VPN: IPsec - VTI, add a warning about dynamic ip addresses. We currently don't exepect them as input, nor should we probably due to the validations in if_ipsec

2026-06-08 16:12:04 -04:00 · 2022-12-23 16:19:28 +01:00 · 2022-12-23 16:19:28 +01:00 · 4f62577488
commit 4f62577488
parent 4aee329fa8
1 changed files with 7 additions and 0 deletions
--- a/source/manual/vpnet.rst
+++ b/source/manual/vpnet.rst
@ -168,6 +168,13 @@ The advantage of this type of setup is one can use standard or advanced routing

    Currently it does not seem to be possible to add NAT rules for :code:`if_ipsec(4)` devices.

+.. Warning::
+
+    In order to reliably setup a VTI tunnel, both ends should use static ip addresses. Although in the legacy configuration it
+    was possible to resolve hostnames, this will never lead to a stable configuration as the :code:`if_ipsec(4)` device
+    matches both source and destination `[#] <https://github.com/freebsd/freebsd-src/blob/c8ee75f2315e8267ad814dc5b4645ef205f0e0e1/sys/net/if_ipsec.c#L479>`__
+    before accepting the traffic and has no knowledge about any external changes.
+
 .................................
 Road Warriors / Mobile users
 .................................