[strongSwan] VTI device and strongswan ikev2 issue
Miroslav Hostinsky
bman at tls.sk
Wed Nov 22 16:47:54 CET 2017
Hello,
I have an issue configuring strongSwan with a VTI interface as a
roadwarrior. This is my configuration:
ipsec.conf:

config setup

conn %default
    keyexchange=ikev2
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    rekey=no
    dpdaction=restart
    dpddelay=30s
    compress=yes
    auto=start

conn acnnet
    leftupdown=/usr/local/sbin/ipsec-notify.sh
    left=%defaultroute
    leftauth=eap
    leftsourceip=%config4,%config6
    rightauth=pubkey
    rightsubnet=0.0.0.0/0,::/0
    eap_identity=%identity
    leftid=bman
    right=mailer.domena.sk
    rightid=@mailer.mailer.sk
    mark=28
The VTI interface is configured using the leftupdown script (real commands
executed):

ip tunnel add vti1 local 85.105.254.225 remote 185.210.28.63 mode vti key 28 ikey 28
ip link set vti1 up
ip addr add 192.168.228.10 dev vti1
ip route add 74.99.179.0/24 dev vti1
sysctl -w net.ipv4.conf.vti1.disable_policy=1
It seems that the outgoing connection via the vti1 interface is working
(outgoing ICMP echo requests to subnet 74.99.179.0/24). But I am unable
to receive ICMP echo replies. Using tcpdump I can clearly see that the
IPsec-encrypted ICMP echo reply is returning via the physical interface,
but not via vti1.
I found that TX bytes are correctly counted on vti1, but RX shows
errors (it seems that each ICMP echo reply packet is counted as +1
error):
# ip -s tunnel show
vti1: ip/ip remote 185.210.28.63 local 85.105.254.225 ttl inherit key 28
RX: Packets    Bytes    Errors CsumErrs OutOfSeq Mcasts
    0          0        805    0        0        0
TX: Packets    Bytes    Errors DeadLoop NoRoute  NoBufs
    401        68170    0      0        0        0
ip_vti0: ip/ip remote any local any ttl inherit nopmtudisc key 0
RX: Packets    Bytes    Errors CsumErrs OutOfSeq Mcasts
    0          0        0      0        0        0
TX: Packets    Bytes    Errors DeadLoop NoRoute  NoBufs
    0          0        0      0        0        0
It seems that the RX errors on vti1 are the currently missing ICMP echo reply
packets, but they are counted as RX errors, not as RX received packets.
Do you have any idea what's wrong?
I am using CentOS 7.4 with strongswan-5.5.3-1.el7.x86_64 from EPEL. I
tried with the same result on Arch Linux (kernel 4.9 and strongswan 5.6.0).
Route installation is disabled in charon.conf.
Normal connection using Virtual IP is working great.
Thank you very much for any help.
BR,
Miroslav
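A worked updown script for the kind of setup described in this post, added here as an illustration; it is not the poster's own /usr/local/sbin/ipsec-notify.sh and not part of strongSwan. It assumes charon passes the standard updown environment variables (PLUTO_VERB, PLUTO_ME, PLUTO_PEER, PLUTO_PEER_CLIENT, PLUTO_MY_SOURCEIP, and PLUTO_MARK_IN / PLUTO_MARK_OUT in "value/mask" form) and derives the VTI ikey/okey from the SA marks so the two values cannot drift apart. VTI_DEV, VTI_ROUTES and DRY_RUN are this example's own variables.

```shell
#!/bin/sh
# Added illustration of a leftupdown script for a VTI roadwarrior; not the
# poster's /usr/local/sbin/ipsec-notify.sh. Assumed: charon exports the
# standard updown variables PLUTO_VERB, PLUTO_ME, PLUTO_PEER, PLUTO_PEER_CLIENT,
# PLUTO_MY_SOURCEIP and PLUTO_MARK_IN/PLUTO_MARK_OUT (formatted "value/mask").

VTI_DEV="${VTI_DEV:-vti1}"

# run_cmd: execute the command, or only print it when DRY_RUN=1 so the
# script can be exercised without root and without touching the kernel.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

vti_up() {
    # PLUTO_MARK_* carries "value/mask"; the tunnel keys need the bare value.
    # Taking ikey/okey from the SA marks (mark=28 in the post) keeps the
    # device tied to exactly the SAs charon installed for this conn.
    ikey="${PLUTO_MARK_IN%%/*}"
    okey="${PLUTO_MARK_OUT%%/*}"
    run_cmd ip tunnel add "$VTI_DEV" local "$PLUTO_ME" remote "$PLUTO_PEER" \
        mode vti ikey "$ikey" okey "$okey"
    run_cmd ip link set "$VTI_DEV" up
    # The VTI already maps traffic to its SAs via the mark, so the extra
    # per-device policy check is turned off (the post does the same).
    run_cmd sysctl -w "net.ipv4.conf.$VTI_DEV.disable_policy=1"
    # Virtual IP assigned by the server (leftsourceip=%config4).
    if [ -n "${PLUTO_MY_SOURCEIP:-}" ]; then
        run_cmd ip addr add "$PLUTO_MY_SOURCEIP" dev "$VTI_DEV"
    fi
    # Routes sent over the tunnel. With rightsubnet=0.0.0.0/0 the peer
    # selector is a default route that would collide with the underlay's,
    # so set VTI_ROUTES explicitly (the post routes 74.99.179.0/24).
    for r in ${VTI_ROUTES:-$PLUTO_PEER_CLIENT}; do
        run_cmd ip route add "$r" dev "$VTI_DEV"
    done
}

vti_down() {
    for r in ${VTI_ROUTES:-$PLUTO_PEER_CLIENT}; do
        run_cmd ip route del "$r" dev "$VTI_DEV"
    done
    run_cmd ip tunnel del "$VTI_DEV"
}

updown_main() {
    case "${PLUTO_VERB:-}" in
        up-client)   vti_up ;;
        down-client) vti_down ;;
        *)           : ;;   # up-host/down-host and unknown verbs: nothing to do
    esac
}

# Dispatch only when charon invoked us with a verb; running the file with no
# PLUTO_* environment (e.g. to test the functions above) does nothing.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_main
fi
```

Running it with DRY_RUN=1 and a hand-set PLUTO_* environment prints the exact ip and sysctl commands it would execute, which is a cheap way to confirm that the key values and routes match the conn before letting charon call it for real.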