Bug #16219 (open)
pfSense IPsec VTI Mode Incompatible with Juniper Traffic Selector Requirements
Status: Incomplete
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Release Notes: Default
Affected Plus Version: 24.11
Affected Architecture: All
Description
When configuring an IPsec VPN in VTI (route-based) mode between pfSense (which uses strongSwan) and a Juniper firewall (e.g., SRX), tunnel negotiation fails or no traffic flows, because the two sides have incompatible traffic selector requirements.
Expected Behavior:
pfSense should successfully negotiate IPsec VTI tunnels with peers that require specific (narrow) traffic selectors, such as Juniper firewalls, so that the tunnel is interoperable and fully functional.
Actual Behavior:
pfSense (strongSwan) proposes the traffic selector pair 0.0.0.0/0 <-> 0.0.0.0/0, which is what VTI mode requires.
Juniper firewalls require specific subnets as traffic selectors and do not accept the universal 0.0.0.0/0 value, so negotiation fails or the tunnel comes up but passes no traffic.
The error logs indicate mismatched traffic selectors or a negotiation failure.
Steps to Reproduce:
1. Configure IPsec VTI (route-based VPN) on pfSense with a Juniper firewall peer.
2. Set Phase 2 on pfSense to use 0.0.0.0/0 (the only available option for VTI mode).
3. Attempt to configure matching traffic selectors on Juniper (which requires specific subnets).
4. Attempt to establish the tunnel.
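The following Python model, added here as an illustration and not code from pfSense, strongSwan or Juniper, shows why the 0.0.0.0/0 selector proposed in VTI mode cannot be agreed with a peer that insists on an exact match of its configured subnets, and what the result would be if the peer instead narrowed the proposal as RFC 7296 section 2.9 permits. The two responder policies ("strict" and "narrow"), the example subnets, and the sample charon-style log lines are all constructed for this example; the log patterns match strongSwan's TS_UNACCEPTABLE and "no matching CHILD_SA config found" messages, which are the usual signs of a selector mismatch when triaging this failure.

```python
"""Model of IKEv2 traffic-selector (TS) agreement for the VTI scenario in this bug.

Added illustration only. The 'narrow' policy follows RFC 7296 section 2.9
(a responder may narrow the initiator's proposed TS to a subset of its own
configuration); the 'strict' policy is an assumption modelling a peer that
accepts only an exact match of its configured subnets, which is how this
report describes the Juniper side. All subnets and log lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class TrafficSelector:
    """A TSi/TSr pair as carried in the IKEv2 CREATE_CHILD_SA / IKE_AUTH exchange.

    tsi: addresses on the initiator's side, tsr: addresses on the responder's side.
    """
    tsi: Net
    tsr: Net


def overlap(a: Net, b: Net) -> Optional[Net]:
    """Return the common prefix of two IPv4 networks, or None if they are disjoint."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def negotiate(proposed: TrafficSelector, configured: TrafficSelector,
              policy: str) -> Optional[TrafficSelector]:
    """Return the TS pair the responder would agree to, or None for a failed CHILD_SA.

    proposed:   what the initiator (pfSense/strongSwan) sends.
    configured: the pair the responder (Juniper) has configured, expressed
                in the same TSi/TSr orientation.
    """
    if policy == "strict":
        # Exact-match peer: anything other than its own configured pair is rejected.
        return configured if proposed == configured else None
    if policy == "narrow":
        # RFC 7296 narrowing: answer with the intersection on both sides, if any.
        tsi = overlap(proposed.tsi, configured.tsi)
        tsr = overlap(proposed.tsr, configured.tsr)
        if tsi is None or tsr is None:
            return None
        return TrafficSelector(tsi, tsr)
    raise ValueError(f"unknown responder policy: {policy}")


# What pfSense proposes in VTI mode, per the report: 0.0.0.0/0 on both sides.
ANY = Net("0.0.0.0/0")
PFSENSE_VTI = TrafficSelector(ANY, ANY)
# Constructed example: the specific subnets the Juniper side is configured with.
JUNIPER_TS = TrafficSelector(Net("192.0.2.0/24"), Net("198.51.100.0/24"))

# Constructed log lines in the style of strongSwan's charon daemon.
SAMPLE_LOG = """\
charon: 05[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
charon: 05[IKE] failed to establish CHILD_SA, keeping IKE_SA
charon: 07[CFG] no matching CHILD_SA config found for 0.0.0.0/0 === 192.0.2.0/24
charon: 08[IKE] IKE_SA con1[3] established between 203.0.113.1[203.0.113.1]...203.0.113.2[203.0.113.2]
"""

TS_FAILURE_PATTERNS = (
    re.compile(r"TS_UNACCEPTABLE"),
    re.compile(r"no matching CHILD_SA config found"),
)


def find_ts_failures(log: str) -> list:
    """Return the log lines that point at a traffic-selector mismatch."""
    return [line for line in log.splitlines()
            if any(p.search(line) for p in TS_FAILURE_PATTERNS)]


if __name__ == "__main__":
    print("strict peer :", negotiate(PFSENSE_VTI, JUNIPER_TS, "strict"))  # None
    print("narrowing   :", negotiate(PFSENSE_VTI, JUNIPER_TS, "narrow"))  # Juniper's pair
    for line in find_ts_failures(SAMPLE_LOG):
        print("TS failure  :", line)
```

Run stand-alone, the script shows the two outcomes side by side: against the strict peer the 0.0.0.0/0 proposal yields no CHILD_SA (the failure this report describes), while a narrowing responder would have answered with its own specific subnets, which is why the same VTI configuration works with peers that implement narrowing.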