Dynamic IPSec and VTI

MushyMiddle · Jan 10, 2021, 9:23 PM

Hi. I have a number of sites running WatchGuard hardware, but am migrating one site over to pfSense. Among my sites, I use VTI almost exclusively. I have had no issue getting WG-to-pfSense VTI to work with sites that have static public IPs, however, I'm having issues with one site that has a dynamic IP.

Worse, this site's ISP NATs traffic. That said, in a pure WG-to-WG configuration, I had VTI working OK with dynamic IPSec. With pfSense, however, in this configuration, P1/P2 come up OK, but in the IPSec log, I see:

Jan 10 14:51:15	charon	1176	14[KNL] <con200000|64> querying policy 0.0.0.0/0|/0 === 0.0.0.0/0|/0 in failed, not found

...and no traffic will pass.

FWIW, both ends of the tunnel have the correct /30 IPs defined. I'm using IKEv2 and AES-256/SHA256/DH-14 on both sides. I guess the one thing I haven't tried is IKEv1 Aggressive mode.

Anyway, I've fallen back to tunnel mode, and that works fine. I just prefer the ease of configuring route-based IPSec.

FYI, this article from WG on VTI with pfSense is pretty good if you're using static IPs on both sides:

pfSense and Firebox BOVPN Virtual Interface Integration Guide

I guess since I'm working OK with good old tunnel mode, I'm not necessarily looking for a solution, but it's notable that WG seems to have pretty good dynamic IPSec VTI support, while pfSense doesn't seem to handle this scenario. It seems that WG is using GRE in Firebox-to-Firebox VTI - perhaps that's the difference?

MushyMiddle · Jan 14, 2021, 12:43 AM

...adding that I now see the same "query policy ... in failed..." messages for working VTI tunnels, so that message may be a red herring as far as this issue.