<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-8859-1"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Lucida Console";
panose-1:2 11 6 9 4 5 4 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>Sorry to bring this topic up again, but here it goes…<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>Alright, there seems to be issues with strongSwan 5.2 on the way how it sets up a Cisco VTI tunnel. I was able to get a working VTI tunnel established between 2 VyOS 1.1 machines that has strongSwan 4.5.2 bundled. The kernel version used in VyOS 1.1 is the 3.13 series.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>The following is the relevant ipsec.conf section VyOS 1.1 generates with the 4.5.2 stack:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>conn peer-192.168.14.2-tunnel-vti<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> left=192.168.14.1<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> right=192.168.14.2<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> leftsubnet=0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> rightsubnet=0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> ike=aes128-sha1-modp1024!<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> keyexchange=ikev1<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> ikelifetime=28800s<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> esp=aes256-sha1!<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> keylife=3600s<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> rekeymargin=540s<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> type=tunnel<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> pfs=yes<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> pfsgroup=modp1024<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> compress=no<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> authby=secret<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> mark=9437185<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> leftupdown="/usr/lib/ipsec/vti-up-down vti0"<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> auto=start<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> keyingtries=%forever<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>The following is the output from the ip xfrm policy command:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> dir out priority 2051 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> mark 9437185/0xffffffff<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> tmpl src 192.168.14.1 dst 192.168.14.2<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> proto esp reqid 16388 mode tunnel<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> dir fwd priority 2051 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> mark 9437185/0xffffffff<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> tmpl src 192.168.14.2 dst 192.168.14.1<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> proto esp reqid 16388 mode tunnel<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> dir in priority 2051 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> mark 9437185/0xffffffff<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> tmpl src 192.168.14.2 dst 192.168.14.1<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> proto esp reqid 16388 mode tunnel<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src ::/0 dst ::/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket out priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src ::/0 dst ::/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket in priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket out priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket in priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket out priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket in priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket out priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket in priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src ::/0 dst ::/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket in priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src ::/0 dst ::/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket out priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src ::/0 dst ::/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket in priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src ::/0 dst ::/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket out priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src ::/0 dst ::/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket in priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src ::/0 dst ::/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket out priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket in priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket out priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket in priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket out priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket in priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket out priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>The VTI tunnel was brought up by this command:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>/sbin/ip link add $tunName type vti local $lip remote $peer okey $genmark<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>Where $tunName is vti0, $lip (192.168.14.1) is the host’s local IP and $peer (192.168.14.2) is the Remote peer’s address and $genmark (9437185) is the xfrm policy mark.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>In the case outlined above, both ends can ping each other with the IP addresses assigned inside the VTI tunnel. Everything else works just fine.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>However once we switch gears to a build of VyOS that is strongSwan 5.x aware, the configuration as follows breaks. What’s worse is both ends can’t ping anything other than the two peer’s addresses that are not specified inside the VTI tunnel. In both ends ring returns with a TTL exceeded in transit error.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>The following is the relevant ipsec.conf section for the strongSwan 5.2.2 IPsec stac:<br><br><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>conn peer-192.168.14.2-tunnel-vti<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> left=192.168.14.1<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> right=192.168.14.2<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> leftsubnet=0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> rightsubnet=0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> ike=aes128-sha1-modp1024!<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> keyexchange=ikev1<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> ikelifetime=28800s<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> esp=aes256-sha1,modp1024!