VTI tunnels behaving strangely
I've got 4 VTI tunnels on a box running 2.4.5_1. I'll call that box 0.
ipsec1000 - goes to box 1
ipsec8000 - goes to box 1
ipsec6000 - goes to box 2
ipsec7000 - goes to box 3
From box 0 I can ping both remote VTI endpoints on box 1 but not box 2 or box 3.
However, I can ping box 0 from the other side (which is also pfSense 2.4.5_1) with no problem in all cases.
What's strange is that if I tcpdump -i enc0 on box 2 or box 3 and ping from box 0 with a source address that is correct for that VTI, I see the traffic come across that interface but not the ipsec interface associated with the VTI.
I've torn down tunnels, rebooted everything, and cleared state tables. Am I up against some limitation here?
I see no log message of relevance, but what started this off is that the gateway status on box 0 shows the gateways associated with ipsec6000 and ipsec7000 as down. When I go to the gateway status on the other side of the VTI, it shows as up.
ipsec1000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
tunnel inet 7.7.7.7 --> 8.8.8.8
inet6 fe80::ae1f:6bff:fe7c:f530%ipsec1000 prefixlen 64 scopeid 0x12
inet 10.248.1.2 --> 10.248.1.1 netmask 0xfffffffc
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
reqid: 1000
groups: ipsec
ipsec8000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
tunnel inet 4.4.4.4 --> 4.4.4.5
inet6 fe80::ae1f:6bff:fe7c:f530%ipsec8000 prefixlen 64 scopeid 0x15
inet 10.248.0.2 --> 10.248.0.1 netmask 0xfffffffc
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
reqid: 8000
groups: ipsec
ipsec7000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
tunnel inet 1.2.3.4 --> 5.6.7.8
inet6 fe80::ae1f:6bff:fe7c:f530%ipsec7000 prefixlen 64 scopeid 0x16
inet 10.248.3.2 --> 10.248.3.1 netmask 0xfffffffc
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
reqid: 7000
groups: ipsec
ipsec6000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
tunnel inet 1.2.3.4 --> 5.6.7.8
inet6 fe80::ae1f:6bff:fe7c:f530%ipsec6000 prefixlen 64 scopeid 0x17
inet 10.248.2.2 --> 10.248.2.1 netmask 0xfffffffc
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
reqid: 6000
groups: ipsec
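The post checks each VTI by hand: ping the remote inner address with the local VTI address as source (which is also what pfSense's dpinger does for the gateway monitor), and watch enc0 and the ipsecN interface at the same time. Below is an added shell example, not code from the original post or from pfSense, that parses ifconfig output for the if_ipsec interfaces and prints exactly those checks per tunnel, plus a sanity check for VTIs that share the same outer endpoint pair. The embedded SAMPLE is constructed from the ifconfig output above (where ipsec6000 and ipsec7000 happen to show identical outer endpoints, most likely address sanitization in the post); on a real box feed it the live output of `ifconfig -g ipsec`. The `ping -S` and `enc0` usage assume the FreeBSD/pfSense tools.

```shell
#!/bin/sh
# Added example: parse ifconfig output for if_ipsec VTI interfaces and emit
# the per-tunnel checks (sourced ping + tcpdump on enc0 and on the VTI).
# SAMPLE is constructed from the posted output; replace it with
# `ifconfig -g ipsec` on a live pfSense box.
SAMPLE='ipsec1000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 7.7.7.7 --> 8.8.8.8
        inet6 fe80::ae1f:6bff:fe7c:f530%ipsec1000 prefixlen 64 scopeid 0x12
        inet 10.248.1.2 --> 10.248.1.1 netmask 0xfffffffc
        reqid: 1000
        groups: ipsec
ipsec8000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 4.4.4.4 --> 4.4.4.5
        inet 10.248.0.2 --> 10.248.0.1 netmask 0xfffffffc
        reqid: 8000
ipsec7000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 1.2.3.4 --> 5.6.7.8
        inet 10.248.3.2 --> 10.248.3.1 netmask 0xfffffffc
        reqid: 7000
ipsec6000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
        tunnel inet 1.2.3.4 --> 5.6.7.8
        inet 10.248.2.2 --> 10.248.2.1 netmask 0xfffffffc
        reqid: 6000'

# One line per VTI on stdout:
#   name reqid outer_local outer_remote inner_local inner_remote
# The inet6 link-local line is skipped because it does not match "inet <v4> -->".
vti_table() {
    awk '
    function flush() { if (n != "") print n, r, ol, or, il, ir }
    /^ipsec[0-9]+:/ { flush(); n = $1; sub(/:$/, "", n); r = ol = or = il = ir = "-" }
    /^[ \t]*tunnel inet / { ol = $3; or = $5 }
    /^[ \t]*inet [0-9.]+ --> / { il = $2; ir = $4 }
    /^[ \t]*reqid:/ { r = $2 }
    END { flush() }
    '
}

# Sanity check: list outer endpoint pairs used by more than one VTI.
# Reads the vti_table format on stdin.
vti_dup_outer() {
    awk '{ k = $3 " --> " $4; c[k]++; m[k] = m[k] " " $1 }
         END { for (k in c) if (c[k] > 1) print k ":" m[k] }'
}

# For each VTI, print the checks to run on the local box: tcpdump on enc0
# (traffic entering/leaving the IPsec stack) and on the VTI itself, then an
# echo request sourced from the VTI local address, as dpinger would send it.
vti_check_cmds() {
    while read -r n r ol or il ir; do
        printf '# %s: reqid %s, outer %s --> %s, inner %s --> %s\n' \
            "$n" "$r" "$ol" "$or" "$il" "$ir"
        printf '#   shell 1: tcpdump -ni enc0 host %s\n' "$ir"
        printf '#   shell 2: tcpdump -ni %s icmp\n' "$n"
        printf 'ping -c 3 -S %s %s\n\n' "$il" "$ir"
    done
}

# Usage with the constructed sample:
printf '%s\n' "$SAMPLE" | vti_table
printf '%s\n' "$SAMPLE" | vti_table | vti_dup_outer
printf '%s\n' "$SAMPLE" | vti_table | vti_check_cmds
```

If the sourced ping shows up on enc0 but not on the ipsecN interface, as the post describes, the packet reached the IPsec stack without being matched to that VTI's SA; comparing the reqid printed here against `setkey -DP` (or the SPD in the IPsec status page) for the same tunnel is the next thing to look at.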