{"id":1216,"date":"2025-07-30T21:50:17","date_gmt":"2025-07-30T19:50:17","guid":{"rendered":"https:\/\/dyb.fr\/?p=1216"},"modified":"2025-07-30T21:50:17","modified_gmt":"2025-07-30T19:50:17","slug":"bug-ipsec-vti-dans-pfsense-2-7-2-ce-quil-faut-savoir-avant-de-deployer","status":"publish","type":"post","link":"https:\/\/dyb.eu\/blog\/bug-ipsec-vti-dans-pfsense-2-7-2-ce-quil-faut-savoir-avant-de-deployer\/","title":{"rendered":"\ud83d\udea8 IPsec VTI bug in pfSense 2.7.2: what you need to know before deploying"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">At DYB, we deploy and secure critical network infrastructure for our multi-site clients. Today, we want to share an important alert about a <strong>structural bug in pfSense 2.7.2<\/strong> affecting <strong>IPsec VTI<\/strong> tunnels.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83e\udde0 Reminder: why use IPsec VTI?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The <strong>Virtual Tunnel Interface (VTI)<\/strong> mode binds an IPsec tunnel to a real network interface. It provides:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Fine-grained routing<\/strong> (static, failover, BGP\/OSPF),<\/li>\n\n\n\n<li><strong>Full visibility<\/strong>: statistics, MTU, firewall rules,<\/li>\n\n\n\n<li>A configuration compatible with <strong>SD-WAN<\/strong>, <strong>multi-site<\/strong>, or <strong>dual-WAN<\/strong> setups.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">But this flexibility depends on a stable network configuration. 
And that is where version 2.7.2 causes problems.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udc1e The bug we encountered: phantom gateway and missing routes<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Across several client deployments and in our test environment, we observed:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Problem<\/th><th>Technical detail<\/th><\/tr><\/thead><tbody><tr><td>\u274c No auto-created gateway<\/td><td>The <code>ipsecX<\/code> interface is visible, but <strong>no gateway is automatically associated<\/strong> with it in routing<\/td><\/tr><tr><td>\u274c IP not configurable from the UI<\/td><td>The IP is managed through Phase 2, not through <em>Interfaces<\/em> &gt; <em>ipsecX<\/em> (field greyed out)<\/td><\/tr><tr><td>\u274c VTI routes removed on reboot<\/td><td>After a restart, <strong>the routes disappear<\/strong> or are inactive<\/td><\/tr><tr><td>\u26a0\ufe0f Failover impossible<\/td><td>Without a working gateway, <strong>the tunnel cannot be used in a WAN failover strategy<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83e\uddea Concrete examples from client deployments<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">During an inter-site deployment (main infrastructure \u2194 OVH datacenter), we have:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An IPsec VTI tunnel with a \/30 between the two pfSense instances,<\/li>\n\n\n\n<li>A dual WAN link (public FTTH + private FTTO),<\/li>\n\n\n\n<li>Per-interface routing logic (SMB over FTTH, RDP over FTTO).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\ud83c\udfaf Result: <strong>critical traffic 
does not get through<\/strong>, or is sent out through the wrong interface. The tunnel is up, but <strong>the gateway is missing<\/strong>, and routing fails.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udd27 Workaround applied at DYB<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Until the fix is available in a later version, here is what our network experts recommend:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Create the gateway manually<\/strong>\n<ul class=\"wp-block-list\">\n<li>Go to <em>System > Routing > Gateways<\/em><\/li>\n\n\n\n<li>Interface: <code>ipsecX<\/code><\/li>\n\n\n\n<li>IP: the remote Phase 2 address (often <code>x.x.x.2<\/code>)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Define the static routes<\/strong>\n<ul class=\"wp-block-list\">\n<li>Via <em>System > Routing > Static Routes<\/em> or via firewall rules with a gateway set<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Watch the state policies<\/strong>\n<ul class=\"wp-block-list\">\n<li>If necessary, switch temporarily to <em>Floating States<\/em> via <em>System > Advanced > Firewall\/NAT<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u2705 Fix in pfSense 2.8.0<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The recently released <strong>pfSense CE 2.8.0<\/strong> resolves these problems:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Fix<\/th><th>Status in 2.8.0<\/th><\/tr><\/thead><tbody><tr><td>Auto-created VTI gateway<\/td><td>\u2714\ufe0f Yes<\/td><\/tr><tr><td>VTI routes restored<\/td><td>\u2714\ufe0f Yes<\/td><\/tr><tr><td>Interface cleanly assignable<\/td><td>\u2714\ufe0f Yes<\/td><\/tr><tr><td>Compatibility with state policy<\/td><td>\u2714\ufe0f 
Improved<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udee1\ufe0f What DYB does for its clients<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">At DYB, we have <strong>updated our VTI VPN deployment templates<\/strong> and put in place:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IPsec gateway verification scripts run at every reboot,<\/li>\n\n\n\n<li>Dedicated monitoring of active routes via Prometheus\/Zabbix,<\/li>\n\n\n\n<li>WAN failover tests with automatic capture in case of malfunction.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">For our clients still running 2.7.x versions, <strong>we recommend a priority migration to 2.8.0<\/strong>, especially if a WAN resilience strategy is in place.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udd17 Are you affected?<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Do you run pfSense with several WAN links?<\/li>\n\n\n\n<li>Do you use IPsec VTI for inter-site tunnels?<\/li>\n\n\n\n<li>Are you seeing network loss with no clear explanation?<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\ud83c\udfaf <strong>Contact our technical teams<\/strong>: we will audit your configuration and propose a complete remediation or an automated migration to pfSense 2.8.0.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At DYB, we deploy and secure critical network infrastructure for our multi-site clients. Today, we want to share an important alert about a structural bug in pfSense 2.7.2 affecting IPsec VTI tunnels. \ud83e\udde0 Reminder: why use IPsec VTI? 
The Virtual Tunnel Interface (VTI) mode binds an IPsec tunnel to a real [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1218,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22,24],"tags":[21,23,25],"class_list":["post-1216","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurite","category-reseaux","tag-cybersecurite","tag-pfsense","tag-vti"],"_links":{"self":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/posts\/1216","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/comments?post=1216"}],"version-history":[{"count":0,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/posts\/1216\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/media\/1218"}],"wp:attachment":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/media?parent=1216"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/categories?post=1216"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/tags?post=1216"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}