<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> keylife=3600s<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> rekeymargin=540s<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> type=tunnel<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> compress=no<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> authby=secret<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> mark=9437185<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> leftupdown="/usr/lib/ipsec/vti-up-down vti0"<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> auto=start<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> keyingtries=%forever<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> <o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>ip xfrm policy output of the machine with the 5.2.2 stack:<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> dir fwd priority 3075 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> mark 9437185/0xffffffff<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> tmpl src 192.168.14.2 dst 192.168.14.1<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> proto esp reqid 4 mode tunnel<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> dir in priority 3075 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> mark 9437185/0xffffffff<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> tmpl src 192.168.14.2 dst 192.168.14.1<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> proto esp reqid 4 mode tunnel<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> dir out priority 3075 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> mark 9437185/0xffffffff<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> tmpl src 192.168.14.1 dst 192.168.14.2<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> proto esp reqid 4 mode tunnel<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket in priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket out priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket in priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src 0.0.0.0/0 dst 0.0.0.0/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket out priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src ::/0 dst ::/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket in priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src ::/0 dst ::/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket out priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src ::/0 dst ::/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket in priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>src ::/0 dst ::/0<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'> socket out priority 0 ptype main<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Lucida Console"'>One thing to note in particular in both cases – VyOS does not delete the default route in table 220 as generated by strongSwan. I suspect for some reason the way how the VTI tunnels are configured is causing the network stack not to redirect marked packets to the VTI tunnel interface.<br><br>If additional information is needed, please feel free to reply to this thread and ask for the missing information. I would be glad to provide you the missing information since strongSwan 5.2.2 may eventually end up in VyOS 1.3 or EdgeOS 1.8 releases. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> users-bounces@lists.strongswan.org [mailto:users-bounces@lists.strongswan.org] <b>On Behalf Of </b>Olivier PELERIN<br><b>Sent:</b> Wednesday, February 25, 2015 05:36<br><b>To:</b> André Valentin; users@lists.strongswan.org<br><b>Subject:</b> Re: [strongSwan] Strongswan using VTI - got it working!<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-family:"Calibri","sans-serif"'>Hello,<br><br>Apologize for the huge delay but I had many things going on. I will try to restart my environment in a few days. I will paste the Cisco config + the Strongswan side. I'm sure it can be useful for someone.<br><br>Regards<o:p></o:p></span></p><div><div class=MsoNormal align=center style='text-align:center'><span style='font-family:"Calibri","sans-serif"'><hr size=2 width="100%" align=center id=stopSpelling></span></div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-family:"Calibri","sans-serif"'>Date: Fri, 19 Dec 2014 15:37:32 +0100<br>From: <a href="mailto:avalentin@marcant.net">avalentin@marcant.net</a><br>To: <a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a><br>Subject: Re: [strongSwan] Strongswan using VTI - got it working!<br><br>Hi!<br><br>It would be wonderful if you could document your setup in an email to the list, inluding kernel version. I would even create an Wiki Article for it, if it's allowed.<br><br>Kind regards,<br><br>André<o:p></o:p></span></p><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Am 19.12.2014 um 15:11 schrieb Olivier PELERIN:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-family:"Calibri","sans-serif"'>Thanks Martin!<br><br>Quick question, If I understand you well, it's a global setting. <br>Are you planning to add a knob under the conn itself? It would be nice to be able to control it per conn.<br><br>Regards,<br><br>Olivier<o:p></o:p></span></p><div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>> Subject: Re: [strongSwan] Strongswan using VTI - got it working!<br>> From: <a href="mailto:martin@strongswan.org">martin@strongswan.org</a><br>> To: <a href="mailto:olivier_pelerin@hotmail.com">olivier_pelerin@hotmail.com</a><br>> CC: <a href="mailto:schwarz@gaertner.de">schwarz@gaertner.de</a>; <a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>; <a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a><br>> Date: Fri, 19 Dec 2014 15:07:09 +0100<br>> <br>> <br>> > Question: what is the use of that table 220? Do we have a CLI to avoid<br>> > Strongswan installing that route? It's not necessary in case of VTI.<br>> <br>> strongSwan installs routes for negotiated policies to a dedicated<br>> routing table mainly for two reasons:<br>> * Avoid any conflicts with the main routing table, for example<br>> with the default route<br>> * Ignore routes from this table when doing route lookups for IKE<br>> traffic; IKE packets should always bypass the tunnel.<br>> <br>> To disable automatic route installation, set the install_routes option<br>> to no in the strongswan.conf "charon" section. The routing_table and<br>> routing_table_prio options allow you to customize installation of<br>> routes.<br>> <br>> Regards<br>> Martin<br>> <o:p></o:p></span></p></div></div><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><br><br><o:p></o:p></span></p><pre>_______________________________________________<o:p></o:p></pre><pre>Users mailing list<o:p></o:p></pre><pre><a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><o:p></o:p></pre><pre><a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><o:p></o:p></pre></blockquote><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'><br><br>Mit freundlichen Grüßen<br>André Valentin<br>Systemadministrator<br>-- <br>MarcanT GmbH, Ravensberger Str. 10 G, D - 33602 Bielefeld<br>Fon: +49 (521) 95945-0 | Fax: +49 (521) 95945-18<br>URL: <a href="http://www.marcant.net">http://www.marcant.net</a> | <a href="http://www.global-m2m.com">http://www.global-m2m.com</a><br><br>Internet * Netzwerk * Mobile Daten<br>Citrix Silver Solution Advisor<br><br>Geschäftsführer: Thorsten Hojas<br>Handelsregister: AG Bielefeld, HRB 35827 USt-ID Nr.: DE 190203238<br>___________________________________________________________<br>Ausserhalb unserer Geschäftszeiten (Montag bis Freitag von 8:30 Uhr bis<br>17:30 Uhr, ausgenommen gesetzliche Feiertage in NRW) stehen wir Ihnen<br>gemäß Ihrer jeweiligen Service-Level-Agreements unter der Ihnen<br>mitgeteilten Telefonnummer für Störungen und Notfälle zur Verfügung.<br>Sie können natürlich auch gerne jederzeit unter <a href="mailto:support@marcant.net">support@marcant.net</a> ein<br>Ticket eröffnen, welches am nächsten Arbeitstag bearbeitet wird.<br><br>_______________________________________________ Users mailing list <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <a href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a><o:p></o:p></span></p></div></div></div></div></body></html>