<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Ben,</p>
<p>take a look into
<a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN">https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN</a></p>
<p>it seems you have a mesh in the configuration - your stronSwan's
configuration is completely policy-based, while you think you use
VTIs and routing.<br>
</p>
<div class="moz-cite-prefix">On 18.02.2021 03:00, Ben Tullis wrote:<br>
</div>
<blockquote type="cite"
cite="mid:597ce8c3-7aa1-1aa2-5f9f-8143fcb3cbd7@opencorporates.com">Hello,
<br>
<br>
I wonder if anyone might be able to help me work out what I'm
doing wrong please. I've been struggling with it for days on end.
<br>
<br>
Primarily I'm trying to follow this tutorial:
<a class="moz-txt-link-freetext" href="https://cloud.google.com/community/tutorials/using-cloud-vpn-with-strongswan">https://cloud.google.com/community/tutorials/using-cloud-vpn-with-strongswan</a><br>
<br>
...to set up a tunnel mode IPSec connection between on-premise
strongSwan on Debian 9 and Google Cloud Project VPN gateway, using
bird for routing.
<br>
<br>
The topology is broadly as follows:
<br>
<br>
<br>
+----------------------------------------------+
<br>
| |
<br>
eth0 | 94.190.242.6 |
35.242.22.169
<br>
+------+-------------+
+------+--------------+
<br>
| vti0:169.254.1.2 | | router:
169.254.1.1 |
<br>
| |
| |
<br>
| |
| |
<br>
| strongSwan 5.5 | | Google Cloud
HA VPN |
<br>
| on Debian 9 |
| |
<br>
| |
| |
<br>
+------+-------------+
+------+--------------+
<br>
bond0 | 10.43.0.1 |
<br>
| |
<br>
| |
<br>
+ +
<br>
10.43.0.0/16 10.44.0.0/16
<br>
<br>
The server on the left is the default gateway for the 10.43.0.0/16
network behind it. Only traffic for 10.44.0.0/16 should go over
the tunnel.
<br>
<br>
In the tutorial a /30 subnet is used for the BGP traffic and I
have used 169.254.1.1 for the cloud router, with 169.254.1.2 for
the Linux vti0 interface.
<br>
<br>
My SA appears to be created correctly. 'ipsec statusall' output is
pasted below.
<br>
<br>
The xfrm policy looks to be OK to me too. 'ip xfrm policy' output
is pasted below.
<br>
<br>
When I use tcpdump on the vti0 interface I can see BGP traffic,
but when I look at 'ip -s tunnel show' I can see that all TX
packets are generating errors with a 'NoRoute' status. Like
this...
<br>
<br>
<blockquote type="cite">root@gw1:~# ip -s tunnel show
<br>
ip_vti0: ip/ip remote any local any ttl inherit nopmtudisc key 0
<br>
RX: Packets Bytes Errors CsumErrs OutOfSeq Mcasts
<br>
0 0 0 0 0 0 TX:
Packets Bytes Errors DeadLoop NoRoute NoBufs
<br>
0 0 0 0 0 0 vti0:
ip/ip remote 35.242.22.169 local 94.190.242.6 ttl inherit
nopmtudisc key 1
<br>
RX: Packets Bytes Errors CsumErrs OutOfSeq Mcasts
<br>
2761 165660 0 0 0 0 TX:
Packets Bytes Errors DeadLoop NoRoute NoBufs
<br>
0 0 2880 0 2880 0 </blockquote>
<br>
I've tried making sure that I'm only using a single routing table.
<br>
<br>
I've tried disabling the firewall and setting all iptables
policies to ACCEPT.
<br>
<br>
I've tried setting left|rightsubnet to 0.0.0.0/0 instead of the
10.43.0.0/16 and 10.44.0.0/16 values.
<br>
<br>
The following are all set by the leftupdownscript:
<br>
<br>
<blockquote type="cite">net.ipv4.conf.eth0.disable_xfrm = 1
<br>
net.ipv4.conf.eth0.disable_policy = 1
<br>
net.ipv4.conf.vti0.disable_xfrm = 1
<br>
net.ipv4.conf.vti0.disable_policy = 1
<br>
net.ipv4.ip_forward = 1
<br>
</blockquote>
<br>
I've tried changing the script so that it disabled the policy and
xfrm on bond0 (the lan interface) rather than eth0 (the wan
interface) but it hasn't made any difference to this issue. I
still see the NoRoute errors. it chooses eth0 because it is the
$PLUTO_INTERFACE variable, but I wasn't certain which it should
be.
<br>
<br>
If anyone has any insight into how I can make this work, I'd be
very grateful. I've poseted as much debug info below as I can
think of.
