[strongSwan] Strongswan and VTI

Jérémie Vandeville j.vandeville at gmail.com
Tue Dec 23 13:52:18 CET 2014


I have a clue. If I add the following iptables rule:

bob at hostB:~# sudo iptables -t mangle -A PREROUTING -p esp -s 192.168.42.32 -d 192.168.42.12 -j MARK --set-mark 15

I can see the ICMP packet but no answer from the loopback...

root at hostB:~# tcpdump -nni eth0 esp or icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:44:34.363952 IP 192.168.42.32 > 192.168.42.12: ESP(spi=0xcff5b152,seq=0x76), length 132
13:44:34.363952 IP 10.0.0.1 > 10.0.1.1: ICMP echo request, id 1187, seq 5, length 64

Anyone has an idea?

2014-12-21 19:13 GMT+01:00 Jérémie Vandeville <j.vandeville at gmail.com>:
> Hi everyone, I’m trying to test VTI with strongswan but it's not working :(
>
> OS : ubuntu server 14.04 (kernel 3.13)
> Strongswan version : 5.1.2
>
> It's a very simple configuration. I use the loopback interface to
> simulate the remote subnets
>
> 10.0.0.0/24 -- (host A) 192.168.42.32/24 -- 192.168.42.12/24 (host B)
> -- 10.0.1.0/24
>
> Host A (192.168.42.32)
>
> conn test
>         left=192.168.42.32
>         leftid=192.168.42.32
>         right=192.168.42.12
>         rightid=192.168.42.12
>         auto=add
>         authby=psk
>         keyexchange=ikev2
>         mark=0xf
>
> ip link add sti15 type vti key 15 remote 192.168.42.12 local 192.168.42.32
> ip link set up dev sti15
> ip add add 10.0.0.1/24 dev lo
> ip route add 10.0.1.0/24 dev sti15
>
> sysctl -w net.ipv4.conf.default.rp_filter=0
> sysctl -w net.ipv4.conf.all.rp_filter=0
> sysctl -w net.ipv4.ip_forward=1
>
> Host B (192.168.42.12)
>
> conn test
>         right=192.168.42.32
>         rightid=192.168.42.32
>         left=192.168.42.12
>         leftid=192.168.42.12
>         auto=add
>         authby=psk
>         keyexchange=ikev2
>         mark=0xf
>
> ip link add sti15 type vti key 15 remote 192.168.42.32 local 192.168.42.12
> ip link set up dev sti15
> ip add add 10.0.1.1/24 dev lo
> ip route add 10.0.0.0/24 dev sti15
>
> sysctl -w net.ipv4.conf.default.rp_filter=0
> sysctl -w net.ipv4.conf.all.rp_filter=0
> sysctl -w net.ipv4.ip_forward=1
>
> I can establish the tunnel
>
> bob at hostA:~$ sudo ipsec up test
> bob at hostA:~$ sudo ip xfrm state
> src 192.168.42.32 dst 192.168.42.12
>         proto esp spi 0xc6d2e5b7 reqid 1 mode tunnel
>         replay-window 32 flag af-unspec
>         mark 15/0xffffffff
>         auth-trunc hmac(sha1) 0x3e531e56d793fee295333f7332a668fc2d92e5c2 96
>         enc cbc(aes) 0x56c5992436c20856c3f21364669573e1
> src 192.168.42.12 dst 192.168.42.32
>         proto esp spi 0xccc14d12 reqid 1 mode tunnel
>         replay-window 32 flag af-unspec
>         mark 15/0xffffffff
>         auth-trunc hmac(sha1) 0xdba56f05e09b117a8f25389fbffadbcb928857a2 96
>         enc cbc(aes) 0xc563ec45190cf6520309e7ddc2b3416f
>
> but I can't ping 10.0.1.1 with 10.0.0.1
>
> bob at hostA:~$  ping 10.0.1.1 -I 10.0.0.1
> PING 10.0.1.1 (10.0.1.1) from 10.0.0.1 : 56(84) bytes of data.
> ^C
> --- 10.0.1.1 ping statistics ---
> 2 packets transmitted, 0 received, 100% packet loss, time 999ms
>
> But on host B, I can see the ESP packets coming
>
> bob at hostB:~$ sudo tcpdump -nni eth0 esp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 19:08:14.489013 IP 192.168.42.32 > 192.168.42.12: ESP(spi=0xc9d53704,seq=0x3), length 132
> 19:08:15.487248 IP 192.168.42.32 > 192.168.42.12: ESP(spi=0xc9d53704,seq=0x4), length 132
>
> But no answers... Where is my mistake? Thanks and sorry for my bad English.

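In the setup above, the conn's mark (0xf) and the VTI key (15) must be the same value on both SAs or traffic never reaches the sti15 device. The following script is an added example, not code from the thread or from strongSwan: it parses `ip xfrm state` output and reports whether every SA carries the expected mark. `check_sa_marks` and the sample text are constructed for this example.

```shell
#!/bin/sh
# Added check, not from the original thread: verifies that every xfrm SA of
# the tunnel carries the same mark the VTI device was created with.
# The conn's mark (0xf) and the VTI key (15) are the same number; `ip xfrm
# state` may print it as decimal or as 0x-prefixed hex, so both are accepted.

# Constructed sample modelled on the `ip xfrm state` output in the thread.
SAMPLE_XFRM_STATE='src 192.168.42.32 dst 192.168.42.12
        proto esp spi 0xc6d2e5b7 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        mark 15/0xffffffff
src 192.168.42.12 dst 192.168.42.32
        proto esp spi 0xccc14d12 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        mark 15/0xffffffff'

# check_sa_marks KEY [FILE]: KEY is the VTI key / conn mark (decimal or 0x hex);
# FILE is xfrm state text (default: stdin). Prints one line per SA,
# "<src> <dst> <mark> ok|MISMATCH|NOMARK", and returns 0 only when exactly
# two SAs (one per direction) are present and both carry KEY.
check_sa_marks() {
    key=$(( $1 ))                      # shell arithmetic normalises 0xf -> 15
    awk -v key="$key" '
        function hexval(s,   i, v) {   # awk has no hex parsing of its own
            v = 0; s = tolower(s)
            for (i = 3; i <= length(s); i++)
                v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
            return v
        }
        function flush() {             # emit the verdict for the SA just read
            if (src == "") return
            n++
            if (mark == "")       { status = "NOMARK";   bad++ }
            else if (mark != key) { status = "MISMATCH"; bad++ }
            else                    status = "ok"
            printf "%s %s %s %s\n", src, dst, (mark == "" ? "-" : mark), status
        }
        /^src / { flush(); src = $2; dst = $4; mark = "" }
        /^[ \t]*mark / {
            split($2, m, "/")          # "15/0xffffffff" -> value / mask
            mark = (m[1] ~ /^0[xX]/) ? hexval(m[1]) : m[1] + 0
        }
        END { flush(); exit ((n == 2 && bad == 0) ? 0 : 1) }
    ' "${2:--}"
}

# Live use on a host (root needed): ip xfrm state | check_sa_marks 0xf
```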