Bug #9592
VTI interface down because interface number created is greater than ipsec32768
Status:
Pull Request Review
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
06/18/2019
Due date:
% Done:
0%
Estimated time:
Affected Version:
2.4.4-p3
Affected Architecture:
Description
In some conditions, when creating a VTI interface for routed IP, the interface number allocated is very high.
<opt9>
<descr><![CDATA[HO_SY1_WAN]]></descr>
<if>ipsec52000</if>
<enable></enable>
<spoofmac></spoofmac>
<mtu>1440</mtu>
<mss>1440</mss>
</opt9>
This seems to be happening with firewalls that already have a large number of traditional ipsec p1/p2 tunnels. The first VTI p2 I made started with ipsec52000 and the interface is permanently offline / down. Any additional VTI interfaces I create get an even higher interface number such as ipsec53000.
Obviously this breaks the VTI and you cannot get routed IP to work.
History
#1
Updated by Brett Merrick 3 months ago
Updated by Suggested fix in pull request: https://github.com/pfsense/pfsense/pull/4071
#2
Updated by Jim Pingle 10 days ago
Updated by - Status changed from New to Pull Request Review