[strongSwan] Strongswan using VTI
Ryan Ruel
ryan0751 at gmail.com
Wed Dec 17 12:50:47 CET 2014
I was just trying to get this to work the other day myself and also had problems with the routing.
It wasn’t clear to me if you still need to create the PREROUTING mangle rules. such as:
# mangle PREROUTING rules:
iptables -t mangle -A PREROUTING -s 192.168.10.0/24 -d 192.168.11.0/24
-j MARK --set-mark 32
iptables -t mangle -A PREROUTING -p esp -s 10.1.3.2 -d 10.1.1.2 -j MARK
--set-mark 32
From what I had read the Kernel might have been patched to no longer require this?
Have you checked the SA stats on the Linux box (setkey -D or using the ip xfrm command) to see if the packets are matching the SA and are being decrypted?
/Ryan
> On Dec 17, 2014, at 6:08 AM, Olivier PELERIN <olivier_pelerin at hotmail.com> wrote:
>
> Dear Strongswan alias,
>
> I'm trying a VTI config between a linux box and a cisco router.
>
> I've created a VTI interface on my linux
>
> ip tunnel add vti0 mode vti local 10.1.1.1 remote 10.1.1.254 okey 32 ikey 32
> ip link set vti0 up
> ip addr add 10.0.0.1/30 remote 10.0.0.2/30 dev vti0
>
> conn VTI
> keyexchange=ikev2
> ike=aes256-sha1-modp1024
> esp=aes256-sha1!
> leftid=10.1.1.1
> leftauth=psk
> leftsubnet=0.0.0.0/0
> rightauth=psk
> right=10.1.1.254
> rightid=10.1.1.254
> rightsubnet=0.0.0.0/0
> mark=32
> auto=route
>
>
>
>
> manowar python # ipsec statusall
> Status of IKE charon daemon (strongSwan 5.2.2rc1, Linux 3.18.1-gentoo, x86_64):
> uptime: 114 seconds, since Dec 17 11:53:47 2014
> malloc: sbrk 2416640, mmap 0, used 373840, free 2042800
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
> loaded plugins: charon ldap aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
> Listening IP addresses:
> 192.168.255.134
> 10.1.1.1
> 10.0.0.1
> Connections:
> VTI: %any...10.1.1.254 IKEv2
> VTI: local: [10.1.1.1] uses pre-shared key authentication
> VTI: remote: [10.1.1.254] uses pre-shared key authentication
> VTI: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL
> Routed Connections:
> VTI{1}: ROUTED, TUNNEL
> VTI{1}: 0.0.0.0/0 === 0.0.0.0/0
> Security Associations (1 up, 0 connecting):
> VTI[1]: ESTABLISHED 109 seconds ago, 10.1.1.1[10.1.1.1]...10.1.1.254[10.1.1.254]
> VTI[1]: IKEv2 SPIs: e1e9a005055323ab_i* 78c7cc9d34a5886f_r, pre-shared key reauthentication in 2 hours
> VTI[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> VTI{1}: INSTALLED, TUNNEL, ESP SPIs: c8031e20_i 37b2a5a2_o
> VTI{1}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 1848 bytes_o (22 pkts, 8s ago), rekeying in 44 minutes
> VTI{1}: 0.0.0.0/0 === 0.0.0.0/0
>
>
> I do have ESP in
>
> manowar python # tcpdump -nNi netio0
> error : ret -1
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on netio0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 12:07:57.840726 IP 10.1.1.1 > 10.1.1.254: ESP(spi=0x37b2a5a2,seq=0x2bf), length 132
> 12:07:57.841405 IP 10.1.1.254 > 10.1.1.1: ESP(spi=0xc8031e20,seq=0x2bf), length 132
> 12:07:58.840971 IP 10.1.1.1 > 10.1.1.254: ESP(spi=0x37b2a5a2,seq=0x2c0), length 132
> 12:07:58.841336 IP 10.1.1.254 > 10.1.1.1: ESP(spi=0xc8031e20,seq=0x2c0), length 132
>
>
> But it seems not be decapsulated by the kernel.
>
> Any ideas why?
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
> https://lists.strongswan.org/mailman/listinfo/users <https://lists.strongswan.org/mailman/listinfo/users>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20141217/7122cf15/attachment.html>
More information about the Users
mailing list