<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi,</p>
<p>not too elegant, but working solution is to create different
configs per connection (with dedicated if_id_in/out) and
dynamically create xfrm interface (using updown and PLUTO_IF_ID*).
In this way it's possible to set remote_ts = 0.0.0.0/0 and be
happy with routing protocols. But there is another issue (please,
see my next message to the list) and if anybody can suggest more
elegant way to the topic - I will appreciate.<br>
</p>
<p>Thank you.<br>
</p>
<div class="moz-cite-prefix">On 17.09.2020 18:50, Volodymyr Litovka
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:4246de23-0803-7500-596c-813dc73fe832@gmx.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<p>Hi colleagues,</p>
<p>I'm using XFRM on the SSwan side in shared mode for multiple
clients (using the same if_id):</p>
<pre>3: xfrm0@lo: &lt;NOARP,UP,LOWER_UP&gt; mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.168.167.1/24 brd 192.168.167.255 scope global xfrm0
       valid_lft forever preferred_lft forever</pre>
<p>like this:</p>
<pre>              xfrm (if_id=9, x.x.x.1/24)
   ------------------------------------------
      |               |                   |
   client1         client2      ...    clientN
 (x.x.x.2/24)    (x.x.x.3/24)   ...   (x.x.x.N/24)
</pre>
<p>having, e.g. the following SA:</p>
<pre>ikev2-eap: #41, ESTABLISHED, IKEv2, 36739cd0b0eab71f_i 57d9f123408cdea5_r*
  local  'local_id' @ local_ip[4500]
  remote 'remote_id' @ remote_ip[4500] EAP: 'remote_eap_id' [192.168.167.2]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/MODP_2048
  established 1547s ago, rekeying in 8357s
  eap-child: #37, reqid 31, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
    [ ... ]
    <b>local  0.0.0.0/0</b>
    <b>remote 192.168.167.2/32</b></pre>
<p>according to the configuration:</p>
<pre>connections {
    ikev2-eap {
        pools = radius
        remote {
            auth = eap-radius
            id = %any
            eap_id = %any
        }
        children {
            eap-child {
                local_ts = 0.0.0.0/0
                remote_ts = dynamic
                mode = tunnel
            }
        }
    }
}
</pre>
<p>The wiki's RouteBasedVPN page says the following: "After creating the
device it has to be enabled and then routes may be installed
(routing protocols may also be used)." and I tried to implement
dynamic routing to route between remote LANs, receiving
additional subnets over BGP between peers (e.g. x.x.x.1
&lt;-&gt; x.x.x.2):</p>
<pre>server# ip route
[ ... ]
<b>5.6.7.0/24</b> nhid 20 via 192.168.167.2 dev xfrm0 <b>proto bgp</b> metric 20
</pre>
<p>but, actually, I cannot access the remote BGP-learned LAN:</p>
<pre>server# ping 5.6.7.1 -I 192.168.167.1
PING 5.6.7.1 (5.6.7.1) from 192.168.167.1 : 56(84) bytes of data.
From 192.168.167.1 icmp_seq=1 Destination Host Unreachable
From 192.168.167.1 icmp_seq=2 Destination Host Unreachable
^C
</pre>
<p>On the other hand, the wiki says (for VTI mode, though, while
I'm using XFRM) that such an issue happens because these
networks aren't mentioned in the traffic selectors, thus there is no
matching policy and the traffic is rejected: "only traffic that
matches these traffic selectors will then actually be forwarded,
other packets routed to the VTI device will be rejected with an
ICMP error message (destination unreachable/destination host
unreachable)."<br>
</p>
<p>So, the question: what am I doing wrong? Are there ways to use
dynamic routing with a shared XFRM device?<br>
</p>
<p>Note: remote peers can be behind the same NAT, thus having the same
external IP address.<br>
</p>
<p>Thank you.<br>
</p>
<pre class="moz-signature" cols="72">--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison</pre>
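<p>The per-connection approach described in the reply above, as an added example that is not the list author's script: a hypothetical updown script that creates one xfrm interface per CHILD_SA from the PLUTO_IF_ID_IN/PLUTO_IF_ID_OUT variables strongSwan passes to it. It assumes the child section sets if_id_in and if_id_out to %unique (so both directions share one ID, as an xfrm interface requires), binds the interface to lo like the original xfrm0@lo, and takes an optional local address from a constructed XFRM_ADDR environment variable.</p>

```shell
#!/bin/sh
# Hypothetical strongSwan updown script (added example, not from the list):
# one xfrm interface per CHILD_SA, named from the interface ID strongSwan
# hands us. Assumes if_id_in = if_id_out = %unique in swanctl.conf, so
# PLUTO_IF_ID_IN and PLUTO_IF_ID_OUT carry the same value.
set -eu

IP=${IP:-ip}                 # set IP=echo to dry-run without root
XFRM_ADDR=${XFRM_ADDR:-}     # optional local address for the interface (assumed variable)

# Interface name derived from the if_id, e.g. 9 -> xfrm9.
xfrm_ifname() { printf 'xfrm%s\n' "$1"; }

# An xfrm interface carries a single if_id, so both directions must agree.
# Prints a diagnostic and returns 1 when they differ (e.g. %unique-dir was used).
check_if_id() {
    if [ "$1" != "$2" ]; then
        echo "if_id_in ($1) differs from if_id_out ($2); use %unique, not %unique-dir" >&2
        return 1
    fi
}

# Create the interface bound to lo with the given if_id, optionally address it, bring it up.
xfrm_up() {
    ifname=$(xfrm_ifname "$1")
    $IP link add "$ifname" type xfrm dev lo if_id "$1"
    [ -z "$XFRM_ADDR" ] || $IP addr add "$XFRM_ADDR" dev "$ifname"
    $IP link set "$ifname" up
}

# Remove the interface when the CHILD_SA goes away.
xfrm_down() {
    $IP link del "$(xfrm_ifname "$1")"
}

# strongSwan invokes the script with PLUTO_VERB set; when sourced without it, nothing runs.
case "${PLUTO_VERB:-}" in
    up-client)
        check_if_id "$PLUTO_IF_ID_IN" "$PLUTO_IF_ID_OUT"
        xfrm_up "$PLUTO_IF_ID_IN" ;;
    down-client)
        xfrm_down "$PLUTO_IF_ID_IN" ;;
esac
```

Reference the script with the child's updown option; the ID check refuses to create an interface when the two directions were allocated different IDs.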
</body>
</html>