[strongSwan] xfrm & dynamic routing

Volodymyr Litovka doka.ua at gmx.com
Fri Sep 18 01:19:32 CEST 2020


Hi,

Not too elegant, but a working solution is to create different configs per
connection (with dedicated if_id_in/out) and dynamically create the xfrm
interface (using updown and PLUTO_IF_ID*). In this way it's possible to
set remote_ts = 0.0.0.0/0 and be happy with routing protocols. But there
is another issue (please see my next message to the list), and if
anybody can suggest a more elegant way to the topic, I will appreciate it.

Thank you.

On 17.09.2020 18:50, Volodymyr Litovka wrote:
>
> Hi colleagues,
>
> I'm using XFRM on the SSwan side in shared mode for multiple clients
> (using the same if_id):
>
> 3: xfrm0 at lo: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
>      link/none
>      inet 192.168.167.1/24 brd 192.168.167.255 scope global xfrm0
>         valid_lft forever preferred_lft forever
>
> like this:
>
>              xfrm (if_id=9, x.x.x.1/24)
>    ------------------------------------------
>          |              |                |
>       client1        client2     ...   clientN
>     (x.x.x.2/24)   (x.x.x.3/24)  ... (x.x.x.N/24)
>
> having, e.g. the following SA:
>
> ikev2-eap: #41, ESTABLISHED, IKEv2, 36739cd0b0eab71f_i 57d9f123408cdea5_r*
>    local  'local_id' @ local_ip[4500]
>    remote 'remote_id' @ remote_ip[4500] EAP: 'remote_eap_id' [192.168.167.2]
>    AES_GCM_16-256/PRF_HMAC_SHA2_256/MODP_2048
>    established 1547s ago, rekeying in 8357s
>    eap-child: #37, reqid 31, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
>      [ ... ]
>      local 0.0.0.0/0
>      remote 192.168.167.2/32
>
> according to the configuration:
>
> connections {
>    ikev2-eap {
>      pools = radius
>      remote {
>        auth = eap-radius
>        id = %any
>        eap_id = %any
>      }
>      children {
>        eap-child {
>          local_ts = 0.0.0.0/0
>          remote_ts = dynamic
>          mode = tunnel
>        }
>      }
>    }
> }
>
> The wiki's RouteBasedVPN page says the following: "After creating the device it
> has to be enabled and then routes may be installed (routing protocols
> may also be used)", so I tried to implement dynamic routing to route
> between remote LANs, receiving additional subnets over BGP between
> peers (e.g. x.x.x.1 <-> x.x.x.2):
>
> server# ip route
> [ ... ]
> 5.6.7.0/24  nhid 20 via 192.168.167.2 dev xfrm0 proto bgp metric 20
>
> but, actually, I can not access remote BGP-learned LAN:
>
> server# ping 5.6.7.1 -I 192.168.167.1
> PING 5.6.7.1 (5.6.7.1) from 192.168.167.1 : 56(84) bytes of data.
> From 192.168.167.1 icmp_seq=1 Destination Host Unreachable
> From 192.168.167.1 icmp_seq=2 Destination Host Unreachable
> ^C
>
> On the other hand, the wiki says (for VTI mode, though, while I'm
> using XFRM) that such an issue happens because these networks
> aren't mentioned in the traffic selectors, thus there is no matching policy
> and traffic is rejected: "only traffic that matches these traffic
> selectors will then actually be forwarded, other packets routed to the
> VTI device will be rejected with an ICMP error message (destination
> unreachable/destination host unreachable)."
>
> So, the question: what am I doing wrong? Are there ways to use dynamic
> routing with a shared XFRM device?
>
> Note: remote peers can be behind the same NAT, thus having the same external
> IP address.
>
> Thank you.
>
> --
> Volodymyr Litovka
>    "Vision without Execution is Hallucination." -- Thomas Edison

--
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison

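Added example (not from the post above and not strongSwan's own code): a hypothetical updown script that implements the approach described in the reply, one XFRM interface per connection, created from the if_id that strongSwan hands to the script. PLUTO_VERB, PLUTO_IF_ID_IN and PLUTO_IF_ID_OUT are the environment variables the updown plugin actually exports, and if_id_in, if_id_out and children.<child>.updown are real swanctl.conf keys; the interface naming scheme (xfrm<if_id>), the parent device lo, the XFRM_LOCAL_ADDR and DRY_RUN switches and the example values in the header comment are assumptions of this example. The script only manages the interface; the policy side of the fix (remote_ts = 0.0.0.0/0, so that traffic for BGP-learned prefixes has a matching policy at all) is the configuration assumed in the comment.

```sh
#!/bin/sh
# Hypothetical updown script (added example; not from the list post or strongSwan):
# one XFRM interface per connection, derived from the if_id strongSwan passes in.
#
# Assumed per-connection swanctl.conf (values are examples):
#   connections.<conn>.if_id_in  = 9
#   connections.<conn>.if_id_out = 9
#   connections.<conn>.children.<child>.remote_ts = 0.0.0.0/0
#   connections.<conn>.children.<child>.updown    = /usr/local/libexec/xfrm-updown.sh
#
# The updown plugin exports PLUTO_VERB (up-client, down-client, ...),
# PLUTO_IF_ID_IN and PLUTO_IF_ID_OUT to this script.

XFRM_PARENT="${XFRM_PARENT:-lo}"   # device the xfrm link is attached to (assumption)

# Print the command instead of running it when DRY_RUN is set (used for testing).
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Interface name derived from the if_id, so every connection gets its own device.
xfrm_ifname() { printf 'xfrm%s\n' "$1"; }

# Accept only positive decimal if_ids; 0 means "no XFRM interface configured".
valid_if_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        0)           return 1 ;;
        *)           return 0 ;;
    esac
}

link_exists() { ip link show "$1" >/dev/null 2>&1; }

# Create (if needed) and bring up the interface for an if_id; optionally give it
# the address routing daemons should peer from (XFRM_LOCAL_ADDR is an assumption).
xfrm_up() {
    ifname=$(xfrm_ifname "$1")
    if ! link_exists "$ifname"; then
        run ip link add "$ifname" type xfrm dev "$XFRM_PARENT" if_id "$1"
    fi
    run ip link set "$ifname" up
    if [ -n "${XFRM_LOCAL_ADDR:-}" ]; then
        run ip addr replace "$XFRM_LOCAL_ADDR" dev "$ifname"
    fi
}

# Remove the interface; routes learned over it (e.g. via BGP) disappear with it.
xfrm_down() {
    run ip link del "$(xfrm_ifname "$1")"
}

main() {
    in_id="${PLUTO_IF_ID_IN:-0}"
    out_id="${PLUTO_IF_ID_OUT:-0}"
    # No if_id on this connection: leave the shared/plain setup alone.
    valid_if_id "$in_id" || return 0
    # A single xfrm interface carries one if_id, so in and out must agree.
    if [ "$in_id" != "$out_id" ]; then
        echo "$0: PLUTO_IF_ID_IN=$in_id differs from PLUTO_IF_ID_OUT=$out_id" >&2
        return 1
    fi
    case "${PLUTO_VERB:-}" in
        up-client|up-host|up-client-v6|up-host-v6)         xfrm_up "$in_id" ;;
        down-client|down-host|down-client-v6|down-host-v6) xfrm_down "$in_id" ;;
        *) ;;   # other verbs need nothing here
    esac
}

# Only dispatch when invoked by strongSwan (PLUTO_VERB set); sourcing the file
# for tests defines the functions without touching the system.
if [ -n "${PLUTO_VERB:-}" ]; then
    main "$@"
fi
```

To see what the script would do without root, set DRY_RUN=1 and the PLUTO_* variables by hand (e.g. PLUTO_VERB=up-client PLUTO_IF_ID_IN=9 PLUTO_IF_ID_OUT=9) and run it; it prints the ip commands instead of executing them.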