Bug #9592
closedVTI interface down because interface number created is greater than ipsec32768
100%
Description
In some conditions, when creating a VTI interface for routed IP, the interface number allocated is very high.
<opt9>
<descr><![CDATA[HO_SY1_WAN]]></descr>
<if>ipsec52000</if>
<enable></enable>
<spoofmac></spoofmac>
<mtu>1440</mtu>
<mss>1440</mss>
</opt9>
This seems to be happening with firewalls that already have a large number of traditional ipsec p1/p2 tunnels. The first VTI p2 I made started with ipsec52000 and the interface is permanently offline / down. Any additional VTI interfaces I create get an even higher interface number such as ipsec53000.
Obviously this breaks the VTI and you cannot get routed IP to work.
Updated by Brett Merrick over 5 years ago
Suggested fix in pull request: https://github.com/pfsense/pfsense/pull/4071
Updated by Jim Pingle about 5 years ago
- Status changed from New to Pull Request Review
Updated by Jim Pingle over 4 years ago
- Target version set to 2.5.0
Updated by Renato Botelho about 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Viktor Gurov about 4 years ago
Regression fix:
https://github.com/pfsense/pfsense/pull/4459
Updated by Jim Pingle about 4 years ago
- Status changed from Feedback to Pull Request Review
Updated by Renato Botelho about 4 years ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Updated by Chris Linstruth about 4 years ago
- Assignee changed from Renato Botelho to Chris Linstruth
Updated by Chris Linstruth about 4 years ago
I created enough tunnels to get over what used to be 32768. Along the way I created two VTI tunnels. They were given interfaces ipsec3000 and ipsec6000. After there were enough tunnels to push the interface number past 32768, the VTI was given ipsec1.
If that is how it should work, it looks good. If the VTIs are supposed to start at con1 regardless of how many tunnels are already created, it doesn't seem to do that.
Updated by Chris Linstruth about 4 years ago
- Assignee changed from Chris Linstruth to Renato Botelho
Updated by Viktor Gurov about 4 years ago
Chris Linstruth wrote:
I created enough tunnels to get over what used to be 32768. Along the way I created two VTI tunnels. They were given interfaces ipsec3000 and ipsec6000. After there were enough tunnels to push the interface number past 32768, the VTI was given ipsec1.
If that is how it should work, it looks good. If the VTIs are supposed to start at con1 regardless of how many tunnels are already created, it doesn't seem to do that.
This is correct, and used for backward compatibility with pre-2.5 vti interface naming
see https://github.com/pfsense/pfsense/blob/3b88d9712b187602e946faeecc5f4902904b6d4c/src/etc/inc/interfaces.inc#L1379
Updated by Renato Botelho about 4 years ago
- Status changed from Feedback to Resolved
Updated by Viktor Gurov about 4 years ago
- Status changed from Resolved to New
First IPsec IKEv2 creates bogus vtimap entry:
<vtimaps> <item> <reqid></reqid> <index>0</index> <ifnum>000</ifnum> </item> </vtimaps>
it also doesn't create vtimap for the first IPsec IKEv2 VTI.
Fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/40
Updated by Viktor Gurov about 4 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho about 4 years ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Updated by Alhusein Zawi almost 4 years ago
VTI map is created
<vtimaps>
<item>
<reqid>1</reqid>
<index>0</index>
<ifnum>1000</ifnum>
</item>
<item>
<reqid>2</reqid>
<index>0</index>
<ifnum>2000</ifnum>
</item>
</vtimaps>
IPsec IKEv2 VTI. 2.5.0.a.20201217.0648
Updated by Renato Botelho almost 4 years ago
- Status changed from Feedback to Resolved