[strongSwan] Traffic on VTI interface is routed back through VTI
Oscar
strongswan-users at kene.nu
Fri Apr 6 14:40:17 CEST 2018
Hello,
My setup is as follows:
(10.1.48.0/23) R1<-(vlan)->R2<-(ipsec)->R3 (10.46.0.0/16)
Traffic from R1 that is destined for something behind R3 is correctly
forwarded by R2 through the IPsec VTI tunnel, but the return traffic is not
forwarded by R2 on to R1; instead it is forwarded back to R3. This
effectively causes lots of bouncing of traffic between R2 and R3.
I am using a VTI interface with marks to enable route-based IPsec, as I am
running BGP on all routers. It feels like R2 still uses the policies to
route traffic in and out of the VTI tunnel, because when I change the rightsubnet
to 10.46.0.0/16 it all works.
ipsec.conf:
config setup
conn %default
aggressive = no
closeaction = restart
compress = no
dpdaction = restart
dpddelay = 10s
dpdtimeout = 30s
esp = aes128-sha256-modp2048s256,aes128-sha1-modp1024!
ike = aes256-sha256-modp2048s256,aes128-sha1-modp1024!
ikelifetime = 28800s
installpolicy = yes
lifetime = 3600s
mobike = no
reauth = no
rekey = yes
leftauth = psk
rightauth = psk
leftsubnet = 0.0.0.0/0
rightsubnet = 0.0.0.0/0
leftupdown = /etc/strongswan.d/ipsec-vti.sh
conn prod
auto = start
type = tunnel
mark = 991
left = 149.1.1.1
right = 51.1.1.1
keyexchange = ikev2
charon.conf:
charon {
install_routes = no
}
Other useful info:
# iptables -nL -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
MARK esp -- 51.1.1.1 149.1.1.1 MARK set 0x3df
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
flags:0x06/0x02 TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
# ifconfig vti1
vti1 Link encap:IPIP Tunnel HWaddr
inet addr:172.29.253.80 P-t-P:10.46.0.254 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1350 Metric:1
RX packets:5210 errors:0 dropped:0 overruns:0 frame:0
TX packets:5201 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:402059 (402.0 KB) TX bytes:405173 (405.1 KB)
# cat /etc/strongswan.d/ipsec-vti.sh
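#!/bin/bash
# strongSwan updown script (ipsec.conf leftupdown) for a route-based tunnel.
# On up-client it creates a VTI device keyed with the connection's IN/OUT
# marks (ikey/okey), tunes its sysctls and installs the matching mangle rules;
# on down-client it tears all of that down again.
#
# Environment provided by charon: PLUTO_CONNECTION, PLUTO_VERB, PLUTO_ME,
# PLUTO_PEER, PLUTO_MARK_IN, PLUTO_MARK_OUT (marks are passed as "mark/mask").

IP=$(command -v ip)
IPTABLES=$(command -v iptables)
SYSCTL=$(command -v sysctl)

# Underlay (WAN) interface whose xfrm/policy lookups are disabled below.
WAN_INTERFACE=ens5

# Map the connection name to its VTI parameters.
case "${PLUTO_CONNECTION:-}" in
  prod)
    VTI_INTERFACE=vti1
    VTI_LOCALADDR=172.29.253.80
    VTI_REMOTEADDR=10.46.0.254
    # Strip the "/mask" suffix; only the mark value is used for ikey/okey.
    MARK_IN=${PLUTO_MARK_IN%%/*}
    MARK_OUT=${PLUTO_MARK_OUT%%/*}
    ;;
  *)
    # With no mapping every ip/iptables call below would run against an empty
    # interface name, so refuse instead of guessing.
    printf 'ipsec-vti.sh: no VTI mapping for connection "%s"\n' \
      "${PLUTO_CONNECTION:-}" >&2
    exit 1
    ;;
esac

case "${PLUTO_VERB:-}" in
  up-client)
    echo "uping interface ${VTI_INTERFACE}"
    "$IP" link add "$VTI_INTERFACE" type vti local "$PLUTO_ME" \
      remote "$PLUTO_PEER" ikey "$MARK_IN" okey "$MARK_OUT"
    # Skip the per-packet IPsec policy check on the vti device itself.
    "$SYSCTL" -w "net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1"
    # Loose reverse-path filtering; fall back to off where 2 is rejected.
    "$SYSCTL" -w "net.ipv4.conf.${VTI_INTERFACE}.rp_filter=2" \
      || "$SYSCTL" -w "net.ipv4.conf.${VTI_INTERFACE}.rp_filter=0"
    "$IP" addr add "$VTI_LOCALADDR" remote "$VTI_REMOTEADDR" dev "$VTI_INTERFACE"
    "$IP" link set "$VTI_INTERFACE" up mtu 1350
    # Clamp TCP MSS for traffic leaving through the tunnel (MTU 1350).
    "$IPTABLES" -t mangle -I FORWARD -o "$VTI_INTERFACE" -p tcp -m tcp \
      --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    # Mark inbound ESP from the peer so the kernel selects the marked SA/policy.
    # NOTE(review): with "mark = 991" in ipsec.conf MARK_IN equals MARK_OUT, so
    # this is also the mark that selects the 0.0.0.0/0 outbound policy. If the
    # mark is retained on the decapsulated packet, forwarded return traffic
    # would match that policy and re-enter the tunnel -- consistent with the
    # bouncing described in the report; confirm on the running kernel.
    "$IPTABLES" -t mangle -I INPUT -p esp -s "$PLUTO_PEER" -d "$PLUTO_ME" \
      -j MARK --set-xmark "$MARK_IN"
    # Drop anything charon may have placed in its own routing table.
    "$IP" route flush table 220
    ;;
  down-client)
    echo "downing interface ${VTI_INTERFACE}"
    "$IP" link del "$VTI_INTERFACE"
    # Remove the rules installed by up-client (same match, -D instead of -I).
    "$IPTABLES" -t mangle -D FORWARD -o "$VTI_INTERFACE" -p tcp -m tcp \
      --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    "$IPTABLES" -t mangle -D INPUT -p esp -s "$PLUTO_PEER" -d "$PLUTO_ME" \
      -j MARK --set-xmark "$MARK_IN"
    ;;
esac

# Enable IPv4 forwarding and keep the underlay interface out of xfrm/policy
# lookups; runs for every verb, exactly as the original script did.
"$SYSCTL" -w net.ipv4.ip_forward=1
"$SYSCTL" -w "net.ipv4.conf.${WAN_INTERFACE}.disable_xfrm=1"
"$SYSCTL" -w "net.ipv4.conf.${WAN_INTERFACE}.disable_policy=1"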