[strongSwan] Issuse with VTI packet forwarding

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Nov 29 19:33:04 CET 2017


Hi,

Please follow the RouteBasedVPN article[1] to the letter and keep your routes in the main routing table
to keep it simple. As soon as you have a working setup, THEN you can start making changes.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN


On 29.11.2017 09:16, Naveen Neelakanta wrote:
> Hi All,
>
> Need some guidance and help in getting the traffic routed via VTI (
> ipsec0 ) interface.I am using the VTI interface to just mark the
> traffic and forward.
>
> I am not able to get the traffic forwarding via VTI( ipsec0) interface
> and getting the traffic marked, so that it gets protected.
>
> i have the ipsec tunnel up with between two device. i see traffic send
> from client interface reaching VTI interface , however its not getting
> forwarded to eth3 , so that it gets protected.
>
>
> Unix Device1:
>
>
> eth3<————— ipsec0 ( vti )<———————vzsi
>
>
> 10.24.18.209       10.24.18.36           10.24.18.203
>
>
>
> Routing rules on the device :
>
>
> ip tunnel add ipsec0 local 10.24.18.36 remote 0.0.0.0 mode vti okey 32 ikey 32
>
> ip link set ipsec0 up
>
> ip route add default dev ipsec0 table zs-flow-table-inet
>
> echo 1 > /proc/sys/net/ipv4/conf/ipsec0/disable_policy
>
> echo 1 > /proc/sys/net/ipv4/conf/ipsec0/disable_xfrm
>
> echo 300 zs-flow-table-inet >> /etc/iproute2/rt_tables
>
>
>
> ip rule add iif vzsi-p table zs-flow-table-inet
>
>
> ip route add default dev ipsec0 table zs-flow-table-inet
>
> ip rule add iif ipsec0 table internet-eth3
>
> ip rule add oif ipsec0 table internet-eth3
>
> # ip route show table internet-eth3
>
>
>   default via 10.24.18.210 dev eth3
>
>
> The ipsec policy and sa config is present
>
> SPD entry :
>
>
> src 0.0.0.0/0 dst 0.0.0.0/0
>
> dir fwd priority 3075
>
> mark 32/0xffffffff
>
> tmpl src 10.24.18.35 dst 10.24.18.209
>
> proto esp reqid 1 mode tunnel
>
> src 0.0.0.0/0 dst 0.0.0.0/0
>
> dir in priority 3075
>
> mark 32/0xffffffff
>
> tmpl src 10.24.18.35 dst 10.24.18.209
>
> proto esp reqid 1 mode tunnel
>
> src 0.0.0.0/0 dst 0.0.0.0/0
>
> dir out priority 3075
>
> mark 32/0xffffffff
>
> tmpl src 10.24.18.209 dst 10.24.18.35
>
>          proto esp reqid 1 mode tunnel
>
> SADB:
>
> src 10.24.18.209 dst 10.24.18.35
>
> proto esp spi 0xcfe2aa19 reqid 1 mode tunnel
>
> replay-window 32 flag af-unspec
>
> mark 32/0xffffffff
>
> auth-trunc hmac(md5) 0x830c26f2a8fdaa2a1d6f82c9663f0bf3 96
>
> enc ecb(cipher_null)
>
> src 10.24.18.35 dst 10.24.18.209
>
> proto esp spi 0xc377e262 reqid 1 mode tunnel
>
> replay-window 32 flag af-unspec
>
> mark 32/0xffffffff
>
> auth-trunc hmac(md5) 0x99f7adff411b87cb04a652469b6132fd 96
>
>         enc ecb(cipher_null)
>
> Issue:
>
> #ip -s tunnel s ipsec0
>
> ipsec0: ip/ip  remote any  local 10.24.18.36  ttl inherit  key 32
>
> RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
>
>     0          0            0      0        0        0
>
> TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
>
>
>        0          0                             32          0
> 32           0
>
> I see the traffic on the ipsec0 interface
>
> #tcpdump -ni ipsec0
>
> listening on ipsec0, link-type RAW (Raw IP), capture size 65535 bytes
>
> 02:18:03.237031 IP 10.24.18.203.52554 > 10.24.18.35.8888: Flags [S],
> seq 3484231614, win 29200, options [mss 1460,sackOK,TS val 4061593203
> ecr 0,nop,wscale 7], length 0
>
> # ifconfig ipsec0
>
>           ipsec0    Link encap:IPIP Tunnel  HWaddr
>
>           UP RUNNING NOARP  MTU:1500  Metric:1
>
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>
>           TX packets:0 errors:32 dropped:0 overruns:0 carrier:32
>
>           collisions:0 txqueuelen:0
>
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
>
> Thanks,
>
> Naveen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171129/e192c7a5/attachment.sig>


More information about the Users mailing list