<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">I was just trying to get this to work the other day myself and also had problems with the routing.<div class=""><br class=""><div class="">It wasn’t clear to me if you still need to create the PREROUTING mangle rules. such as:</div><div class=""><pre style="white-space: pre-wrap; background-color: rgb(255, 255, 255);" class=""># mangle PREROUTING rules:
iptables -t mangle -A PREROUTING -s 192.168.10.0/24 -d 192.168.11.0/24
-j MARK --set-mark 32
iptables -t mangle -A PREROUTING -p esp -s 10.1.3.2 -d 10.1.1.2 -j MARK
--set-mark 32</pre><div class="">From what I had read the Kernel might have been patched to no longer require this? </div></div><div class=""><br class=""></div><div class="">Have you checked the SA stats on the Linux box (setkey -D or using the ip xfrm command) to see if the packets are matching the SA and are being decrypted?</div><div class=""><br class=""></div><div class="">/Ryan</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Dec 17, 2014, at 6:08 AM, Olivier PELERIN <<a href="mailto:olivier_pelerin@hotmail.com" class="">olivier_pelerin@hotmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" style="font-family: Calibri; font-size: 16px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">Dear Strongswan alias,<br class=""><br class="">I'm trying a VTI config between a linux box and a cisco router.<span class="Apple-converted-space"> </span><br class=""><br class="">I've created a VTI interface on my linux<br class=""><br class="">ip tunnel add vti0 mode vti local 10.1.1.1 remote 10.1.1.254 okey 32 ikey 32<br class=""> ip link set vti0 up<br class=""> ip addr add 10.0.0.1/30 remote 10.0.0.2/30 dev vti0<br class=""><br class="">conn VTI<br class=""> keyexchange=ikev2<br class=""> ike=aes256-sha1-modp1024<br class=""> esp=aes256-sha1!<br class=""> leftid=10.1.1.1<br class=""> leftauth=psk<br class=""> leftsubnet=0.0.0.0/0<br class=""> rightauth=psk<br class=""> right=10.1.1.254<br class=""> rightid=10.1.1.254<br class=""> rightsubnet=0.0.0.0/0<br class=""> mark=32<br class=""> auto=route<br class=""><br class=""><br class=""><br class=""><br class="">manowar python # ipsec statusall<br class="">Status of IKE charon daemon (strongSwan 5.2.2rc1, Linux 3.18.1-gentoo, x86_64):<br class=""> uptime: 114 seconds, since Dec 17 11:53:47 2014<br class=""> malloc: sbrk 2416640, mmap 0, used 373840, free 2042800<br class=""> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2<br class=""> loaded plugins: charon ldap aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic<br class="">Listening IP addresses:<br class=""> 192.168.255.134<br class=""> 10.1.1.1<br class=""> 10.0.0.1<br class="">Connections:<br class=""> VTI: %any...10.1.1.254 IKEv2<br class=""> VTI: local: [10.1.1.1] uses pre-shared key authentication<br class=""> VTI: remote: [10.1.1.254] uses pre-shared key authentication<br class=""> VTI: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL<br class="">Routed Connections:<br class=""> VTI{1}: ROUTED, TUNNEL<br class=""> VTI{1}: 0.0.0.0/0 === 0.0.0.0/0<span class="Apple-converted-space"> </span><br class="">Security Associations (1 up, 0 connecting):<br class=""> VTI[1]: ESTABLISHED 109 seconds ago, 10.1.1.1[10.1.1.1]...10.1.1.254[10.1.1.254]<br class=""> VTI[1]: IKEv2 SPIs: e1e9a005055323ab_i* 78c7cc9d34a5886f_r, pre-shared key reauthentication in 2 hours<br class=""> VTI[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br class=""> VTI{1}: INSTALLED, TUNNEL, ESP SPIs: c8031e20_i 37b2a5a2_o<br class=""> VTI{1}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 1848 bytes_o (22 pkts, 8s ago), rekeying in 44 minutes<br class=""> VTI{1}: 0.0.0.0/0 === 0.0.0.0/0<span class="Apple-converted-space"> </span><br class=""><br class=""><br class="">I do have ESP in<span class="Apple-converted-space"> </span><br class=""><br class="">manowar python # tcpdump -nNi netio0<br class="">error : ret -1<br class="">tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br class="">listening on netio0, link-type EN10MB (Ethernet), capture size 262144 bytes<br class="">12:07:57.840726 IP 10.1.1.1 > 10.1.1.254: ESP(spi=0x37b2a5a2,seq=0x2bf), length 132<br class="">12:07:57.841405 IP 10.1.1.254 > 10.1.1.1: ESP(spi=0xc8031e20,seq=0x2bf), length 132<br class="">12:07:58.840971 IP 10.1.1.1 > 10.1.1.254: ESP(spi=0x37b2a5a2,seq=0x2c0), length 132<br class="">12:07:58.841336 IP 10.1.1.254 > 10.1.1.1: ESP(spi=0xc8031e20,seq=0x2c0), length 132<br class=""><br class=""><br class="">But it seems not be decapsulated by the kernel.<br class=""><br class="">Any ideas why?<br class=""></div><span style="font-family: Calibri; font-size: 16px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">_______________________________________________</span><br style="font-family: Calibri; font-size: 16px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Calibri; font-size: 16px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Users mailing list</span><br style="font-family: Calibri; font-size: 16px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><a href="mailto:Users@lists.strongswan.org" style="font-family: Calibri; font-size: 16px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">Users@lists.strongswan.org</a><br style="font-family: Calibri; font-size: 16px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><a href="https://lists.strongswan.org/mailman/listinfo/users" style="font-family: Calibri; font-size: 16px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">https://lists.strongswan.org/mailman/listinfo/users</a></div></blockquote></div><br class=""></div></div></body></html>