Netgate Discussion Forum

Dynamic IPSec and VTI

MushyMiddle, Jan 10, 2021, 8:52 PM (last edited by MushyMiddle Jan 10, 2021, 9:23 PM)

    Hi. I have a number of sites running WatchGuard hardware, but am migrating one site over to pfSense. Among my sites, I use VTI almost exclusively. I have had no issue getting WG-to-pfSense VTI to work with sites that have static public IPs, however, I'm having issues with one site that has a dynamic IP.

    Worse, this site's ISP NATs traffic. That said, in a pure WG-to-WG configuration, I had VTI working OK with dynamic IPSec. With pfSense, however, in this configuration, P1/P2 come up OK, but in the IPSec log, I see:

    Jan 10 14:51:15	charon	1176	14[KNL] <con200000|64> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found

    ...and no traffic will pass.

    FWIW, both ends of the tunnel have the correct /30 IPs defined. I'm using IKEv2 and AES-256/SHA256/DH-14 on both sides. I guess the one thing I haven't tried is IKEv1 Aggressive mode.

    Anyway, I've fallen back to tunnel mode, and that works fine. I just prefer the ease of configuring route-based IPSec.

    FYI, this article from WG on VTI with pfSense is pretty good if you're using static IPs on both sides:

    pfSense and Firebox BOVPN Virtual Interface Integration Guide

    I guess since I'm working OK with good old tunnel mode, I'm not necessarily looking for a solution, but it's notable that WG seems to have pretty good dynamic IPSec VTI support, while pfSense doesn't seem to handle this scenario. It seems that WG is using GRE in Firebox-to-Firebox VTI - perhaps that's the difference?

MushyMiddle (replying to MushyMiddle), Jan 14, 2021, 12:43 AM

      ...adding that I now see the same "querying policy ... in failed..." messages for working VTI tunnels, so that message may be a red herring as far as this issue goes.

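The two posts together make a diagnostic point: the charon `querying policy ... failed, not found` line appears both on the tunnel that passes no traffic and on VTI tunnels that work, so it cannot be read as a failure signal on its own and has to be correlated per connection with whether the CHILD_SA came up and whether traffic flows. The parser below is an added example, not code from the thread or from pfSense/strongSwan; it splits the pfSense IPsec log line format quoted above into its fields (timestamp, process, pid, thread, subsystem, connection name, IKE_SA id, message), pulls out the policy-lookup messages, and counts them per connection so they can be checked against the tunnels that are known to be working. The sample log lines are constructed for the example (the SPI values and the `con100000` connection name are made up); the field layout follows the single line quoted in the first post.

```python
import re
from collections import Counter

# Field layout of the pfSense IPsec (charon) log line quoted in the thread:
#   <timestamp> <process> <pid> <thread>[<subsystem>] <<conn>|<ike_sa_id>> <message>
# Fields are tab-separated on pfSense; \s+ also tolerates space-separated copies.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<proc>\S+)\s+(?P<pid>\d+)\s+"
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\]\s+"
    r"<(?P<conn>[^|>]+)\|(?P<ike_id>\d+)>\s+(?P<msg>.*)$"
)

# The kernel-interface (KNL) message discussed in the thread.
POLICY_RE = re.compile(
    r"querying policy (?P<src>\S+) === (?P<dst>\S+) (?P<dir>in|out|fwd) failed, not found$"
)

# Constructed sample log: the quoted line, a second one for the same IKE_SA,
# a CHILD_SA line for that tunnel, the same message on another (working) tunnel,
# and an unrelated non-charon line that the parser must ignore.
SAMPLE_LOG = [
    "Jan 10 14:51:15\tcharon\t1176\t14[KNL] <con200000|64> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found",
    "Jan 10 14:51:15\tcharon\t1176\t14[KNL] <con200000|64> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 out failed, not found",
    "Jan 10 14:51:16\tcharon\t1176\t09[IKE] <con200000|64> CHILD_SA con200000{3} established with SPIs cafe0001_i cafe0002_o and TS 0.0.0.0/0 === 0.0.0.0/0",
    "Jan 14 18:40:02\tcharon\t1176\t11[KNL] <con100000|71> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found",
    "Jan 14 18:40:02\tsshd\t2001\tAccepted publickey for admin from 192.0.2.10 port 51022",
]


def parse_charon_line(line):
    """Split one log line into its named fields; None if it is not a charon-format line."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def policy_lookup_failures(lines):
    """Return one record per 'querying policy ... failed, not found' message."""
    out = []
    for line in lines:
        rec = parse_charon_line(line)
        if rec is None or rec["proc"] != "charon":
            continue
        pm = POLICY_RE.search(rec["msg"])
        if pm:
            out.append({
                "ts": rec["ts"],
                "conn": rec["conn"],
                "ike_id": int(rec["ike_id"]),
                "subsys": rec["subsys"],
                **pm.groupdict(),  # src, dst, dir
            })
    return out


def failures_per_connection(lines):
    """Count the policy-lookup messages per connection name (e.g. con200000)."""
    return Counter(f["conn"] for f in policy_lookup_failures(lines))


if __name__ == "__main__":
    # With a real file: failures_per_connection(open("/var/log/ipsec.log"))
    for conn, n in failures_per_connection(SAMPLE_LOG).items():
        print(f"{conn}: {n} policy-lookup message(s)")
```

Run against the real IPsec log, the per-connection counts are meant to be compared with the tunnels' observed state: if the working VTI tunnels show the same counts as the one that passes no traffic, the message is not what separates them, which is the conclusion the second post reaches.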
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.