[strongSwan] Issue with VTI packet forwarding
Naveen Neelakanta
naveen.b.neelakanta at gmail.com
Wed Nov 29 04:14:57 CET 2017

Hi All,

I need some guidance and help in getting the traffic routed via the VTI (ipsec0) interface. I am using the VTI interface just to mark the traffic and forward it.

I am not able to get the traffic forwarded via the VTI (ipsec0) interface and marked so that it gets protected. I have the IPsec tunnel up between two devices. I see the traffic sent from the client interface reaching the VTI interface; however, it is not getting forwarded to eth3 so that it gets protected.

Unix Device1:

    eth3 <------------ ipsec0 (vti) <------------ vzsi
    10.24.18.209       10.24.18.36                10.24.18.203

Routing rules on the device:
ip tunnel add ipsec0 local 10.24.18.36 remote 0.0.0.0 mode vti okey 32 ikey 32
ip link set ipsec0 up
ip route add default dev ipsec0 table zs-flow-table-inet
echo 1 > /proc/sys/net/ipv4/conf/ipsec0/disable_policy
echo 1 > /proc/sys/net/ipv4/conf/ipsec0/disable_xfrm
echo 300 zs-flow-table-inet >> /etc/iproute2/rt_tables
ip rule add iif vzsi-p table zs-flow-table-inet
ip route add default dev ipsec0 table zs-flow-table-inet
ip rule add iif ipsec0 table internet-eth3
ip rule add oif ipsec0 table internet-eth3
# ip route show table internet-eth3
  default via 10.24.18.210 dev eth3
The IPsec policy and SA config is present.

SPD entry:
src 0.0.0.0/0 dst 0.0.0.0/0
dir fwd priority 3075
mark 32/0xffffffff
tmpl src 10.24.18.35 dst 10.24.18.209
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 3075
mark 32/0xffffffff
tmpl src 10.24.18.35 dst 10.24.18.209
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 3075
mark 32/0xffffffff
tmpl src 10.24.18.209 dst 10.24.18.35
proto esp reqid 1 mode tunnel
SADB:
src 10.24.18.209 dst 10.24.18.35
proto esp spi 0xcfe2aa19 reqid 1 mode tunnel
replay-window 32 flag af-unspec
mark 32/0xffffffff
auth-trunc hmac(md5) 0x830c26f2a8fdaa2a1d6f82c9663f0bf3 96
enc ecb(cipher_null)
src 10.24.18.35 dst 10.24.18.209
proto esp spi 0xc377e262 reqid 1 mode tunnel
replay-window 32 flag af-unspec
mark 32/0xffffffff
auth-trunc hmac(md5) 0x99f7adff411b87cb04a652469b6132fd 96
enc ecb(cipher_null)
Issue:

# ip -s tunnel s ipsec0
ipsec0: ip/ip  remote any  local 10.24.18.36  ttl inherit  key 32
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    0          0            32     0        32       0
I see the traffic on the ipsec0 interface:

# tcpdump -ni ipsec0
listening on ipsec0, link-type RAW (Raw IP), capture size 65535 bytes
02:18:03.237031 IP 10.24.18.203.52554 > 10.24.18.35.8888: Flags [S], seq 3484231614, win 29200, options [mss 1460,sackOK,TS val 4061593203 ecr 0,nop,wscale 7], length 0
# ifconfig ipsec0
ipsec0    Link encap:IPIP Tunnel  HWaddr
          UP RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:32 dropped:0 overruns:0 carrier:32
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Thanks,
Naveen
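
An added diagnostic, not part of Naveen's post, that cross-checks the posted `ip tunnel show` record against the outbound xfrm policy it has to match. It assumes two rules from the Linux VTI driver (my reading of the driver, not confirmed by the post): the VTI stamps outgoing packets with its okey, so the policy mark must equal the key, and a tunnel with `remote any` only accepts an SA whose source equals the tunnel's local address, counting anything else as a carrier error (the NoRoute column above). The sample input is copied from the post.

```sh
#!/bin/sh
# Added diagnostic (not from the post): cross-check a VTI's key and endpoints
# against the outbound xfrm policy it must match. Assumed from the kernel VTI
# driver: the packet mark is set to the okey, so the policy mark must equal it;
# with "remote any" the tunnel's local address must equal the SA source, else
# the packet is dropped and counted as a carrier error (NoRoute in ip -s tunnel).

# Constructed sample input, copied from the post (ip tunnel show / ip xfrm policy).
TUNNEL_POSTED='ipsec0: ip/ip  remote any  local 10.24.18.36  ttl inherit  key 32'
POLICY_OUT='src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 3075
mark 32/0xffffffff
tmpl src 10.24.18.209 dst 10.24.18.35
proto esp reqid 1 mode tunnel'

# Value following a keyword in a one-line "ip tunnel show" record (empty if absent).
tunnel_field() {  # $1 = tunnel line, $2 = keyword (remote|local|key|okey)
    printf '%s\n' "$1" | awk -v k="$2" '{ for (i = 1; i < NF; i++) if ($i == k) print $(i + 1) }'
}

# Decimal mark value from the policy's "mark N/MASK" line.
policy_mark() {  # $1 = policy text
    printf '%s\n' "$1" | awk '$1 == "mark" { split($2, m, "/"); print m[1] }'
}

# Endpoint from the policy's "tmpl src X dst Y" line; $2 = src|dst.
tmpl_addr() {  # $1 = policy text, $2 = src|dst
    printf '%s\n' "$1" | awk -v w="$2" '$1 == "tmpl" { for (i = 2; i < NF; i++) if ($i == w) print $(i + 1) }'
}

# Print every mismatch; returns 0 when consistent, 1 when at least one was found.
vti_check() {  # $1 = tunnel line, $2 = outbound policy text
    rc=0
    key=$(tunnel_field "$1" okey)                    # "okey N" when ikey != okey,
    [ -n "$key" ] || key=$(tunnel_field "$1" key)    # plain "key N" when they are equal
    mark=$(policy_mark "$2")
    [ "$key" = "$mark" ] || { echo "okey $key != policy mark $mark"; rc=1; }
    remote=$(tunnel_field "$1" remote); local_=$(tunnel_field "$1" local)
    src=$(tmpl_addr "$2" src); dst=$(tmpl_addr "$2" dst)
    if [ "$remote" = "any" ] || [ "$remote" = "0.0.0.0" ]; then
        [ "$local_" = "$src" ] || { echo "vti local $local_ != SA src $src"; rc=1; }
    else
        [ "$remote" = "$dst" ] || { echo "vti remote $remote != SA dst $dst"; rc=1; }
    fi
    return $rc
}

vti_check "$TUNNEL_POSTED" "$POLICY_OUT" || echo "ipsec0: parameters inconsistent"
```

On a live box the two inputs would come from `ip tunnel show ipsec0` and `ip xfrm policy` filtered to the `dir out` entry with the tunnel's mark.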