[strongSwan] VTI with IPv4 over IPv6 Tunnel

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Jul 21 21:54:35 CEST 2017


Hi Benjamin,

On 21.07.2017 00:59, Benjamin Beier wrote:
> Actually I just need the interfaces so OSPF is happy.
> After wasting some more hours of time with VTIs, I decided to try GRE and well... it just works. :)
> Though I have heard and read that GRE is considered quite a dirty protocol.

Not so dirty, but it has more overhead than a VTI. Make sure you fix the MSS for TCP connections going over the tunnel and lower the MTU manually.

> I also heard that Libreswan provides better support for VTIs than Strongswan.

Blah. They just build some stuff into pluto to build them and tear them down automatically, which is obviously not something you want.
I don't even see any reason anybody would want that for a site-to-site tunnel.

Kind regards

Noel

> But for now I am sticking with the solution I have.
>
> Thanks for the hints.
> Benjamin
>
> On 07/20/2017 04:08 AM, Eric Germann wrote:
>> What’s your use case?  Could you accomplish it with GRE tunnels as P2P tunnels?
>>
>> I run a global backbone connecting AWS regions together for $DAYJOB.  We run BGP and routing over GRE tunnels.  The GRE packets are then encrypted by Strongswan.
>>
>> EKG
>>
>>> On Jul 19, 2017, at 7:21 PM, Benjamin Beier <benjamin.beier at heliocloud.net <mailto:benjamin.beier at heliocloud.net>> wrote:
>>>
>>> Hello,
>>>
>>> I have a working IPsec setup (IPv4 Net-Net over IPv6 Host-Host tunnel) including a properly configured firewall.
>>> It's been running fine for some months, but now I have a new requirement that needs Virtual Transport Interfaces (VTI) on both sides of the tunnel.
>>> Sadly I am really struggling with this part, having spent multiple days already trying to figure out why it's not working.
>>>
>>> Some useful information:
>>>
>>> * Firewall is deactivated (accepting everything)
>>> * Mangle table is empty
>>> * StrongSwan 5.5.3
>>> * Linux Kernel 4.4.X
>>> * Using the following guide:
>>>     https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>>>
>>> The VTI name is ipsec0 and traffic is routed to the interface properly.
>>> tcpdump shows lots of packets from 10.159.5.0/24 to 10.159.6.0/24 on interface ipsec0.
>>> My problem is, that the VTI seems to be a *black hole* at the moment.
>>> Packets just disappear in the tunnel interface and the RX error counter is rising quickly:
>>>
>>> ~ # ip -6 -s tunnel show ipsec0
>>> ipsec0: ipv6/ipv6 remote ####:####:####:100::7 local ####:####:####:2405::7 encaplimit 0 hoplimit 0 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
>>> RX: Packets    Bytes        *Errors* CsumErrs OutOfSeq Mcasts
>>>     0            0                *1198*   0        0        0      
>>> TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
>>>     358        56650        0         0        0        0
>>>
>>> So far I have no idea what's going on and I tried changing options for days, always with the same results.
>>> Maybe someone is running a similar setup and can provide some hints?
>>> Is there a way to find out what exactly those errors are?
>>>
>>> Many Thanks,
>>> Benjamin
>>>
>>> *Configuration:*
>>> --------------------------------
>>>
>>> # *strongswan.conf* - strongSwan configuration file
>>>
>>> charon {
>>>     load_modular = yes
>>> *    install_routes = no*
>>>     plugins {
>>>         include strongswan.d/charon/*.conf
>>>     }
>>> }
>>>
>>> include strongswan.d/*.conf
>>>
>>> --------------------------------
>>>
>>> #*ipsec.conf *- strongSwan IPsec configuration file
>>>
>>> config setup
>>>
>>> ca heliocloud
>>>         cacert=#######.crt
>>>         auto=add
>>>
>>> conn %default
>>>         ikelifetime=60m
>>>         keylife=20m
>>>         rekeymargin=3m
>>>         keyingtries=%forever
>>>         keyexchange=ikev2
>>>         mobike=no
>>>         compress=yes
>>>
>>> conn net-net
>>>         also=host-host
>>>         leftsubnet=10.159.5.0/24
>>>         rightsubnet=10.159.6.0/24
>>>         auto=start
>>> *        mark=1*
>>>
>>> conn host-host
>>>         left=####:####:####:100::7
>>>         leftcert=#######.crt
>>>         right=####:####:####:2405::7
>>>         auto=add
>>>
>>> --------------------------------
>>>
>>> modprobe ip6_vti
>>> ip -6 tunnel add ipsec0 local ####:####:####:100::7 remote ####:####:####:2405::7 mode vti6 *key 1*
>>> ip link set ipsec0 up
>>> ip route add 10.159.6.0/24 dev ipsec0
>>>
>>> --------------------------------
>>>
>>> 3: ip6tnl0 at NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1
>>>     link/tunnel6 :: brd ::
>>> 4: ip6_vti0 at NONE: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1
>>>     link/tunnel6 :: brd ::
>>> 8: ipsec0 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1
>>>     link/tunnel6 ####:####:####:100::7 peer ####:####:####:2405::7
>>>     inet6 fe80::2201:bff:fec8:2357/64 scope link
>>>        valid_lft forever preferred_lft forever
>>
>
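Noel's advice to lower the tunnel MTU and fix the TCP MSS, worked through as an added example (not code from the thread or from strongSwan). It assumes GRE over IPv6 protected by ESP in transport mode, an AES-GCM-128 SA (8-byte IV, 16-byte ICV, 4-byte alignment) and an interface called gre1; all of these are illustrative assumptions, and the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not from the thread: size a GRE-over-IPsec tunnel so that inner TCP
# flows never produce packets that have to be fragmented (or silently dropped) after
# ESP encapsulation. Assumptions: GRE runs over IPv6 (40-byte outer header) and is
# protected by ESP in transport mode; cipher parameters are illustrative and must be
# replaced by the ones actually negotiated for the SA.

# Worst-case ESP overhead in transport mode:
#   SPI+seq (8) + IV + padding (up to block-1) + pad length + next header (2) + ICV
esp_overhead() {  # $1 = IV bytes, $2 = ICV bytes, $3 = cipher block/alignment bytes
    echo $(( 8 + $1 + ($3 - 1) + 2 + $2 ))
}

# MTU the GRE interface may carry: underlay MTU minus outer IPv6, ESP and GRE headers.
gre_mtu() {  # $1 = underlay MTU, $2 = ESP overhead, $3 = GRE header bytes (4, or 8 with a key)
    echo $(( $1 - 40 - $2 - $3 ))
}

# MSS to advertise for IPv4 TCP inside the tunnel: MTU minus IPv4 (20) and TCP (20) headers.
tcp_mss() {  # $1 = tunnel MTU
    echo $(( $1 - 40 ))
}

# Print the commands to apply on the tunnel router (FORWARD chain: site-to-site traffic
# transits this host). They are printed, not executed, so this runs unprivileged.
tunnel_commands() {  # $1 = GRE interface name, $2 = tunnel MTU
    mss=$(tcp_mss "$2")
    echo "ip link set dev $1 mtu $2"
    # Rewrite the MSS option on SYN segments entering and leaving the tunnel.
    echo "iptables -t mangle -A FORWARD -o $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
    echo "iptables -t mangle -A FORWARD -i $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
}

# Example: AES-GCM-128 (8-byte IV, 16-byte ICV, 4-byte alignment), keyed GRE, 1500-byte underlay.
OVERHEAD=$(esp_overhead 8 16 4)      # 37
MTU=$(gre_mtu 1500 "$OVERHEAD" 8)    # 1415
tunnel_commands gre1 "$MTU"          # MSS becomes 1375
```

If the path MTU is unknown or varies, `-j TCPMSS --clamp-mss-to-pmtu` can replace the fixed `--set-mss` value, but the explicit tunnel MTU is still needed for non-TCP traffic.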