<br>
<br>
Kind regards,
<br>
Ben
<br>
<br>
The ipsec connection file is as follows:
<br>
<br>
<blockquote type="cite">cat /etc/ipsec.d/gcp.conf conn %default
<br>
ikelifetime=600m # 36,000 s
<br>
keylife=180m # 10,800 s
<br>
rekeymargin=3m
<br>
keyingtries=3
<br>
keyexchange=ikev2
<br>
mobike=no
<br>
#ike=aes256gcm16-sha512-modp4096 # wouldn't connect with
this
<br>
esp=aes256gcm16-sha512-modp8192
<br>
authby=psk
<br>
<br>
conn gcp-prod
<br>
leftupdown="/var/lib/strongswan/ipsec-vti.sh 0
169.254.1.1/30 169.254.1.2/30"
<br>
left=94.190.242.6
<br>
leftid=94.190.242.6
<br>
leftsubnet=10.43.0.0/16
<br>
leftauth=psk
<br>
right=35.242.22.169
<br>
rightid=35.242.22.169
<br>
rightsubnet=10.44.0.0/16
<br>
rightauth=psk
<br>
type=tunnel
<br>
auto=add
<br>
dpdaction=restart
<br>
mark=%unique
<br>
</blockquote>
<br>
'ipsec statusall' shows this:
<br>
<br>
<blockquote type="cite">Status of IKE charon daemon (strongSwan
5.5.1, Linux 4.9.0-14-amd64, x86_64):
<br>
uptime: 24 minutes, since Feb 17 23:36:00 2021
<br>
malloc: sbrk 2433024, mmap 0, used 288320, free 2144704
<br>
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
0/0/0/0, scheduled: 3
<br>
loaded plugins: charon aes rc2 sha2 sha1 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink
resolve socket-default stroke updown
<br>
Listening IP addresses:
<br>
94.190.242.6
<br>
94.190.242.132
<br>
192.168.10.100
<br>
10.43.0.10
<br>
169.254.1.2
<br>
Connections:
<br>
gcp-prod: 94.190.242.6...35.242.22.169 IKEv2, dpddelay=30s
<br>
gcp-prod: local: [94.190.242.6] uses pre-shared key
authentication
<br>
gcp-prod: remote: [35.242.22.169] uses pre-shared key
authentication
<br>
gcp-prod: child: 10.43.0.0/16 === 10.44.0.0/16 TUNNEL,
dpdaction=restart
<br>
Security Associations (1 up, 0 connecting):
<br>
gcp-prod[2]: ESTABLISHED 24 minutes ago,
94.190.242.6[94.190.242.6]...35.242.22.169[35.242.22.169]
<br>
gcp-prod[2]: IKEv2 SPIs: bd548d31aa21287f_i
1a8c6dee54f1888b_r*, pre-shared key reauthentication in 9 hours
<br>
gcp-prod[2]: IKE proposal:
AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
<br>
gcp-prod{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs:
cebf075b_i a0809ae4_o
<br>
gcp-prod{1}: AES_GCM_16_256, 130800 bytes_i, 0 bytes_o,
rekeying in 2 hours
<br>
gcp-prod{1}: 10.43.0.0/16 === 10.44.0.0/16
<br>
</blockquote>
<br>
'ip route ls' shows this:
<br>
<blockquote type="cite">default via 94.190.242.1 dev eth0 onlink
10.43.0.0/16 dev bond0 proto kernel scope link src 10.43.0.10
10.44.0.0/16 dev vti0 scope link 94.190.242.0/25 dev eth0 proto
kernel scope link src 94.190.242.6 94.190.242.128/25 dev eth0
proto kernel scope link src 94.190.242.132 169.254.1.0/30 dev
vti0 proto kernel scope link src 169.254.1.2 192.168.10.0/24 dev
eth1 proto kernel scope link src 192.168.10.100
<br>
</blockquote>
<br>
'ip route ls' shows this:
<br>
<blockquote type="cite">default via 94.190.242.1 dev eth0 onlink
10.43.0.0/16 dev bond0 proto kernel scope link src 10.43.0.10
94.190.242.0/25 dev eth0 proto kernel scope link src
94.190.242.6 94.190.242.128/25 dev eth0 proto kernel scope link
src 94.190.242.132 169.254.1.0/30 dev vti0 proto kernel scope
link src 169.254.1.2 192.168.10.0/24 dev eth1 proto kernel scope
link src 192.168.10.100 </blockquote>
<br>
'birdc show route' shows this:
<br>
<blockquote type="cite">BIRD 1.6.3 ready.
<br>
0.0.0.0/0 via 94.190.242.1 on eth0 [kernel1 00:50:45] *
(10)
<br>
169.254.1.0/30 dev vti0 [direct1 00:50:45] * (240)
<br>
94.190.242.128/25 dev eth0 [direct1 00:50:45] * (240)
<br>
94.190.242.0/25 dev eth0 [direct1 00:50:45] * (240)
<br>
192.168.10.0/24 dev eth1 [direct1 00:50:45] * (240)
<br>
10.43.0.0/16 dev bond0 [direct1 00:50:45] * (240)
<br>
</blockquote>
<br>
'ip rule ls' shows this:
<br>
<blockquote type="cite">0: from all lookup local 220: from
all lookup 220 32766: from all lookup main 32767: from all
lookup default </blockquote>
<br>
'ip a sh vti0' shows this:
<br>
<blockquote type="cite">11: vti0@NONE:
<POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1387 qdisc noqueue
state UNKNOWN group default qlen 1
<br>
link/ipip 94.190.242.6 peer 35.242.22.169
<br>
inet 169.254.1.2 peer 169.254.1.1/30 scope global vti0
<br>
valid_lft forever preferred_lft forever
<br>
</blockquote>
<br>
'ip a sh ip_vti0' shows this:
<br>
<blockquote type="cite">9: ip_vti0@NONE: <NOARP> mtu 1480
qdisc noop state DOWN group default qlen 1
<br>
link/ipip 0.0.0.0 brd 0.0.0.0
<br>
</blockquote>
<br>
</blockquote>
<pre class="moz-signature" cols="72">--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison</pre>
</body>
</html>