Bug #16219
open
pfSense IPsec VTI Mode Incompatible with Juniper Traffic Selector Requirements
0%
Description
When configuring an IPsec VPN in VTI (route-based) mode between pfSense (using strongSwan) and Juniper firewalls (e.g., SRX), the tunnel negotiation fails or traffic does not flow due to incompatible traffic selector requirements.
Expected Behavior:
pfSense should successfully negotiate IPsec VTI tunnels with devices that require specific (narrow) traffic selectors, such as Juniper firewalls, ideally allowing for interoperability and full tunnel functionality.
Actual Behavior:
pfSense (strongSwan) attempts to negotiate the tunnel using the traffic selector 0.0.0.0/0<->0.0.0.0/0 as required for VTI mode.Juniper firewalls require specific subnets for traffic selectors and do not accept the universal 0.0.0.0/0 value, resulting in a negotiation failure or a tunnel where no traffic flows.Error logs indicate mismatched traffic selectors or negotiation failure.Steps to Reproduce:
Configure IPsec VTI (route-based VPN) on pfSense with a Juniper firewall peer.Set Phase 2 on pfSense to use 0.0.0.0/0 (the only available option for VTI mode).Attempt to configure matching traffic selectors on Juniper (which requires specific subnets).Attempt to establish the tunnel.
Updated by Kris Phillips 22 days ago
- Status changed from New to Incomplete
If you're using traffic selectors, you want Policy-mode in pfSense Plus. VTIs don't use traffic selectors, so I'm confused how this is a bug, exactly.
Please advise.
Marking as Incomplete temporarily.
Updated by Henry Zhou 22 days ago
Thanks for taking care of the ticket.
Let me clarify. I don't intend to use traffic selector under VTI mode.
The issue is the VTI mode of pfsense by default sends 0.0.0.0/0 as traffic selector to the other side. While Juniper doesn't allow that, the IKE phase1 connection would not be established.
There's no way for me to override that in pfsense.
Updated by Kris Phillips 16 days ago
- Status changed from Incomplete to New
Henry Zhou wrote in #note-2:
Thanks for taking care of the ticket.
Let me clarify. I don't intend to use traffic selector under VTI mode.
The issue is the VTI mode of pfsense by default sends 0.0.0.0/0 as traffic selector to the other side. While Juniper doesn't allow that, the IKE phase1 connection would not be established.
There's no way for me to override that in pfsense.
Unfortunately, this is the only way that pfSense handles VTI tunnels. There is no way to not sent the "route all" traffic selectors of 0.0.0.0/0, as this is a dependency of strongswan. It would not work otherwise.
This would likely have to be "fixed" upstream with strongswan.