[strongSwan] Strongswan using VTI - got it working!

Olivier PELERIN olivier_pelerin at hotmail.com
Fri Dec 19 14:53:47 CET 2014


Many thanks guys:

I was too excited and I've loaded my setup again. Now I can ping my Linux box from the Cisco router.
It's exciting to have a VTI working on Linux; it's the best way of setting up VPNs since we can easily set up a routing protocol on the overlay.



Indeed, turning on the martian logs has revealed:

manowar python # tail -f /var/log/messages 
Dec 19 09:51:32 manowar kernel: IPv4: martian source 10.0.0.1 from 10.0.0.2, on dev vti0
Dec 19 09:51:32 manowar kernel: ll header: 00000000: 52 83 87 99 0b d6 aa bb cc 00 65 00 08 00 45 00  R.........e...E.
Dec 19 09:51:32 manowar kernel: ll header: 00000010: 00 64 05 33 00 00 ff 01 a2 63 0a 00 00 02 0a 00  .d.3.....c......
Dec 19 09:51:32 manowar kernel: ll header: 00000020: 00 01 08 00 92 41 00 1c 00 33 00 00 00 00 05 79  .....A...3.....y
Dec 19 09:51:32 manowar kernel: ll header: 00000030: e6 40 ab cd          

After that I did

manowar python # echo "0" > /proc/sys/net/ipv4/conf/vti0/rp_filter 

Then I saw the traffic from 10.0.0.1 to 10.0.0.2 was in fact going in the clear via my netio0 interface.

I guess I was using 

manowar strongswan_ikev2_vti # ip route list table 220
default via 10.1.1.254 dev netio0  proto static 

Then I did 

ip route del table 220 default

Question: what is the use of that table 220? Do we have a CLI to avoid Strongswan installing that route? It's not necessary in the case of VTI. It would be very nice to be able to control it.

At this stage I can ping the Linux box from my Cisco router.

R101-HUB#clear crypto sa counters 
R101-HUB#ping 10.0.0.1 repeat 100 
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/5/6 ms
R101-HUB#sh crypto session detail 
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection     
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect

Interface: Tunnel0
Profile: linux
Uptime: 00:30:28
Session status: UP-ACTIVE     
Peer: 10.1.1.1 port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.1.1.1
      Desc: (none)
  Session ID: 7  
  IKEv2 SA: local 10.1.1.254/4500 remote 10.1.1.1/4500 Active 
          Capabilities:(none) connid:1 lifetime:23:29:32
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 100 drop 0 life (KB/Sec) 4224917/1772
        Outbound: #pkts enc'ed 100 drop 0 life (KB/Sec) 4224785/1772

Out of interest I did:

1) Create the VTI interface with mark32

ip tunnel add vti0 mode vti local 10.1.1.1 remote 10.1.1.254 okey 32 ikey 32
ip link set vti0 up
ip addr add 10.0.0.1/30 remote 10.0.0.2/30 dev vti0


2) Configure strongswan

conn VTI
        keyexchange=ikev2
        ike=aes256-sha1-modp1024
        esp=aes256-sha1!
        left=10.1.1.1
        leftid=10.1.1.1
        leftauth=psk
        leftsubnet=0.0.0.0/0
        rightauth=psk
        right=10.1.1.254
        rightid=10.1.1.254
        rightsubnet=0.0.0.0/0
        auto=start
        mark=32
3) Disable RP_filters on the vti0 intf 

 echo "0" > /proc/sys/net/ipv4/conf/vti0/rp_filter 

4) Erase the default in the table 220 

ip route del table 220 default
Merry Xmas and Happy new year!

Olivier Pelerin
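The thread above shows three things to verify on a VTI setup of this kind: rp_filter on the vti interface (the martian-source drops), a leftover default route in routing table 220 (packets bypass the tunnel and leave in the clear on the underlay interface), and the kernel's martian log lines. The following audit script is an added example, not code from the list post or from the strongSwan project; the function names, the sample log and route-table text are constructed here to mirror the output quoted above, and the live-mode file and command paths are the standard Linux ones (`/proc/sys/net/ipv4/conf/<dev>/rp_filter`, `ip route list table 220`, `/var/log/messages`).

```python
#!/usr/bin/env python3
"""Audit a strongSwan + VTI host for the three problems seen in the thread.

Added example (hypothetical helper names); the parsing functions take text so
they can be exercised offline, and audit_live() feeds them real system output.
"""
import re
import subprocess
from pathlib import Path

# Kernel format: "IPv4: martian source <daddr> from <saddr>, on dev <ifname>"
MARTIAN_RE = re.compile(
    r"IPv4: martian source (?P<dst>\S+) from (?P<src>\S+), on dev (?P<dev>\S+)"
)


def parse_martians(log_text):
    """Return (dst, src, dev) tuples for every martian-source line in log_text."""
    return [(m.group("dst"), m.group("src"), m.group("dev"))
            for m in MARTIAN_RE.finditer(log_text)]


def default_routes(route_table_text):
    """Return the default routes found in `ip route list table N` output."""
    routes = []
    for line in route_table_text.splitlines():
        fields = line.split()
        if fields[:1] != ["default"]:
            continue
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append({"via": via, "dev": dev})
    return routes


def audit(vti_dev, rp_filter_value, table220_text, log_text):
    """Return a list of findings; an empty list matches the working state in the thread."""
    findings = []
    if rp_filter_value.strip() != "0":
        findings.append(
            f"rp_filter on {vti_dev} is {rp_filter_value.strip()}, expected 0 "
            f"(reverse-path check drops tunnel traffic as martian)")
    for r in default_routes(table220_text):
        findings.append(
            f"table 220 still has a default route via {r['via']} dev {r['dev']}: "
            f"overlay traffic would bypass {vti_dev} and leave in the clear")
    for dst, src, dev in parse_martians(log_text):
        if dev == vti_dev:
            findings.append(f"kernel logged martian source {dst} from {src} on {dev}")
    return findings


def audit_live(vti_dev="vti0", log_path="/var/log/messages"):
    """Run the audit against the running system (needs the ip tool and read access)."""
    rp = Path(f"/proc/sys/net/ipv4/conf/{vti_dev}/rp_filter").read_text()
    table = subprocess.run(["ip", "route", "list", "table", "220"],
                           capture_output=True, text=True, check=True).stdout
    try:
        log = Path(log_path).read_text(errors="replace")
    except OSError:
        log = ""  # no readable syslog: skip the martian check
    return audit(vti_dev, rp, table, log)


# Constructed sample input modelled on the output quoted in the thread.
SAMPLE_LOG = (
    "Dec 19 09:51:32 manowar kernel: IPv4: martian source 10.0.0.1 from 10.0.0.2, on dev vti0\n"
    "Dec 19 09:51:32 manowar kernel: ll header: 00000000: 52 83 87 99 0b d6 aa bb cc 00 65 00 08 00 45 00  R.........e...E.\n"
)
SAMPLE_TABLE220 = "default via 10.1.1.254 dev netio0  proto static \n"

if __name__ == "__main__":
    # Offline demonstration: rp_filter still 1, default route still present.
    for finding in audit("vti0", "1\n", SAMPLE_TABLE220, SAMPLE_LOG):
        print("FINDING:", finding)
```

Run it without arguments to see the three findings on the constructed sample; call `audit_live()` on the host after steps 3 and 4 of the procedure above to confirm it returns an empty list. Table 220 is the table strongSwan's kernel-netlink plugin installs its routes into; if the route is unwanted in a VTI deployment, route installation can be turned off with `charon.install_routes = no` in strongswan.conf rather than deleting the route by hand after every SA is established.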

From: olivier_pelerin at hotmail.com
To: schwarz at gaertner.de
Date: Fri, 19 Dec 2014 13:28:16 +0100
CC: users at lists.strongswan.org
Subject: Re: [strongSwan] Strongswan using VTI




Interesting!

Let me try that out after Christmas!

Regards

> Date: Thu, 18 Dec 2014 17:15:07 +0100
> From: schwarz at gaertner.de
> To: olivier_pelerin at hotmail.com
> CC: avalentin at marcant.net; users at lists.strongswan.org
> Subject: Re: [strongSwan] Strongswan using VTI
> 
> Hi,
> >>>>> "OP" == Olivier PELERIN <olivier_pelerin at hotmail.com> writes:
> 
> OP> Tried to follow this kernel commit - it does not work
> 
> OP> https://lists.ubuntu.com/archives/kernel-team/2013-November/034116.html
> 
> OP> It seems utterly broken
> 
> OP> From: olivier_pelerin at hotmail.com
> OP> To: avalentin at marcant.net; users at lists.strongswan.org
> OP> Date: Thu, 18 Dec 2014 10:11:23 +0100
> OP> Subject: Re: [strongSwan] Strongswan using VTI
> 
> OP> Will try it out
> 
> OP> When I strace my ping I'm getting  (Resource temporarily unavailable) when we receive the echo-reply
> 
> OP> sendmsg(3, {msg_name(16)={sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("10.0.0.2")}, msg_iov(1)=[{"\10\0\312\350Y\362\00096\231\222T\0\0\0\0K+\0\0\0\0\0\0\20\21\22\23\24\25\26\27"..., 64}], msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_IP, cmsg_type=, ...}, msg_flags=0}, 0) = 64
> OP> recvmsg(3, 0x7fff93401680, 0)           = -1 EAGAIN (Resource temporarily unavailable)
> OP> gettimeofday({1418893623, 10985}, NULL) = 0
> OP> gettimeofday({1418893623, 11029}, NULL) = 0
> 
> check your kernel parameter xfrm4_gc_thresh with:
> 
>      cat /proc/sys/net/ipv4/xfrm4_gc_thresh
> 
> if you see 1024 or even 2048 as the result, it's way too low.  bump it
> up with:
> 
>      echo 262144 > /proc/sys/net/ipv4/xfrm4_gc_thresh
> 
> and check your ping/traceroute again.  if you succeed, make your
> setting permanent and add
> 
>      net.ipv4.xfrm4_gc_thresh = 262144
> 
> to /etc/sysctl.conf.
> 					kind regards, schwarz
> 
> -- 
>  Gärtner Datensysteme GmbH & Co. KG                  Komplementärin:
>                                                      Gärtner Datensysteme
>  Hamburger Str. 273a      Tel. (0531) 2 33 55 55     Verwaltungs GmbH
>  38114 Braunschweig       Fax  (0531) 2 33 55 56
>                                                      Amtsgericht Braunschweig
>  Amtsgericht Braunschweig HRA 200 848                HRB 202 115
> 
>  GmbH-Geschäftsführung:
>  Christine Müller   Martin Neitzel   Ulrich Schwarz  Dr. Stefan Gärtner


