IPsec VTI - unable to send any traffic. Receive counter increases
-
I have a site-to-site tunnel set up between an OPNsense and a pfSense device, along with FRR routing. After some time troubleshooting, the conclusion is that the pfSense is definitely at fault, but it's not clear where or why.
IPsec phase 1 is up
IPsec phase 2 is up and I see inbound traffic from the OPNsense side.
I have a permit any/any rule under the IPsec interface and, sure enough, I see OSPF hellos and BGP SYN requests from the OPNsense coming across the VPN tunnel. This at least confirms that incoming traffic and the remote site are set up correctly.
pfSense output is zero. I have gateway monitoring set up and it's still pending. Pinging the other end of the IPsec VTI tunnel from the pfSense side, I get no response. Furthermore, I have enabled not just OSPF but also BGP (to eliminate some kind of multicast transmission issue), but BGP doesn't work either. In theory this should all be a few clicks and I'm off to the races, but for some reason the VTI interface is not sending traffic across the tunnel.
The good news is that the VTI interface on the pfSense is reachable locally. I can ping it from another subnet at the pfSense location, so at least the software sees the interface as up and routing internally works. Any ideas?
Phase 2 output:
Bytes-In: 6,800 (7 KiB)
Packets-In: 108
Bytes-Out: 0 (0 B)
Packets-Out: 0

From OPNsense:
2022-03-05T20:04:13-05:00 Informational charon 16[KNL] <con1|539> querying policy 0.0.0.0/0 === 0.0.0.0/0 out failed, not found
2022-03-05T19:59:54-05:00 Informational charon 05[IKE] <con1|526> schedule delete of duplicate IKE_SA for peer 'x.x.x.x' due to uniqueness policy and suspected reauthentication
From pfSense. I noticed the transform sets are different. Odd.
Mar 5 20:02:38 charon 28216 15[CFG] local_ts = 10.6.106.1/32|/0 0.0.0.0/0|/0 ::/0|/0
Mar 5 20:02:38 charon 28216 15[CFG] remote_ts = 0.0.0.0/0|/0 0.0.0.0/0|/0 ::/0|/0
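The two charon `[CFG]` lines quoted above are the traffic selectors strongSwan proposes for the CHILD_SA (`local_ts`/`remote_ts`, one `subnet|/protocol` token per selector). The following is an added example, not code from the original post or from the pfSense/OPNsense projects: it parses those lines, applies IKEv2-style narrowing to work out which selectors the two peers would actually agree on, and flags anything that would leave a route-based VTI without a full `0.0.0.0/0 === 0.0.0.0/0` IPv4 policy. The pfSense lines are taken from the post; the OPNsense lines are constructed, since the post does not include that side's `[CFG]` output, and the exact prefixes reported as problems are only pointers to check, not a diagnosis.

```python
"""Triage strongSwan charon traffic-selector lines for a route-based (VTI) tunnel."""
import re
from ipaddress import ip_network

# Matches charon's "<prefix>[CFG] local_ts = ..." / "remote_ts = ..." lines.
TS_LINE = re.compile(r"\[CFG\]\s+(local_ts|remote_ts)\s*=\s*(.+)$")

# Lines as posted from the pfSense side.
PFSENSE_LINES = [
    "Mar 5 20:02:38 charon 28216 15[CFG] local_ts = 10.6.106.1/32|/0 0.0.0.0/0|/0 ::/0|/0",
    "Mar 5 20:02:38 charon 28216 15[CFG] remote_ts = 0.0.0.0/0|/0 0.0.0.0/0|/0 ::/0|/0",
]
# Constructed sample (assumption): what a plain VTI peer would typically propose.
OPNSENSE_LINES = [
    "2022-03-05T20:02:38-05:00 Informational charon 16[CFG] local_ts = 0.0.0.0/0|/0 ::/0|/0",
    "2022-03-05T20:02:38-05:00 Informational charon 16[CFG] remote_ts = 0.0.0.0/0|/0 ::/0|/0",
]


def parse_selectors(field):
    """'10.6.106.1/32|/0 0.0.0.0/0|/0' -> [IPv4Network, ...]; the '|/proto' part is dropped."""
    return [ip_network(tok.split("|", 1)[0], strict=False) for tok in field.split()]


def parse_charon(lines):
    """Return {'local_ts': [...], 'remote_ts': [...]} from a block of charon log lines."""
    ts = {"local_ts": [], "remote_ts": []}
    for line in lines:
        m = TS_LINE.search(line)
        if m:
            ts[m.group(1)] = parse_selectors(m.group(2))
    return ts


def narrow(a_list, b_list):
    """IKEv2 narrowing: for each overlapping pair of same-family selectors keep the narrower one."""
    out = []
    for a in a_list:
        for b in b_list:
            if a.version != b.version:
                continue
            if a.subnet_of(b):
                pick = a
            elif b.subnet_of(a):
                pick = b
            else:
                continue  # disjoint selectors never produce a policy
            if pick not in out:
                out.append(pick)
    return out


def negotiated(initiator, responder):
    """Selectors both peers can accept: initiator.local vs responder.remote, and the reverse."""
    return {
        "initiator_side": narrow(initiator["local_ts"], responder["remote_ts"]),
        "responder_side": narrow(initiator["remote_ts"], responder["local_ts"]),
    }


def vti_problems(initiator, responder):
    """Human-readable findings that would matter for a VTI, which wants 0.0.0.0/0 on both ends."""
    any4 = ip_network("0.0.0.0/0")
    problems = []
    for side, nets in negotiated(initiator, responder).items():
        if any4 not in nets:
            problems.append(f"{side}: no 0.0.0.0/0 selector agreed; IPv4 policy narrower than the VTI")
    for name, ts in (("initiator", initiator), ("responder", responder)):
        for key in ("local_ts", "remote_ts"):
            hosts = [n for n in ts[key] if n.version == 4 and n.prefixlen == 32]
            if hosts and any4 in ts[key]:
                joined = ", ".join(str(h) for h in hosts)
                problems.append(f"{name} {key}: host selector(s) {joined} mixed with 0.0.0.0/0")
    return problems


if __name__ == "__main__":
    pf, opn = parse_charon(PFSENSE_LINES), parse_charon(OPNSENSE_LINES)
    for side, nets in negotiated(pf, opn).items():
        print(side, [str(n) for n in nets])
    for p in vti_problems(pf, opn):
        print("CHECK:", p)
```

Run it against both peers' real `[CFG]` output (pfSense: Status > System Logs > IPsec; OPNsense: VPN > IPsec > Log File) to see whether the selector lists actually mirror each other; the `0.0.0.0/0` entries do agree here, while the extra `10.6.106.1/32` on the pfSense side is the kind of odd entry worth explaining before looking elsewhere.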