:1111::2
          16 bytes from 2001:db8:3:1111::2, icmp_seq=0 hlim=64 time=3.093 ms
          16 bytes from 2001:db8:3:1111::2, icmp_seq=1 hlim=64 time=1.558 ms
          
          --- 2001:db8:3:1111::2 ping6 statistics ---
          2 packets transmitted, 2 packets received, 0.0% packet loss
          round-trip min/avg/max/std-dev = 1.558/2.325/3.093/0.768 ms
          
          : cat /etc/version
          2.4.5-RELEASE
          

          You only need one P1 with two P2s: One for IPv4, one for IPv6. You handle anything else in routes.

          Make sure it's IKEv2.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!
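          A quick check that goes with jimp's ifconfig output above, as an added example that is not part of the thread or of pfSense: it confirms a VTI interface has both an IPv4 address and a global (non-link-local) IPv6 address, which is the state a working single-P1/two-P2 dual-stack tunnel should show before any routing is debugged. The interface name ipsec4000 is assumed from the post, and SAMPLE_IFCONFIG is a constructed copy of that output so the script runs offline.

```shell
#!/bin/sh
# Added example: verify a pfSense (FreeBSD) IPsec VTI interface is dual-stack.
# SAMPLE_IFCONFIG is a constructed copy of the ifconfig output from the thread.
SAMPLE_IFCONFIG='ipsec4000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1299
    tunnel inet 198.51.100.3 --> 198.51.100.20
    inet6 fe80::20c:29ff:fe45:256%ipsec4000 prefixlen 64 scopeid 0x9
    inet6 2001:db8:3:1111::1 prefixlen 64
    inet 10.3.111.1 --> 10.3.111.2 netmask 0xfffffffc
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    reqid: 4000
    groups: ipsec'

# vti_dualstack_check <ifconfig-text>
# Prints "reqid=... inet=... inet6=..." and returns:
#   0 = both families present, 1 = IPv4 only, 2 = IPv6 only, 3 = neither
vti_dualstack_check() {
    text=$1
    # "tunnel inet ..." has $1 == "tunnel", so only the VTI's own inet line matches
    v4=$(printf '%s\n' "$text" | awk '$1 == "inet" { print $2; exit }')
    # skip the fe80:: link-local address so a missing global IPv6 is not masked
    v6=$(printf '%s\n' "$text" | awk '$1 == "inet6" && $2 !~ /^fe80:/ { print $2; exit }')
    reqid=$(printf '%s\n' "$text" | awk '$1 == "reqid:" { print $2; exit }')
    printf 'reqid=%s inet=%s inet6=%s\n' "${reqid:-?}" "${v4:-none}" "${v6:-none}"
    if [ -n "$v4" ] && [ -n "$v6" ]; then
        return 0
    elif [ -n "$v4" ]; then
        return 1
    elif [ -n "$v6" ]; then
        return 2
    else
        return 3
    fi
}

# Live use on the firewall (interface name assumed): vti_dualstack_check "$(ifconfig ipsec4000)"
vti_dualstack_check "$SAMPLE_IFCONFIG"
```

A return code of 1 matches the symptom in the first post (only the IPv4 P2 usable), in which case the IPv6 P2 or its interface address is what to revisit, not the routes.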

            dragoangel @jimp:

            @jimp /64 in "address" is obvious. No... Will try.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.