[strongSwan] VTI with IPv4 over IPv6 Tunnel
Benjamin Beier
benjamin.beier at heliocloud.net
Fri Jul 21 00:59:02 CEST 2017
Actually I just need the interfaces so OSPF is happy.
After wasting some more hours of time with VTIs, I decided to try GRE
and well... it just works. :)
Though I have heard and read that GRE is considered quite a dirty protocol.
I also heard that Libreswan provides better support for VTIs than
Strongswan.
But for now I am sticking with the solution I have.
Thanks for the hints.
Benjamin
On 07/20/2017 04:08 AM, Eric Germann wrote:
> What’s your use case? Could you accomplish it with GRE tunnels as P2P
> tunnels?
>
> I run a global backbone connecting AWS regions together for $DAYJOB.
> We run BGP and routing over GRE tunnels. The GRE packets are then
> encrypted by Strongswan.
>
> EKG
>
>> On Jul 19, 2017, at 7:21 PM, Benjamin Beier
>> <benjamin.beier at heliocloud.net> wrote:
>>
>> Hello,
>>
>> I have a working IPsec setup (IPv4 Net-Net over IPv6 Host-Host
>> tunnel) including a properly configured firewall.
>> It's been running fine for some months, but now I have a new
>> requirement that needs Virtual Transport Interfaces (VTI) on both
>> sides of the tunnel.
>> Sadly I am really struggling with this part, having spent multiple
>> days already trying to figure out why it's not working.
>>
>> Some useful information:
>>
>> * Firewall is deactivated (accepting everything)
>> * Mangle table is empty
>> * StrongSwan 5.5.3
>> * Linux Kernel 4.4.X
>> * Using the following guide:
>> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>>
>> The VTI name is ipsec0 and traffic is routed to the interface properly.
>> tcpdump shows lots of packets from 10.159.5.0/24 to 10.159.6.0/24 on
>> interface ipsec0.
>> My problem is that the VTI seems to be a black hole at the moment.
>> Packets just disappear in the tunnel interface and the RX error
>> counter is rising quickly:
>>
>> ~ # ip -6 -s tunnel show ipsec0
>> ipsec0: ipv6/ipv6 remote ####:####:####:100::7 local ####:####:####:2405::7 encaplimit 0 hoplimit 0 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
>> RX: Packets  Bytes  Errors  CsumErrs  OutOfSeq  Mcasts
>>     0        0      1198    0         0         0
>> TX: Packets  Bytes  Errors  DeadLoop  NoRoute   NoBufs
>>     358      56650  0       0         0         0
>>
>> So far I have no idea what's going on and I tried changing options for
>> days, always with the same results.
>> Maybe someone is running a similar setup and can provide some hints?
>> Is there a way to find out what exactly those errors are?
>>
>> Many Thanks,
>> Benjamin
>>
>> Configuration:
>> --------------------------------
>>
>> # strongswan.conf - strongSwan configuration file
>>
>> charon {
>>     load_modular = yes
>>     install_routes = no
>>     plugins {
>>         include strongswan.d/charon/*.conf
>>     }
>> }
>>
>> include strongswan.d/*.conf
>>
>> --------------------------------
>>
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> config setup
>>
>> ca heliocloud
>>     cacert=#######.crt
>>     auto=add
>>
>> conn %default
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=%forever
>>     keyexchange=ikev2
>>     mobike=no
>>     compress=yes
>>
>> conn net-net
>>     also=host-host
>>     leftsubnet=10.159.5.0/24
>>     rightsubnet=10.159.6.0/24
>>     auto=start
>>     mark=1
>>
>> conn host-host
>>     left=####:####:####:100::7
>>     leftcert=#######.crt
>>     right=####:####:####:2405::7
>>     auto=add
>>
>> --------------------------------
>>
>> modprobe ip6_vti
>> ip -6 tunnel add ipsec0 local ####:####:####:100::7 remote ####:####:####:2405::7 mode vti6 key 1
>> ip link set ipsec0 up
>> ip route add 10.159.6.0/24 dev ipsec0
>>
>> --------------------------------
>>
>> 3: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1
>>     link/tunnel6 :: brd ::
>> 4: ip6_vti0@NONE: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1
>>     link/tunnel6 :: brd ::
>> 8: ipsec0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1
>>     link/tunnel6 ####:####:####:100::7 peer ####:####:####:2405::7
>>     inet6 fe80::2201:bff:fec8:2357/64 scope link
>>        valid_lft forever preferred_lft forever
>
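The quoted post asks how to find out what the VTI's rising RX error counter actually means. The script below is an added example from the editor, not code from the thread, from strongSwan or from iproute2. It parses three things a practitioner would collect on such a box: the `ip -6 -s tunnel show` stats (is the interface sending but never receiving), the per-reason XfrmIn*/XfrmOut* counters in `/proc/net/xfrm_stat` (which name the cause of an xfrm drop, where the VTI's bare "Errors" column does not), and `ip xfrm state` (does every SA carry the `mark 0x1/0xffffffff` that strongSwan installs for `mark=1`, matching the VTI's `key 1`). Everything it reads here is constructed sample text modelled on the thread: documentation-prefix addresses (2001:db8::/32), made-up SPIs, and the drops placed under XfrmInTmplMismatch purely to illustrate; on a real host the non-zero counter may be a different one. The tunnel key is passed in by hand as a decimal argument.

```shell
#!/bin/sh
# Editor-added diagnostic helpers for a strongSwan route-based (VTI) setup.
# Not part of the thread or of strongSwan. All sample text below is
# constructed for this example: 2001:db8::/32 documentation addresses,
# made-up SPIs, counter values copied from the symptom in the thread.

# Constructed sample of `ip -6 -s tunnel show ipsec0`
VTI_STATS_SAMPLE='ipsec0: ipv6/ipv6 remote 2001:db8:0:100::7 local 2001:db8:0:2405::7 encaplimit 0 hoplimit 0 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
RX: Packets Bytes Errors CsumErrs OutOfSeq Mcasts
 0 0 1198 0 0 0
TX: Packets Bytes Errors DeadLoop NoRoute NoBufs
 358 56650 0 0 0 0'

# Constructed sample of /proc/net/xfrm_stat (subset of the real counter list)
XFRM_STAT_SAMPLE='XfrmInError             0
XfrmInNoStates          0
XfrmInStateMismatch     0
XfrmInTmplMismatch      1198
XfrmInNoPols            0
XfrmInPolBlock          0
XfrmOutNoStates         0
XfrmOutPolBlock         0'

# Constructed samples of `ip xfrm state`: both SAs marked (good), one unmarked (bad)
XFRM_STATE_OK='src 2001:db8:0:2405::7 dst 2001:db8:0:100::7
    proto esp spi 0x0c0ffee1 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    mark 0x1/0xffffffff
src 2001:db8:0:100::7 dst 2001:db8:0:2405::7
    proto esp spi 0x0c0ffee2 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    mark 0x1/0xffffffff'

XFRM_STATE_BAD='src 2001:db8:0:2405::7 dst 2001:db8:0:100::7
    proto esp spi 0x0c0ffee1 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    mark 0x1/0xffffffff
src 2001:db8:0:100::7 dst 2001:db8:0:2405::7
    proto esp spi 0x0c0ffee2 reqid 1 mode tunnel
    replay-window 32 flag af-unspec'

# RX error count: the "Errors" column on the line following the "RX:" header.
vti_rx_errors() {
    printf '%s\n' "$1" | awk '/^RX:/ { getline; print $3; exit }'
}

# TX packet count from the same text.
vti_tx_packets() {
    printf '%s\n' "$1" | awk '/^TX:/ { getline; print $1; exit }'
}

# "yes" when the interface transmits but receives only errors (the thread's
# symptom), otherwise "no".
vti_is_black_hole() {
    rx=$(vti_rx_errors "$1"); tx=$(vti_tx_packets "$1")
    if [ "$tx" -gt 0 ] && [ "$rx" -gt 0 ]; then echo yes; else echo no; fi
}

# Non-zero /proc/net/xfrm_stat counters, one "Name value" per line. The
# counter name says why xfrm dropped the packet (no SA, no policy, policy
# block, template mismatch, ...), which the VTI RX error counter does not.
xfrm_nonzero() {
    printf '%s\n' "$1" | awk '$2 != 0 { print $1, $2 }'
}

# Checks that every SA in `ip xfrm state` output carries mark <key>/0xffffffff,
# i.e. strongSwan's mark=<key> matches the VTI's "key <key>".
# Args: state text, key in decimal. Exit 0 if all SAs match, 1 otherwise.
sa_marks_match_key() {
    want=$(printf '0x%x/0xffffffff' "$2")
    printf '%s\n' "$1" | awk -v want="$want" '
        /^src / { sas++ }
        $1 == "mark" && $2 == want { marked++ }
        END { exit !(sas > 0 && sas == marked) }'
}

# Stand-alone run over the constructed samples: ./vti-check.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "RX errors:  $(vti_rx_errors "$VTI_STATS_SAMPLE")"
    echo "TX packets: $(vti_tx_packets "$VTI_STATS_SAMPLE")"
    echo "black hole: $(vti_is_black_hole "$VTI_STATS_SAMPLE")"
    echo "xfrm drops:"; xfrm_nonzero "$XFRM_STAT_SAMPLE" | sed 's/^/  /'
    sa_marks_match_key "$XFRM_STATE_OK" 1  && echo "marks ok:  every SA carries mark 0x1"
    sa_marks_match_key "$XFRM_STATE_BAD" 1 || echo "marks bad: an SA is missing mark 0x1"
fi
```

On a live host, feed the functions real output instead of the samples: `vti_is_black_hole "$(ip -6 -s tunnel show ipsec0)"`, `xfrm_nonzero "$(cat /proc/net/xfrm_stat)"`, and `sa_marks_match_key "$(ip xfrm state)" 1`. Snapshot `/proc/net/xfrm_stat` twice a few seconds apart while traffic flows; the counter that moves in step with the VTI's RX errors is the reason for the drop, and an SA without the expected mark is the first thing to rule out when the VTI key and strongSwan's `mark=` are meant to match.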