[strongSwan] Strongswan using VTI

Olivier PELERIN olivier_pelerin at hotmail.com
Wed Dec 17 12:08:22 CET 2014
Dear Strongswan alias,

I'm trying a VTI config between a Linux box and a Cisco router.

I've created a VTI interface on my Linux box:

ip tunnel add vti0 mode vti local 10.1.1.1 remote 10.1.1.254 okey 32 ikey 32
ip link set vti0 up
ip addr add 10.0.0.1/30 remote 10.0.0.2/30 dev vti0

conn VTI
        keyexchange=ikev2
        ike=aes256-sha1-modp1024
        esp=aes256-sha1!
        leftid=10.1.1.1
        leftauth=psk
        leftsubnet=0.0.0.0/0
        rightauth=psk
        right=10.1.1.254
        rightid=10.1.1.254
        rightsubnet=0.0.0.0/0
        mark=32
        auto=route
manowar python # ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2rc1, Linux 3.18.1-gentoo, x86_64):
  uptime: 114 seconds, since Dec 17 11:53:47 2014
  malloc: sbrk 2416640, mmap 0, used 373840, free 2042800
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon ldap aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  192.168.255.134
  10.1.1.1
  10.0.0.1
Connections:
         VTI:  %any...10.1.1.254  IKEv2
         VTI:   local:  [10.1.1.1] uses pre-shared key authentication
         VTI:   remote: [10.1.1.254] uses pre-shared key authentication
         VTI:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL
Routed Connections:
         VTI{1}:  ROUTED, TUNNEL
         VTI{1}:   0.0.0.0/0 === 0.0.0.0/0 
Security Associations (1 up, 0 connecting):
         VTI[1]: ESTABLISHED 109 seconds ago, 10.1.1.1[10.1.1.1]...10.1.1.254[10.1.1.254]
         VTI[1]: IKEv2 SPIs: e1e9a005055323ab_i* 78c7cc9d34a5886f_r, pre-shared key reauthentication in 2 hours
         VTI[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
         VTI{1}:  INSTALLED, TUNNEL, ESP SPIs: c8031e20_i 37b2a5a2_o
         VTI{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 1848 bytes_o (22 pkts, 8s ago), rekeying in 44 minutes
         VTI{1}:   0.0.0.0/0 === 0.0.0.0/0 

I do have ESP coming in:

manowar python #  tcpdump -nNi netio0
error : ret -1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on netio0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:07:57.840726 IP 10.1.1.1 > 10.1.1.254: ESP(spi=0x37b2a5a2,seq=0x2bf), length 132
12:07:57.841405 IP 10.1.1.254 > 10.1.1.1: ESP(spi=0xc8031e20,seq=0x2bf), length 132
12:07:58.840971 IP 10.1.1.1 > 10.1.1.254: ESP(spi=0x37b2a5a2,seq=0x2c0), length 132
12:07:58.841336 IP 10.1.1.254 > 10.1.1.1: ESP(spi=0xc8031e20,seq=0x2c0), length 132

But it seems not to be decapsulated by the kernel.

Any ideas why?
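One check worth running on this setup, added here as an example and not part of Olivier's post: vti0 was created with ikey 32, and the kernel's vti driver uses that key as the packet mark when it looks up the inbound SA, so the inbound ESP state (SPI 0xc8031e20 in the capture above) must carry mark 0x20 or the ESP is dropped instead of decapsulated. The script parses `ip xfrm state` output; the sample below is constructed in the iproute2 format with the inbound SA deliberately lacking its mark, and the `sa_mark`/`check_sa_mark` names are the example's own.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): verify that each ESP state
# carries the mark the VTI expects (ikey/okey 32 -> mark 0x20).

# Constructed sample of `ip xfrm state` output (key material elided); the
# inbound SA (dst 10.1.1.1) has no mark line. Live use: XFRM_STATE="$(ip xfrm state)"
XFRM_STATE='src 10.1.1.1 dst 10.1.1.254
	proto esp spi 0x37b2a5a2 reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	mark 0x20/0xffffffff
	auth-trunc hmac(sha1) 0x... 96
	enc cbc(aes) 0x...
src 10.1.1.254 dst 10.1.1.1
	proto esp spi 0xc8031e20 reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0x... 96
	enc cbc(aes) 0x...'

# sa_mark STATE SPI: print the mark of the SA with that SPI, or "none"
sa_mark() {
    printf '%s\n' "$1" | awk -v spi="$2" '
        /^src /                    { insa = 0 }
        $1 == "proto" && $4 == spi { insa = 1 }
        insa && $1 == "mark"       { split($2, m, "/"); print m[1]; found = 1; exit }
        END                        { if (!found) print "none" }'
}

# check_sa_mark STATE SPI MARK: succeed only if the SA carries exactly MARK
check_sa_mark() {
    [ "$(sa_mark "$1" "$2")" = "$3" ]
}

# Report both SPIs seen in the tcpdump capture; on the sample the inbound one fails.
for spi in 0x37b2a5a2 0xc8031e20; do
    if check_sa_mark "$XFRM_STATE" "$spi" 0x20; then
        echo "SPI $spi: mark 0x20 present"
    else
        echo "SPI $spi: mark is $(sa_mark "$XFRM_STATE" "$spi"), expected 0x20"
    fi
done
```

strongSwan's route-based VPN documentation also recommends disabling policy lookups on the VTI (net.ipv4.conf.vti0.disable_policy=1), which is worth checking at the same time.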