[strongSwan] VTI with IPv4 over IPv6 Tunnel
Benjamin Beier
benjamin.beier at heliocloud.net
Thu Jul 20 01:21:42 CEST 2017
Hello,
I have a working IPsec setup (IPv4 Net-Net over IPv6 Host-Host tunnel)
including a properly configured firewall.
It's been running fine for some months, but now I have a new requirement
that needs Virtual Transport Interfaces (VTI) on both sides of the tunnel.
Sadly I am really struggling with this part, having spent multiple days
already trying to figure out why it's not working.
Some useful information:
* Firewall is deactivated (accepting everything)
* Mangle table is empty
* StrongSwan 5.5.3
* Linux Kernel 4.4.X
* Using the following guide:
https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
The VTI name is ipsec0 and traffic is routed to the interface properly.
tcpdump shows lots of packets from 10.159.5.0/24 to 10.159.6.0/24 on
interface ipsec0.
My problem is that the VTI seems to be a black hole at the moment.
Packets just disappear in the tunnel interface and the RX error counter
is rising quickly:
~ # ip -6 -s tunnel show ipsec0
ipsec0: ipv6/ipv6 remote ####:####:####:100::7 local ####:####:####:2405::7 encaplimit 0 hoplimit 0 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
RX: Packets Bytes Errors CsumErrs OutOfSeq Mcasts
    0       0     1198   0        0        0
TX: Packets Bytes Errors DeadLoop NoRoute NoBufs
    358     56650 0      0        0       0
So far I have no idea what's going on, and I tried changing options for
days, always with the same results.
Maybe someone is running a similar setup and can provide some hints?
Is there a way to find out what exactly those errors are?
Many Thanks,
Benjamin
Configuration:
--------------------------------
# strongswan.conf - strongSwan configuration file
charon {
    load_modular = yes
    install_routes = no
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
--------------------------------
# ipsec.conf - strongSwan IPsec configuration file
config setup

ca heliocloud
    cacert=#######.crt
    auto=add

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=%forever
    keyexchange=ikev2
    mobike=no
    compress=yes

conn net-net
    also=host-host
    leftsubnet=10.159.5.0/24
    rightsubnet=10.159.6.0/24
    auto=start
    mark=1

conn host-host
    left=####:####:####:100::7
    leftcert=#######.crt
    right=####:####:####:2405::7
    auto=add
--------------------------------
modprobe ip6_vti
ip -6 tunnel add ipsec0 local ####:####:####:100::7 remote ####:####:####:2405::7 mode vti6 key 1
ip link set ipsec0 up
ip route add 10.159.6.0/24 dev ipsec0
--------------------------------
3: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1
    link/tunnel6 :: brd ::
4: ip6_vti0@NONE: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1
    link/tunnel6 :: brd ::
8: ipsec0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1
    link/tunnel6 ####:####:####:100::7 peer ####:####:####:2405::7
    inet6 fe80::2201:bff:fec8:2357/64 scope link
       valid_lft forever preferred_lft forever
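Added example, not part of Benjamin's post or of strongSwan itself: a small Python checker that reads `ip -6 -s tunnel show` counters and `ip xfrm state` output and flags any SA whose mark does not equal the VTI key, since the RouteBasedVPN guide linked above ties the strongSwan `mark` to the tunnel's `key`. Both inputs are constructed samples modelled on the post's output format (documentation addresses, dummy key material), and the function names are my own.

```python
import re

# Constructed sample in the format of `ip -6 -s tunnel show ipsec0` (not the poster's real output)
TUNNEL_STATS = """\
ipsec0: ipv6/ipv6 remote 2001:db8:0:100::7 local 2001:db8:0:2405::7 encaplimit 0 hoplimit 0
RX: Packets Bytes Errors CsumErrs OutOfSeq Mcasts
    0       0     1198   0        0        0
TX: Packets Bytes Errors DeadLoop NoRoute NoBufs
    358     56650 0      0        0       0
"""

# Constructed sample in the format of `ip xfrm state`: the first SA carries mark 0x1,
# the second carries no mark at all, which is the kind of mismatch this check exposes
XFRM_STATE = """\
src 2001:db8:0:100::7 dst 2001:db8:0:2405::7
\tproto esp spi 0xc0000001 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tmark 0x1/0xffffffff
\tauth-trunc hmac(sha256) 0x00 128
\tenc cbc(aes) 0x00
src 2001:db8:0:2405::7 dst 2001:db8:0:100::7
\tproto esp spi 0xc0000002 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x00 128
\tenc cbc(aes) 0x00
"""

def parse_tunnel_counters(text):
    """Map 'RX'/'TX' to {counter name: value} from `ip -s tunnel show` output."""
    lines = text.splitlines()
    counters = {}
    for i, line in enumerate(lines):
        if line.startswith(("RX:", "TX:")):
            names = line.split()[1:]                      # header row of counter names
            values = [int(v) for v in lines[i + 1].split()]  # numeric row below it
            counters[line[:2]] = dict(zip(names, values))
    return counters

def parse_sa_marks(text):
    """Return (src, dst, spi, mark) per SA from `ip xfrm state` output; mark is None when absent."""
    sas = []
    for block in re.split(r"(?m)^(?=src )", text):     # one block per SA
        head = re.match(r"src (\S+) dst (\S+)", block)
        if not head:
            continue
        spi = re.search(r"spi (0x[0-9a-fA-F]+)", block).group(1)
        mark = re.search(r"^\s*mark (0x[0-9a-fA-F]+)/", block, re.M)
        sas.append((head.group(1), head.group(2), spi, int(mark.group(1), 16) if mark else None))
    return sas

def check_vti(tunnel_text, xfrm_text, vti_key):
    """Return (RX error count, list of SAs whose mark differs from the VTI key)."""
    rx_errors = parse_tunnel_counters(tunnel_text)["RX"]["Errors"]
    mismatched = [sa for sa in parse_sa_marks(xfrm_text) if sa[3] != vti_key]
    return rx_errors, mismatched

if __name__ == "__main__":
    errors, bad = check_vti(TUNNEL_STATS, XFRM_STATE, vti_key=1)
    print(f"RX errors on VTI: {errors}")
    for src, dst, spi, mark in bad:
        print(f"SA {src} -> {dst} spi {spi} has mark {mark}, VTI key is 1")
```

On a live host, feed it the real command output (`subprocess.run(["ip", "xfrm", "state"], ...)`) and the key used in `ip -6 tunnel add`.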