[strongSwan] Strongswan and VTI

Jérémie Vandeville j.vandeville at gmail.com
Sun Dec 21 19:13:40 CET 2014


Hi everyone, I’m trying to test VTI with strongswan but it's not working :(

OS : ubuntu server 14.04 (kernel 3.13)
Strongswan version : 5.1.2

It's a very simple configuration. I use the loopback interface to
simulate the remote subnets:

10.0.0.0/24 -- (host A) 192.168.42.32/24 -- 192.168.42.12/24 (host B)
-- 10.0.1.0/24

Host A (192.168.42.32)

conn test
        left=192.168.42.32
        leftid=192.168.42.32
        right=192.168.42.12
        rightid=192.168.42.12
        auto=add
        authby=psk
        keyexchange=ikev2
        mark=0xf

ip link add sti15 type vti key 15 remote 192.168.42.12 local 192.168.42.32
ip link set up dev sti15
ip add add 10.0.0.1/24 dev lo
ip route add 10.0.1.0/24 dev sti15

sysctl -w net.ipv4.conf.default.rp_filter=0
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.ip_forward=1

Host B (192.168.42.12)

conn test
        right=192.168.42.32
        rightid=192.168.42.32
        left=192.168.42.12
        leftid=192.168.42.12
        auto=add
        authby=psk
        keyexchange=ikev2
        mark=0xf

ip link add sti15 type vti key 15 remote 192.168.42.32 local 192.168.42.12
ip link set up dev sti15
ip add add 10.0.1.1/24 dev lo
ip route add 10.0.0.0/24 dev sti15

sysctl -w net.ipv4.conf.default.rp_filter=0
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.ip_forward=1

I can establish the tunnel

bob at hostA:~$ sudo ipsec up test
bob at hostA:~$ sudo ip xfrm state
src 192.168.42.32 dst 192.168.42.12
        proto esp spi 0xc6d2e5b7 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        mark 15/0xffffffff
        auth-trunc hmac(sha1) 0x3e531e56d793fee295333f7332a668fc2d92e5c2 96
        enc cbc(aes) 0x56c5992436c20856c3f21364669573e1
src 192.168.42.12 dst 192.168.42.32
        proto esp spi 0xccc14d12 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        mark 15/0xffffffff
        auth-trunc hmac(sha1) 0xdba56f05e09b117a8f25389fbffadbcb928857a2 96
        enc cbc(aes) 0xc563ec45190cf6520309e7ddc2b3416f

but I can't ping 10.0.1.1 from 10.0.0.1

bob at hostA:~$  ping 10.0.1.1 -I 10.0.0.1
PING 10.0.1.1 (10.0.1.1) from 10.0.0.1 : 56(84) bytes of data.
^C
--- 10.0.1.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms

But on host B, I can see the ESP packets coming in

bob at hostB:~$ sudo tcpdump -nni eth0 esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:08:14.489013 IP 192.168.42.32 > 192.168.42.12:
ESP(spi=0xc9d53704,seq=0x3), length 132
19:08:15.487248 IP 192.168.42.32 > 192.168.42.12:
ESP(spi=0xc9d53704,seq=0x4), length 132

But no answers... Where is my mistake? Thanks, and sorry for my bad English.
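As an added diagnostic example (not part of the post above and not strongSwan's own tooling), the following Python script checks the two things a VTI-based setup needs to agree on in the kernel: every IPsec SA must carry a mark equal to the VTI key, and the SPD entries carrying that mark must have traffic selectors that cover the subnets routed over the interface. The `ip xfrm state` text is the one from the post; the `ip xfrm policy` samples are constructed, since the post does not show any policy output. One sample uses /32 host selectors, which is what ipsec.conf installs when leftsubnet/rightsubnet are not set (they default to the left and right host addresses), and the other uses 0.0.0.0/0 selectors. The subnets, the key value 15 and the output formats assumed by the parser are taken from the post; the priority numbers in the policy samples are placeholders.

```python
import ipaddress
import re

# `ip xfrm state` output from the original post (host A); auth/enc key lines omitted.
XFRM_STATE = """\
src 192.168.42.32 dst 192.168.42.12
        proto esp spi 0xc6d2e5b7 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        mark 15/0xffffffff
src 192.168.42.12 dst 192.168.42.32
        proto esp spi 0xccc14d12 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        mark 15/0xffffffff
"""

# Constructed `ip xfrm policy` output (assumption, not shown in the post): the /32 host
# selectors installed when leftsubnet/rightsubnet are left at their defaults.
POLICY_HOST_ONLY = """\
src 192.168.42.32/32 dst 192.168.42.12/32
        dir out priority 1859 ptype main
        mark 0xf/0xffffffff
        tmpl src 192.168.42.32 dst 192.168.42.12
                proto esp reqid 1 mode tunnel
src 192.168.42.12/32 dst 192.168.42.32/32
        dir fwd priority 1859 ptype main
        mark 0xf/0xffffffff
        tmpl src 192.168.42.12 dst 192.168.42.32
                proto esp reqid 1 mode tunnel
src 192.168.42.12/32 dst 192.168.42.32/32
        dir in priority 1859 ptype main
        mark 0xf/0xffffffff
        tmpl src 192.168.42.12 dst 192.168.42.32
                proto esp reqid 1 mode tunnel
"""

# Same policies with leftsubnet=0.0.0.0/0 and rightsubnet=0.0.0.0/0 (constructed).
POLICY_ANY = (POLICY_HOST_ONLY.replace("192.168.42.32/32", "0.0.0.0/0")
                              .replace("192.168.42.12/32", "0.0.0.0/0"))


def _records(text):
    """Split `ip xfrm` output into one string per entry (each starts with 'src ')."""
    recs, cur = [], []
    for line in text.splitlines():
        if line.startswith("src ") and cur:
            recs.append("\n".join(cur))
            cur = []
        if line.strip():
            cur.append(line)
    if cur:
        recs.append("\n".join(cur))
    return recs


def _mark(rec):
    """Return (value, mask) from a 'mark 15/0xffffffff' or 'mark 0xf/0xffffffff' line."""
    m = re.search(r"\bmark (\S+)/(\S+)", rec)
    return (int(m.group(1), 0), int(m.group(2), 0)) if m else (None, 0xffffffff)


def parse_states(text):
    out = []
    for rec in _records(text):
        head = re.match(r"src (\S+) dst (\S+)", rec)
        spi = re.search(r"\bspi (0x[0-9a-fA-F]+)", rec)
        mark, mask = _mark(rec)
        out.append({"src": head.group(1), "dst": head.group(2),
                    "spi": spi.group(1) if spi else "?", "mark": mark, "mask": mask})
    return out


def parse_policies(text):
    out = []
    for rec in _records(text):
        head = re.match(r"src (\S+) dst (\S+)", rec)
        direction = re.search(r"\bdir (\w+)", rec)
        mark, _ = _mark(rec)
        out.append({"src": ipaddress.ip_network(head.group(1), strict=False),
                    "dst": ipaddress.ip_network(head.group(2), strict=False),
                    "dir": direction.group(1) if direction else "?", "mark": mark})
    return out


def check_vti(states, policies, vti_key, local_subnet, remote_subnet):
    """Return findings (empty list = consistent) for routing local_subnet <-> remote_subnet
    over a VTI whose key is vti_key."""
    local_subnet = ipaddress.ip_network(local_subnet)
    remote_subnet = ipaddress.ip_network(remote_subnet)
    findings = []
    if not states:
        findings.append("no IPsec SAs installed")
    for s in states:
        # The VTI sets skb->mark = key; the SA is only found if mark & mask matches.
        if s["mark"] is None or (s["mark"] & s["mask"]) != (vti_key & s["mask"]):
            findings.append(f"SA spi {s['spi']}: mark {s['mark']} does not match VTI key {vti_key}")

    def covered(direction, src, dst):
        return any(p["dir"] == direction and p["mark"] == vti_key
                   and src.subnet_of(p["src"]) and dst.subnet_of(p["dst"])
                   for p in policies)

    # Traffic entering the VTI is looked up against 'dir out'; decapsulated traffic
    # must pass a 'dir in' (local delivery) or 'dir fwd' (forwarded) policy.
    for direction, src, dst in (("out", local_subnet, remote_subnet),
                                ("in", remote_subnet, local_subnet),
                                ("fwd", remote_subnet, local_subnet)):
        if not covered(direction, src, dst):
            findings.append(f"no 'dir {direction}' policy with mark {vti_key} covers {src} -> {dst}")
    return findings


if __name__ == "__main__":
    states = parse_states(XFRM_STATE)
    for name, text in (("host-only selectors", POLICY_HOST_ONLY), ("0.0.0.0/0 selectors", POLICY_ANY)):
        print(name, check_vti(states, parse_policies(text), 15, "10.0.0.0/24", "10.0.1.0/24"))
```

On a real host, replace the two sample strings with the actual output of `ip xfrm state` and `ip xfrm policy`, and pass the VTI key from `ip -d link show sti15` together with the subnets routed via the interface; the checks are purely textual and need no privileges.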
