<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Actually I just need the interfaces so
OSPF is happy.<br>
After wasting some more hours of time with VTIs, I decided to try
GRE and well... it just works. :)<br>
Though I have heard and read that GRE is considered quite a dirty
protocol.<br>
I also heard that Libreswan provides better support for VTIs than
Strongswan.<br>
But for now I am sticking with the solution I have.<br>
<br>
Thanks for the hints.<br>
Benjamin<br>
<br>
On 07/20/2017 04:08 AM, Eric Germann wrote:<br>
</div>
<blockquote type="cite"
cite="mid:BC4D7202-2DD8-436D-84DB-F6451A804710@semperen.com">
What’s your use case? Could you accomplish it with GRE tunnels as
P2P tunnels?
<div class=""><br class="">
</div>
<div class="">I run a global backbone connecting AWS regions
together for $DAYJOB. We run BGP and routing over GRE tunnels.
The GRE packets are then encrypted by Strongswan.</div>
<div class=""><br class="">
</div>
<div class="">EKG</div>
<div class=""><br class="">
<div class="">
<div>
<blockquote type="cite" class="">
<div class="">On Jul 19, 2017, at 7:21 PM, Benjamin Beier
<<a href="mailto:benjamin.beier@heliocloud.net"
class="" moz-do-not-send="true">benjamin.beier@heliocloud.net</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div text="#000000" bgcolor="#FFFFFF" class=""> <font
class="" size="-2"><font class="" size="-1">Hello,</font><br
class="">
<br class="">
<font class="" size="-1">I have a working IPsec
setup (IPv4 Net-Net over IPv6 Host-Host tunnel)
including a properly configured firewall.<br
class="">
It's been running fine for some months, but now I
have a new requirement that needs Virtual
Transport Interfaces (VTI) on both sides of the
tunnel.<br class="">
Sadly I am really struggling with this part,
having spent multiple days already trying to
figure out why it's not working.<br class="">
<br class="">
Some useful information:<br class="">
<br class="">
* Firewall is deactivated (accepting everything)<br
class="">
* Mangle table is empty<br class="">
* StrongSwan 5.5.3<br class="">
* Linux Kernel 4.4.X<br class="">
* Using the following guide:<br class="">
<a class="moz-txt-link-freetext"
href="https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN"
moz-do-not-send="true">https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN</a><br
class="">
<br class="">
The VTI name is ipsec0 and traffic is routed to
the interface properly.<br class="">
tcpdump shows lots of packets from 10.159.5.0/24
to 10.159.6.0/24 on interface ipsec0.<br class="">
My problem is that the </font></font><font
class="" size="-2"><font class="" size="-1">VTI
seems to be a <b class="">black hole</b> at the
moment.<br class="">
Packets just disappear in the tunnel interface and
the RX error counter is rising quickly:<br
class="">
</font></font><br class="">
<font class="" size="-2"><font class="" size="-1"><font
class="" size="-2"><font class="" size="-1">~ #
ip -6 -s tunnel show ipsec0<br class="">
ipsec0: ipv6/ipv6 remote ####:####:####:100::7
local ####:####:####:2405::7 encaplimit 0
hoplimit 0 tclass 0x00 flowlabel 0x00000
(flowinfo 0x00000000)<br class="">
RX: Packets Bytes <b class="">Errors</b>
CsumErrs OutOfSeq Mcasts<br class="">
0 0 <b class="">1198</b>
0 0 0 <br class="">
TX: Packets Bytes Errors DeadLoop
NoRoute NoBufs<br class="">
358 56650 0 0
0 0<br class="">
<br class="">
So far I have no idea what's going on and I
tried changing options for days, always with
the same results.<br class="">
Maybe someone is running a similar setup and
can provide some hints?<br class="">
Is there a way to find out what exactly those
errors are?<br class="">
<br class="">
Many Thanks,<br class="">
Benjamin<br class="">
<br class="">
</font></font><b class="">Configuration:</b><br
class="">
--------------------------------<br class="">
<br class="">
# <b class="">strongswan.conf</b> - strongSwan
configuration file<br class="">
<br class="">
charon {<br class="">
load_modular = yes<br class="">
<b class=""> install_routes = no</b><br
class="">
plugins {<br class="">
include strongswan.d/charon/*.conf<br
class="">
}<br class="">
}<br class="">
<br class="">
include strongswan.d/*.conf<br class="">
<br class="">
--------------------------------<br class="">
<br class="">
#<b class=""> ipsec.conf </b>- strongSwan IPsec
configuration file<br class="">
<br class="">
config setup<br class="">
<br class="">
ca heliocloud<br class="">
cacert=#######.crt<br class="">
auto=add<br class="">
<br class="">
conn %default<br class="">
ikelifetime=60m<br class="">
keylife=20m<br class="">
rekeymargin=3m<br class="">
keyingtries=%forever<br class="">
keyexchange=ikev2<br class="">
mobike=no<br class="">
compress=yes<br class="">
<br class="">
conn net-net<br class="">
also=host-host<br class="">
leftsubnet=10.159.5.0/24<br class="">
rightsubnet=10.159.6.0/24<br class="">
auto=start<br class="">
<b class=""> mark=1</b><br class="">
<br class="">
conn host-host<br class="">
left=####:####:####:100::7<br class="">
leftcert=#######.crt<br class="">
right=####:####:####:2405::7<br class="">
auto=add<br class="">
<br class="">
--------------------------------<br class="">
<br class="">
modprobe ip6_vti<br class="">
ip -6 tunnel add ipsec0 local
####:####:####:100::7 remote
####:####:####:2405::7 mode vti6 <b class="">key
1</b><br class="">
ip link set ipsec0 up<br class="">
ip route add 10.159.6.0/24 dev ipsec0<br class="">
<br class="">
--------------------------------<br class="">
<br class="">
3: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop
state DOWN group default qlen 1<br class="">
link/tunnel6 :: brd ::<br class="">
4: ip6_vti0@NONE: <NOARP> mtu 1500 qdisc
noop state DOWN group default qlen 1<br class="">
link/tunnel6 :: brd ::<br class="">
8: ipsec0@NONE:
<POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500
qdisc noqueue state UNKNOWN group default qlen 1<br
class="">
link/tunnel6 ####:####:####:100::7 peer
####:####:####:2405::7<br class="">
inet6 fe80::2201:bff:fec8:2357/64 scope link <br
class="">
valid_lft forever preferred_lft forever<br
class="">
</font></font> </div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
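<p>A small consistency check written for this thread (an added example, not code from the thread or from strongSwan): it parses the ipsec.conf and the vti6 setup command quoted above, verifies that a conn's mark equals the key of a VTI as the linked RouteBasedVPN page requires, and recognizes the black-hole signature from the tunnel counters (frames sent, none received, RX errors rising). The sample inputs are constructed from the post; the script only flags the symptom and does not diagnose the cause of the RX errors, which the thread leaves open.</p>

```python
import re

# Constructed inputs, copied from the configuration quoted in the thread (#### elided as in the post).
IPSEC_CONF = """\
conn net-net
    also=host-host
    leftsubnet=10.159.5.0/24
    rightsubnet=10.159.6.0/24
    mark=1

conn host-host
    left=####:####:####:100::7
    right=####:####:####:2405::7
"""
VTI_CMDS = "ip -6 tunnel add ipsec0 local ####:####:####:100::7 remote ####:####:####:2405::7 mode vti6 key 1\n"
TUNNEL_STATS = """\
RX: Packets Bytes Errors CsumErrs OutOfSeq Mcasts
    0 0 1198 0 0 0
TX: Packets Bytes Errors DeadLoop NoRoute NoBufs
    358 56650 0 0 0 0
"""

def parse_conns(text):
    """Return {conn_name: {option: value}} from an ipsec.conf-style text."""
    conns, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif "=" in line and cur:
            k, v = (s.strip() for s in line.split("=", 1))
            conns[cur][k] = v
    return conns

def vti_keys(cmds):
    """Map VTI name to its key from 'ip -6 tunnel add NAME ... mode vti6 key N' lines."""
    return {m[1]: int(m[2]) for m in re.finditer(r"tunnel add (\S+) .*?mode vti6 key (\d+)", cmds)}

def check_marks(conns, keys):
    """Each conn's mark (value or value/mask) must equal the key of some VTI; list the ones that don't."""
    return [f"conn {n}: mark {o['mark']} matches no VTI key" for n, o in conns.items()
            if "mark" in o and int(o["mark"].split("/")[0], 0) not in keys.values()]

def looks_like_black_hole(stats):
    """The symptom in the post from 'ip -6 -s tunnel show DEV': TX packets, zero RX packets, RX errors."""
    rows = [l.split() for l in stats.splitlines()]
    col = {r[0]: [int(x) for x in rows[i + 1]] for i, r in enumerate(rows) if r and r[0] in ("RX:", "TX:")}
    rx, tx = col["RX:"], col["TX:"]
    return tx[0] > 0 and rx[0] == 0 and rx[2] > 0
```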
</body>
</html>