Dualstack IPsec VTI interfaces impossible in New IPsec Connections #6777
Comments
This may be related to my other report on V6 tunnels as well: for VTI I can't get a V6 VTI tunnel to add the inner IP; same as you, if I manually add it, it works fine. For now I'm using V4 in new connections and V6 in the old way so it comes up properly on boot.
OK, let's close #6754 and mark this as a feature request then.
That works for me, as long as it's completed before the legacy type is retired, as currently there is no other way to get a V6 VTI working. Policy based works in new, but not VTI. V4 works in both. Also as 1 tunnel dual/stack would be better. I would even go further on the request above for single phase 1 with 2 phase 2s and ask to be able to add both V4 and V6 to phase 1 with the dual phase 2s, and then on the VTI tunnel have the 2 outer and inner as well. Only thinking as I've seen and had V4 issues on 1 connection while V6 was still OK, or vice versa, then at least your tunnel is still up with both V4/V6 inside.
@firestormo your issue seemed to be a bug, fixed in 3f5bec4. eb74bd0 adds the secondary address for dual stack as @pfoo requested.
Thanks @AdSchellevis for all the work and effort.
@AdSchellevis confirmed working as expected dual stack, I have VTI with V4 & V6 inside addresses using connections not legacy, FRR working with it as well, 23.7.9
Describe the bug
Back when using Tunnel Settings (legacy UI), it was possible to configure an IPsec VTI tunnel with both IPv4 and IPv6 inner addresses by creating two phase 2 entries (one for IPv4, the other for IPv6). This resulted in the creation of one VTI interface for both IPv4 and IPv6 tunnels.
With the new IPsec UI, we need to configure the VTI interface ourselves (in VPN->IPsec->Virtual Tunnel Interfaces).
The new UI, however, does not allow entering both IPv4 and IPv6 inner tunnel addresses for the same interface/reqid. This prevents having a dualstack VTI tunnel.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
We should be able to enter both IPv4 and IPv6 for the same VTI / reqid in order to allow a dualstack tunnel.
Describe alternatives you considered
Manually adding an IPv6 subnet to the internal tunnel restores the same functionality as the legacy IPsec UI:
ifconfig ipsec1000 inet6 fdc6:6233:25a5:1111::3/127
Environment
Software version used and hardware type if relevant, e.g.:
OPNsense 23.7.2-amd64