[strongSwan] VTI's as initiator?
Ruel, Ryan
rruel at akamai.com
Thu Jul 28 14:15:31 CEST 2016
I'm trying to establish a VTI using strongSwan as an initiator, and am running into some trouble. I've been able to use VTIs with strongSwan acting as a responder (using a Cisco router as an initiator).
I'm running strongSwan 5.4.0 on Ubuntu 15.10 (Kernel 4.2.0-36-generic).
My ipsec.conf is configured as follows:
conn %default
    authby=secret
    keyexchange=ikev2
    mobike=no

conn initiator
    leftupdown=/usr/local/etc/vti.sh
    authby=secret
    keyexchange=ikev1
    aggressive=yes
    left=192.168.73.145
    leftid=user1@test-domain.com
    right=192.168.131.130
    rightid=%any
    ike=3des-md5-modp1024
    esp=null-md5-noesn!
    auto=add
For test purposes, I'm just bringing up the tunnel manually (ipsec up initiator) and I'm using NULL encryption for easier debugging for now.
My /usr/local/etc/vti.sh up/down script looks as follows. I'm forcing the vti name to be vti1 for consistency between tests:
#!/bin/bash
# The VTI interface normally gets its name from the unique ID passed in from strongSwan
#VTI_IF="vti${PLUTO_UNIQUEID}"
# Force it to use vti1 for consistency between tests
VTI_IF="vti1"
# Private subnet routed over the tunnel
PRIVATE_SUBNET="10.1.1.0/24"

# Log the variables strongSwan hands to the script
debug=/tmp/debug.txt
echo "PLUTO_VERB ${PLUTO_VERB}" > "$debug"
echo "VTI_IF ${VTI_IF}" >> "$debug"
echo "PLUTO_MARK_OUT ${PLUTO_MARK_OUT%%/*}" >> "$debug"
echo "PLUTO_MARK_IN ${PLUTO_MARK_IN%%/*}" >> "$debug"
echo "PLUTO_ME ${PLUTO_ME}" >> "$debug"
echo "PLUTO_PEER ${PLUTO_PEER}" >> "$debug"

case "${PLUTO_VERB}" in
    up-host)
        echo "up-host" >> "$debug"
        # Create the tunnel from us to the peer using a "key" of the mark from mark=<value> in ipsec.conf
        #ip link add "${VTI_IF}" type vti key "${PLUTO_MARK_OUT%%/*}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" >> "$debug"
        ip link add "${VTI_IF}" type vti local "${PLUTO_ME}" remote "${PLUTO_PEER}" >> "$debug"
        ip link set "${VTI_IF}" up >> "$debug"
        ip addr add "${PLUTO_ME}" dev "${VTI_IF}" >> "$debug"
        # Add any desired routes over the tunnel
        ip route add "${PRIVATE_SUBNET}" dev "${VTI_IF}" >> "$debug"
        # Disable policy checks for this interface, otherwise the kernel will drop the traffic after decryption
        sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1" >> "$debug"
        # Disable RP filter for the tunnel interface
        sysctl -w "net.ipv4.conf.${VTI_IF}.rp_filter=0" >> "$debug"
        ;;
    down-host)
        # Remove the route before the link: deleting the link first takes the route with it and the route del then fails
        ip route del "${PRIVATE_SUBNET}" dev "${VTI_IF}" >& /dev/null
        ip link del "${VTI_IF}" >> "$debug"
        ;;
esac
I had to remove the "key" piece of the "ip link add" command, as the PLUTO_MARK_OUT and PLUTO_MARK_IN variables (which get set when acting as responder) are not set.
My debug output shows the following variables getting set by strongSwan:
root@testclient:/tmp# more debug.txt
PLUTO_VERB up-host
VTI_IF vti1
PLUTO_MARK_OUT
PLUTO_MARK_IN
PLUTO_ME 192.168.73.145
PLUTO_PEER 192.168.131.130
up-host
net.ipv4.conf.vti1.disable_policy = 1
net.ipv4.conf.vti1.rp_filter = 0
With the above script and configuration, everything seems to come up just fine, but I can't actually pass any traffic through the VTI. I see the error count increment on the Linux interface:
vti1      Link encap:IPIP Tunnel  HWaddr
          inet addr:192.168.73.145  P-t-P:192.168.73.145  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1332  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:7 dropped:0 overruns:0 carrier:7
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
What am I missing?
/Ryan
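An added example, not taken from Ryan's post or from the strongSwan project, showing how a VTI updown script is normally coupled to the SA. In the route-based setup strongSwan documents, the conn carries mark=<value> (which is also what makes strongSwan export PLUTO_MARK_IN and PLUTO_MARK_OUT to the updown script, as "<value>/<mask>") and the VTI is created with key <value>, so the kernel can match the SA to the interface; the traffic selectors are normally widened to 0.0.0.0/0 so that anything routed into the interface matches the policy. The script below assumes such a conn with mark=42 (the value 42, the DRY_RUN switch and the helpers run, mark_value, require_mark and vti_ifname are introduced here for illustration; the addresses in the comments are the ones from the post). It refuses to build a keyless VTI when the mark is missing instead of silently dropping the key.

```shell
#!/bin/bash
# Example updown script for a strongSwan-initiated VTI (added example).
# Assumes the conn has mark=42 and leftsubnet/rightsubnet=0.0.0.0/0, so that
# strongSwan passes PLUTO_MARK_OUT="42/0xffffffff" and the VTI is created
# with "key 42". DRY_RUN=1 prints the commands instead of running them
# (illustration helper, so the logic can be exercised without root).

set -u

DRY_RUN="${DRY_RUN:-0}"
PRIVATE_SUBNET="${PRIVATE_SUBNET:-10.1.1.0/24}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# strongSwan passes marks as "<value>/<mask>" (e.g. 42/0xffffffff); the VTI
# key is the bare value.
mark_value() {
    printf '%s\n' "${1%%/*}"
}

# An empty PLUTO_MARK_OUT means the conn has no mark= line. A VTI without a
# key is not matched to the SA, so fail here rather than build a useless link.
require_mark() {
    m=$(mark_value "${PLUTO_MARK_OUT:-}")
    if [ -z "$m" ] || [ "$m" = 0 ]; then
        echo "PLUTO_MARK_OUT is empty: add mark=<value> to the conn" >&2
        return 1
    fi
    printf '%s\n' "$m"
}

# Derive the interface name from the mark so several conns do not collide.
vti_ifname() {
    printf 'vti%s\n' "$1"
}

vti_up() {
    mark=$(require_mark) || return 1
    ifname=$(vti_ifname "$mark")
    # key = mark: this is the binding between the interface and the SA.
    run ip link add "$ifname" type vti key "$mark" \
        local "${PLUTO_ME:?}" remote "${PLUTO_PEER:?}"
    run ip link set "$ifname" up
    # Reuse the outer address on the tunnel; any address works for routing.
    run ip addr add "${PLUTO_ME:?}" dev "$ifname"
    run ip route add "$PRIVATE_SUBNET" dev "$ifname"
    # The xfrm policy was already applied on the VTI; skip the second check
    # on the decapsulated packet, and do not reverse-path-filter it.
    run sysctl -w "net.ipv4.conf.${ifname}.disable_policy=1"
    run sysctl -w "net.ipv4.conf.${ifname}.rp_filter=0"
}

vti_down() {
    mark=$(require_mark) || return 1
    ifname=$(vti_ifname "$mark")
    # Route first, then link: deleting the link first makes the route del fail.
    run ip route del "$PRIVATE_SUBNET" dev "$ifname"
    run ip link del "$ifname"
}

case "${PLUTO_VERB:-}" in
    up-host|up-client)     vti_up ;;
    down-host|down-client) vti_down ;;
esac
```

Dry-run it with the variables strongSwan would set, e.g. `DRY_RUN=1 PLUTO_VERB=up-host PLUTO_MARK_OUT=42/0xffffffff PLUTO_ME=192.168.73.145 PLUTO_PEER=192.168.131.130 ./vti.sh`, and confirm that the first printed line carries `key 42`; if PLUTO_MARK_OUT is empty the script exits with an error instead, which is the symptom to look for when the conn lacks mark=.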