[strongSwan] Using StrongSwan with VTI devices
Brad Johnson
bjohnson at ecessa.com
Fri May 9 15:26:11 CEST 2014
Hello,
Here is my config for Site1:
--------------------------------
conn Site1
    left=10.1.1.2
    right=10.1.3.2
    auto=start
    leftsubnet=192.168.10.0/24
    rightsubnet=192.168.11.0/24
    keyingtries=%forever
    leftauth=psk
    rightauth=psk
    ikelifetime=8h
    ike=aes256-sha1-modp1536
    esp=aes256-sha1
    mark=32

# /etc/ipsec.secrets - strongSwan IPsec secrets file
10.1.1.2 10.1.3.2 : PSK "secret"

# mangle PREROUTING rules:
iptables -t mangle -A PREROUTING -s 192.168.10.0/24 -d 192.168.11.0/24 -j MARK --set-mark 32
iptables -t mangle -A PREROUTING -p esp -s 10.1.3.2 -d 10.1.1.2 -j MARK --set-mark 32
For Site2:
---------------------------
conn Site2
    left=10.1.3.2
    right=10.1.1.2
    auto=add
    leftsubnet=192.168.11.0/24
    rightsubnet=192.168.10.0/24
    keyingtries=%forever
    leftauth=psk
    rightauth=psk
    ikelifetime=8h
    ike=aes256-sha1-modp1536
    esp=aes256-sha1
    mark=32

# /etc/ipsec.secrets - strongSwan IPsec secrets file
10.1.3.2 10.1.1.2 : PSK "secret"

# mangle PREROUTING rules:
iptables -t mangle -A PREROUTING -s 192.168.11.0/24 -d 192.168.10.0/24 -j MARK --set-mark 32
iptables -t mangle -A PREROUTING -p esp -s 10.1.1.2 -d 10.1.3.2 -j MARK --set-mark 32
----------------------------------------------------------------------------
Now I have figured out how to associate the connection with a VTI link,
and can then skip the iptables rules and use normal routing over the VTI
tunnel (do this on both sites):
# Create a VTI link on Site1 with same mark as the connection:
ip link add vti0 type vti local 10.1.1.2 remote 10.1.3.2 key 32
# Add route to tunnel:
ip route add 192.168.11.0/24 dev vti0
With that, traffic outbound to the Site2 LAN goes out the tunnel and
gets properly encrypted. The only problem left then is the inbound
direction. When you set a mark value in the ipsec.conf connection, that
mark gets set on all the SAs and SPs (xfrm state and xfrm policy). As
mentioned here (http://www.spinics.net/lists/netdev/msg253134.html), for
the inbound encrypted packets to get directed into the vti tunnel the
inbound SA should have no mark (the 'wildcard' mark). So to get this to
properly work you need to modify the inbound xfrm state to have no mark.
We chose instead to apply a small patch to the strongSwan code to not mark
the inbound SA.
Regards,
Brad
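A check for the inbound-mark problem described in the message above, added here as an example and not part of Brad's message or of strongSwan itself: it parses `ip xfrm state` output and reports every inbound SA that still carries a mark, which is the SA the VTI device will not pick up. It assumes Site1's endpoint address 10.1.1.2 from the config above; the xfrm output it runs on is a constructed sample.

```shell
#!/bin/sh
# Constructed sample of `ip xfrm state` output on Site1 (local endpoint
# 10.1.1.2) after strongSwan installed the conn with mark=32: both the
# outbound and the inbound SA carry mark 0x20. Key material is shortened
# placeholder hex, not real keys.
SAMPLE_XFRM_STATE='src 10.1.1.2 dst 10.1.3.2
	proto esp spi 0xc0001111 reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	mark 0x20/0xffffffff
	auth-trunc hmac(sha1) 0x0011 96
	enc cbc(aes) 0x0022
src 10.1.3.2 dst 10.1.1.2
	proto esp spi 0xc0002222 reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	mark 0x20/0xffffffff
	auth-trunc hmac(sha1) 0x0033 96
	enc cbc(aes) 0x0044
'

# Reads `ip xfrm state` text on stdin. $1 is this host's tunnel endpoint
# address, so every SA whose dst is $1 is an inbound SA. Any inbound SA
# that still carries a mark is printed as "<spi> <mark>": that is the SA
# the kernel's VTI lookup (wildcard mark) will not match, so ESP packets
# for it never enter vti0. Exit status is 1 if any were found, else 0.
find_marked_inbound_sas() {
    awk -v local_ip="$1" '
        function flush() {
            if (dst == local_ip && mark != "") { print spi, mark; found++ }
        }
        $1 == "src" { flush(); src = $2; dst = $4; spi = ""; mark = "" }
        { for (i = 1; i <= NF; i++) if ($i == "spi") spi = $(i + 1) }
        $1 == "mark" { mark = $2 }
        END { flush(); exit (found ? 1 : 0) }
    '
}

# Live use on Site1:  ip xfrm state | find_marked_inbound_sas 10.1.1.2
# Offline demo on the constructed sample; reports inbound SA 0xc0002222.
printf '%s' "$SAMPLE_XFRM_STATE" | find_marked_inbound_sas 10.1.1.2 \
    || echo "inbound SA(s) above are marked; VTI will not decrypt them"
```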
On 05/09/2014 04:46 AM, Bogdan-Constantin Popescu wrote:
> Hello,
>
> Could you please share your ping-working configuration with me?
> I'm trying to achieve the same thing (use StrongSwan with VTI devices)
> and don't have any results yet, not even the ping between the hosts.
> I would have replied in the mailing list, but I just subscribed to it
> and I don't know how to reply to an older message from the list.
>
> Thanks in advance,
>
> Bogdan Popescu
>
> On 04/25/2014 10:33 AM, Brad Johnson wrote:
>> I am trying to get StrongSwan working together with VTI type links or
>> tunnels for more flexibility with marking and routing VPN traffic. We
>> are running a Gentoo distro with StrongSwan version 5.1.2 and kernel
>> 3.10.26. I need to figure out how to properly associate a VTI type
>> link with an ipsec SA and policy. I have successfully connected a SA
>> with 'mark_in=32' and 'mark_out=32' in the conn section of ipsec.conf,
>> and added the proper iptables mangle prerouting rules to mark inbound
>> and outbound packets (' -j MARK --set-mark 32'). With that I can
>> successfully ping end-to-end over the VPN (from host behind one router
>> to host behind the remote router).
>> Now I have created a VTI link like this:
>> # ip link add vti0 type vti local x.x.x.x remote y.y.y.y ikey 32 okey 32
>>
>> And I have tried many ways to associate this link with my ipsec SA
>> without success. And after much searching the Internet I have found
>> very little help. According to this linux kernel patch:
>> http://www.spinics.net/lists/netdev/msg253134.html it seems there
>> should be no need for additional iptables marking rules, but after
>> following the instructions there I still could not get it to work.
>>
>> Any help with this would be greatly appreciated.