Project

General

Profile

Bug #9592

VTI interface down because interface number created is greater than ipsec32768

Added by Steven Perreau over 1 year ago. Updated 29 minutes ago.

Status:
Feedback
Priority:
Normal
Category:
IPsec
Target version:
Start date:
06/18/2019
Due date:
% Done:

100%

Estimated time:
Affected Version:
2.4.4-p3
Affected Architecture:

Description

In some conditions, when creating a VTI interface for routed IP, the interface number allocated is very high.

<opt9>
<descr><![CDATA[HO_SY1_WAN]]></descr>
<if>ipsec52000</if>
<enable></enable>
<spoofmac></spoofmac>
<mtu>1440</mtu>
<mss>1440</mss>
</opt9>

This seems to be happening with firewalls that already have a large number of traditional ipsec p1/p2 tunnels. The first VTI p2 I made started with ipsec52000 and the interface is permanently offline / down. Any additional VTI interfaces I create get an even higher interface number such as ipsec53000.

Obviously this breaks the VTI and you cannot get routed IP to work.

Associated revisions

Revision 3b85b43b (diff)
Added by Viktor Gurov about 1 month ago

Remove extra 00 padding of VTI interface names. Issue #9592

Revision 1b4cb00f (diff)
Added by Viktor Gurov 24 days ago

IPsec PH1 creation fix. Issue #9592

History

#1 Updated by Brett Merrick over 1 year ago

Suggested fix in pull request: https://github.com/pfsense/pfsense/pull/4071

#2 Updated by Jim Pingle about 1 year ago

  • Status changed from New to Pull Request Review

#3 Updated by Jim Pingle 8 months ago

  • Target version set to 2.5.0

#4 Updated by Renato Botelho about 1 month ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#6 Updated by Jim Pingle 28 days ago

  • Status changed from Feedback to Pull Request Review

#7 Updated by Renato Botelho 24 days ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

#8 Updated by Chris Linstruth about 4 hours ago

  • Assignee changed from Renato Botelho to Chris Linstruth

#9 Updated by Chris Linstruth 29 minutes ago

I created enough tunnels to get over what used to be 32768. Along the way I created two VTI tunnels. They were given interfaces ipsec3000 and ipsec6000. After there were enough tunnels to push the interface number past 32768, the VTI was given ipsec1.

If that is how it should work, it looks good. If the VTIs are supposed to start at con1 regardless of how many tunnels are already created, it doesn't seem to do that.

#10 Updated by Chris Linstruth 29 minutes ago

  • Assignee changed from Chris Linstruth to Renato Botelho

Also available in: Atom PDF