<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>
<p>Dear strongSwan alias,</p>
<p>I'm trying a VTI config between a Linux box and a Cisco router.</p>
<p>I've created a VTI interface on my Linux box:</p>
<pre>ip tunnel add vti0 mode vti local 10.1.1.1 remote 10.1.1.254 okey 32 ikey 32
ip link set vti0 up
ip addr add 10.0.0.1/30 remote 10.0.0.2/30 dev vti0</pre>
<p>The connection definition:</p>
<pre>conn VTI
    keyexchange=ikev2
    ike=aes256-sha1-modp1024
    esp=aes256-sha1!
    leftid=10.1.1.1
    leftauth=psk
    leftsubnet=0.0.0.0/0
    rightauth=psk
    right=10.1.1.254
    rightid=10.1.1.254
    rightsubnet=0.0.0.0/0
    mark=32
    auto=route</pre>
<pre>manowar python # ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2rc1, Linux 3.18.1-gentoo, x86_64):
  uptime: 114 seconds, since Dec 17 11:53:47 2014
  malloc: sbrk 2416640, mmap 0, used 373840, free 2042800
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon ldap aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  192.168.255.134
  10.1.1.1
  10.0.0.1
Connections:
         VTI:  %any...10.1.1.254  IKEv2
         VTI:   local:  [10.1.1.1] uses pre-shared key authentication
         VTI:   remote: [10.1.1.254] uses pre-shared key authentication
         VTI:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL
Routed Connections:
      VTI{1}:  ROUTED, TUNNEL
      VTI{1}:   0.0.0.0/0 === 0.0.0.0/0
Security Associations (1 up, 0 connecting):
      VTI[1]: ESTABLISHED 109 seconds ago, 10.1.1.1[10.1.1.1]...10.1.1.254[10.1.1.254]
      VTI[1]: IKEv2 SPIs: e1e9a005055323ab_i* 78c7cc9d34a5886f_r, pre-shared key reauthentication in 2 hours
      VTI[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      VTI{1}:  INSTALLED, TUNNEL, ESP SPIs: c8031e20_i 37b2a5a2_o
      VTI{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 1848 bytes_o (22 pkts, 8s ago), rekeying in 44 minutes
      VTI{1}:   0.0.0.0/0 === 0.0.0.0/0</pre>
<p>I do have ESP in:</p>
<pre>manowar python # tcpdump -nNi netio0
error : ret -1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on netio0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:07:57.840726 IP 10.1.1.1 > 10.1.1.254: ESP(spi=0x37b2a5a2,seq=0x2bf), length 132
12:07:57.841405 IP 10.1.1.254 > 10.1.1.1: ESP(spi=0xc8031e20,seq=0x2bf), length 132
12:07:58.840971 IP 10.1.1.1 > 10.1.1.254: ESP(spi=0x37b2a5a2,seq=0x2c0), length 132
12:07:58.841336 IP 10.1.1.254 > 10.1.1.1: ESP(spi=0xc8031e20,seq=0x2c0), length 132</pre>
<p>But it seems not to be decapsulated by the kernel.</p>
<p>Any ideas why?</p>
</div></body>
</html>
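The mail shows the two things an operator has to keep consistent in a strongSwan VTI setup: the `ikey`/`okey` the VTI device was created with and the `mark=` strongSwan installs on the kernel's XFRM SAs, plus the symptom that the inbound SA counts `0 bytes_i` while ESP is visibly arriving on the wire. The following script is an added diagnostic, not part of the original mail or of strongSwan: it cross-checks the VTI keys against the SA marks and flags an inbound SA that stays idle while its outbound partner carries traffic. It parses the text of `ip tunnel show <dev>` and `ip -s xfrm state`; the exact iproute2 output formats (`key N` / `ikey N okey N`, `mark 0x../0x..`, `lifetime current:` counters) are assumptions noted in the comments, and the sample outputs are constructed to mirror the values in the mail (SPIs, mark 0x20, byte counters). `LOCAL`, `check_vti` and `check_live` are names chosen here.

```python
"""Consistency check for a strongSwan VTI: VTI ikey/okey vs. XFRM SA marks,
and inbound vs. outbound SA byte counters (added diagnostic, not from the mail)."""
import ipaddress
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCAL = "10.1.1.1"  # this host's tunnel endpoint, as in the mail's config


@dataclass
class Sa:
    src: str
    dst: str
    spi: int
    mark: Optional[int]  # None when the SA carries no mark
    bytes_cur: int       # "lifetime current" byte counter


def _key_to_int(token: str) -> int:
    # Assumption: `ip tunnel show` prints keys as plain integers, while
    # `ip -d link show` prints them as dotted quads; accept both.
    if token.isdigit():
        return int(token)
    return int(ipaddress.IPv4Address(token))


def parse_vti_keys(text: str) -> Tuple[int, int]:
    """(ikey, okey) from `ip tunnel show <dev>`; a single 'key N' means both."""
    i = re.search(r"\bikey (\S+)", text)
    o = re.search(r"\bokey (\S+)", text)
    if i or o:
        return (_key_to_int(i.group(1)) if i else 0,
                _key_to_int(o.group(1)) if o else 0)
    k = re.search(r"\bkey (\S+)", text)
    key = _key_to_int(k.group(1)) if k else 0
    return key, key


def parse_xfrm_states(text: str) -> List[Sa]:
    """One Sa per 'src ... dst ...' block of `ip -s xfrm state` output."""
    sas = []
    for block in re.split(r"(?m)^(?=src )", text.strip()):
        head = re.match(r"src (\S+) dst (\S+)", block)
        spi = re.search(r"\bspi (0x[0-9a-fA-F]+)", block)
        if not (head and spi):
            continue
        mark = re.search(r"\bmark (0x[0-9a-fA-F]+)/", block)   # "mark 0x20/0xffffffff"
        cur = re.search(r"lifetime current:\s+(\d+)\(bytes\)", block)
        sas.append(Sa(head.group(1), head.group(2), int(spi.group(1), 16),
                      int(mark.group(1), 16) if mark else None,
                      int(cur.group(1)) if cur else 0))
    return sas


def check_vti(tunnel_text: str, xfrm_text: str, local: str = LOCAL) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    ikey, okey = parse_vti_keys(tunnel_text)
    findings, inbound, outbound = [], None, None
    for sa in parse_xfrm_states(xfrm_text):
        if sa.dst == local:          # traffic towards us: decapsulated by this SA
            direction, expected, inbound = "inbound", ikey, sa
        elif sa.src == local:        # traffic we encapsulate
            direction, expected, outbound = "outbound", okey, sa
        else:
            continue                 # SA for some other tunnel
        if (sa.mark or 0) != expected:
            findings.append(f"{direction} SA spi 0x{sa.spi:x} has mark "
                            f"{sa.mark or 0}, VTI key is {expected}")
    if inbound and outbound and outbound.bytes_cur > 0 and inbound.bytes_cur == 0:
        findings.append(f"inbound SA spi 0x{inbound.spi:x} has counted 0 bytes while "
                        f"outbound spi 0x{outbound.spi:x} counted {outbound.bytes_cur}: "
                        "ESP that arrives is not being matched to this SA")
    return findings


def check_live(dev: str = "vti0", local: str = LOCAL) -> List[str]:
    """Same check against the running kernel (needs iproute2 and root)."""
    tun = subprocess.run(["ip", "tunnel", "show", dev],
                         capture_output=True, text=True, check=True).stdout
    xfrm = subprocess.run(["ip", "-s", "xfrm", "state"],
                          capture_output=True, text=True, check=True).stdout
    return check_vti(tun, xfrm, local)


# Constructed samples mirroring the mail: vti0 keyed 32/32, strongSwan mark=32
# (0x20) on both SAs, inbound SA idle, outbound SA carrying 22 packets.
SAMPLE_TUNNEL = "vti0: ip/ip remote 10.1.1.254 local 10.1.1.1 ttl inherit key 32\n"
SAMPLE_XFRM = """\
src 10.1.1.1 dst 10.1.1.254
    proto esp spi 0x37b2a5a2 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    mark 0x20/0xffffffff
    auth-trunc hmac(sha1) 0xKEY_ELIDED 96
    enc cbc(aes) 0xKEY_ELIDED
    lifetime current:
      1848(bytes), 22(packets)
      add 2014-12-17 11:53:50 use 2014-12-17 11:55:34
src 10.1.1.254 dst 10.1.1.1
    proto esp spi 0xc8031e20 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    mark 0x20/0xffffffff
    auth-trunc hmac(sha1) 0xKEY_ELIDED 96
    enc cbc(aes) 0xKEY_ELIDED
    lifetime current:
      0(bytes), 0(packets)
      add 2014-12-17 11:53:50 use -
"""

if __name__ == "__main__":
    for line in check_vti(SAMPLE_TUNNEL, SAMPLE_XFRM) or ["no findings"]:
        print(line)
```

On the constructed sample the marks agree with the VTI keys, so the only finding is the idle inbound SA, which is exactly the `0 bytes_i` the mail's `ipsec statusall` shows; a mark that differs from the key produces a separate finding per SA so the two failure modes are not confused.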