Bug #10638

closed

ipsec VTI interface not setting tunnel parameters when phase1 Remote Gateway is 0.0.0.0

Added by Tim Carre over 4 years ago. Updated over 4 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 06/05/2020
% Done: 0%

Description

Hello everyone,

I am very interested in the Route-Based IPsec VPN and all the possibilities in dynamic routing made possible by the VTI interfaces.
What I need to do is to make a connection (ikev2) between a "mobile client" (dynamic IP address) and a fixed IPsec server. The client is a Juniper SRX300 here.
I know this type of phase 2 tunnel is not possible with a phase 1 "Mobile Client" setup. But I am able to establish a routed IPsec VPN with a classical phase 1 referencing a Remote Gateway of "0.0.0.0". The selection is made with local and peer identifiers matching a "hostname" (FQDN) or a username (aaa@bbb).

If the Remote Gateway is set to "0.0.0.0" flows are working from the Juniper to the pfSense (4.4.5 or 4.5.0-DEVEL) but not the other way around.
When I set the Remote Gateway to the public IP of the SRX connection (which I don't want to do because the IP can change) all seems to work well.

It seems that in the former configuration the command "ifconfig ipsecXXXX tunnel pfsense_ip srx_ip" is not executed.
Wouldn't it be possible to pass the "srx_ip" at connection time?

Regards,
Tim


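The report above asks whether the peer address could be passed to the VTI at connection time instead of being fixed in phase 1. The following is an added illustration of what that would look like as a strongSwan-style updown hook; it is not pfSense code, and pfSense did not adopt this approach (the related Bug #12723 instead disallows a Remote Gateway of 0.0.0.0 for VTI mode). Assumptions not taken from the report: strongSwan exports PLUTO_VERB, PLUTO_ME, PLUTO_PEER and PLUTO_REQID to the hook, the VTI is named "ipsec<reqid>" (hypothetical naming), and the tunnel endpoints are set with the FreeBSD if_ipsec(4) "ifconfig ... tunnel" / "deltunnel" commands quoted in the report. Because the endpoint now follows whatever address the peer authenticated from, the hook validates the address before handing it to ifconfig, and the peer identity check in phase 1 (FQDN or user ID, as the report describes) is what bounds who can move the tunnel.

```shell
#!/bin/sh
# Added example (not pfSense or strongSwan code): set the if_ipsec(4) VTI
# tunnel endpoints from the peer address learned at IKE time, so a phase 1
# with Remote Gateway 0.0.0.0 still gets "ifconfig ipsecN tunnel me peer".
# Assumed environment (hypothetical for this example): PLUTO_VERB, PLUTO_ME,
# PLUTO_PEER, PLUTO_REQID as strongSwan passes to an updown script.
# Set DRY_RUN=1 to print the ifconfig command instead of executing it.

# Accept only a dotted-quad IPv4 literal, so nothing from the environment can
# smuggle extra words into the ifconfig command line.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Build the command the report says is skipped for a 0.0.0.0 gateway.
# Refuses the 0.0.0.0 placeholder itself: the endpoint must be the real peer.
vti_tunnel_cmd() {
    iface=$1; local_ip=$2; peer_ip=$3
    is_ipv4 "$local_ip" || return 1
    is_ipv4 "$peer_ip" || return 1
    [ "$peer_ip" != "0.0.0.0" ] || return 1
    echo "ifconfig $iface tunnel $local_ip $peer_ip"
}

# Tear the endpoints down again when the SA goes away.
vti_deltunnel_cmd() {
    echo "ifconfig $1 deltunnel"
}

# Dispatch on the updown verb. Echoes the command so callers can inspect it;
# executes it unless DRY_RUN is set. Returns 1 on a bad address, 2 on a verb
# this hook does not handle.
handle_updown() {
    verb=$1; me=$2; peer=$3; reqid=$4
    iface="ipsec${reqid}"
    case "$verb" in
        up-host|up-client)
            cmd=$(vti_tunnel_cmd "$iface" "$me" "$peer") || return 1 ;;
        down-host|down-client)
            cmd=$(vti_deltunnel_cmd "$iface") ;;
        *) return 2 ;;
    esac
    if [ -z "$DRY_RUN" ]; then
        $cmd || return 1
    fi
    echo "$cmd"
}

# Entry point when the IKE daemon invokes the hook; does nothing when run by
# hand without PLUTO_VERB set.
if [ -n "$PLUTO_VERB" ]; then
    handle_updown "$PLUTO_VERB" "$PLUTO_ME" "$PLUTO_PEER" "$PLUTO_REQID"
fi
```

Run by hand with constructed values, e.g. `DRY_RUN=1 PLUTO_VERB=up-host PLUTO_ME=203.0.113.10 PLUTO_PEER=198.51.100.7 PLUTO_REQID=1000 sh updown.sh`, to see the ifconfig line it would issue; the daemon would need `leftupdown` (or pfSense's equivalent hook) pointed at the script, which this example does not configure.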
Related issues

Related to Bug #12723: Disallow remote gateway of ``0.0.0.0`` for VTI mode (Resolved, Viktor Gurov)
