<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font size="-1">Hello,<br>
<br>
I have a working IPsec setup (IPv4 Net-Net over IPv6 Host-Host tunnel) including a properly configured firewall.<br>
It's been running fine for some months, but now I have a new requirement that needs Virtual Transport Interfaces (VTI) on both sides of the tunnel.<br>
Sadly I am really struggling with this part, having spent multiple days already trying to figure out why it's not working.<br>
<br>
Some useful information:<br>
<br>
* Firewall is deactivated (accepting everything)<br>
* Mangle table is empty<br>
* strongSwan 5.5.3<br>
* Linux kernel 4.4.X<br>
* Using the following guide:<br>
<a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN">https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN</a><br>
<br>
The VTI name is ipsec0 and traffic is routed to the interface properly.<br>
tcpdump shows lots of packets from 10.159.5.0/24 to 10.159.6.0/24 on interface ipsec0.<br>
My problem is that the VTI seems to be a <b>black hole</b> at the moment.<br>
Packets just disappear in the tunnel interface and the RX error counter is rising quickly:<br>
</font><br>
<font size="-2"><font size="-1"><pre>
~ # ip -6 -s tunnel show ipsec0
ipsec0: ipv6/ipv6 remote ####:####:####:100::7 local ####:####:####:2405::7 encaplimit 0 hoplimit 0 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
RX: Packets    Bytes      <b>Errors</b>     CsumErrs   OutOfSeq   Mcasts
    0          0          <b>1198</b>       0          0          0
TX: Packets    Bytes      Errors     DeadLoop   NoRoute    NoBufs
    358        56650      0          0          0          0
</pre>
So far I have no idea what's going on, and I have tried changing options for days, always with the same results.<br>
Maybe someone is running a similar setup and can provide some hints?<br>
Is there a way to find out what exactly those errors are?<br>
<br>
Many Thanks,<br>
Benjamin<br>
<br>
<b>Configuration:</b><br>
--------------------------------<br>
<br>
<pre>
# <b>strongswan.conf</b> - strongSwan configuration file

charon {
    load_modular = yes
    <b>install_routes = no</b>
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf
</pre>
<br>
--------------------------------<br>
<br>
<pre>
# <b>ipsec.conf</b> - strongSwan IPsec configuration file

config setup

ca heliocloud
    cacert=#######.crt
    auto=add

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=%forever
    keyexchange=ikev2
    mobike=no
    compress=yes

conn net-net
    also=host-host
    leftsubnet=10.159.5.0/24
    rightsubnet=10.159.6.0/24
    auto=start
    <b>mark=1</b>

conn host-host
    left=####:####:####:100::7
    leftcert=#######.crt
    right=####:####:####:2405::7
    auto=add
</pre>
<br>
--------------------------------<br>
<br>
<pre>
modprobe ip6_vti
ip -6 tunnel add ipsec0 local ####:####:####:100::7 remote ####:####:####:2405::7 mode vti6 <b>key 1</b>
ip link set ipsec0 up
ip route add 10.159.6.0/24 dev ipsec0
</pre>
<br>
--------------------------------<br>
<br>
<pre>
3: ip6tnl0@NONE: &lt;NOARP&gt; mtu 1452 qdisc noop state DOWN group default qlen 1
    link/tunnel6 :: brd ::
4: ip6_vti0@NONE: &lt;NOARP&gt; mtu 1500 qdisc noop state DOWN group default qlen 1
    link/tunnel6 :: brd ::
8: ipsec0@NONE: &lt;POINTOPOINT,NOARP,UP,LOWER_UP&gt; mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1
    link/tunnel6 ####:####:####:100::7 peer ####:####:####:2405::7
    inet6 fe80::2201:bff:fec8:2357/64 scope link
       valid_lft forever preferred_lft forever
</pre>
</font></font>
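<br>
<font size="-1">Added example, not part of Benjamin's post and not strongSwan's own code. The kernel raises the RX error counter of a vti/vti6 interface when XFRM input processing of a received packet fails, and the reason for that failure is counted in /proc/net/xfrm_stat (the XfrmIn* counters). The script below does the two checks a practitioner would run first on a black-holing VTI: it confirms that the marks strongSwan put on the SAs (<tt>ip xfrm state</tt>) and policies (<tt>ip xfrm policy</tt>) are selected by the VTI's key, and it lists the non-zero XfrmIn* counters. The sample texts are constructed to mimic the layout of those commands for the net-net conn above with mark=1; 2001:db8::/32 stands in for the masked addresses, and the SPIs and counter values are made up.<br>
<br>
</font>
```python
"""Attribute RX errors on a vti/vti6 interface to their XFRM cause.

Added example, not from the original post or from strongSwan. On output
the vti sets skb->mark to its okey; on input the kernel looks the SA up
with the vti's ikey in place of the mark. Either way an SA or policy is
selected when (mark & mask) == value, so a key that does not select the
SAs/policies strongSwan installed leaves the VTI as a black hole.
"""
import re

# "\tmark 0x1/0xffffffff" as printed by `ip xfrm state` / `ip xfrm policy`
MARK_RE = re.compile(r"^\s*mark\s+0x([0-9a-fA-F]+)/0x([0-9a-fA-F]+)", re.M)
SRC_DST_RE = re.compile(r"^src\s+(\S+)\s+dst\s+(\S+)", re.M)
DIR_RE = re.compile(r"^\s*dir\s+(\w+)", re.M)
# "XfrmInNoPols                \t0" as printed by /proc/net/xfrm_stat
STAT_RE = re.compile(r"^(Xfrm\w+)\s+(\d+)\s*$", re.M)


def split_entries(text):
    """One string per SA/policy: every entry starts with an unindented
    'src ... dst ...' line and its remaining lines are indented."""
    entries, current = [], []
    for line in text.splitlines():
        if line.startswith("src ") and current:
            entries.append("\n".join(current))
            current = []
        if line.strip():
            current.append(line)
    if current:
        entries.append("\n".join(current))
    return entries


def entry_mark(entry):
    """(value, mask) of an entry's mark; no mark line means 0/0, which the
    kernel treats as 'matches any mark'."""
    m = MARK_RE.search(entry)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else (0, 0)


def check_marks(vti_key, xfrm_state_text, xfrm_policy_text):
    """Return the SAs and policies that a VTI with key `vti_key` would
    not select (states first, then policies, in the order printed)."""
    problems = []
    for kind, text in (("state", xfrm_state_text), ("policy", xfrm_policy_text)):
        for entry in split_entries(text):
            value, mask = entry_mark(entry)
            if (vti_key & mask) != value:
                sd = SRC_DST_RE.search(entry)
                where = f"{sd.group(1)} -> {sd.group(2)}" if sd else "?"
                d = DIR_RE.search(entry)
                if d:
                    where += f" ({d.group(1)})"
                problems.append(f"{kind} {where}: mark 0x{value:x}/0x{mask:x} "
                                f"does not match VTI key 0x{vti_key:x}")
    return problems


def nonzero_xfrm_stats(xfrm_stat_text):
    """Non-zero counters from /proc/net/xfrm_stat (`nstat -az | grep Xfrm`
    shows the same); the XfrmIn* ones account for VTI RX errors."""
    return {name: int(val) for name, val in STAT_RE.findall(xfrm_stat_text)
            if int(val) != 0}


def report(vti_key, xfrm_state_text, xfrm_policy_text, xfrm_stat_text):
    """Plain-text summary of both checks, one finding per line."""
    problems = check_marks(vti_key, xfrm_state_text, xfrm_policy_text)
    lines = ["mark/key check: " + ("ok" if not problems
                                   else f"{len(problems)} mismatch(es)")]
    lines.extend("  " + p for p in problems)
    inbound = {k: v for k, v in nonzero_xfrm_stats(xfrm_stat_text).items()
               if k.startswith("XfrmIn")}
    lines.append("non-zero XfrmIn counters: " +
                 (", ".join(f"{k}={v}" for k, v in inbound.items()) or "none"))
    return lines


# Constructed samples (addresses, SPIs and counter values are made up) in
# the layout of `ip xfrm state`, `ip xfrm policy` and /proc/net/xfrm_stat
# for a net-net conn with mark=1; the aead key bytes are elided.
XFRM_STATE_SAMPLE = """\
src 2001:db8:0:100::7 dst 2001:db8:0:2405::7
\tproto esp spi 0xc1a2b3c4 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tmark 0x1/0xffffffff
\taead rfc4106(gcm(aes)) 0x... 128
src 2001:db8:0:2405::7 dst 2001:db8:0:100::7
\tproto esp spi 0xcd5e6f70 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tmark 0x1/0xffffffff
\taead rfc4106(gcm(aes)) 0x... 128
"""
XFRM_POLICY_SAMPLE = """\
src 10.159.5.0/24 dst 10.159.6.0/24
\tdir out priority 375423 ptype main
\tmark 0x1/0xffffffff
\ttmpl src 2001:db8:0:100::7 dst 2001:db8:0:2405::7
\t\tproto esp reqid 1 mode tunnel
src 10.159.6.0/24 dst 10.159.5.0/24
\tdir fwd priority 375423 ptype main
\tmark 0x1/0xffffffff
\ttmpl src 2001:db8:0:2405::7 dst 2001:db8:0:100::7
\t\tproto esp reqid 1 mode tunnel
src 10.159.6.0/24 dst 10.159.5.0/24
\tdir in priority 375423 ptype main
\tmark 0x1/0xffffffff
\ttmpl src 2001:db8:0:2405::7 dst 2001:db8:0:100::7
\t\tproto esp reqid 1 mode tunnel
"""
XFRM_STAT_SAMPLE = """\
XfrmInError                 \t0
XfrmInNoStates              \t0
XfrmInStateMismatch         \t0
XfrmInTmplMismatch          \t1198
XfrmInNoPols                \t0
XfrmInPolBlock              \t0
XfrmOutError                \t0
XfrmOutNoStates             \t0
"""

if __name__ == "__main__":
    # key 1 matches the sample's mark 0x1/0xffffffff; try 2 to see mismatches
    print("\n".join(report(1, XFRM_STATE_SAMPLE, XFRM_POLICY_SAMPLE, XFRM_STAT_SAMPLE)))
```
<font size="-1">On a live box, feed the script the output of <tt>ip xfrm state</tt>, <tt>ip xfrm policy</tt> and <tt>cat /proc/net/xfrm_stat</tt> (the latter exists only with CONFIG_XFRM_STATISTICS; otherwise <tt>ip -s xfrm state</tt> per-SA counters are the fallback), and pass the key given to <tt>ip tunnel add ... key N</tt>. A mismatch report points at the mark/key pairing; a clean mark check with a climbing XfrmIn* counter names the stage of input processing (no state, template mismatch, no policy, ...) at which the packets are being discarded.<br>
</font>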
</body>
</html>