[strongSwan] VTI point to multipoint

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Sep 23 18:50:07 CEST 2019


Hello,

You're doing it wrong(tm).
See here:
>>                 remote_ts = 0.0.0.0/0

Don't do that. Leave it as the default (dynamic).
That probably solves it.

Kind regards

Noel

On 20.09.19 at 18:02, Volodymyr Litovka wrote:
> Dear friends,
> 
> I have spent a few days exploring the question, got no results and need your help.
> 
> I have the following task: many different clients (OSX, Windows, Cisco routers) which are mobile (i.e. have no fixed IP address) need to access a protected area. Basically, I'm trying to use the following swanctl configuration:
> 
> connections {
>     ikev2-eap-mschapv2 {
>         version = 2
>         local_addrs = my.vpn.ip
>         remote_addrs = %any
>         proposals = [ all compatible with clients ]
>         encap = yes
>         fragmentation = yes
>         mobike = yes
>         dpd_delay = 300s
>         send_certreq = yes
>         send_cert = always
>         rekey_time = 3h
>         pools = radius
>         local-1 {
>             certs = fullchain.pem
>             id = @my.vpn.fqdn
>          }
>         remote-1 {
>             id = %any
>             eap_id = %any
>             auth = eap-radius
>          }
>         children {
>             carlo {
>                 ah_proposals =
>                 esp_proposals = [ compatible ]
>                 # Protected area's network
>                 local_ts = 172.16.17.0/24
>                 remote_ts = 0.0.0.0/0
>                 # mark_in = 0x53
>                 # mark_out = 0x53
>                 rekey_time = 2h
>                 mode = tunnel
>                 dpd_action = clear
>                 ipcomp = no
>              }
>          }
>      }
>  }
> 
> This config works for end-clients like OSX (without any limitations) and Windows (this OS doesn't understand TS, and routes need to be added manually), but all examples for Cisco, in the end, require a Tunnel interface.
> 
> So, the first question: is it possible at all to have a unified configuration for such different end-points, or do I need to use different 'connections' for different kinds of end-points?
> 
> Well, VTIs come to mind. According to https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Sharing-VTI-Devices it is possible to share one vti for multiple connections and I’m doing the following:
> 
> 1) configure linux host with these commands:
> 1.1) ip tunnel add vti0 mode vti local 10.11.13.1 remote 0.0.0.0 okey 0x53 ikey 0x53
> 1.2) ip link set vti0 up
> 1.3) ip addr add 10.11.13.1/24 dev vti0
> 
> where 10.11.13.0/24 - pool of VIPs, managed by FreeRadius
> 
> 1.4) disable rp_filter on all interfaces:
> # cat /proc/sys/net/ipv4/conf/all/rp_filter
> 0
> # cat /proc/sys/net/ipv4/conf/default/rp_filter
> 0
> # cat /proc/sys/net/ipv4/conf/vti0/rp_filter
> 0
> 
> 2) reconfigure strongswan:
> 2.1) disable install_routes in strongswan.d/charon.conf
> 2.2) populate mark_in/mark_out in children section of swanctl.conf’s connection with corresponding value (0x53)
> 2.3) add 10.11.13.1 to local_ts
> 
> After these procedures, I have the following ip addressing/routing on VPN host (Ubuntu 18.04):
> 
> # ip a
> [ … ]
> 4: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
>     link/ipip 0.0.0.0 brd 0.0.0.0
> 5: vti0@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/ipip 10.11.13.1 brd 0.0.0.0
>     inet 10.11.13.1/24 scope global vti0
>        valid_lft forever preferred_lft forever
>     inet6 fe80::5efe:a0b:d01/64 scope link
>        valid_lft forever preferred_lft forever
> 
> # ip route
> [ … ]
> default via x.x.x.1 dev wan0 proto static
> 10.11.13.0/24 dev vti0 proto kernel scope link src 10.11.13.1
> 
> but, when connecting from my OSX workstation, having the following ip addressing/routing:
> 
> # ifconfig
> [ … ]
> ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
> 	options=6403<RXCSUM,TXCSUM,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
> 	inet 10.11.13.185 --> 10.11.13.185 netmask 0xffffff00
> # netstat -rn
> [ … ]
> Destination        Gateway            Flags        Netif Expire
> default            192.168.1.1        UGSc           en0
> default            link#13            UCSI        ipsec0
> 10.11.13.1         10.11.13.185       UGHS        ipsec0
> 10.11.13.185       10.11.13.185       UH          ipsec0
> 172.16.17/24       10.11.13.185       UGSc        ipsec0
> 
> I get no pings from the end-point to 10.11.13.1, while I see incoming packets over the SA:
> 
> # swanctl --list-sas
> ikev2-eap-mschapv2: #3, ESTABLISHED, IKEv2, 2cfab88ccbd3333c_i 0abe5fd97176a44c_r*
>   local  'my.vpn.fqdn' @ my.vpn.ip[4500]
>   remote 'vugluskr' @ 31.40.110.89[4500] EAP: 'doka' [10.11.13.185]
>   AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>   established 44s ago, rekeying in 9979s
>   carlo: #3, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
>     installed 44s ago, rekeying in 6539s, expires in 7876s
>>>>    in  cc88e120 (0x00000053),   2940 bytes,    35 packets
>     out 01310fe2 (0x00000053),      0 bytes,     0 packets
>     local  10.11.13.1/32 172.16.17.0/24
>     remote 0.0.0.0/0
> 
> probably because there is no route from the VPN host to the connected endpoint:
> 
> # ping 10.11.13.185 -I 10.11.13.1
> PING 10.11.13.185 (10.11.13.185) from 10.11.13.1 : 56(84) bytes of data.
> From 10.11.13.1 icmp_seq=1 Destination Host Unreachable
> From 10.11.13.1 icmp_seq=2 Destination Host Unreachable
> 
> So, the second question: what am I doing wrong? Have I chosen the right way to solve the task, or am I driving in the wrong direction?
> 
> Thank you.
> 
> P.S. I'm unable to connect a Cisco router anyway ;-) and, having tried many configurations, I will ask a question about this later.
> 
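For reference, an added example of the child section with Noel's advice applied; this is not configuration from either poster or from the strongSwan project. `remote_ts` is simply left out so it takes its documented default, `dynamic`, which strongSwan replaces with the virtual IP it assigned to the client from the pool, so the installed policy covers that one client instead of 0.0.0.0/0. The marks match the `ikey`/`okey` 0x53 of the shared VTI from step 1.1 and `install_routes = no` from step 2.1 is assumed to be set in charon.conf. Proposal values are placeholders, as in the original post.

```conf
connections {
    ikev2-eap-mschapv2 {
        version = 2
        local_addrs = my.vpn.ip
        remote_addrs = %any
        proposals = [ all compatible with clients ]   # placeholder, as in the post
        encap = yes
        fragmentation = yes
        mobike = yes
        dpd_delay = 300s
        send_certreq = yes
        send_cert = always
        rekey_time = 3h
        pools = radius
        local-1 {
            certs = fullchain.pem
            id = @my.vpn.fqdn
        }
        remote-1 {
            id = %any
            eap_id = %any
            auth = eap-radius
        }
        children {
            carlo {
                esp_proposals = [ compatible ]        # placeholder, as in the post
                # VTI address (so the client can reach the tunnel endpoint) plus the
                # protected network.
                local_ts = 10.11.13.1/32, 172.16.17.0/24
                # No remote_ts here: the default is "dynamic", which becomes the
                # virtual IP handed out from the "radius" pool for this client.
                # The setting Noel points at, left out on purpose:
                # remote_ts = 0.0.0.0/0
                # Same mark on every connection that shares vti0 (ikey/okey 0x53).
                mark_in = 0x53
                mark_out = 0x53
                rekey_time = 2h
                mode = tunnel
                dpd_action = clear
                ipcomp = no
            }
        }
    }
}
# Assumed in strongswan.d/charon.conf, matching step 2.1 of the post:
# charon { install_routes = no }
```

With `remote_ts` at its default, `swanctl --list-sas` should show the client's virtual IP (here something like 10.11.13.185/32) as the remote traffic selector rather than 0.0.0.0/0.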
