Bug #11134

closed

VTI interfaces can be added to groups, but rules have no effect

Added by Jocelyn Viau almost 4 years ago. Updated almost 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Viktor Gurov
Category:
Interfaces
Target version:
Start date:
12/06/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.5-p1
Affected Architecture:
All

Description

I created an interface group that includes a routed IPSec VTI interface (ipsec1000). Despite the fact that the VTI interface is a member of the group, traffic coming from that interface is not evaluated by the interface group rules; traffic is only evaluated based on the Floating and IPSec rule sets (tabs). Being able to add the VTI interface to a group and not having it actually taken into account when packet filtering occurs is causing confusion.

I see two solutions:
1. Remove the possibility of adding VTI interfaces to interface groups
2. Make the IPsec traffic coming through the VTI interface go through the interface group rules too in this order:
First: Floating
Second: Interface groups the VTI interface is a member of
Third: IPsec tab rules

I would prefer the second one ;-)

Currently, the only way of including the IPsec VTI interface into a group rule is to put all rules in the Floating tab, which is not very convenient.

Thanks.

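Because the fix described later in this issue only removes VTI interfaces from the group assignment UI, a configuration that already had a VTI interface in a group keeps that membership, and the group's rules still silently fail to match its traffic. The script below is an added example, not part of the original report and not pfSense's own code: it audits a config.xml for interface groups that contain a VTI member. The config.xml layout it parses (`<interfaces>` entries carrying the device name in `<if>`, `<ifgroups>/<ifgroupentry>` with a space-separated `<members>` list) and the `ipsecNNNN` device naming are assumptions; the sample configuration is constructed inline.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the relevant parts of a pfSense config.xml.
# The layout (per-interface <if> device names under <interfaces>,
# <ifgroupentry> with space-separated logical <members>) is an assumption
# about the format, not text taken from the bug report.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>vtnet0</if><descr>WAN</descr></wan>
    <lan><if>vtnet1</if><descr>LAN</descr></lan>
    <opt1><if>ipsec1000</if><descr>VTI_SITEB</descr></opt1>
    <opt2><if>vtnet2</if><descr>DMZ</descr></opt2>
  </interfaces>
  <ifgroups>
    <ifgroupentry>
      <ifname>INTERNAL</ifname>
      <members>lan opt1 opt2</members>
      <descr>Trusted networks</descr>
    </ifgroupentry>
    <ifgroupentry>
      <ifname>EDGE</ifname>
      <members>wan</members>
      <descr>Edge</descr>
    </ifgroupentry>
  </ifgroups>
</pfsense>
"""

# Assumed naming of routed IPsec VTI devices (ipsec1000, ipsec2000, ...).
VTI_RE = re.compile(r"^ipsec\d+$")


def interface_devices(root):
    """Map logical interface names (wan, lan, opt1, ...) to device names."""
    devices = {}
    ifaces = root.find("interfaces")
    if ifaces is None:
        return devices
    for node in ifaces:
        dev = node.findtext("if")
        if dev:
            devices[node.tag] = dev.strip()
    return devices


def vti_group_members(config_xml):
    """Return {group_name: [(logical_name, device), ...]} for every
    interface group that has at least one VTI member."""
    root = ET.fromstring(config_xml)
    devices = interface_devices(root)
    findings = {}
    groups = root.find("ifgroups")
    if groups is None:
        return findings
    for entry in groups.findall("ifgroupentry"):
        name = (entry.findtext("ifname") or "").strip()
        members = (entry.findtext("members") or "").split()
        vti = [(m, devices[m]) for m in members
               if m in devices and VTI_RE.match(devices[m])]
        if vti:
            findings[name] = vti
    return findings


def report(config_xml):
    """Print one line per VTI group member and return the findings."""
    findings = vti_group_members(config_xml)
    if not findings:
        print("No interface group contains a VTI member.")
        return findings
    for group, members in findings.items():
        for logical, dev in members:
            print(f"group {group}: member {logical} is VTI device {dev}; "
                  f"rules on the {group} group tab will not match its traffic")
    return findings


if __name__ == "__main__":
    report(SAMPLE_CONFIG)
```

Run it against a backup of the real config.xml (for example `report(open("config.xml").read())`) after upgrading; any group it flags should have its rules moved to the Floating or IPsec tabs, or the VTI member removed from the group, so that the ruleset actually matches what the GUI suggests.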
Actions #1

Updated by Viktor Gurov almost 4 years ago

Actions #2

Updated by Jim Pingle almost 4 years ago

  • Subject changed from Interface group rules are not parsed on incoming IPSec traffic on a VTI interface to VTI interfaces can be added to groups, but rules have no effect
  • Target version set to 2.5.0

Updated subject. The underlying problem already has its own Redmine issue ( #8686 ) but this can be used for removing VTI interfaces from group assignment.

Actions #3

Updated by Renato Botelho almost 4 years ago

  • Status changed from New to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

Actions #4

Updated by Alhusein Zawi almost 4 years ago

Working as expected.

VTI interface is not showing up on interface groups assignment. (removed)

2.5.0.a.20201210.0250

Actions #5

Updated by Alhusein Zawi almost 4 years ago

  • Status changed from Feedback to Resolved

Actions #6

Updated by Jim Pingle almost 4 years ago

  • Category changed from Rules / NAT to Interfaces