[strongSwan] Shared VTI device configuration

Aleksey Zolotukhin jakal66 at gmail.com
Sat Jun 15 21:00:33 CEST 2019


Hello,

Sorry for disturbing you.

I am trying to start using the IPsec VTI technique with a single shared VTI device
on CentOS 7, with several pfSense routers as road warriors.

I want to implement this approach because I prefer using dynamic routing
with the help of the OSPF or BGP protocols.
Aside from this, the way of setting up tunnels over IPsec+GRE works, but it looks
more like a conglomeration of different methods for reaching a desired result
instead of something simple.

Despite the simple configuration and the good documentation
describing how to run a shared VTI device on Linux, I have not been able
to implement my plan for several weeks.
That is why I have decided to ask for your help.

Here is the config of VPN gateway on Centos 7:

 1. iproute2
>     # ip tunnel show
>     ip_vti0: ip/ip remote any local any ttl inherit nopmtudisc key 0
>     ipsec0: ip/ip remote any local <public gateway IP address> ttl inherit key 2
>
>     # ip add show ipsec0
>     5: ipsec0@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
>         link/ipip <public gateway IP address> brd 0.0.0.0
>         inet 10.10.50.1/24 scope global ipsec0
>            valid_lft forever preferred_lft forever
>
>     # ip xfrm state
>     src <public gateway IP address> dst <public alice IP address>
>             proto esp spi 0xc02a1647 reqid 1 mode tunnel
>             replay-window 0 flag af-unspec
>             mark 0x2/0xffffffff
>             auth-trunc hmac(sha256) 0xf4bebd29572077ffd2de2fd94ef5789db9a64bc0d0486840944d8c151ddb1a00 128
>             enc cbc(aes) 0x3e53b08a64734a080f88ea29c1c4d8d5
>             anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
>     src <public alice IP address> dst <public gateway IP address>
>             proto esp spi 0xc143c654 reqid 1 mode tunnel
>             replay-window 32 flag af-unspec
>             auth-trunc hmac(sha256) 0x2685a694d1bba26d113396f34611f31ec19ee7ac8b132a535d6772132616bdd1 128
>             enc cbc(aes) 0xda453318ab6c3c8a8a15bed3addff236
>             anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
>     src <public gateway IP address> dst <public bob IP address>
>             proto esp spi 0xca6589d4 reqid 1 mode tunnel
>             replay-window 0 flag af-unspec
>             mark 0x2/0xffffffff
>             auth-trunc hmac(sha256) 0x57fcc86f599da0bce04558007094a87e43ad5541539b540146297d266b838c09 128
>             enc cbc(aes) 0xb48066ff05c8de3a8cab2ff7fa64b3fa
>             anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
>     src <public bob IP address> dst <public gateway IP address>
>             proto esp spi 0xc8cad11b reqid 1 mode tunnel
>             replay-window 32 flag af-unspec
>             auth-trunc hmac(sha256) 0x362e088f0d60b4204bde527674952cc80f4855b033d22625c3f2124b3d022d37 128
>             enc cbc(aes) 0x4f00332b9392bd69cc3c5bfc0de2b1f2
>             anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

 2. strongswan.conf
>     charon {
>             load_modular = yes
>             # Install routes into a separate routing table for established IPSec tunnels.
>             install_routes = no
>
>             # Install virtual IP addresses.
>             install_virtual_ip = no
>
>             plugins {
>                     include strongswan.d/charon/*.conf
>             }
>     }


 3. ipsec.conf
>     # ipsec.conf - strongSwan IPsec configuration file
>     config setup
>             uniqueids=never
>             charondebug="cfg 1, dmn 1, ike 1, net 0"
>
>     conn %default
>             leftauth=pubkey
>             rightauth=pubkey
>             ike=aes128-sha2_256-modp2048!
>             ikelifetime=28800s
>             aggressive=no
>             esp=aes128-sha2_256-modp2048!
>             lifetime=3600s
>             type=tunnel
>             dpddelay=20s
>             dpdtimeout=30s
>             dpdaction=restart
>             keyexchange=ikev2
>             rekey=yes
>             reauth=no
>             closeaction=restart
>             leftsubnet=0.0.0.0/0
>             rightsubnet=0.0.0.0/0
>             installpolicy=yes
>             compress=no
>             mobike=no
>
>     conn alice
>             auto=route
>             leftid=@vpn.routers.example.com
>             leftcert=vpn.routers.example.com.crt
>             right=%any
>             rightid=@alice.routers.example.com
>             mark=2
>
>     conn bob
>             auto=route
>             leftid=@vpn.routers.example.com
>             leftcert=vpn.routers.example.com.crt
>             right=%any
>             rightid=@bob.routers.example.com
>             mark=2

 4. swanctl output:
>     # swanctl --list-sas
>     alice: #2, ESTABLISHED, IKEv2, 8024abf57579427c_i d9f6a862d18493a9_r*
>       local  'vpn.routers.example.com' @ xxx.xxx.xx.xx[500]
>       remote 'alice.routers.example.com' @ yyy.yyy.yyy.yy[500]
>       AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>       established 4s ago, rekeying in 27954s
>       gateway-ekb: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
>         installed 4s ago, rekeying in 2541s, expires in 3596s
>         in  c143c654 (0x00000002),      0 bytes,     0 packets
>         out c02a1647 (0x00000002),      0 bytes,     0 packets
>         local  0.0.0.0/0
>         remote 0.0.0.0/0
>     bob: #1, ESTABLISHED, IKEv2, 239d807fda28ae2f_i d66b0d9da8df6668_r*
>       local  'vpn.routers.example.com' @ xxx.xxx.xx.xx[500]
>       remote 'bob.routers.example.com' @ zz.zzz.zz.zz[500]
>       AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>       established 8s ago, rekeying in 27769s
>       gateway-krk: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
>         installed 8s ago, rekeying in 2657s, expires in 3592s
>         in  c8cad11b (0x00000002),      0 bytes,     0 packets
>         out ca6589d4 (0x00000002),      0 bytes,     0 packets
>         local  0.0.0.0/0
>         remote 0.0.0.0/0



Here is the config of Alice that is used on pfSense (config of Bob is
equal except IP addresses and certificates):

 1. ipsec.conf:
>     conn gateway
>             reqid = 2000
>             fragmentation = yes
>             keyexchange = ikev2
>             reauth = yes
>             forceencaps = no
>             mobike = no
>
>             rekey = no
>             installpolicy = no
>
>             dpdaction = restart
>             dpddelay = 10s
>             dpdtimeout = 60s
>             auto = start
>             left = 188.234.247.71
>             right = vpn.routers.example.com
>             leftid = fqdn:alice.routers.example.com
>             ikelifetime = 28800s
>             lifetime = 3600s
>             ike = aes128-sha256-modp2048!
>             esp = aes128-sha256-modp2048,aes128gcm128-sha256-modp2048!
>             leftauth = pubkey
>             rightauth = pubkey
>             leftcert=/var/etc/ipsec/ipsec.d/certs/cert-2.crt
>             leftsendcert=always
>             rightca="<some content>"
>             rightid = fqdn:vpn.routers.example.com
>             rightsubnet = 10.10.50.1,0.0.0.0/0
>             leftsubnet = 10.10.50.2/24,0.0.0.0/0

 2. strongswan.conf
>     starter {
>             load_warning = no
>             config_file = /var/etc/ipsec/ipsec.conf
>     }
>
>     charon {
>     # number of worker threads in charon
>             threads = 16
>             ikesa_table_size = 32
>             ikesa_table_segments = 4
>             init_limit_half_open = 1000
>             install_routes = no
>             load_modular = yes
>             ignore_acquire_ts = yes
>
>
>             cisco_unity = no
>
>
>
>             syslog {
>                     identifier = charon
>                     # log everything under daemon since it ends up in the same place regardless with our syslog.conf
>                     daemon {
>                             ike_name = yes
>                             dmn = 1
>                             mgr = 1
>                             ike = 2
>                             chd = 2
>                             job = 1
>                             cfg = 2
>                             knl = 1
>                             net = 1
>                             asn = 1
>                             enc = 1
>                             imc = 1
>                             imv = 1
>                             pts = 1
>                             tls = 1
>                             esp = 1
>                             lib = 1
>
>                     }
>                     # disable logging under auth so logs aren't duplicated
>                     auth {
>                             default = -1
>                     }
>             }
>
>             plugins {
>                     # Load defaults
>                     include /var/etc/ipsec/strongswan.d/charon/*.conf
>
>                     stroke {
>                             secrets_file = /var/etc/ipsec/ipsec.secrets
>                     }
>
>                     unity {
>                             load = no
>                     }
>
>             }
>     }


The issue is a weird behavior whose reasons I cannot guess.
I configured CentOS 7 and created the shared VTI device according to the
strongSwan documentation. I set up IPsec VTI on the pfSense routers and
they can establish connections.
However, when Alice connects to VPN gateway I see the following XFRM policy:

> # ip xfrm policy
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir out priority 399999 ptype main
>         mark 0x2/0xffffffff
>         tmpl src <public gateway IP address> dst <public alice IP address>
>                 proto esp spi 0xc02a1647 reqid 1 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir fwd priority 399999 ptype main
>         mark 0x2/0xffffffff
>         tmpl src <public alice IP address> dst <public gateway IP address>
>                 proto esp reqid 1 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir in priority 399999 ptype main
>         mark 0x2/0xffffffff
>         tmpl src <public alice IP address> dst <public gateway IP address>
>                 proto esp reqid 1 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket out priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket out priority 0 ptype main
> src ::/0 dst ::/0
>         socket in priority 0 ptype main
> src ::/0 dst ::/0
>         socket out priority 0 ptype main
> src ::/0 dst ::/0
>         socket in priority 0 ptype main
> src ::/0 dst ::/0
>         socket out priority 0 ptype main
and I can ping endpoints of the tunnel and even resources behind them if
static routes are specified.

But if Bob connects to the gateway after Alice, the XFRM policy changes:

> # ip xfrm policy
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir out priority 399999 ptype main
>         mark 0x2/0xffffffff
>         tmpl src <public gateway IP address> dst <public bob IP address>
>                 proto esp spi 0xc17ca64f reqid 1 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir fwd priority 399999 ptype main
>         mark 0x2/0xffffffff
>         tmpl src <public bob IP address> dst <public gateway IP address>
>                 proto esp reqid 1 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir in priority 399999 ptype main
>         mark 0x2/0xffffffff
>         tmpl src <public bob IP address> dst <public gateway IP address>
>                 proto esp reqid 1 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket out priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket out priority 0 ptype main
> src ::/0 dst ::/0
>         socket in priority 0 ptype main
> src ::/0 dst ::/0
>         socket out priority 0 ptype main
> src ::/0 dst ::/0
>         socket in priority 0 ptype main
> src ::/0 dst ::/0
>         socket out priority 0 ptype main
That means that traffic between the gateway and Alice stops passing but
traffic between the gateway and Bob starts going.
If connections are established to the gateway in opposite order the
behavior is the same.

The goal is to use one shared VTI device for both simultaneous connections.

Perhaps my eyes are soiled and I don't see a mistake. If it is so,
please point me to it.
If you already have experience with implementing the above, I beg you to
share it with me.

Sorry for bothering again and thank you in advance.

-- 
Regards,
Aleksey Zolotuhin
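The policy listings in this post show one kernel policy per direction for the selector 0.0.0.0/0 <-> 0.0.0.0/0 with mark 0x2, whose template switches from Alice's to Bob's peer address when Bob connects. Linux XFRM policies are keyed by selector, direction and mark, so two conns that install the same selector with the same mark update a single kernel entry instead of coexisting. The following checker is an added example (not code from the post or from the strongSwan project): it parses conn sections from an ipsec.conf, applies conn %default, and reports pairs of conns whose policies would share or overlap one kernel entry. GATEWAY_CONF is a constructed excerpt of the gateway configuration above; DISTINCT_MARKS_CONF is a constructed variant with a different mark per peer, used only to show the checker passing. Whether distinct marks are compatible with a single VTI device keyed on one mark is a separate question that this checker does not answer.

```python
import ipaddress
import re

# Constructed sample: the subset of the gateway's ipsec.conf from the post that
# matters for policy installation (conn %default plus the two peer conns).
GATEWAY_CONF = """\
config setup
        uniqueids=never

conn %default
        type=tunnel
        leftsubnet=0.0.0.0/0
        rightsubnet=0.0.0.0/0

conn alice
        auto=route
        right=%any
        rightid=@alice.routers.example.com
        mark=2

conn bob
        auto=route
        right=%any
        rightid=@bob.routers.example.com
        mark=2
"""

# Constructed variant (not from the post): a distinct mark per peer.
DISTINCT_MARKS_CONF = GATEWAY_CONF.replace(
    "rightid=@bob.routers.example.com\n        mark=2",
    "rightid=@bob.routers.example.com\n        mark=3")


def parse_conns(text):
    """Parse ipsec.conf 'conn' sections into dicts, applying conn %default."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # section header: 'conn X' or 'config setup'
            m = re.match(r"conn\s+(\S+)$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
            continue
        if current is None:                  # inside 'config setup' or similar
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}


def parse_mark(spec):
    """'2' -> (2, 0xffffffff); '0x10/0xff' -> (16, 255); None if no mark set."""
    if not spec:
        return None
    value, _, mask = spec.partition("/")
    return (int(value, 0), int(mask, 0) if mask else 0xffffffff)


def subnets(spec):
    """'10.10.50.2/24,0.0.0.0/0' -> list of networks (strongSwan accepts lists)."""
    return [ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(",")]


def selector_pairs(conn):
    """Every (left, right) selector combination a conn would install."""
    return [(left, right)
            for left in subnets(conn.get("leftsubnet", "0.0.0.0/0"))
            for right in subnets(conn.get("rightsubnet", "0.0.0.0/0"))]


def find_mark_collisions(conns):
    """Return (conn_a, conn_b, kind) for conn pairs with the same mark whose
    selectors are 'identical' (one shared kernel policy, last writer wins) or
    'overlap' (two same-priority policies matching the same traffic)."""
    issues = []
    names = sorted(conns)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parse_mark(conns[a].get("mark")) != parse_mark(conns[b].get("mark")):
                continue
            for la, ra in selector_pairs(conns[a]):
                for lb, rb in selector_pairs(conns[b]):
                    if la == lb and ra == rb:
                        issue = (a, b, "identical")
                    elif (la.version == lb.version and ra.version == rb.version
                          and la.overlaps(lb) and ra.overlaps(rb)):
                        issue = (a, b, "overlap")
                    else:
                        continue
                    if issue not in issues:
                        issues.append(issue)
    return issues


if __name__ == "__main__":
    for label, text in (("as posted", GATEWAY_CONF),
                        ("distinct marks", DISTINCT_MARKS_CONF)):
        issues = find_mark_collisions(parse_conns(text))
        print(f"{label}: {issues or 'no colliding policies'}")
```

Run against the posted gateway configuration the checker reports alice and bob as "identical": both inherit leftsubnet/rightsubnet 0.0.0.0/0 from %default and both set mark=2, which is exactly the single policy entry whose template flips between peers in the two `ip xfrm policy` listings.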


