[strongSwan] Fwd: loading ip_vti breaks IPSec connection

Joe M joe9mail at gmail.com
Thu Sep 18 17:01:38 CEST 2014


Hello,

I am trying to figure out how vti works with the latest stable kernel
(3.16.2) or rc kernel (3.17.x).

If anyone has a working vti tunnel with strongswan, can you please
share your configuration?

Do you have "mark=" in ipsec.conf? Do you use iptables rules to set
the mark? What are your vti tunnel's ikey and okey values? How do the
vti tunnel's remote and local correspond to the values in ipsec.conf
(when the clients have different public IPs and subnets)?

I use a custom kernel (gentoo distro), and got the seed from
kernel-seeds.org. I am also attaching my kernel config (config.gz) if
you want to check it out.

uname -a
Linux master 3.16.2-dirty #89 SMP PREEMPT Sun Sep 14 14:30:59 CDT 2014
x86_64 Intel(R) Pentium(R) CPU G620 @ 2.60GHz GenuineIntel GNU/Linux

It is dirty as I have been trying to add printk's to figure out ip_vti
behaviour. I can also try the latest rc kernel if that is what you
are using.

Without loading ip_vti (and mark= in ipsec.conf), I can get the pings
to work through the IPSec tunnel. I think I am doing something wrong
with the vti setup. Not setting the mark, okey, ikey or iptables rules
properly.

I am also attaching the note I sent to Mr. Steffen (author of the
latest patches to kernel's ip_vti) looking for help. It has my
configuration and xfrm policy and state.

I am using strongswan 5.2.0. Below is the gentoo configuration of
strongswan, if it helps.

eix --exact strongswan
[I] net-misc/strongswan
     Available versions:  5.1.3 (~)5.2.0-r1{tbz2} {+caps +constraints
     curl debug dhcp eap farp gcrypt ldap mysql networkmanager
     +non-root +openssl pam pkcs11 sqlite strongswan_plugins_blowfish
     strongswan_plugins_ccm strongswan_plugins_ctr
     strongswan_plugins_gcm strongswan_plugins_ha
     strongswan_plugins_ipseckey +strongswan_plugins_led
     +strongswan_plugins_lookip strongswan_plugins_ntru
     strongswan_plugins_padlock strongswan_plugins_rdrand
     +strongswan_plugins_systime-fix strongswan_plugins_unbound
     +strongswan_plugins_unity +strongswan_plugins_vici
     strongswan_plugins_whitelist}
     Installed versions:  5.2.0-r1{tbz2}(09:08:20 AM 09/15/2014)(caps
     constraints ldap non-root openssl pam strongswan_plugins_led
     strongswan_plugins_lookip strongswan_plugins_systime-fix
     strongswan_plugins_unity strongswan_plugins_vici -curl -debug
     -dhcp -eap -farp -gcrypt -mysql -networkmanager -pkcs11 -sqlite
     -strongswan_plugins_blowfish -strongswan_plugins_ccm
     -strongswan_plugins_ctr -strongswan_plugins_gcm
     -strongswan_plugins_ha -strongswan_plugins_ipseckey
     -strongswan_plugins_ntru -strongswan_plugins_padlock
     -strongswan_plugins_rdrand -strongswan_plugins_unbound
     -strongswan_plugins_whitelist)
     Homepage:            http://www.strongswan.org/
     Description:         IPsec-based VPN solution focused on security
     and ease of use, supporting IKEv1/IKEv2 and MOBIKE

equery uses strongswan
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for net-misc/strongswan-5.2.0-r1:
 U I
 + + caps                           : Use Linux capabilities library
 to control privilege
 + + constraints                    : Enable advanced X.509 constraint
 checking plugin.
 - - curl                           : Add support for client-side URL
 transfer library
 - - debug                          : Enable extra debug codepaths,
 like asserts and extra output. If you want to get meaningful
 backtraces see

http://www.gentoo.org/proj/en/qa/backtraces.xml
 - - dhcp                           : Enable server support for
 querying virtual IP addresses for clients from a DHCP server. (IKEv2
 only)
 - - eap                            : Enable support for the different
 EAP modules that is supported.
 - - farp                           : Enable faking of ARP responses
 for virtual IP addresses assigned to clients. (IKEv2 only)
 - - gcrypt                         : Enable dev-libs/libgcrypt plugin
 which provides 3DES, AES, Blowfish, Camellia, CAST, DES, Serpent and
 Twofish ciphers along with MD4, MD5 and SHA1/2 hash algorithms, RSA and
 DH groups 1,2,5,14-18 and 22-24(4.4+). Also includes a software random
 number generator.
 + + ldap                           : Add LDAP support (Lightweight
 Directory Access Protocol)
 - - mysql                          : Add mySQL Database support
 - - networkmanager                 : Enable net-misc/networkmanager support
 + + non-root                       : Force IKEv1/IKEv2 daemons to
 normal user privileges. This might impose some restrictions mainly to
 the IKEv1 daemon. Disable only if you really require superuser privileges.
 + + openssl                        : Enable dev-libs/openssl plugin
 which is required for Elliptic Curve Cryptography (DH groups
 19-21,25,26) and ECDSA. Also provides 3DES, AES, Blowfish, Camellia,
 CAST, DES, IDEA and RC5 ciphers along with MD2, MD4, MD5 and SHA1/2
 hash algorithms, RSA and DH groups 1,2,5,14-18 and 22-24(4.4+)
 dev-libs/openssl has to be compiled with USE="-bindist".
 + + pam                            : Add support for PAM (Pluggable
 Authentication Modules) - DANGEROUS to arbitrarily flip
 - - pkcs11                         : Enable pkcs11 support.
 - - sqlite                         : Add support for sqlite -
embedded sql database
 - - strongswan_plugins_blowfish    : Enable support for the blowfish plugin.
 - - strongswan_plugins_ccm         : Enable support for the ccm plugin.
 - - strongswan_plugins_ctr         : Enable support for the ctr plugin.
 - - strongswan_plugins_gcm         : Enable support for the gcm plugin.
 - - strongswan_plugins_ha          : Enable support for the ha plugin.
 - - strongswan_plugins_ipseckey    : Enable support for the ipseckey plugin.
 + + strongswan_plugins_led         : Enable support for the led plugin.
 + + strongswan_plugins_lookip      : Enable support for the lookip plugin.
 - - strongswan_plugins_ntru        : Enable support for the ntru plugin.
 - - strongswan_plugins_padlock     : Enable support for the padlock plugin.
 - - strongswan_plugins_rdrand      : Enable support for the rdrand plugin.
 + + strongswan_plugins_systime-fix : Enable support for the systime-fix plugin.
 - - strongswan_plugins_unbound     : Enable support for the unbound plugin.
 + + strongswan_plugins_unity       : Enable support for the unity plugin.
 + + strongswan_plugins_vici        : Enable support for the vici plugin.
 - - strongswan_plugins_whitelist   : Enable support for the whitelist plugin.


Thanks
Joe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: config.gz
Type: application/octet-stream
Size: 18895 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140918/2d8e5a03/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: note-for-vti-help.org
Type: application/vnd.lotus-organizer
Size: 254 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140918/2d8e5a03/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 566 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140918/2d8e5a03/attachment-0001.pgp>
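Added example (not part of the original post, and not strongSwan's or iproute2's own code): a shell script that emits a strongSwan 5.2 conn together with the VTI commands that match it, and a check that compares the ikey/okey of an existing vti device with the marks strongSwan installed in the xfrm policies. The endpoint addresses 192.0.2.1 and 198.51.100.1, the mark 42, the device name vti0 and the subnet 10.2.0.0/16 are assumed values, and the `ip -d link show` / `ip xfrm policy` output it parses is constructed, not taken from the poster's system.

```shell
#!/bin/bash
# Added example, not from the original post, strongSwan or iproute2.
# Generates a mutually consistent strongSwan 5.2 conn + VTI device setup and
# cross-checks a host's VTI key against the xfrm policy marks strongSwan installs.
# Addresses, mark value, device name and subnet below are hypothetical.

# iproute2 prints VTI keys as dotted quads ("0.0.0.42") and xfrm marks as hex
# ("0x2a/0xffffffff"); normalise both to a plain integer so they can be compared.
key_to_int() {
    case "$1" in
        *.*.*.*) printf '%s\n' "$1" | awk -F. '{ print ($1*16777216)+($2*65536)+($3*256)+$4 }' ;;
        0x*)     echo $(( $1 )) ;;
        *)       echo "$1" ;;
    esac
}

# A VTI key / xfrm mark is an unsigned 32-bit value; 0 means "unmarked" and
# would make the policy match nothing that is routed into the tunnel.
valid_mark() {
    n=$(key_to_int "$1")
    [ "$n" -gt 0 ] 2>/dev/null && [ "$n" -le 4294967295 ]
}

# Emit the conn and the VTI commands for one peer. The correspondence is:
#   ipsec.conf left/right == VTI local/remote (the IKE endpoints, not the subnets)
#   ipsec.conf mark=      == VTI key (ikey and okey; mark_in/mark_out map to
#                            ikey/okey if they differ)
#   selectors 0.0.0.0/0   so whatever is routed via vti0 matches the policy.
# No iptables MARK rules are needed: the VTI device sets the mark on output and
# matches it on input. strongswan.conf should carry charon { install_routes = no }.
vti_config() {
    local_ip=$1 remote_ip=$2 mark=$3 remote_subnet=$4
    valid_mark "$mark" || { echo "invalid mark: $mark" >&2; return 1; }
    cat <<EOF
# ipsec.conf
conn vti-peer
    left=$local_ip
    right=$remote_ip
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=$mark
    auto=route
# shell (as root)
ip tunnel add vti0 local $local_ip remote $remote_ip mode vti key $mark
sysctl -w net.ipv4.conf.vti0.disable_policy=1
ip link set vti0 up
ip route add $remote_subnet dev vti0
EOF
}

# Cross-check a running host: every mark in `ip xfrm policy` must equal the VTI's
# ikey and okey from `ip -d link show vti0`, otherwise packets are routed into the
# tunnel but never match an IPsec policy (pings work until ip_vti is in the path).
check_vti_marks() {
    link_out=$1 policy_out=$2 rc=0
    ikey=$(printf '%s\n' "$link_out" | sed -n 's/.*ikey \([^ ]*\).*/\1/p' | head -n 1)
    okey=$(printf '%s\n' "$link_out" | sed -n 's/.*okey \([^ ]*\).*/\1/p' | head -n 1)
    if [ -z "$ikey" ] || [ -z "$okey" ]; then
        echo "VTI device has no ikey/okey; add 'key <mark>' when creating it" >&2
        return 1
    fi
    ikey=$(key_to_int "$ikey"); okey=$(key_to_int "$okey")
    marks=$(printf '%s\n' "$policy_out" | sed -n 's|^[[:space:]]*mark \([^/ ]*\).*|\1|p')
    if [ -z "$marks" ]; then
        echo "xfrm policies carry no mark: is mark= set in ipsec.conf?" >&2
        return 1
    fi
    for m in $marks; do
        m=$(key_to_int "$m")
        if [ "$m" -ne "$ikey" ] || [ "$m" -ne "$okey" ]; then
            echo "mismatch: policy mark $m vs VTI ikey $ikey okey $okey" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample output for a correctly configured host (mark=42); not
# captured from the poster's system.
SAMPLE_LINK='3: vti0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
    link/ipip 192.0.2.1 peer 198.51.100.1
    vti remote 198.51.100.1 local 192.0.2.1 ikey 0.0.0.42 okey 0.0.0.42'
SAMPLE_POLICY='src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 399999 ptype main
    mark 0x2a/0xffffffff
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir in priority 399999 ptype main
    mark 0x2a/0xffffffff
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 1 mode tunnel'
# The same policies after mark= was changed without recreating the VTI device.
SAMPLE_POLICY_BAD=$(printf '%s\n' "$SAMPLE_POLICY" | sed 's/0x2a/0x2b/')

vti_config 192.0.2.1 198.51.100.1 42 10.2.0.0/16
check_vti_marks "$SAMPLE_LINK" "$SAMPLE_POLICY" && echo "marks consistent"
check_vti_marks "$SAMPLE_LINK" "$SAMPLE_POLICY_BAD" || echo "recreate vti0 with key matching mark="
```

With the reworked ip_vti in 3.15 and later kernels the only coupling between strongSwan and the tunnel device is the mark: mark= in ipsec.conf (or mark_in/mark_out) has to be the same number as the key (ikey/okey) given to `ip tunnel add ... mode vti`, the tunnel's local/remote are the IKE endpoints from left/right, and each peer needs its own mark and its own vti device. Run the check against the real `ip -d link show vti0` and `ip xfrm policy` output after every change to either side; a stale device with the old key is the usual reason a previously working tunnel stops passing pings once ip_vti is loaded.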