
Bug #8628

closed

IPsec VTI - P2 "remote network" field accepts only host address

Added by Vladimir Lind over 5 years ago. Updated over 5 years ago.

Status: Not a Bug
Priority: Normal
Assignee:
Category: IPsec
Target version: -
Start date: 07/10/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.4
Affected Architecture:

Description

In routed IPsec you can specify a "remote network", but in fact the "mask" field is grayed out. You can set only a host (/32) address, which is reflected in the routing table:

192.168.152.1 link#7 UH 9 1400 ipsec1000

This setting does not seem useful, because we are routing networks, not just hosts, across the routed IPsec tunnel.

I think there are two options:
  1) Remove the "Local/Remote Network" fields and do all routing via the assigned VTI interface with separately configured static or dynamic routes.
  2) Allow setting static network routes (not just /32 host routes) under P2.

Version - 2.4.4-CE Mon Jul 09 16:03:52 EDT 2018

#1

Updated by Jim Pingle over 5 years ago

  • Status changed from New to Not a Bug
  • Assignee set to Jim Pingle
  • Target version deleted (2.4.4)

That is by design. The VTI local/remote pair of addresses forms a point-to-point "tunnel network", similar to OpenVPN static key tunnels; they do not specify traffic to carry across IPsec in this instance. The netmask for this shared transit network is specified on the local line. Think of it more like a GRE or GIF local/remote line.

With VTI, routes to manage traffic flow are set up in routing, not in IPsec P2 settings.

https://www.netgate.com/docs/pfsense/vpn/ipsec/ipsec-routed.html
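As an added example (not from this report and not pfSense's own code), a small Python check that captures what the reply describes: the P2 local line carries the transit netmask, the remote line is the peer's host address inside that transit network, and the remote networks become ordinary routes with that peer as gateway on the VTI interface. Only 192.168.152.1 and ipsec1000 come from the report; the local /30 and the remote LANs are constructed.

```python
import ipaddress
from typing import Dict, List

# Constructed sample values. 192.168.152.1 and ipsec1000 appear in the report's
# routing-table line; the local /30 and the remote LANs are assumed.
LOCAL_TUNNEL = "192.168.152.2/30"   # P2 local address, carries the transit netmask
REMOTE_TUNNEL = "192.168.152.1"     # P2 remote address, a host address by design
VTI_IFNAME = "ipsec1000"
REMOTE_LANS = ["10.20.0.0/16", "172.16.5.0/24"]


def plan_vti_routes(local_cidr: str, remote_host: str,
                    remote_networks: List[str], ifname: str) -> Dict:
    """Validate VTI transit addressing and derive the routes that belong in
    the routing table rather than in the P2 settings."""
    local = ipaddress.ip_interface(local_cidr)
    transit = local.network
    if transit.prefixlen == transit.max_prefixlen:
        raise ValueError("local address must carry a transit netmask, not a host mask")
    remote = ipaddress.ip_interface(remote_host)
    if remote.network.prefixlen != remote.max_prefixlen:
        raise ValueError("remote address is a host address; the mask goes on the local line")
    if remote.ip not in transit or remote.ip == local.ip:
        raise ValueError("remote address must be another host inside the transit network")
    routes = []
    for net_str in remote_networks:
        net = ipaddress.ip_network(net_str, strict=True)
        if net.overlaps(transit):
            raise ValueError(f"{net} overlaps the transit network {transit}")
        # Gateway is the peer's tunnel address; the kernel reaches it via the VTI.
        routes.append({"destination": str(net), "gateway": str(remote.ip),
                       "interface": ifname})
    return {"transit_network": str(transit), "routes": routes}


def render_route_commands(plan: Dict) -> List[str]:
    """Render the plan as FreeBSD route(8) commands (assumed form; on pfSense
    these would normally be entered as static routes with a VTI gateway)."""
    return [f"route add -net {r['destination']} {r['gateway']}" for r in plan["routes"]]


if __name__ == "__main__":
    plan = plan_vti_routes(LOCAL_TUNNEL, REMOTE_TUNNEL, REMOTE_LANS, VTI_IFNAME)
    print("transit network:", plan["transit_network"])
    for cmd in render_route_commands(plan):
        print(cmd)
```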

