[strongSwan] VTI point to multipoint

Volodymyr Litovka doka.ua at gmx.com
Fri Sep 20 18:02:04 CEST 2019

Dear friends,

I spent a few days exploring this question, got no results and need your help.

I have the following task: many different clients (OSX, Windows, Cisco routers) which are mobile (i.e. have no fixed IP address) need to access a protected area. Basically, I'm trying to use the following swanctl configuration:

connections {
    ikev2-eap-mschapv2 {
        version = 2
        local_addrs = my.vpn.ip
        remote_addrs = %any
        proposals = [ all compatible with clients ]
        encap = yes
        fragmentation = yes
        mobike = yes
        dpd_delay = 300s
        send_certreq = yes
        send_cert = always
        rekey_time = 3h
        pools = radius
        local-1 {
            certs = fullchain.pem
            id = @my.vpn.fqdn
        }
        remote-1 {
            id = %any
            eap_id = %any
            auth = eap-radius
        }
        children {
            carlo {
                ah_proposals =
                esp_proposals = [ compatible ]
                # Protected area's network
                local_ts =
                remote_ts =
                # mark_in = 0x53
                # mark_out = 0x53
                rekey_time = 2h
                mode = tunnel
                dpd_action = clear
                ipcomp = no
            }
        }
    }
}

This config works for end-clients like OSX (without any limitations) and Windows (this OS doesn't understand TS, so routes need to be added manually), but all examples for Cisco, at the end of it all, require a Tunnel interface.

So, the first question: is it even possible to have a unified configuration for such different end-points, or do I need to use different 'connections' for different kinds of end-points?

Well, VTIs come to mind. According to https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Sharing-VTI-Devices it is possible to share one VTI between multiple connections, so I'm doing the following:

1) configure linux host with these commands:
1.1) ip tunnel add vti0 mode vti local remote okey 0x53 ikey 0x53
1.2) ip link set vti0 up
1.3) ip addr add vti0

where - pool of VIPs, managed by FreeRadius

1.4) disable rp_filter on all interfaces:
# cat /proc/sys/net/ipv4/conf/all/rp_filter
# cat /proc/sys/net/ipv4/conf/default/rp_filter
# cat /proc/sys/net/ipv4/conf/vti0/rp_filter

2) reconfigure strongswan:
2.1) disable install_routes in strongswan.d/charon.conf
2.2) populate mark_in/mark_out in children section of swanctl.conf’s connection with corresponding value (0x53)
2.3) add to local_ts

After these steps, I have the following IP addressing/routing on the VPN host (Ubuntu 18.04):

# ip a
[ … ]
4: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip brd
5: vti0@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip brd
    inet scope global vti0
       valid_lft forever preferred_lft forever
    inet6 fe80::5efe:a0b:d01/64 scope link
       valid_lft forever preferred_lft forever

# ip route
[ … ]
default via x.x.x.1 dev wan0 proto static
 dev vti0 proto kernel scope link src

but, when connecting from my OSX workstation, which has the following IP addressing/routing:

# ifconfig
[ … ]
ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
	inet --> netmask 0xffffff00
# netstat -rn
[ … ]
Destination        Gateway            Flags        Netif Expire
default          UGSc           en0
default            link#13            UCSI        ipsec0       UGHS        ipsec0       UH          ipsec0
172.16.17/24       UGSc        ipsec0

I get no pings from the end-point to, while I see incoming packets over the SA:

# swanctl --list-sas
ikev2-eap-mschapv2: #3, ESTABLISHED, IKEv2, 2cfab88ccbd3333c_i 0abe5fd97176a44c_r*
  local  'my.vpn.fqdn' @ my.vpn.ip[4500]
  remote 'vugluskr' @[4500] EAP: 'doka' []
  established 44s ago, rekeying in 9979s
  carlo: #3, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 44s ago, rekeying in 6539s, expires in 7876s
>>>    in  cc88e120 (0x00000053),   2940 bytes,    35 packets
    out 01310fe2 (0x00000053),      0 bytes,     0 packets

probably because there is no route from the VPN host to the connected endpoint:

# ping -I
PING ( from : 56(84) bytes of data.
From icmp_seq=1 Destination Host Unreachable
From icmp_seq=2 Destination Host Unreachable

So, the second question: what am I doing wrong? Have I chosen the right way to solve this task, or am I heading in the wrong direction?

Thank you.

P.S. I'm unable to connect a Cisco router at all anyway ;-) and, having tried many configurations, I will ask a question about this later.

Volodymyr Litovka
  "Vision without Execution is Hallucination." -- Thomas Edison
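As an added example (not part of the original mail or of strongSwan), a small Python parser for the `swanctl --list-sas` output quoted above that flags the symptom visible in it: a CHILD_SA whose inbound counter grows while the outbound counter stays at zero, and any mark that disagrees with the VTI ikey/okey. The peer address and virtual IP in the sample are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the `swanctl --list-sas` output in the mail;
# 198.51.100.7 (peer) and 10.11.13.1 (virtual IP) are placeholder values.
SAMPLE_LIST_SAS = """\
ikev2-eap-mschapv2: #3, ESTABLISHED, IKEv2, 2cfab88ccbd3333c_i 0abe5fd97176a44c_r*
  local  'my.vpn.fqdn' @ my.vpn.ip[4500]
  remote 'vugluskr' @ 198.51.100.7[4500] EAP: 'doka' [10.11.13.1]
  established 44s ago, rekeying in 9979s
  carlo: #3, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 44s ago, rekeying in 6539s, expires in 7876s
    in  cc88e120 (0x00000053),   2940 bytes,    35 packets
    out 01310fe2 (0x00000053),      0 bytes,     0 packets
"""

# CHILD_SA header: "  carlo: #3, reqid 2, INSTALLED, ..."
CHILD_RE = re.compile(r"^\s+(\S+): #(\d+), reqid (\d+), (\w+),")
# Per-direction counters: "    in  <spi> (<mark>),  <n> bytes,  <n> packets"
COUNTER_RE = re.compile(
    r"^\s+(in|out)\s+[0-9a-f]+ \((0x[0-9a-fA-F]+)\),\s+(\d+) bytes,\s+(\d+) packets")

def parse_child_sas(text: str) -> List[Dict]:
    """One record per CHILD_SA: name, reqid, state and per-direction mark/packets."""
    children: List[Dict] = []
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if m:
            children.append({"name": m.group(1), "reqid": int(m.group(3)),
                             "state": m.group(4), "in": None, "out": None})
            continue
        m = COUNTER_RE.match(line)
        if m and children:  # counters belong to the most recent CHILD_SA
            direction, mark, _bytes, packets = m.groups()
            children[-1][direction] = {"mark": int(mark, 16), "packets": int(packets)}
    return children

def diagnose(children: List[Dict], vti_key: int) -> List[str]:
    """Flag one-way traffic (packets decrypted, none sent back) and marks != VTI key."""
    findings = []
    for c in children:
        i, o = c["in"], c["out"]
        if i is None or o is None:
            continue
        if i["packets"] > 0 and o["packets"] == 0:
            findings.append(f"{c['name']}: {i['packets']} packets in, 0 out; "
                            "check the return route to the client's virtual IP via the VTI")
        for d, side in (("in", i), ("out", o)):
            if side["mark"] != vti_key:
                findings.append(f"{c['name']}: mark_{d} {side['mark']:#x} != VTI key {vti_key:#x}")
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_child_sas(SAMPLE_LIST_SAS), vti_key=0x53):
        print(finding)
```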
