[strongSwan] strongswan route base VPN to Cisco dynamic VTI: only vips address enters in the tunnel

Sat Feb 15 17:22:08 CET 2020

Hello Noel,

Thanks for your quick answer.
FlexVPN uses either bare IPSec or gre tunnels.

The cool thing is the auto-configuration functionnalties : dynamic 
addressing and routing is managed by the server and passed to the client 
through IKEv2 messages. Clients may have  the same configuration (DHCP 
for the underlay and vips for overlay).

It look likes a road-warrior architecture, but with point to point 
interfaces on the server side, which are easier to manage (AAA and 
Radius integration, QoS, filtering, ...)

Until now i have only used bare ipsec encapsulation, but i will follow 
your advice and try to use gre interfaces on top of the vip.

Philippe

Le 14/02/2020 à 16:06, Noel Kuntze a écrit :
> Hello Philippe,
>
> I'm not using any Cisco gear or FlexVPN, but is it supposed to use bare IPsec or not a GRE tunnel wrapped in an IPsec tunnel?
> If the latter is the case, just build a gre tunnel with the local endpoint being the VIP, that should then work.
> Otherwise (if it's supposed to be a bare IPsec tunnel) I propose asking the remote peer for logs and instructions on how exactly it is supposed to work.
>
> Kind regards
>
> Noel
>
> Am 14.02.20 um 14:50 schrieb Philippe JOUNIN:
>> Hello,
>>
>> I am trying to connect a Linux/Strongswan box to a Cisco router using
>>      - dynamic VTI with IKEv2 on the Cisco (aka flexVPN)
>>      - routed based VPN on the Linux on a tunnel interface named ipsec0 which receives a dynamic virtual address
>>
>> The ipsec tunnel is correctly established and the vips address is correctly assigned by the Cisco, transferred by IKEv2 and assigned to the ipsec0 interface.
>> However only the traffic sourced by the ipsec0 address is routed through the tunnel. All other traffic is filtered out with a "NoRoute" error before entering in the tunnel.
>>
>> As explained in the wiki page https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN, i have :
>> - enabled ip forwarding
>> - disabled the policy rules with sysctl -w net.ipv4.conf.ipsec0.disable_policy=1
>> - disabled the charon route processing.
>>
>> If i use NAT to translate all outgoing traffic to the VIP address, everything is OK, but direct routing does not enter the tunnel.
>>
>> I guess the trouble is that the local selector is the /32 vips address instead of 0.0.0.0/0.
>> I have tried to set local_ts to 0/0, but it is overriden by vips instruction.
>>
>> Can you help me to understand what i have done wrong ?
>> Thanks !
>>
>>
>> ----
>> configurations :
>> - Cisco configuration:             https://pastebin.com/z8rjJ1hq
>> - Strongswan configuration (charon.conf and swanctl.conf): https://pastebin.com/WwjYb1uP
>> - tunnel creation and establishment:    https://pastebin.com/GCgzzuXQ
>>
>> troubleshooting:
>> - logs and debug info : https://pastebin.com/j1nFUDa8
>>
>>
>>
>>