
Dualstack IPsec VTI interfaces impossible in New IPsec Connections #6777

Closed
2 tasks done
pfoo opened this issue Aug 24, 2023 · 6 comments
Labels
feature Adding new functionality roadmap Major roadmap item

Comments

pfoo commented Aug 24, 2023

Describe the bug

Back when using Tunnel Settings (legacy UI), it was possible to configure an IPsec VTI tunnel with both IPv4 and IPv6 inner addresses by creating two phase 2 entries (one for ipv4, the other for ipv6). This resulted in the creation of one VTI interface for both ipv4 and ipv6 tunnels.

With the new IPsec UI, we need to configure the VTI interface ourselves (in VPN->IPsec->Virtual Tunnel Interfaces).
The new UI however does not allow entering both an IPv4 and an IPv6 inner tunnel address for the same interface/reqid. This prevents having a dual-stack VTI tunnel.

To Reproduce

Steps to reproduce the behavior:

  1. Go to 'VPN->IPsec->Virtual Tunnel Interfaces' (/ui/ipsec/vti)
  2. Edit the current IPv4 VTI and try to add an IPv6 address in Tunnel local/remote address -> Error is "Protocol families should match"
  3. Try to add a new VTI interface configured with the same reqid -> error "Reqid must be unique"

Expected behavior

We should be able to enter both IPv4 and IPv6 for the same VTI / reqid in order to allow a dual-stack tunnel.

Describe alternatives you considered

Manually adding an IPv6 subnet to the internal tunnel restores the same functionality as the legacy IPsec UI:
ifconfig ipsec1000 inet6 fdc6:6233:25a5:1111::3/127

Environment

OPNsense 23.7.2-amd64

@firestormo

this may be related to my other report on V6 tunnels as well for VTI
#6754

I can't get a V6 VTI tunnel to add the inner IP; same as you, if I manually add it, it works fine. For now I'm using V4 in new connections and V6 in the old way so it comes up properly on boot.

@AdSchellevis AdSchellevis added the feature Adding new functionality label Aug 25, 2023
@AdSchellevis (Member)

ok, let's close #6754 and mark this as a feature request then

@firestormo

> ok, let's close #6754 and mark this as a feature request then

That works for me, as long as it's completed before the legacy type is retired, as currently there is no other way to get a V6 VTI working. Policy-based works in new, but not VTI. V4 works in both.

Also as 1 tunnel dual/stack would be better.

I would even go further on the request above for single phase 1 with 2 phase 2s and ask to be able to add both V4 and V6 to phase 1 with the dual phase 2s, and then on the VTI tunnel have the 2 outer and inner as well.

Only thinking as I've seen and had v4 issues on 1 connection while v6 was still ok, or vice versa; then at least your tunnel is still up with both v4/v6 inside.

@AdSchellevis (Member)

@firestormo your issue seemed to be a bug, fixed in 3f5bec4. eb74bd0 adds the secondary address for dual stack as @pfoo requested
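
As an added illustration (not OPNsense's own code) of the two checks hit in the reproduction steps above and of the secondary address pair that the dual-stack change adds, the following models those rules on constructed entries. The entry layout, the `local2`/`remote2` field names and the "secondary pair uses the other family" rule are assumptions; the addresses are constructed.

```python
# Hypothetical model of the VTI address validation rules discussed in this issue.
# Not OPNsense code; field names and the dual-stack rule are assumptions.
import ipaddress
from dataclasses import dataclass


@dataclass
class VtiEntry:
    reqid: int
    local: str
    remote: str
    local2: str = ""    # secondary (assumed) pair; empty means not configured
    remote2: str = ""


def family(addr: str) -> int:
    """Return 4 or 6; raises ValueError for a malformed address."""
    return ipaddress.ip_address(addr).version


def validate(entries: list) -> list:
    """Return a list of error strings; an empty list means the set is valid."""
    errors = []
    seen = set()
    for e in entries:
        # Rule from step 3 of the report: one VTI per reqid.
        if e.reqid in seen:
            errors.append(f"reqid {e.reqid}: Reqid must be unique")
        seen.add(e.reqid)
        pairs = [("primary", e.local, e.remote)]
        if e.local2 or e.remote2:
            pairs.append(("secondary", e.local2, e.remote2))
        for label, loc, rem in pairs:
            if not loc or not rem:
                errors.append(f"reqid {e.reqid} {label}: both addresses are required")
            # Rule from step 2 of the report: local and remote of one pair share a family.
            elif family(loc) != family(rem):
                errors.append(f"reqid {e.reqid} {label}: Protocol families should match")
        # Assumed dual-stack rule: the secondary pair carries the other family.
        if len(pairs) == 2 and all((e.local, e.remote, e.local2, e.remote2)) \
                and family(e.local) == family(e.local2):
            errors.append(f"reqid {e.reqid}: secondary pair must use the other address family")
    return errors


if __name__ == "__main__":
    # Constructed dual-stack entry for ipsec1000: IPv4 primary pair, IPv6 secondary pair.
    entry = VtiEntry(1000, "10.0.0.1", "10.0.0.2",
                     "fdc6:6233:25a5:1111::2", "fdc6:6233:25a5:1111::3")
    print(validate([entry]) or "valid")
```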

@firestormo

Thanks @AdSchellevis for all the work and effort.

fichtner pushed a commit that referenced this issue Nov 21, 2023
fichtner pushed a commit that referenced this issue Nov 22, 2023
…pair for dual-stack purposes

PR: #6777

(cherry picked from commit eb74bd0)
(cherry picked from commit 8bcc796)

firestormo commented Nov 24, 2023

@AdSchellevis confirmed working as expected dual stack: I have VTI with V4 & V6 inside addresses using connections, not legacy, FRR working with it as well, 23.7.9

@AdSchellevis AdSchellevis added the roadmap Major roadmap item label Jan 8, 2024