Netgate Discussion Forum
    VTI IPv6 Gateway Creation Issue

    3 Posts 2 Posters 945 Views
    MMapplebeck (last edited by MMapplebeck)

      I am in the process of switching from OpenVPN to IPsec VTI tunnels between our 3 datacenter sites, and am noticing a difference in behavior between IPv4 and IPv6 gateway creation. When the IPv4 VTI P2 is created, a matching IPv4 gateway is created using the Remote Network Address, which is set as both the Gateway and the Monitor IP, and all works well. However, when I create my IPv6 VTI P2, I get a gateway created that instead shows the Gateway as dynamic with no Monitor, which then sits in a persistent state of Pending. The only difference I can find is that for the IPv4 side I am able to use a /30; however, as noted in many other posts, for the IPv6 side you need to use a /64, otherwise things don't work (I have also tried to use a /126 and /127, which breaks the tunnel). The only way to bring the gateway up is to either manually edit the gateway to add the far side IP as the Monitor (I can't modify the gateway itself as it is locked in as Dynamic), or just tell it to Disable Gateway Monitoring altogether. As soon as this is done, the proper gateway shows up automatically.

      Am I doing something wrong, or is this a bug? Honestly, I'd really rather just handle the gateway creation myself manually, just like I do for my WireGuard tunnels.

      This is on pfSense+ 21.05.2 (can reproduce on 22.02 as well) between an HA pair of XG-7100 and another HA pair of XG-1537 units.

      I have attached some images below. I also noticed a bug with editing a VTI P2 after it's been created: as seen in my P2 images, opening the tunnel after initial creation using the proper Local Network as "Network" and the Remote Network as "Address" shows both set as Address.

      Thanks,

      Marc

      Gateways: (screenshot attached)
      Gateway Status: (screenshot attached)

      IPv4 P2: (screenshot attached)
      IPv6 P2: (screenshot attached)

      MMapplebeck (last edited by MMapplebeck)

        Thought I'd give this post a bump as I've upgraded to 22.02 and am still having the same issues. I also noticed that the second item I mentioned, about the display of P2 Network Type reverting to Address, was shown in Redmine as fixed, but I am still able to reproduce the issue.

        pfoo

          I think I'm hitting the same issue in 2.6.0-RELEASE.

          I have a working VTI IPv4 routing scenario linking two LANs and wanted to add IPv6.
          I added a second P2 on both pfSense nodes, configured as follows:

          On node A :
                  local  fd87:dcb9:c321:6610::01/126
                  remote fd87:dcb9:c321:6610::02
          On node B :
                  local  fd87:dcb9:c321:6610::02/126
                  remote fd87:dcb9:c321:6610::01

          The IPv6 tunnel comes up successfully; however, the gateways are not defined correctly:

          • In the dashboard gateway widget for OPT1_VTIV6: the IPv6 address is displayed as ~, RTT pending, status Unknown.
          • In system_gateways.php, a gateway named OPT1_VTIV6 appears but stays empty, with neither an IPv6 address nor a monitor IP.

          Interfaces are configured correctly:
          Node A : inet6 fd87:dcb9:c321:6610::1 prefixlen 126
          Node B : inet6 fd87:dcb9:c321:6610::2 prefixlen 126

          I am, however, able to ping both sides of the VTI tunnel.

          If I add a static route from my LANs to OPT1_VTIV6, both LANs can ping each other.
          However, netstat -rn for the static route shows:
          2001:41c9:1111:d2d::/64 ipsec1 US ipsec1
          which confirms the LAN is routed directly to the interface and not to the IPv6 VTI tunnel, as is done for IPv4.

          If I add a manual gateway 'test' (on node B, for example) on interface OPT1 with IP fd87:dcb9:c321:6610::01, the dashboard displays this gateway correctly.
          I can then define my static route on this 'test' gateway.
          Now netstat -rn shows this for the static route:
          2001:41c9:1111:d2d::/64 fd87:dcb9:c321:6610::1 UGS ipsec1
          (same behaviour as with IPv4 VTI)

          Traffic passes correctly in both scenarios; however, it does not feel normal to have a route directly to the interface in this case.

          I tried to set the P2 local IP to a single address (fd87:dcb9:c321:6610::01) or a wider range (fd87:dcb9:c321:6610::01/64) with no more success.
          If I disable gateway monitoring: no changes.
          If I force a monitoring IP, the gateway is shown as 'Online' but still with an empty IPv6 address.

          Any clue on fixing this? Or on disabling automatic gateway creation?

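The symptom pfoo describes is visible in the routing table itself: the broken state installs the static route with flags "US" and the interface name in the Gateway column, while the working IPv4-style state shows "UGS" with the peer's VTI address. The following script is an added example, not pfSense or Netgate code, that scans `netstat -rn`-style output and reports static routes bound directly to an interface. The sample table is constructed from the two lines quoted in the post (which come from two different scenarios) plus a made-up connected route; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not pfSense/Netgate code): report IPv6 static routes that were
# installed directly on an interface instead of via a gateway address. In
# FreeBSD/pfSense `netstat -rn` output such a route shows flags "US" with the
# interface name in the Gateway column, rather than "UGS" with a next-hop address.
#
# Constructed sample: the two lines quoted in the post above plus an invented
# connected route. On a real box, run:  netstat -rn -f inet6 | find_interface_bound_static_routes
SAMPLE_ROUTES='Routing tables

Internet6:
Destination                       Gateway                       Flags     Netif Expire
2001:41c9:1111:d2d::/64           ipsec1                        US        ipsec1
2001:41c9:1111:d2d::/64           fd87:dcb9:c321:6610::1        UGS       ipsec1
fd87:dcb9:c321:6610::/126         link#9                        U         ipsec1'

# Reads netstat-style lines on stdin and prints "<dest> <gateway> <flags> <netif>"
# for every static route (S flag) that has no gateway address (no G flag).
find_interface_bound_static_routes() {
    while read -r dest gw flags netif rest; do
        # Skip "Routing tables", "Internet6:", the column header and blank lines.
        case "$dest" in
            ''|Routing|Internet*|Destination) continue ;;
        esac
        case "$flags" in
            *G*) ;;   # has a next-hop address: the expected gateway route
            *S*) printf '%s %s %s %s\n' "$dest" "$gw" "$flags" "$netif" ;;
        esac
    done
}

# Runs the check over the constructed sample and prints the offending routes.
check_sample() {
    printf '%s\n' "$SAMPLE_ROUTES" | find_interface_bound_static_routes
}

# Number of offending routes in the sample (one: the "US" line from the post).
count_sample() {
    check_sample | wc -l | tr -d ' '
}
```

Only the interface-bound "US" line from the post is reported; the "UGS" route via fd87:dcb9:c321:6610::1 and the connected /126 route pass, which is the state pfoo reached after adding the manual 'test' gateway.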
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.