[strongSwan] Strongswan and VTI

Noel Kuntze noel at familie-kuntze.de
Tue Dec 23 20:35:21 CET 2014



Hello Jeremie,

Please read the thread at [1].
VTI tunnels were discussed in great detail just a couple of days ago and made to work.

[1] https://lists.strongswan.org/pipermail/users/2014-December/007108.html

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 23.12.2014 13:52, Jérémie Vandeville wrote:
> I have a clue. If I add the following iptables rule:
>
> bob at hostB:~# sudo iptables -t mangle -A PREROUTING -p esp -s 192.168.42.32 -d 192.168.42.12 -j MARK --set-mark 15
>
> I can see the ICMP packet but no answer from the loopback...
>
> root at hostB:~# tcpdump -nni eth0 esp or icmp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 13:44:34.363952 IP 192.168.42.32 > 192.168.42.12: ESP(spi=0xcff5b152,seq=0x76), length 132
> 13:44:34.363952 IP 10.0.0.1 > 10.0.1.1: ICMP echo request, id 1187, seq 5, length 64
>
> Anyone has an idea?
>
> 2014-12-21 19:13 GMT+01:00 Jérémie Vandeville <j.vandeville at gmail.com>:
>> Hi everyone, I’m trying to test VTI with strongswan but it's not working :(
>>
>> OS : ubuntu server 14.04 (kernel 3.13)
>> Strongswan version : 5.1.2
>>
>> It’s a very simple configuration. I use the loopback interface to
>> simulate the remote subnets.
>>
>> 10.0.0.0/24 -- (host A) 192.168.42.32/24 -- 192.168.42.12/24 (host B)
>> -- 10.0.1.0/24
>>
>> Host A (192.168.42.32)
>>
>> conn test
>>         left=192.168.42.32
>>         leftid=192.168.42.32
>>         right=192.168.42.12
>>         rightid=192.168.42.12
>>         auto=add
>>         authby=psk
>>         keyexchange=ikev2
>>         mark=0xf
>>
>> ip link add sti15 type vti key 15 remote 192.168.42.12 local 192.168.42.32
>> ip link set up dev sti15
>> ip add add 10.0.0.1/24 dev lo
>> ip route add 10.0.1.0/24 dev sti15
>>
>> sysctl -w net.ipv4.conf.default.rp_filter=0
>> sysctl -w net.ipv4.conf.all.rp_filter=0
>> sysctl -w net.ipv4.ip_forward=1
>>
>> Host B (192.168.42.12)
>>
>> conn test
>>         right=192.168.42.32
>>         rightid=192.168.42.32
>>         left=192.168.42.12
>>         leftid=192.168.42.12
>>         auto=add
>>         authby=psk
>>         keyexchange=ikev2
>>         mark=0xf
>>
>> ip link add sti15 type vti key 15 remote 192.168.42.32 local 192.168.42.12
>> ip link set up dev sti15
>> ip add add 10.0.1.1/24 dev lo
>> ip route add 10.0.0.0/24 dev sti15
>>
>> sysctl -w net.ipv4.conf.default.rp_filter=0
>> sysctl -w net.ipv4.conf.all.rp_filter=0
>> sysctl -w net.ipv4.ip_forward=1
>>
>> I can establish the tunnel
>>
>> bob at hostA:~$ sudo ipsec up test
>> bob at hostA:~$ sudo ip xfrm state
>> src 192.168.42.32 dst 192.168.42.12
>>         proto esp spi 0xc6d2e5b7 reqid 1 mode tunnel
>>         replay-window 32 flag af-unspec
>>         mark 15/0xffffffff
>>         auth-trunc hmac(sha1) 0x3e531e56d793fee295333f7332a668fc2d92e5c2 96
>>         enc cbc(aes) 0x56c5992436c20856c3f21364669573e1
>> src 192.168.42.12 dst 192.168.42.32
>>         proto esp spi 0xccc14d12 reqid 1 mode tunnel
>>         replay-window 32 flag af-unspec
>>         mark 15/0xffffffff
>>         auth-trunc hmac(sha1) 0xdba56f05e09b117a8f25389fbffadbcb928857a2 96
>>         enc cbc(aes) 0xc563ec45190cf6520309e7ddc2b3416f
>>
>> but I can't ping 10.0.1.1 with 10.0.0.1
>>
>> bob at hostA:~$ ping 10.0.1.1 -I 10.0.0.1
>> PING 10.0.1.1 (10.0.1.1) from 10.0.0.1 : 56(84) bytes of data.
>> ^C
>> --- 10.0.1.1 ping statistics ---
>> 2 packets transmitted, 0 received, 100% packet loss, time 999ms
>>
>> But on host B, I can see the ESP packets coming
>>
>> bob at hostB:~$ sudo tcpdump -nni eth0 esp
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>> 19:08:14.489013 IP 192.168.42.32 > 192.168.42.12: ESP(spi=0xc9d53704,seq=0x3), length 132
>> 19:08:15.487248 IP 192.168.42.32 > 192.168.42.12: ESP(spi=0xc9d53704,seq=0x4), length 132
>>
>> But no answers... Where is my mistake? Thanks and sorry for my bad English.

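The setup quoted above relies on one value appearing in three places: the conn's `mark=0xf`, the VTI interface's `key 15`, and the `mark 15/0xffffffff` on both installed SAs. The script below is an added consistency check written for this thread (not from the thread itself or from strongSwan); its three inputs are constructed from the posted values, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added consistency check (not from the thread or strongSwan): confirm that the
# strongSwan conn mark, the VTI key and the installed xfrm SA marks agree.
# The three inputs are constructed from the values posted in the thread; in
# real use feed in the actual ipsec.conf, setup script and `ip xfrm state`.

IPSEC_CONF='conn test
        left=192.168.42.32
        right=192.168.42.12
        mark=0xf'

VTI_SETUP='ip link add sti15 type vti key 15 remote 192.168.42.12 local 192.168.42.32
ip link set up dev sti15'

XFRM_STATE='src 192.168.42.32 dst 192.168.42.12
        proto esp spi 0xc6d2e5b7 reqid 1 mode tunnel
        mark 15/0xffffffff
src 192.168.42.12 dst 192.168.42.32
        proto esp spi 0xccc14d12 reqid 1 mode tunnel
        mark 15/0xffffffff'

# The value of "mark=" in the conn block (hex or decimal; strongSwan accepts both).
conn_mark()  { printf '%s\n' "$1" | awk -F= '$1 ~ /^[[:space:]]*mark$/ {print $2}'; }
# Every key/ikey/okey value on "type vti" lines of the setup script.
vti_keys()   { printf '%s\n' "$1" | awk '/type vti/ {for (i=1;i<NF;i++) if ($i ~ /key$/) print $(i+1)}'; }
# The mark value (before the /mask) of every SA in `ip xfrm state` output.
xfrm_marks() { printf '%s\n' "$1" | awk '$1=="mark" {split($2,m,"/"); print m[1]}'; }

# Returns 0 when every VTI key and SA mark equals the conn mark, 1 otherwise.
check_marks() {
    local conf="$1" setup="$2" xfrm="$3" want got n=0
    want=$(conn_mark "$conf")
    [ -n "$want" ] || { echo "no mark= in conn block"; return 1; }
    want=$(( $want ))                        # normalise 0xf -> 15
    for got in $(vti_keys "$setup") $(xfrm_marks "$xfrm"); do
        n=$(( n + 1 ))
        if [ "$(( $got ))" -ne "$want" ]; then
            echo "mismatch: conn mark is $want but found $got"; return 1
        fi
    done
    [ "$n" -ge 3 ] || { echo "expected a VTI key and two SA marks, found $n"; return 1; }
    echo "ok: conn mark, VTI key and both xfrm SA marks equal $want"
}

check_marks "$IPSEC_CONF" "$VTI_SETUP" "$XFRM_STATE"
```

A mismatch between these values means ESP arriving on the host will not be matched to the VTI's SA, which is the kind of one-way symptom the tcpdump output above shows.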
