Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    vti IPsec, gateway not adding static routes on 24.11

    IPsec
    2
    4
    91
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      lmassera
      last edited by

      I have an IPSEC VPN with a customer (on my side a pfsense 24.11, customer is a Palo Alto).
      We are trying to establish a VPN with a single shared IP on my side and multiple different ranges on the customer side. Since there are many address ranges and to avoid having several tunnels, we decided to try a single tunnel were I share a single IP on my side and the customer shares 0.0.0.0/0 on his side, and then route only the appropriate traffic through the tunnel with static routes (a routed tunnel connection)

      So I created the single P2 tunnel, vti mode, from my single address to the customers 0.0.0.0/0 range.
      The customer configured the tunnel on his side as a routed tunnel on the Palo Alto, sharing 0.0.0.0/0 on both sides.

      The issue is that when bringing up the tunnel, it is created as 0.0.0.0/0 to 0.0.0.0/0. This is the appropriate part of the log:

      9d3c85ac-0c09-40b7-a75d-3fc0c87a0c5e-image.png

      Since the tunnel is created from 0.0.0.0/0 local, then when I create the gateway it doesn't get an address, and so the static routes cannot be added.

      This is somewhat related to https://forum.netgate.com/post/1172294, but isn't the same scenario.

      Is there a setting for me to avoid proposing the 0.0.0.0/0 range locally?

      G 1 Reply Last reply Reply Quote 0
      • G
        Gblenn @lmassera
        last edited by

        @lmassera said in vti IPsec, gateway not adding static routes on 24.11:

        We are trying to establish a VPN with a single shared IP on my side and multiple different ranges on the customer side

        Just trying to understand, but are you saying you have e.g. one subnet on your side and the Palo Alto site has a whole range of subnets, all of which you want to reach from your side?
        If so, doesn't one VTI tunnel and a static route via that tunnel for each of the Palo Alto subnets work?
        But I'm thinking you can't anyway propose 0.0.0.0/0 for the pfsense side ? Perhaps you can keep that for the PA side but rather just set a /32 or /30 address on the pfsense side?

        L 1 Reply Last reply Reply Quote 0
        • L
          lmassera @Gblenn
          last edited by

          @Gblenn Thanks for your answer. I am doing what you are proposing. On the pfsense side I propose a single /32 range.

          9fbab17d-61b6-4d38-8c31-900e6651d335-image.png

          But the pfsense adds to the proposal automatically 0.0.0.0/0 and ::/0.
          Since the Palo Alto is configured to use 0.0.0.0/0 on both sides (it seems they cannot do anything else if it is a routed tunnel), when negotiating the P2 the tunnel is established as 0.0.0.0/0 - 0.0.0.0/0.

          I suppose there is a reason for adding these networks by default to the proposal, but in my case it makes it impossible to set up a gateway on my side.

          G 1 Reply Last reply Reply Quote 0
          • G
            Gblenn @lmassera
            last edited by Gblenn

            @lmassera Hmm, sounds a bit like Sophos XG I have at one end of one of my tunnels. But that is only half the truth, since on the Sophos with VTI setup I also have the xrfm interface which is automatically added when I select VTI. I then set it up with a /30 (or /24) subnet matching that of pfsense. I wonder if there is something amiss on their side then?

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.