[strongSwan] Fwd: Strongswan and VTI

Jérémie Vandeville j.vandeville at gmail.com
Wed Dec 24 11:42:04 CET 2014


---------- Forwarded message ----------
From: Jérémie Vandeville <j.vandeville at gmail.com>
Date: 2014-12-24 11:39 GMT+01:00
Subject: Re: [strongSwan] Strongswan and VTI
To: Noel Kuntze <noel at familie-kuntze.de>


I don't know why I didn't see this sooner... Thanks.

Unfortunately, even with Olivier's configuration, it's still not
working... Anyway, I give up. Too much hacking to make it work at this
time.

2014-12-23 20:35 GMT+01:00 Noel Kuntze <noel at familie-kuntze.de>:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello Jeremie,
>
> Please read the thread at [1].
> VTI tunnels were discussed in great detail just a couple of days ago and made to work.
>
> [1] https://lists.strongswan.org/pipermail/users/2014-December/007108.html
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 23.12.2014 13:52, Jérémie Vandeville wrote:
>> I have a clue. If I add the following iptables rule:
>>
>> bob at hostB:~# sudo iptables -t mangle -A PREROUTING -p esp -s 192.168.42.32 -d 192.168.42.12 -j MARK --set-mark 15
>>
>> I can see the ICMP packet but no answer from the loopback...
>>
>> root at hostB:~# tcpdump -nni eth0 esp or icmp
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>> 13:44:34.363952 IP 192.168.42.32 > 192.168.42.12:
>> ESP(spi=0xcff5b152,seq=0x76), length 132
>> 13:44:34.363952 IP 10.0.0.1 > 10.0.1.1: ICMP echo request, id 1187,
>> seq 5, length 64
>>
>> Does anyone have an idea?
>>
>> 2014-12-21 19:13 GMT+01:00 Jérémie Vandeville <j.vandeville at gmail.com>:
>>> Hi everyone, I’m trying to test VTI with strongswan but it's not working :(
>>>
>>> OS : ubuntu server 14.04 (kernel 3.13)
>>> Strongswan version : 5.1.2
>>>
>>> It's a very simple configuration. I use the loopback interface to
>>> simulate the remote subnets:
>>>
>>> 10.0.0.0/24 -- (host A) 192.168.42.32/24 -- 192.168.42.12/24 (host B)
>>> -- 10.0.1.0/24
>>>
>>> Host A (192.168.42.32)
>>>
>>> conn test
>>>         left=192.168.42.32
>>>         leftid=192.168.42.32
>>>         right=192.168.42.12
>>>         rightid=192.168.42.12
>>>         auto=add
>>>         authby=psk
>>>         keyexchange=ikev2
>>>         mark=0xf
>>>
>>> ip link add sti15 type vti key 15 remote 192.168.42.12 local 192.168.42.32
>>> ip link set up dev sti15
>>> ip add add 10.0.0.1/24 dev lo
>>> ip route add 10.0.1.0/24 dev sti15
>>>
>>> sysctl -w net.ipv4.conf.default.rp_filter=0
>>> sysctl -w net.ipv4.conf.all.rp_filter=0
>>> sysctl -w net.ipv4.ip_forward=1
>>>
>>> Host B (192.168.42.12)
>>>
>>> conn test
>>>         right=192.168.42.32
>>>         rightid=192.168.42.32
>>>         left=192.168.42.12
>>>         leftid=192.168.42.12
>>>         auto=add
>>>         authby=psk
>>>         keyexchange=ikev2
>>>         mark=0xf
>>>
>>> ip link add sti15 type vti key 15 remote 192.168.42.32 local 192.168.42.12
>>> ip link set up dev sti15
>>> ip add add 10.0.1.1/24 dev lo
>>> ip route add 10.0.0.0/24 dev sti15
>>>
>>> sysctl -w net.ipv4.conf.default.rp_filter=0
>>> sysctl -w net.ipv4.conf.all.rp_filter=0
>>> sysctl -w net.ipv4.ip_forward=1
>>>
>>> I can establish the tunnel
>>>
>>> bob at hostA:~$ sudo ipsec up test
>>> bob at hostA:~$ sudo ip xfrm state
>>> src 192.168.42.32 dst 192.168.42.12
>>>         proto esp spi 0xc6d2e5b7 reqid 1 mode tunnel
>>>         replay-window 32 flag af-unspec
>>>         mark 15/0xffffffff
>>>         auth-trunc hmac(sha1) 0x3e531e56d793fee295333f7332a668fc2d92e5c2 96
>>>         enc cbc(aes) 0x56c5992436c20856c3f21364669573e1
>>> src 192.168.42.12 dst 192.168.42.32
>>>         proto esp spi 0xccc14d12 reqid 1 mode tunnel
>>>         replay-window 32 flag af-unspec
>>>         mark 15/0xffffffff
>>>         auth-trunc hmac(sha1) 0xdba56f05e09b117a8f25389fbffadbcb928857a2 96
>>>         enc cbc(aes) 0xc563ec45190cf6520309e7ddc2b3416f
>>>
>>> but I can't ping 10.0.1.1 from 10.0.0.1
>>>
>>> bob at hostA:~$  ping 10.0.1.1 -I 10.0.0.1
>>> PING 10.0.1.1 (10.0.1.1) from 10.0.0.1 : 56(84) bytes of data.
>>> ^C
>>> --- 10.0.1.1 ping statistics ---
>>> 2 packets transmitted, 0 received, 100% packet loss, time 999ms
>>>
>>> But on host B, I can see the ESP packets coming
>>>
>>> bob at hostB:~$ sudo tcpdump -nni eth0 esp
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>>> 19:08:14.489013 IP 192.168.42.32 > 192.168.42.12:
>>> ESP(spi=0xc9d53704,seq=0x3), length 132
>>> 19:08:15.487248 IP 192.168.42.32 > 192.168.42.12:
>>> ESP(spi=0xc9d53704,seq=0x4), length 132
>>>
>>> But no answers... Where is my mistake? Thanks, and sorry for my bad English.
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
>
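The thread above ends without a resolution (Noel's pointer to [1] is where the working setup is described), but two things in the posted configuration can be checked mechanically before going further: the VTI key must equal the mark on both SAs (strongSwan's mark=0xf is 15, which the posted ip xfrm state output shows as 15/0xffffffff), and /proc/net/xfrm_stat records which XFRM input or output check drops a packet, so a snapshot before and after the failing ping shows where the echo request or reply dies. The script below is an added example written for this page; it is not code from the thread, from Olivier's configuration, or from strongSwan. The function names are mine, the ip and /proc/net/xfrm_stat text it parses in the test is constructed from the output formats shown in the thread and in the kernel, and the live mode assumes root on a host set up as in the post. It tells you where packets are dropped, not what the fix is.

```shell
#!/bin/sh
# Added example (not from the thread or from strongSwan): checks for a
# marked-SA + VTI setup like the one in the post. Function names are mine.

# vti_keys LINKTEXT: print "ikey okey" parsed from `ip -d link show dev <vti>`
# output. `ip link add ... key 15` sets both keys to 15, and both must equal
# the SA mark that strongSwan's mark= option installs.
vti_keys() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) {
              if ($i == "ikey") ik = $(i + 1)
              if ($i == "okey") ok = $(i + 1) } }
        END { print ik, ok }'
}

# check_sa_marks STATETEXT KEY: succeed only if every ESP SA in `ip xfrm state`
# output carries mark KEY (decimal or 0x-hex); report every mismatch and any
# SA that has no mark line at all (such an SA is never matched via the VTI).
check_sa_marks() {
    key=$(( $2 ))
    n_sa=$(printf '%s\n' "$1" | awk '/proto esp/ { n++ } END { print n + 0 }')
    n_mark=$(printf '%s\n' "$1" | awk '$1 == "mark" { n++ } END { print n + 0 }')
    marks=$(printf '%s\n' "$1" | awk '$1 == "mark" { split($2, m, "/"); print m[1] }')
    rc=0
    if [ "$n_sa" -ne "$n_mark" ]; then
        echo "$n_sa ESP SAs but only $n_mark of them carry a mark"
        rc=1
    fi
    for m in $marks; do
        if [ $(( m )) -ne "$key" ]; then
            echo "SA mark $m does not match VTI key $key"
            rc=1
        fi
    done
    return $rc
}

# xfrm_stat_delta BEFORE AFTER: given two copies of /proc/net/xfrm_stat, print
# the counters that grew between them, e.g. "XfrmInNoPols +2" when decrypted
# packets are dropped for lack of a matching inbound policy, or
# "XfrmInTmplMismatch +N" when the decrypted packet does not match the
# selector of the policy that was found.
xfrm_stat_delta() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        $1 ~ /^Xfrm/ {
            if ($1 in first) { d = $2 - first[$1]; if (d > 0) print $1, "+" d }
            else first[$1] = $2 }'
}

# Live use (root, host configured as in the post):
#   sh vticheck.sh live sti15 10.0.1.1 10.0.0.1
# Runs the checks against the real interface and SAs, then pings across the
# VTI with the loopback address as source and shows which xfrm counters moved.
if [ "${1:-}" = live ]; then
    dev=$2; dst=$3; src=$4
    set -- $(vti_keys "$(ip -d link show dev "$dev")")
    echo "VTI $dev ikey=$1 okey=$2"
    [ "$1" = "$2" ] || echo "warning: ikey and okey differ; strongSwan mark=N sets both to N"
    check_sa_marks "$(ip xfrm state)" "$1" && echo "all ESP SAs carry mark $1"
    before=$(cat /proc/net/xfrm_stat)
    ping -c 3 -W 1 -I "$src" "$dst" >/dev/null 2>&1
    after=$(cat /proc/net/xfrm_stat)
    echo "xfrm_stat counters that grew during the ping:"
    xfrm_stat_delta "$before" "$after"
fi
```

Run the live mode on both hosts: on host B a growing XfrmIn* counter means the ESP packet seen in tcpdump was decrypted but then rejected by an inbound check, while a growing XfrmOut* counter on host A points at the reply never leaving; which counter it is narrows the search to the policy, template or state lookup before you start changing marks and iptables rules.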

