<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi!<br>
<br>
I hate this VTI stuff. Only trouble and much too complex.<br>
Try disabling the policies on the vti0 interface. It's under proc/sys/class/net/..vti0/*{policies|xfrm}*<br>
<br>
Kind regards,<br>
<br>
André<br>
<br>
<div class="moz-cite-prefix">On 18.12.2014 at 09:04, Olivier PELERIN wrote:<br>
</div>
<blockquote cite="mid:DUB118-W29748B379C796D1759759C9B6A0@phx.gbl" type="cite"><style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style>
<div dir="ltr"><br>
Unfortunately that does not help. <br>
<br>
Stats are not showing any drops!<br>
<br>
manowar python # cat /sys/class/net/vti0/statistics/rx_bytes <br>
199752<br>
manowar python # ping 10.0.0.2 -I vti0<br>
PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 vti0: 56(84) bytes of data.<br>
^C<br>
--- 10.0.0.2 ping statistics ---<br>
2 packets transmitted, 0 received, 100% packet loss, time 999ms<br>
<br>
manowar python # cat /sys/class/net/vti0/statistics/rx_bytes <br>
199920<br>
<br>
All error counters under vti0 remain at zero.<br>
<br>
<div>
<hr id="stopSpelling">
Date: Wed, 17 Dec 2014 08:42:26 -0500<br>
Subject: Re: [strongSwan] Strongswan using VTI<br>
From: <a class="moz-txt-link-abbreviated" href="mailto:ryan@ryanruel.com">ryan@ryanruel.com</a><br>
To: <a class="moz-txt-link-abbreviated" href="mailto:olivier_pelerin@hotmail.com">
olivier_pelerin@hotmail.com</a><br>
CC: <a class="moz-txt-link-abbreviated" href="mailto:users@lists.strongswan.org">
users@lists.strongswan.org</a><br>
<br>
<div dir="ltr">When I've seen this happen before (interface sees the traffic, ping or some other process does not), it usually means it's getting dropped by the Kernel.
<div><br>
</div>
<div>It's usually RP-filtering... you can try to turn it off:</div>
<div><br>
</div>
<div># echo 0 > /proc/sys/net/ipv4/conf/vti/rp_filter</div>
<div># echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter</div>
<div><br>
</div>
<div>I wouldn't leave it off permanently, but it might help you get further with testing where the packets are going.</div>
<div><br>
</div>
<div>/Ryan</div>
</div>
<div class="ecxgmail_extra"><br>
<div class="ecxgmail_quote">On Wed, Dec 17, 2014 at 7:15 AM, Olivier PELERIN <span dir="ltr">
<<a moz-do-not-send="true" href="mailto:olivier_pelerin@hotmail.com" target="_blank">olivier_pelerin@hotmail.com</a>></span> wrote:
<blockquote class="ecxgmail_quote" style="border-left:1px
#ccc solid;padding-left:1ex;">
<div>
<div dir="ltr">Kernel-wise I'm on 3.18.1. I saw a few links on the internet about these PREROUTING mangle rules, but it's very unclear whether they're needed or not. I would assume the ikey in the ip tunnel command is enough.<br>
<br>
I've modified the config by specifying the local address (instead of using %any); I've now added left=10.1.1.1<br>
<br>
ipsec statusall<br>
Status of IKE charon daemon (strongSwan 5.2.2rc1, Linux 3.18.1-gentoo, x86_64):<br>
uptime: 2 minutes, since Dec 17 13:07:54 2014<br>
malloc: sbrk 2416640, mmap 0, used 377184, free 2039456<br>
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2<br>
loaded plugins: charon ldap aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic<br>
Listening IP addresses:<br>
192.168.255.134<br>
10.1.1.1<br>
10.0.0.1<br>
Connections:<br>
VTI: 10.1.1.1...10.1.1.254 IKEv2<br>
VTI: local: [10.1.1.1] uses pre-shared key authentication<br>
VTI: remote: [10.1.1.254] uses pre-shared key authentication<br>
VTI: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL<br>
Routed Connections:<br>
VTI{1}: ROUTED, TUNNEL<br>
VTI{1}: 0.0.0.0/0 === 0.0.0.0/0<br>
Security Associations (1 up, 0 connecting):<br>
VTI[1]: ESTABLISHED 2 minutes ago, 10.1.1.1[10.1.1.1]...10.1.1.254[10.1.1.254]<br>
VTI[1]: IKEv2 SPIs: 2be274863074302d_i* 720fa6a0e8c28b09_r, pre-shared key reauthentication in 2 hours<br>
VTI[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
VTI{1}: INSTALLED, TUNNEL, ESP SPIs: c8da39c8_i 938ec319_o<br>
VTI{1}: AES_CBC_256/HMAC_SHA1_96, 12848 bytes_i (152 pkts, 23s ago), 12348 bytes_o (147 pkts, 23s ago), rekeying in 39 minutes<br>
VTI{1}: 0.0.0.0/0 === 0.0.0.0/0<br>
<br>
<br>
Now I'm one step further. I see bytes_i and bytes_o increasing.<br>
<br>
Running tcpdump directly on the VTI interface, I see the echo reply arriving<br>
<br>
manowar python # tcpdump -nNi vti0<br>
error : ret -1<br>
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>
listening on vti0, link-type RAW (Raw IP), capture size 262144 bytes<br>
13:09:37.669100 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 18052, seq 4366, length 64<br>
13:09:37.669564 IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 18052, seq 4366, length 64<br>
13:09:38.669208 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 18052, seq 4367, length 64<br>
13:09:38.669691 IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 18052, seq 4367, length 64<br>
<br>
Still, the traffic seems not to reach the ping process<br>
<br>
ping 10.0.0.2 -I vti0<br>
PING 10.0.0.2 (10.0.0.2) from 10.0.0.1 vti0: 56(84) bytes of data.<br>
<br>
vti0 sees the traffic but not the ping process??<br>
<br>
<br>
<br>
<br>
<br>
<div>
<hr>
Subject: Re: [strongSwan] Strongswan using VTI<br>
From: <a moz-do-not-send="true" href="mailto:ryan0751@gmail.com" target="_blank">
ryan0751@gmail.com</a><br>
Date: Wed, 17 Dec 2014 06:50:47 -0500<br>
CC: <a moz-do-not-send="true" href="mailto:users@lists.strongswan.org" target="_blank">
users@lists.strongswan.org</a><br>
To: <a moz-do-not-send="true" href="mailto:olivier_pelerin@hotmail.com" target="_blank">
olivier_pelerin@hotmail.com</a><br>
<br>
I was just trying to get this to work the other day myself and also had problems with the routing.
<div><br>
<div>It wasn't clear to me if you still need to create the PREROUTING mangle rules, such as:</div>
<div>
<pre style="white-space:pre-wrap;background-color:rgb(255,255,255);"># mangle PREROUTING rules:
iptables -t mangle -A PREROUTING -s 192.168.10.0/24 -d 192.168.11.0/24 -j MARK --set-mark 32
iptables -t mangle -A PREROUTING -p esp -s 10.1.3.2 -d 10.1.1.2 -j MARK --set-mark 32</pre>
<div>From what I had read the Kernel might have been patched to no longer require this? </div>
</div>
<div><br>
</div>
<div>Have you checked the SA stats on the Linux box (setkey -D or using the ip xfrm command) to see if the packets are matching the SA and are being decrypted?</div>
<div><br>
</div>
<div>/Ryan</div>
<div><br>
<div>
<blockquote>
<div>On Dec 17, 2014, at 6:08 AM, Olivier PELERIN <<a moz-do-not-send="true" href="mailto:olivier_pelerin@hotmail.com" target="_blank">olivier_pelerin@hotmail.com</a>> wrote:</div>
<br>
<div>
<div dir="ltr" style="font-family:Calibri;font-size:16px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;">
Dear Strongswan alias,<br>
<br>
I'm trying a VTI config between a Linux box and a Cisco router.<br>
<br>
I've created a VTI interface on my linux<br>
<br>
ip tunnel add vti0 mode vti local 10.1.1.1 remote 10.1.1.254 okey 32 ikey 32<br>
ip link set vti0 up<br>
ip addr add 10.0.0.1/30 remote 10.0.0.2/30 dev vti0<br>
<br>
conn VTI<br>
keyexchange=ikev2<br>
ike=aes256-sha1-modp1024<br>
esp=aes256-sha1!<br>
leftid=10.1.1.1<br>
leftauth=psk<br>
leftsubnet=0.0.0.0/0<br>
rightauth=psk<br>
right=10.1.1.254<br>
rightid=10.1.1.254<br>
rightsubnet=0.0.0.0/0<br>
mark=32<br>
auto=route<br>
<br>
<br>
<br>
<br>
manowar python # ipsec statusall<br>
Status of IKE charon daemon (strongSwan 5.2.2rc1, Linux 3.18.1-gentoo, x86_64):<br>
uptime: 114 seconds, since Dec 17 11:53:47 2014<br>
malloc: sbrk 2416640, mmap 0, used 373840, free 2042800<br>
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2<br>
loaded plugins: charon ldap aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic<br>
Listening IP addresses:<br>
192.168.255.134<br>
10.1.1.1<br>
10.0.0.1<br>
Connections:<br>
VTI: %any...10.1.1.254 IKEv2<br>
VTI: local: [10.1.1.1] uses pre-shared key authentication<br>
VTI: remote: [10.1.1.254] uses pre-shared key authentication<br>
VTI: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL<br>
Routed Connections:<br>
VTI{1}: ROUTED, TUNNEL<br>
VTI{1}: 0.0.0.0/0 === 0.0.0.0/0<br>
Security Associations (1 up, 0 connecting):<br>
VTI[1]: ESTABLISHED 109 seconds ago, 10.1.1.1[10.1.1.1]...10.1.1.254[10.1.1.254]<br>
VTI[1]: IKEv2 SPIs: e1e9a005055323ab_i* 78c7cc9d34a5886f_r, pre-shared key reauthentication in 2 hours<br>
VTI[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
VTI{1}: INSTALLED, TUNNEL, ESP SPIs: c8031e20_i 37b2a5a2_o<br>
VTI{1}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 1848 bytes_o (22 pkts, 8s ago), rekeying in 44 minutes<br>
VTI{1}: 0.0.0.0/0 === 0.0.0.0/0<br>
<br>
<br>
I do have ESP in<br>
<br>
manowar python # tcpdump -nNi netio0<br>
error : ret -1<br>
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>
listening on netio0, link-type EN10MB (Ethernet), capture size 262144 bytes<br>
12:07:57.840726 IP 10.1.1.1 > 10.1.1.254: ESP(spi=0x37b2a5a2,seq=0x2bf), length 132<br>
12:07:57.841405 IP 10.1.1.254 > 10.1.1.1: ESP(spi=0xc8031e20,seq=0x2bf), length 132<br>
12:07:58.840971 IP 10.1.1.1 > 10.1.1.254: ESP(spi=0x37b2a5a2,seq=0x2c0), length 132<br>
12:07:58.841336 IP 10.1.1.254 > 10.1.1.1: ESP(spi=0xc8031e20,seq=0x2c0), length 132<br>
<br>
<br>
But it seems not to be decapsulated by the kernel.<br>
<br>
Any ideas why?<br>
</div>
<span>_______________________________________________</span><br>
<span>Users mailing list</span><br>
<a moz-do-not-send="true" href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a><br>
<a moz-do-not-send="true" href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a></div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="65535">Best regards
André Valentin
System Administration / Project Coordination
--
MarcanT GmbH, Ravensberger Str. 10 G, D - 33602 Bielefeld
Phone: +49 (521) 95945-0 | Fax: +49 (521) 95945-18
URL: <a class="moz-txt-link-freetext" href="http://www.marcant.net">http://www.marcant.net</a> | <a class="moz-txt-link-freetext" href="http://www.global-m2m.com">http://www.global-m2m.com</a>
Internet * Networks * Mobile Data
Citrix Silver Solution Advisor
Managing Director: Thorsten Hojas
Commercial register: AG Bielefeld, HRB 35827; VAT ID no.: DE 190203238
_____________________________________________________________________
Outside our business hours (Monday to Friday from 8:30 to 17:30,
except public holidays in NRW) we are available for faults and
emergencies in accordance with your respective service level agreements
at the telephone number communicated to you.
You can of course also open a ticket at any time at <a class="moz-txt-link-abbreviated" href="mailto:support@marcant.net">support@marcant.net</a>,
which will be processed on the next working day.
</pre>
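<br>
A diagnostic helper for the symptom this thread is about: ESP arrives, the decrypted echo reply is visible on vti0, the vti0 error counters stay at zero, and the ping socket still never sees the packet. This is an added example, not code from the thread or from the strongSwan project. It snapshots /proc/net/xfrm_stat around a probe ping so that the counter which actually absorbs the reply becomes visible (XfrmInNoPols or XfrmInTmplMismatch point at the inbound xfrm policy lookup, XfrmInNoStates at an SA or mark mismatch, XfrmInStateSeqError at anti-replay), and it reads the two per-interface sysctls the replies above touch: rp_filter, which Ryan suggests turning off, and disable_policy, which I assume is the "policies" knob André is hinting at. Assumptions beyond the thread: a Linux kernel built with CONFIG_XFRM_STATISTICS, root for the live probe, and the interface and peer address from the thread (vti0, 10.0.0.2); XFRM_STAT and SYSCTL_BASE are hypothetical overrides added here so the parsing part can also be run against saved snapshots.<br>
<br>
```shell
#!/bin/sh
# vti-diag.sh: added example, not part of strongSwan or of this thread.
# Narrows down where a packet that was decrypted and delivered on the VTI
# gets dropped before it reaches the socket. Assumes Linux with
# CONFIG_XFRM_STATISTICS (/proc/net/xfrm_stat) and root for the live probe.

# Overridable paths (hypothetical knobs added for this example) so the
# parsing can also be run against saved snapshots on a non-root box.
XFRM_STAT=${XFRM_STAT:-/proc/net/xfrm_stat}
SYSCTL_BASE=${SYSCTL_BASE:-/proc/sys/net/ipv4/conf}

# xfrm_stat_diff BEFORE AFTER
# Prints "COUNTER INCREASE" for every xfrm_stat counter that grew between the
# two snapshots. Counters that matter for this symptom:
#   XfrmInNoPols / XfrmInTmplMismatch  decrypted, then dropped by the inbound
#                                      xfrm policy lookup (the check that
#                                      disable_policy=1 on the VTI skips)
#   XfrmInNoStates                     no SA matched SPI/mark (tunnel key
#                                      vs. the mark= in ipsec.conf)
#   XfrmInStateSeqError                rejected by the anti-replay window
xfrm_stat_diff() {
    awk 'FILENAME == ARGV[1] { before[$1] = $2; next }
         ($2 + 0) > (before[$1] + 0) { print $1, $2 - before[$1] }' "$1" "$2"
}

# xfrm_probe "COMMAND"
# Snapshots xfrm_stat, runs COMMAND, snapshots again, prints what moved.
xfrm_probe() {
    b=$(mktemp) && a=$(mktemp) || return 1
    cat "$XFRM_STAT" > "$b"
    sh -c "$1" > /dev/null 2>&1
    cat "$XFRM_STAT" > "$a"
    xfrm_stat_diff "$b" "$a"
    rm -f "$b" "$a"
}

# check_vti_sysctls DEV
# Prints the two per-interface sysctls that decide whether a packet coming
# out of the VTI is allowed to continue, and succeeds only when both are set
# the way a route-based setup wants them: rp_filter=0 (the reverse-path
# check suggested earlier in the thread) and disable_policy=1 (skip the
# inbound policy check; my assumption is that this is the "policies" knob
# André refers to). Missing files are reported as "?".
check_vti_sysctls() {
    dev=$1
    rp=$(cat "$SYSCTL_BASE/$dev/rp_filter" 2>/dev/null || echo '?')
    dp=$(cat "$SYSCTL_BASE/$dev/disable_policy" 2>/dev/null || echo '?')
    echo "$dev rp_filter=$rp disable_policy=$dp"
    [ "$rp" = 0 ] && [ "$dp" = 1 ]
}

# Live usage on the gateway (interface and peer taken from the thread):
#   sh vti-diag.sh vti0 10.0.0.2
if [ -n "$1" ] && [ -n "$2" ]; then
    check_vti_sysctls "$1" || echo "   -> $1 sysctls are not the route-based settings"
    echo "--- xfrm_stat counters that moved during: ping -c 3 -I $1 $2 ---"
    xfrm_probe "ping -c 3 -I $1 $2"
fi
```
<br>
Run it as root on the Linux side while the SA is up. An XfrmIn* counter moving during a ping that tcpdump shows being answered is the kernel telling you where the reply died; if nothing in xfrm_stat moves and rp_filter is non-zero on vti0, the reverse-path check is the next suspect, and the vti0 interface counters (which stay at zero in this thread) will not show either of those drops.<br>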
</body>
</html>