Project

General

Profile

Bug #9592

VTI interface down because interface number created is greater than ipsec32768

Added by Steven Perreau 3 months ago. Updated 10 days ago.

Status:
Pull Request Review
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
06/18/2019
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.4.4-p3
Affected Architecture:

Description

In some conditions, when creating a VTI interface for routed IP, the interface number allocated is very high.

<opt9>
<descr><![CDATA[HO_SY1_WAN]]></descr>
<if>ipsec52000</if>
<enable></enable>
<spoofmac></spoofmac>
<mtu>1440</mtu>
<mss>1440</mss>
</opt9>

This seems to be happening with firewalls that already have a large number of traditional ipsec p1/p2 tunnels. The first VTI p2 I made started with ipsec52000 and the interface is permanently offline / down. Any additional VTI interfaces I create get an even higher interface number such as ipsec53000.

Obviously this breaks the VTI and you cannot get routed IP to work.

History

#1 Updated by Brett Merrick 3 months ago

Suggested fix in pull request: https://github.com/pfsense/pfsense/pull/4071

#2 Updated by Jim Pingle 10 days ago

  • Status changed from New to Pull Request Review

Also available in: Atom PDF