[strongSwan] Fwd: loading ip_vti breaks IPSec connection
Joe M
joe9mail at gmail.com
Tue Sep 16 20:38:31 CEST 2014
Hello,
I am trying to figure out how vti works with the latest stable kernel
(3.16.2) or rc kernel (3.17.x).
If anyone has a working vti tunnel with strongswan, can you please
share your configuration?
Do you have "mark=" in ipsec.conf? Do you use iptables rules to set
the mark? What are your vti tunnel's ikey and okey values? How do the
vti tunnel's remote and local correspond to the values in ipsec.conf
(when the clients have different public IPs and subnets)?
I use a custom kernel (gentoo distro), and got the seed from
kernel-seeds.org. I am also attaching my kernel config (config.gz) if
you want to check it out.
uname -a
Linux master 3.16.2-dirty #89 SMP PREEMPT Sun Sep 14 14:30:59 CDT 2014
x86_64 Intel(R) Pentium(R) CPU G620 @ 2.60GHz GenuineIntel GNU/Linux
It is dirty as I have been trying to add printk's to figure out ip_vti
behaviour. I can also try the latest rc kernel if that is what you
are using.
Without loading ip_vti (and mark= in ipsec.conf), I can get the pings
to work through the IPSec tunnel. I think I am doing something wrong
with the vti setup. Not setting the mark, okey, ikey or iptables rules
properly.
I am also attaching the note I sent to Mr. Steffen (author of the
latest patches to kernel's ip_vti) looking for help. It has my
configuration and xfrm policy and state.
I am using strongswan 5.2.0. Below is the gentoo configuration of
strongswan, if it helps.
eix --exact strongswan
[I] net-misc/strongswan
Available versions: 5.1.3 (~)5.2.0-r1{tbz2} {+caps +constraints
curl debug dhcp eap farp gcrypt ldap mysql networkmanager
+non-root +openssl pam pkcs11 sqlite strongswan_plugins_blowfish
strongswan_plugins_ccm strongswan_plugins_ctr
strongswan_plugins_gcm strongswan_plugins_ha
strongswan_plugins_ipseckey +strongswan_plugins_led
+strongswan_plugins_lookip strongswan_plugins_ntru
strongswan_plugins_padlock strongswan_plugins_rdrand
+strongswan_plugins_systime-fix strongswan_plugins_unbound
+strongswan_plugins_unity +strongswan_plugins_vici
strongswan_plugins_whitelist}
Installed versions: 5.2.0-r1{tbz2}(09:08:20 AM 09/15/2014)(caps
constraints ldap non-root openssl pam strongswan_plugins_led
strongswan_plugins_lookip strongswan_plugins_systime-fix
strongswan_plugins_unity strongswan_plugins_vici -curl -debug
-dhcp -eap -farp -gcrypt -mysql -networkmanager -pkcs11 -sqlite
-strongswan_plugins_blowfish -strongswan_plugins_ccm
-strongswan_plugins_ctr -strongswan_plugins_gcm
-strongswan_plugins_ha -strongswan_plugins_ipseckey
-strongswan_plugins_ntru -strongswan_plugins_padlock
-strongswan_plugins_rdrand -strongswan_plugins_unbound
-strongswan_plugins_whitelist)
Homepage: http://www.strongswan.org/
Description: IPsec-based VPN solution focused on security
and ease of use, supporting IKEv1/IKEv2 and MOBIKE
equery uses strongswan
[ Legend : U - final flag setting for installation]
[ : I - package is installed with flag ]
[ Colors : set, unset ]
* Found these USE flags for net-misc/strongswan-5.2.0-r1:
U I
+ + caps : Use Linux capabilities library
to control privilege
+ + constraints : Enable advanced X.509 constraint
checking plugin.
- - curl : Add support for client-side URL
transfer library
- - debug : Enable extra debug codepaths,
like asserts and extra output. If you want to get meaningful
backtraces see
http://www.gentoo.org/proj/en/qa/backtraces.xml
- - dhcp : Enable server support for
querying virtual IP addresses for clients from a DHCP server. (IKEv2
only)
- - eap : Enable support for the different
EAP modules that is supported.
- - farp : Enable faking of ARP responses
for virtual IP addresses assigned to clients. (IKEv2 only)
- - gcrypt : Enable dev-libs/libgcrypt plugin
which provides 3DES, AES, Blowfish, Camellia, CAST, DES, Serpent and
Twofish ciphers along with MD4, MD5 and
SHA1/2 hash algorithms, RSA and
DH groups 1,2,5,14-18 and
22-24(4.4+). Also includes a
software random number
generator.
+ + ldap : Add LDAP support (Lightweight
Directory Access Protocol)
- - mysql : Add mySQL Database support
- - networkmanager : Enable net-misc/networkmanager support
+ + non-root : Force IKEv1/IKEv2 daemons to
normal user privileges. This might impose some restrictions mainly to
the IKEv1 daemon. Disable only if you really require superuser privileges.
+ + openssl : Enable dev-libs/openssl plugin
which is required for Elliptic Curve Cryptography (DH groups
19-21,25,26) and ECDSA. Also provides 3DES, AES, Blowfish, Camellia,
CAST, DES, IDEA and RC5 ciphers along with MD2, MD4, MD5 and SHA1/2
hash algorithms, RSA and DH groups 1,2,5,14-18 and 22-24(4.4+)
dev-libs/openssl has to be compiled with USE="-bindist".
+ + pam : Add support for PAM (Pluggable
Authentication Modules) - DANGEROUS to arbitrarily flip
- - pkcs11 : Enable pkcs11 support.
- - sqlite : Add support for sqlite -
embedded sql database
- - strongswan_plugins_blowfish : Enable support for the blowfish plugin.
- - strongswan_plugins_ccm : Enable support for the ccm plugin.
- - strongswan_plugins_ctr : Enable support for the ctr plugin.
- - strongswan_plugins_gcm : Enable support for the gcm plugin.
- - strongswan_plugins_ha : Enable support for the ha plugin.
- - strongswan_plugins_ipseckey : Enable support for the ipseckey plugin.
+ + strongswan_plugins_led : Enable support for the led plugin.
+ + strongswan_plugins_lookip : Enable support for the lookip plugin.
- - strongswan_plugins_ntru : Enable support for the ntru plugin.
- - strongswan_plugins_padlock : Enable support for the padlock plugin.
- - strongswan_plugins_rdrand : Enable support for the rdrand plugin.
+ + strongswan_plugins_systime-fix : Enable support for the systime-fix plugin.
- - strongswan_plugins_unbound : Enable support for the unbound plugin.
+ + strongswan_plugins_unity : Enable support for the unity plugin.
+ + strongswan_plugins_vici : Enable support for the vici plugin.
- - strongswan_plugins_whitelist : Enable support for the whitelist plugin.
Thanks
Joe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: config.gz
Type: application/octet-stream
Size: 18895 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140916/474450f6/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: note-for-vti-help.org
Type: application/vnd.lotus-organizer
Size: 3531 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140916/474450f6/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140916/474450f6/attachment-0001.pgp>
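Added example, not part of Joe's message and not the strongSwan project's own configuration: a route-based VTI setup in which the ipsec.conf mark= value and the VTI key (ikey and okey) are the same number, which is the correspondence the questions above ask about, plus a check that the two agree. The mark value 42, the device name vti0, the addresses 203.0.113.1 (local, i.e. left) and 198.51.100.1 (remote, i.e. right) and the remote LAN 10.2.0.0/24 are constructed samples. The ipsec.conf keywords, the ip and sysctl commands and the disable_policy sysctl are real; the behaviour described in the comments assumes the reworked ip_vti driver the post refers to (Linux 3.15 and later, so it covers the 3.16.2 and 3.17 kernels mentioned). With DRY_RUN=1 the privileged commands are printed instead of executed, so the script can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from Joe's post or from the strongSwan project: one
# route-based (VTI) IPsec setup in which the ipsec.conf "mark=" value and the
# VTI "key" (ikey and okey) are the same number, and a check that they agree.
# All values are constructed samples: mark 42, vti0, the RFC 5737 addresses
# 203.0.113.1 (local) and 198.51.100.1 (remote), remote LAN 10.2.0.0/24.
# DRY_RUN=1 prints the privileged commands instead of running them.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ipsec.conf stanza. left/right are the same addresses as the VTI's
# local/remote; 0.0.0.0/0 on both sides because the route, not the policy,
# decides what enters the tunnel; mark= makes charon install the SAs and
# policies with this fwmark, so only packets carrying that mark match them.
vti_ipsec_conf() {
    mark=$1 loc=$2 rem=$3
    cat <<EOF
conn vti-tunnel
    left=$loc
    right=$rem
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=$mark
    auto=start
EOF
}

# VTI device. "key N" sets ikey and okey both to N. Packets routed out of the
# VTI get okey as their mark and therefore match the outbound SA installed
# with mark=N; inbound ESP is matched to the device by ikey. No iptables
# MARK rule is needed for that. disable_policy stops the kernel from
# dropping decrypted packets on the VTI for lack of a policy on that device.
vti_setup() {
    mark=$1 loc=$2 rem=$3 dev=${4:-vti0}
    run ip tunnel add "$dev" local "$loc" remote "$rem" mode vti key "$mark"
    run sysctl -w "net.ipv4.conf.$dev.disable_policy=1"
    run ip link set "$dev" up
    run ip route add 10.2.0.0/24 dev "$dev"
}

# Consistency check: the mark in the generated stanza must equal the key on
# the generated "ip tunnel add" line. With a mismatch, packets routed into
# the VTI do not match the SAs strongSwan installed and the tunnel carries
# nothing, which is the usual "pings work without ip_vti" symptom.
vti_key_matches_mark() {
    conf_mark=$(vti_ipsec_conf "$@" | sed -n 's/^ *mark=//p')
    vti_key=$( (DRY_RUN=1; vti_setup "$@") | sed -n 's/.* key \([0-9]*\)$/\1/p')
    [ -n "$conf_mark" ] && [ "$conf_mark" = "$vti_key" ]
}
```

Usage: `vti_ipsec_conf 42 203.0.113.1 198.51.100.1` prints the stanza to paste into ipsec.conf, and `vti_setup 42 203.0.113.1 198.51.100.1` (as root, on the gateway) creates the device; run `vti_key_matches_mark 42 203.0.113.1 198.51.100.1` first. After `ipsec up vti-tunnel`, `ip xfrm state` should show both SAs with `mark 0x2a/0xffffffff` (42 in hex), and `ip -s link show vti0` should show the tunnel's packet counters moving when the remote LAN is pinged.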