Bug #9592
VTI interface down because interface number created is greater than ipsec32768
100%
Description
In some conditions, when creating a VTI interface for routed IP, the interface number allocated is very high.
<opt9>
<descr><![CDATA[HO_SY1_WAN]]></descr>
<if>ipsec52000</if>
<enable></enable>
<spoofmac></spoofmac>
<mtu>1440</mtu>
<mss>1440</mss>
</opt9>
This seems to be happening with firewalls that already have a large number of traditional ipsec p1/p2 tunnels. The first VTI p2 I made started with ipsec52000 and the interface is permanently offline / down. Any additional VTI interfaces I create get an even higher interface number such as ipsec53000.
Obviously this breaks the VTI and you cannot get routed IP to work.
History
#1
Updated by Brett Merrick over 1 year ago
Updated by Suggested fix in pull request: https://github.com/pfsense/pfsense/pull/4071
#2
Updated by Jim Pingle over 1 year ago
Updated by - Status changed from New to Pull Request Review
#3
Updated by Jim Pingle 11 months ago
- Target version set to 2.5.0
#4
Updated by Renato Botelho 4 months ago
Updated by - Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
#5
Updated by Viktor Gurov 4 months ago
Updated by Regression fix:
https://github.com/pfsense/pfsense/pull/4459
#6
Updated by Jim Pingle 4 months ago
- Status changed from Feedback to Pull Request Review
#7
Updated by Renato Botelho 4 months ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
#8
Updated by Chris Linstruth 3 months ago
Updated by - Assignee changed from Renato Botelho to Chris Linstruth
#9
Updated by Chris Linstruth 3 months ago
I created enough tunnels to get over what used to be 32768. Along the way I created two VTI tunnels. They were given interfaces ipsec3000 and ipsec6000. After there were enough tunnels to push the interface number past 32768, the VTI was given ipsec1.
If that is how it should work, it looks good. If the VTIs are supposed to start at con1 regardless of how many tunnels are already created, it doesn't seem to do that.
#10
Updated by Chris Linstruth 3 months ago
- Assignee changed from Chris Linstruth to Renato Botelho
#11
Updated by Viktor Gurov 3 months ago
Chris Linstruth wrote:
I created enough tunnels to get over what used to be 32768. Along the way I created two VTI tunnels. They were given interfaces ipsec3000 and ipsec6000. After there were enough tunnels to push the interface number past 32768, the VTI was given ipsec1.
If that is how it should work, it looks good. If the VTIs are supposed to start at con1 regardless of how many tunnels are already created, it doesn't seem to do that.
This is correct, and used for backward compatibility with pre-2.5 vti interface naming
see https://github.com/pfsense/pfsense/blob/3b88d9712b187602e946faeecc5f4902904b6d4c/src/etc/inc/interfaces.inc#L1379
#12
Updated by Renato Botelho 3 months ago
- Status changed from Feedback to Resolved
#13
Updated by Viktor Gurov 3 months ago
- Status changed from Resolved to New
First IPsec IKEv2 creates bogus vtimap entry:
<vtimaps>
<item>
<reqid></reqid>
<index>0</index>
<ifnum>000</ifnum>
</item>
</vtimaps>
it also doesn't create vtimap for the first IPsec IKEv2 VTI.
Fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/40
#14
Updated by Viktor Gurov 3 months ago
- Status changed from New to Pull Request Review
#15
Updated by Renato Botelho 3 months ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
#16
Updated by Alhusein Zawi about 1 month ago
Updated by VTI map is created
<vtimaps>
<item>
<reqid>1</reqid>
<index>0</index>
<ifnum>1000</ifnum>
</item>
<item>
<reqid>2</reqid>
<index>0</index>
<ifnum>2000</ifnum>
</item>
</vtimaps>
IPsec IKEv2 VTI. 2.5.0.a.20201217.0648
Remove extra 00 padding of VTI interface names. Issue #9592