[strongSwan] Strongswan using VTI - got it working!
Olivier PELERIN
olivier_pelerin at hotmail.com
Fri Dec 19 14:53:47 CET 2014
Many thanks guys:
I was too exited and I've loaded my setup again. Now I can ping my linux from the Cisco router.
It's exciting to have a VTI working on linux, it's the best way of setting up VPN's since we can easily setup a routing protocol on the overlay.
Indeed turning on the martian logs have revealed:
manowar python # tail -f /var/log/messages
Dec 19 09:51:32 manowar kernel: IPv4: martian source 10.0.0.1 from 10.0.0.2, on dev vti0
Dec 19 09:51:32 manowar kernel: ll header: 00000000: 52 83 87 99 0b d6 aa bb cc 00 65 00 08 00 45 00 R.........e...E.
Dec 19 09:51:32 manowar kernel: ll header: 00000010: 00 64 05 33 00 00 ff 01 a2 63 0a 00 00 02 0a 00 .d.3.....c......
Dec 19 09:51:32 manowar kernel: ll header: 00000020: 00 01 08 00 92 41 00 1c 00 33 00 00 00 00 05 79 .....A...3.....y
Dec 19 09:51:32 manowar kernel: ll header: 00000030: e6 40 ab cd
After that I did
manowar python # echo "0" > /proc/sys/net/ipv4/conf/vti0/rp_filter
Then I saw the traffic from 10.0.0.1 to 10.0.0.2 was in fact going in clear via my netio0 interface
I guess I was using
manowar strongswan_ikev2_vti # ip route list table 220
default via 10.1.1.254 dev netio0 proto static
Then I did
ip route del table 220 default
Question: what is the use of that table 220? Do we have a CLI to avoid Strongswan installing that route? It's not necessary in case of VTI. It would be very nice to be able controlling it.
As of this stage I can ping from my Cisco router the linux box.
R101-HUB#clear crypto sa counters
R101-HUB#ping 10.0.0.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/5/6 ms
R101-HUB#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect
Interface: Tunnel0
Profile: linux
Uptime: 00:30:28
Session status: UP-ACTIVE
Peer: 10.1.1.1 port 4500 fvrf: (none) ivrf: (none)
Phase1_id: 10.1.1.1
Desc: (none)
Session ID: 7
IKEv2 SA: local 10.1.1.254/4500 remote 10.1.1.1/4500 Active
Capabilities:(none) connid:1 lifetime:23:29:32
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 100 drop 0 life (KB/Sec) 4224917/1772
Outbound: #pkts enc'ed 100 drop 0 life (KB/Sec) 4224785/1772
Out of interest I did:
1) Create the VTI interface with mark32
ip tunnel add vti0 mode vti local 10.1.1.1 remote 10.1.1.254 okey 32 ikey 32
ip link set vti0 up
ip addr add 10.0.0.1/30 remote 10.0.0.2/30 dev vti0
2) Configure strongswan
conn VTI
keyexchange=ikev2
ike=aes256-sha1-modp1024
esp=aes256-sha1!
left=10.1.1.1
leftid=10.1.1.1
leftauth=psk
leftsubnet=0.0.0.0/0
rightauth=psk
right=10.1.1.254
rightid=10.1.1.254
rightsubnet=0.0.0.0/0
auto=start
mark=32
3) Disable RP_filters on the vti0 intf
echo "0" > /proc/sys/net/ipv4/conf/vti0/rp_filter
4) Erase the default in the table 220
ip route del table 220 default
Merry Xmas and Happy new year!
Olivier Pelerin
From: olivier_pelerin at hotmail.com
To: schwarz at gaertner.de
Date: Fri, 19 Dec 2014 13:28:16 +0100
CC: users at lists.strongswan.org
Subject: Re: [strongSwan] Strongswan using VTI
Interesting!
Let me try that out after Christmas!
Regards
> Date: Thu, 18 Dec 2014 17:15:07 +0100
> From: schwarz at gaertner.de
> To: olivier_pelerin at hotmail.com
> CC: avalentin at marcant.net; users at lists.strongswan.org
> Subject: Re: [strongSwan] Strongswan using VTI
>
> Hi,
> >>>>> "OP" == Olivier PELERIN <olivier_pelerin at hotmail.com> writes:
>
> OP> Tried to follow this kernel commit - it does not work
>
> OP> https://lists.ubuntu.com/archives/kernel-team/2013-November/034116.html
>
> OP> It seems utterly broken
>
> OP> From: olivier_pelerin at hotmail.com
> OP> To: avalentin at marcant.net; users at lists.strongswan.org
> OP> Date: Thu, 18 Dec 2014 10:11:23 +0100
> OP> Subject: Re: [strongSwan] Strongswan using VTI
>
> OP> Will try it out
>
> OP> When I strace my ping I'm getting (Resource temporarily unavailable) when we receive the echo-reply
>
> OP> sendmsg(3, {msg_name(16)={sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("10.0.0.2")}, msg_iov(1)=[{"\10\0\312\350Y\362\00096\231\222T\0\0\0\0K+\0\0\0\0\0\0\20\21\22\23\24\25\26\27"..., 64}], msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_IP, cmsg_type=, ...}, msg_flags=0}, 0) = 64
> OP> recvmsg(3, 0x7fff93401680, 0) = -1 EAGAIN (Resource temporarily unavailable)
> OP> gettimeofday({1418893623, 10985}, NULL) = 0
> OP> gettimeofday({1418893623, 11029}, NULL) = 0
>
> check your kernel parameter xfrm4_gc_thresh with:
>
> cat /proc/sys/net/ipv4/xfrm4_gc_thresh
>
> if you see 1024 or even 2048 as the result, it's way to low. bump it
> up with:
>
> echo 262144 > /proc/sys/net/ipv4/xfrm4_gc_thresh
>
> and check your ping/traceroute again. if you succseed, make your
> setting permanet and add
>
> net.ipv4.xfrm4_gc_thresh = 262144
>
> to /etc/sysctl.conf.
> kind regards, schwarz
>
> --
> Gärtner Datensysteme GmbH & Co. KG Komplementärin:
> Gärtner Datensysteme
> Hamburger Str. 273a Tel. (0531) 2 33 55 55 Verwaltungs GmbH
> 38114 Braunschweig Fax (0531) 2 33 55 56
> Amtsgericht Braunschweig
> Amtsgericht Braunschweig HRA 200 848 HRB 202 115
>
> GmbH-Geschäftsführung:
> Christine Müller Martin Neitzel Ulrich Schwarz Dr. Stefan Gärtner
_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20141219/4dda8d05/attachment-0001.html>
More information about the Users
mailing list