[strongSwan] VTI point to multipoint
Volodymyr Litovka
doka.ua at gmx.com
Fri Sep 20 18:02:04 CEST 2019
Dear friends,
I spent a few days exploring the question, got no results and need your help.
I have the following task: many different clients (OSX, Windows, Cisco routers) which are mobile (i.e. no fixed IP address) need to access protected area. Basically, I’m trying to use the following configuration of swanctl:
connections {
    ikev2-eap-mschapv2 {
        version = 2
        local_addrs = my.vpn.ip
        remote_addrs = %any
        proposals = [ all compatible with clients ]
        encap = yes
        fragmentation = yes
        mobike = yes
        dpd_delay = 300s
        send_certreq = yes
        send_cert = always
        rekey_time = 3h
        pools = radius
        local-1 {
            certs = fullchain.pem
            id = @my.vpn.fqdn
        }
        remote-1 {
            id = %any
            eap_id = %any
            auth = eap-radius
        }
        children {
            carlo {
                ah_proposals =
                esp_proposals = [ compatible ]
                # Protected area's network
                local_ts = 172.16.17.0/24
                remote_ts = 0.0.0.0/0
                # mark_in = 0x53
                # mark_out = 0x53
                rekey_time = 2h
                mode = tunnel
                dpd_action = clear
                ipcomp = no
            }
        }
    }
}
This config works for end-clients like OSX (without any limitations) and Windows (this OS doesn't understand TS and routes need to be added manually), but all examples for Cisco, in the end, require a Tunnel interface.
So, the first question: is it at all possible to have a unified configuration for such different end-points, or do I need to use different 'connections' for different kinds of end-points?
Well, VTIs come to mind. According to https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Sharing-VTI-Devices it is possible to share one vti for multiple connections and I’m doing the following:
1) configure the Linux host with these commands:
1.1) ip tunnel add vti0 mode vti local 10.11.13.1 remote 0.0.0.0 okey 0x53 ikey 0x53
1.2) ip link set vti0 up
1.3) ip addr add 10.11.13.1/24 vti0
where 10.11.13.0/24 is the pool of VIPs, managed by FreeRadius
1.4) disable rp_filter on all interfaces:
# cat /proc/sys/net/ipv4/conf/all/rp_filter
0
# cat /proc/sys/net/ipv4/conf/default/rp_filter
0
# cat /proc/sys/net/ipv4/conf/vti0/rp_filter
0
2) reconfigure strongswan:
2.1) disable install_routes in strongswan.d/charon.conf
2.2) populate mark_in/mark_out in children section of swanctl.conf’s connection with corresponding value (0x53)
2.3) add 10.11.13.1 to local_ts
After these procedures, I have the following ip addressing/routing on VPN host (Ubuntu 18.04):
# ip a
[ … ]
4: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
5: vti0@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 10.11.13.1 brd 0.0.0.0
    inet 10.11.13.1/24 scope global vti0
       valid_lft forever preferred_lft forever
    inet6 fe80::5efe:a0b:d01/64 scope link
       valid_lft forever preferred_lft forever
# ip route
[ … ]
default via x.x.x.1 dev wan0 proto static
10.11.13.0/24 dev vti0 proto kernel scope link src 10.11.13.1
but when connecting from my OSX workstation, which has the following ip addressing/routing:
# ifconfig
[ … ]
ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
        options=6403<RXCSUM,TXCSUM,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
        inet 10.11.13.185 --> 10.11.13.185 netmask 0xffffff00
# netstat -rn
[ … ]
Destination        Gateway            Flags        Netif Expire
default            192.168.1.1        UGSc         en0
default            link#13            UCSI         ipsec0
10.11.13.1         10.11.13.185       UGHS         ipsec0
10.11.13.185       10.11.13.185       UH           ipsec0
172.16.17/24       10.11.13.185       UGSc         ipsec0
I get no pings from the endpoint to 10.11.13.1, while I see incoming packets over the SA:
# swanctl --list-sas
ikev2-eap-mschapv2: #3, ESTABLISHED, IKEv2, 2cfab88ccbd3333c_i 0abe5fd97176a44c_r*
  local 'my.vpn.fqdn' @ my.vpn.ip[4500]
  remote 'vugluskr' @ 31.40.110.89[4500] EAP: 'doka' [10.11.13.185]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 44s ago, rekeying in 9979s
  carlo: #3, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 44s ago, rekeying in 6539s, expires in 7876s
>>> in  cc88e120 (0x00000053),   2940 bytes,    35 packets
    out 01310fe2 (0x00000053),      0 bytes,     0 packets
    local  10.11.13.1/32 172.16.17.0/24
    remote 0.0.0.0/0
probably, because there is no routing from VPN host to connected endpoint:
# ping 10.11.13.185 -I 10.11.13.1
PING 10.11.13.185 (10.11.13.185) from 10.11.13.1 : 56(84) bytes of data.
From 10.11.13.1 icmp_seq=1 Destination Host Unreachable
From 10.11.13.1 icmp_seq=2 Destination Host Unreachable
So, the second question: what am I doing wrong? Am I on the right track to a solution for this task, or am I heading in the wrong direction?
Thank you.
P.S. I'm unable to connect a Cisco router anyway ;-) and, having tried many configurations, I will ask a question about this later.
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
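A small diagnostic, added here as an example and not part of the original post or of strongSwan, that parses `swanctl --list-sas` output of the shape quoted above and reports a CHILD_SA whose in/out marks do not match the ikey/okey the shared VTI was created with, or one that receives packets but sends none back (the symptom shown in the post). It assumes the output format quoted in the post; the sample input is constructed from it.

```python
import re

# Constructed sample, modelled on the `swanctl --list-sas` output quoted in the post.
SAMPLE = """\
ikev2-eap-mschapv2: #3, ESTABLISHED, IKEv2, 2cfab88ccbd3333c_i 0abe5fd97176a44c_r*
  local 'my.vpn.fqdn' @ my.vpn.ip[4500]
  remote 'vugluskr' @ 31.40.110.89[4500] EAP: 'doka' [10.11.13.185]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 44s ago, rekeying in 9979s
  carlo: #3, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 44s ago, rekeying in 6539s, expires in 7876s
    in  cc88e120 (0x00000053),   2940 bytes,    35 packets
    out 01310fe2 (0x00000053),      0 bytes,     0 packets
    local  10.11.13.1/32 172.16.17.0/24
    remote 0.0.0.0/0
"""

# Peer's virtual IP on the IKE_SA "remote" line, a CHILD_SA header, and its in/out counter lines.
VIP_RE = re.compile(r"^\s*remote '.*' @ .*\[(?P<vip>\d+\.\d+\.\d+\.\d+)\]\s*$")
CHILD_RE = re.compile(r"^\s*(?P<name>\S+): #\d+, reqid (?P<reqid>\d+), (?P<state>\w+),")
DIR_RE = re.compile(r"^\s*(?P<dir>in|out)\s+(?P<spi>[0-9a-f]+)(?: \((?P<mark>0x[0-9a-f]+)\))?,"
                    r"\s+(?P<bytes>\d+) bytes,\s+(?P<pkts>\d+) packets")

def parse_child_sas(text):
    """One dict per CHILD_SA: name, reqid, state, peer VIP and the in/out counters with marks."""
    sas, vip, cur = [], None, None
    for line in text.splitlines():
        if m := VIP_RE.match(line):
            vip = m["vip"]                      # VIP assigned to the peer, from the IKE_SA block
        elif m := CHILD_RE.match(line):
            cur = {"name": m["name"], "reqid": int(m["reqid"]), "state": m["state"],
                   "vip": vip, "in": None, "out": None}
            sas.append(cur)
        elif (m := DIR_RE.match(line)) and cur is not None:
            cur[m["dir"]] = {"spi": m["spi"], "bytes": int(m["bytes"]), "packets": int(m["pkts"]),
                             "mark": int(m["mark"], 16) if m["mark"] else None}
    return sas

def check_vti_sa(sa, ikey, okey):
    """Findings for one CHILD_SA against the ikey/okey the shared VTI was created with."""
    if sa["in"] is None or sa["out"] is None:
        return [f"{sa['name']}: in/out counter lines not found"]
    findings = []
    for d, key, label in (("in", ikey, "ikey"), ("out", okey, "okey")):
        mark = sa[d]["mark"]                    # SA mark must equal the VTI key for that direction
        if mark != key:
            findings.append(f"{sa['name']}: mark_{d} {mark if mark is None else hex(mark)} != VTI {label} {hex(key)}")
    if sa["in"]["packets"] > 0 and sa["out"]["packets"] == 0:
        findings.append(f"{sa['name']}: {sa['in']['packets']} packets received, none sent; "
                        f"check the route to {sa['vip']} via the VTI")
    return findings
```

Run `check_vti_sa(sa, 0x53, 0x53)` over `parse_child_sas(open_output)` for real output; with the sample above it reports only the one-way traffic finding.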