Project

General

Profile

Actions

Bug #10638

closed

ipsec VTI interface not setting tunnel parameters when phase1 Remote Gateway is 0.0.0.0

Added by Tim Carre over 4 years ago. Updated over 4 years ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
06/05/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

Hello everyone,

I am very interested in the Route-Based IPsec VPN and all the possibilities in dynamic routing made possible by the VTI interfaces.
What I need to do is to make a connection (ikev2) between a "mobile client" (dynamic IP address) and a fixed IPsec server. The client is a Juniper SRX300 here.
I know this type of phase2 tunnel is not possible with a phase 1 "Mobile Client" setup. But I am able to established a a routed IPsec VPN with a classical phase 1 referencing a Remote Gateway of "0.0.0.0". The selection is made with local and peer identifiers matching a "hostname" (FQDN) or a username (aaa@bbb).

If the Remote Gateway is set to "0.0.0.0" flows are working from the Juniper to the pfSense (4.4.5 or 4.5.0-DEVEL) but not the other way around.
When I set the Remote Gateway to the public IP of the SRX connection (what I don't want to do because the IP can change) all seem to work well.

It seems that in the former configuration the command "ifconfig ipsecXXXX tunnel pfsense_ip srx_ip" is not executed.
Wouldn't it be possible to pass the "srx_ip" at connection time ?

Regards,
Tim


Related issues

Related to Bug #12723: Disallow remote gateway of ``0.0.0.0`` for VTI modeResolvedViktor Gurov

Actions
Actions #1

Updated by Jim Pingle over 4 years ago

  • Category set to IPsec
  • Status changed from New to Not a Bug
  • Priority changed from High to Normal

No, the IP address must be present when the interface is created. You end up in a catch-22 where the tunnel wouldn't work without the interface present but you can't create the interface properly without knowing the remote endpoint.

Use a dynamic DNS hostname instead of 0.0.0.0 for the remote and that should be able to work.

Actions #2

Updated by Tim Carre over 4 years ago

Jim Pingle wrote:

No, the IP address must be present when the interface is created. You end up in a catch-22 where the tunnel wouldn't work without the interface present but you can't create the interface properly without knowing the remote endpoint.

Use a dynamic DNS hostname instead of 0.0.0.0 for the remote and that should be able to work.

Thanks for the quick response.
I have been able to set up the "ifconfig ipsecXXXX tunnel" from CLI after the interface creation and even the tunnel setup (indeed the tunnel is in established state but the forwarding is wrong because the tunnel is not set, the interface flag "RUNNING" is not present and interface can not be used).
So it seems like that command can be triggered anytime you want.

Dynamic DNS is too risky and depends and other services, etc. Not really production safe in that case.

Actions #3

Updated by Viktor Gurov over 4 years ago

Tim Carre wrote:

Jim Pingle wrote:

No, the IP address must be present when the interface is created. You end up in a catch-22 where the tunnel wouldn't work without the interface present but you can't create the interface properly without knowing the remote endpoint.

Use a dynamic DNS hostname instead of 0.0.0.0 for the remote and that should be able to work.

Thanks for the quick response.
I have been able to set up the "ifconfig ipsecXXXX tunnel" from CLI after the interface creation and even the tunnel setup (indeed the tunnel is in established state but the forwarding is wrong because the tunnel is not set, the interface flag "RUNNING" is not present and interface can not be used).
So it seems like that command can be triggered anytime you want.

Dynamic DNS is too risky and depends and other services, etc. Not really production safe in that case.

You can create Site-to-Site VPN and set 0.0.0.0 as remote gateway address, see #7095 and #7410

Actions #4

Updated by Tim Carre over 4 years ago

You can create Site-to-Site VPN and set 0.0.0.0 as remote gateway address, see #7095 and #7410

Yes that is what we do but we would need VTI on top of it to make dynamic routing possible.
Is it pfsense or strongwan managing those interfaces ?

Actions #5

Updated by Jim Pingle almost 3 years ago

  • Related to Bug #12723: Disallow remote gateway of ``0.0.0.0`` for VTI mode added
Actions

Also available in: Atom PDF