[strongSwan] Using StrongSwan with VTI devices

Brad Johnson bjohnson at ecessa.com
Fri May 9 15:26:11 CEST 2014


Hello,
Here is my config for Site1:
--------------------------------

conn Site1
     left=10.1.1.2
     right=10.1.3.2
     auto=start
     leftsubnet=192.168.10.0/24
     rightsubnet=192.168.11.0/24
     keyingtries=%forever
     leftauth=psk
     rightauth=psk
     ikelifetime=8h
     ike=aes256-sha1-modp1536
     esp=aes256-sha1
     mark=32

# /etc/ipsec.secrets - strongSwan IPsec secrets file
10.1.1.2 10.1.3.2 : PSK "secret"

# mangle PREROUTING rules:
iptables -t mangle -A PREROUTING -s 192.168.10.0/24 -d 192.168.11.0/24 -j MARK --set-mark 32
iptables -t mangle -A PREROUTING -p esp -s 10.1.3.2 -d 10.1.1.2 -j MARK --set-mark 32

For Site2:
---------------------------

conn Site2
     left=10.1.3.2
     right=10.1.1.2
     auto=add
     leftsubnet=192.168.11.0/24
     rightsubnet=192.168.10.0/24
     keyingtries=%forever
     leftauth=psk
     rightauth=psk
     ikelifetime=8h
     ike=aes256-sha1-modp1536
     esp=aes256-sha1
     mark=32

# /etc/ipsec.secrets - strongSwan IPsec secrets file
10.1.3.2 10.1.1.2 : PSK "secret"

# mangle PREROUTING rules:
iptables -t mangle -A PREROUTING -s 192.168.11.0/24 -d 192.168.10.0/24 -j MARK --set-mark 32
iptables -t mangle -A PREROUTING -p esp -s 10.1.1.2 -d 10.1.3.2 -j MARK --set-mark 32

----------------------------------------------------------------------------
Now I have figured out how to associate the connection with a VTI link, 
and can then skip the iptables rules and use normal routing over the VTI 
tunnel (do this on both sites):
# Create a VTI link on Site1 with same mark as the connection:
ip link add vti0 type vti local 10.1.1.2 remote 10.1.3.2 key 32
# Add route to tunnel:
ip route add 192.168.11.0/24 dev vti0

With that, traffic outbound to the Site2 LAN goes out the tunnel and 
gets properly encrypted. The only problem left then is the inbound 
direction. When you set a mark value in the ipsec.conf connection, that 
mark gets set on all the SAs and SPs (xfrm state and xfrm policy). As 
mentioned here (http://www.spinics.net/lists/netdev/msg253134.html) for 
the inbound encrypted packets to get directed into the vti tunnel the 
inbound SA should have no mark (the 'wildcard' mark). So to get this to 
properly work you need to modify the inbound xfrm state to have no mark. 
We chose instead to apply a small patch to strongSwan code to not mark 
the inbound SA.

Regards,
Brad

On 05/09/2014 04:46 AM, Bogdan-Constantin Popescu wrote:
> Hello,
>
> Could you please share your ping-working configuration with me?
> I'm trying to achieve the same thing (use StrongSwan with VTI devices)
> and don't have any results yet, not even the ping between the hosts.
> I would have replied in the mailing list, but I just subscribed to it
> and I don't know how to reply to an older message from the list.
>
> Thanks in advance,
>
> Bogdan Popescu
>
> On 04/25/2014 10:33 AM, Brad Johnson wrote:
>> I am trying to get StrongSwan working together with VTI type links or
>> tunnels for more flexibility with marking and routing VPN traffic. We
>> are running a Gentoo distro with StrongSwan version 5.1.2 and kernel
>> 3.10.26. I need to figure out how to properly associate a VTI type
>> link with an ipsec SA and policy. I have successfully connected a SA
>> with 'mark_in=32' and 'mark_out=32' in the conn section of ipsec.conf,
>> and added the proper iptables mangle prerouting rules to mark inbound
>> and outbound packets (' -j MARK --set-mark 32'). With that I can
>> successfully ping end-to-end over the VPN (from host behind one router
>> to host behind the remote router).
>> Now I have created a VTI link like this:
>> # ip link add vti0 type vti local x.x.x.x remote y.y.y.y ikey 32 okey 32
>>
>> And I have tried many ways to associate this link with my ipsec SA
>> without success. And after much searching the Internet I have found
>> very little help. According to this linux kernel patch:
>> http://www.spinics.net/lists/netdev/msg253134.html it seems there
>> should be no need for additional iptables marking rules, but after
>> following the instructions there I still could not get it to work.
>>
>> Any help with this would be greatly appreciated.
