Netgate Discussion Forum
    Any plans to support Virtual Tunnel Interfaces (VTI) for IPSEC VPNs?

    IPsec
    15 Posts 7 Posters 5.4k Views

    • awebster

      For the sake of simplicity and compatibility with other major players' VPNs, are there any plans to support Virtual Tunnel Interfaces (VTI) for IPSEC VPNs?

      Virtual Tunnel Interfaces allow the use of dynamic routing protocols (OSPF, BGP, RIP), thus removing the need to define an IPSEC Phase 2 entry for each subnet pair that needs to communicate.
      Major vendors such as Cisco, Palo Alto Networks, Fortinet and Juniper all support this concept of dynamic routing over VPNs, which greatly simplifies the setup, particularly if the firewall is participating in a full-mesh VPN scenario. Furthermore, VTI is compatible between major vendors and not-so-major ones, including Vyatta, UBNT and others.

      GRE/GIF tunneling is for the most part not supported on the major vendors' platforms, making VTI the common denominator.

      Any thoughts appreciated.

      –A.

      • jimp (Rebel Alliance Developer, Netgate)

        Routed IPsec is on our radar, no specific time frame or implementation details though.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • awebster

          Cool, thanks.

          I actually got it so tantalizingly close, but got stuck…

          I set up an IPSEC-SA with 0.0.0.0/32 <=> 0.0.0.0/32, which triggers "routed vpn" mode on my Palo Alto firewall, so from its perspective everything is cool; the VPN was up in routed mode.

          Next, I ran tcpdump on enc0 and could see the traffic arriving, including OSPF packets from the Palo Alto firewall, but they just weren't going anywhere else.

          Setting a tunnel endpoint IP on lo0 or lo1 didn't help.
          Setting the tunnel endpoint IP on gif0 did allow the packets to be picked off enc0 and enter the kernel, and actually get replied to!
          Quagga ospfd was seeing the Palo Alto as a neighbor in INIT state.
          But... and there is always a but... the response packets were going back out over an IPIP tunnel and not IPSEC, so it didn't work :(

          I think the path to this solution lies along the design of the gif0 driver, because it was able to pick up the packets from enc0 and actually process them. It just needs to be able to put the packets back into the IPSEC tunnel in the end.

          If any of this helped to lay the groundwork toward a solution, then it was time well spent.

          –A.

          • fredlubrano

            Hello,

            Will the VTI Routed IPsec feature be included in a future release? Is it on your roadmap, and when will it be available?

            Thanks

            fred

            • jimp (Rebel Alliance Developer, Netgate)

              @jimp:

              Routed IPsec is on our radar, no specific time frame or implementation details though.


              • fredlubrano

                Hello Jimp

                I understand your answer, but this post dates from December 2015, and I thought you might have more news in the meantime.
                This function is essential for choosing our future equipment.
                It is boring to choose a Fortigate because pfSense does not have VTI Routed IPsec. :'(

                Thanks for the reply

                Best regards,

                fred

                • dimostin

                  Hello guys,

                  Is there any news regarding Virtual Tunnel Interfaces (VTI) for IPSEC VPNs on pfSense equipment?

                  Regards,
                  dimostin

                  • jimp (Rebel Alliance Developer, Netgate)

                    Not possible currently, but the code for VTI was recently imported to FreeBSD, so it is going to show up in a future version eventually.


                    • Brailyn

                      +1 for this :)

                      • kholmqvist

                        +1 :)

                        • jimp (Rebel Alliance Developer, Netgate)

                          It will be in pfSense 2.5, which will be based on FreeBSD 12, which has the IPsec VTI code. No ETA on that though, probably at least a year out, likely more.


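The FreeBSD 12 code that jimp refers to above is the if_ipsec(4) route-based IPsec interface, which replaces the enc0/gif0 juggling awebster described earlier in the thread: the interface is bound to a reqid, its outer endpoints are set with `tunnel`, and inner point-to-point addresses are assigned for a routing daemon to peer over, so reply traffic leaves through the IPsec SA rather than an IPIP tunnel. The script below is an added example written for this page; it is not code from the thread, from Netgate or from pfSense. It emits the ifconfig commands for one VTI (and applies them only when APPLY=1 on a FreeBSD 12 host as root). The interface name, reqid, WAN addresses, tunnel addresses and remote subnet are constructed placeholders, and the SA pair carrying that reqid is assumed to be negotiated separately by the IKE daemon and is not shown.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): generate the
# FreeBSD 12 if_ipsec(4) commands for one routed IPsec (VTI) tunnel.
# All addresses, the interface name and the reqid are constructed
# placeholders; the IKE daemon is assumed to install an SA pair with
# the same reqid, which is out of scope here.

# True only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the commands for one VTI. Arguments:
#   $1 interface (ipsecN)  $2 reqid  $3 local WAN IP  $4 peer WAN IP
#   $5 local tunnel IP     $6 peer tunnel IP  $7 remote subnet (optional)
# Fails (returns 1, prints nothing useful) on malformed input so that a
# typo never produces a half-configured interface.
vti_commands() {
    ifn=$1; reqid=$2; lwan=$3; rwan=$4; ltun=$5; rtun=$6; rsub=$7
    case $ifn in ipsec[0-9]*) ;; *) echo "bad interface: $ifn" >&2; return 1 ;; esac
    case $reqid in ''|*[!0-9]*) echo "bad reqid: $reqid" >&2; return 1 ;; esac
    for a in "$lwan" "$rwan" "$ltun" "$rtun"; do
        is_ipv4 "$a" || { echo "bad IPv4 address: $a" >&2; return 1; }
    done
    # The interface is tied to a reqid; SAs negotiated with that reqid
    # are the ones that carry this interface's traffic.
    echo "ifconfig $ifn create reqid $reqid"
    # Outer (WAN) endpoints; if_ipsec installs its own SPD entries for them.
    echo "ifconfig $ifn inet tunnel $lwan $rwan"
    # Inner point-to-point addresses that OSPF/BGP peers over.
    echo "ifconfig $ifn inet $ltun $rtun"
    # Optional static route; with a routing daemon over the VTI it is
    # learned dynamically instead, which is the whole point of VTI.
    [ -n "$rsub" ] && echo "route add -net $rsub $rtun"
    return 0
}

# Dry run by default (commands are printed with a leading '#'); with
# APPLY=1 the commands are executed and the resulting SPD is dumped.
vti_apply() {
    cmds=$(vti_commands "$@") || return 1
    printf '%s\n' "$cmds" | while IFS= read -r c; do
        if [ "${APPLY:-0}" = 1 ]; then $c; else echo "# $c"; fi
    done
    [ "${APPLY:-0}" = 1 ] && setkey -DP
    return 0
}

# Constructed sample: site A (203.0.113.1) to site B (198.51.100.1),
# inner /30 10.255.0.1 <-> 10.255.0.2, remote LAN 192.0.2.0/24.
vti_apply ipsec0 100 203.0.113.1 198.51.100.1 10.255.0.1 10.255.0.2 192.0.2.0/24
```

Run it as-is to review the commands, then `APPLY=1 sh vti.sh` on the FreeBSD 12 box once the IKE daemon has a connection configured with reqid 100. Omit the last argument when OSPF or BGP will announce the remote subnets over ipsec0, which is the configuration the thread is asking for; the static route is only there for a quick two-site test.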
                          • tweek

                            Jim, what flavor of BGP will the new VTI code utilize, and would you be willing to add a module for the BIRD internet routing daemon?

                            • jimp (Rebel Alliance Developer, Netgate)

                              It's too early to say for any of that. We are looking at FRR for all routing functionality though; no current plans for BIRD.


                              • tweek

                                If you could please consider BIRD for inclusion. My router expert friend assures me BIRD is much more powerful and better architected than FRR.

                                • jimp (Rebel Alliance Developer, Netgate)

                                  @tweek:

                                  If you could please consider BIRD for inclusion. My router expert friend assures me BIRD is much more powerful and better architected than FRR.

                                  Our router expert employees prefer FRR/Quagga and assure us it's better than BIRD in various ways.


                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.