[strongSwan] IPSec route based VPN - VTI interface TX Errors NoRoute

Mon Sep 13 12:41:30 CEST 2021

Hi Noel/Tobias/Everyone,

First of all, Thanks for your help !!!

Unfortunately, after more than a month submerged into my lab and countless forums and google articles researching about iptables, linux routing tables, strongswan ... I will give up and I decided to build a pfSense box and use the OpenWRT routers as layer2 switches.

I have analyzed the iptables captures and they do not reveal much.

The capture on the VTI interface shows the PING packet request and reply.

And on the iptables chains the PING reply is seen on

raw OUTPUT
mangle OUTPUT
filter OUTPUT
mangle POSTROUTING

and the PING reply with no response is seen on

raw PREROUTING
mangle PREROUTING
mangle INPUT
filter INPUT

The image below has a diagram flow for the iptables chains.
https://blog.infoitech.co.uk/content/images/2021/08/image-25.png

 I am starting to believe that my problem could be a bug in the ipsec/strongswan implementation.

If someone else reading this thread find a solution, please update this thread cause it would be helpful to more people out there.

Best Regards,

Tiago Stoco.
________________________________
From: Users <users-bounces at lists.strongswan.org> on behalf of Tiago Stoco <tmsblink at msn.com>
Sent: Saturday, September 11, 2021 10:13 AM
To: Noel Kuntze <noel.kuntze at thermi.consulting>; Tobias Brunner <tobias at strongswan.org>; users at lists.strongswan.org <users at lists.strongswan.org>
Subject: Re: [strongSwan] IPSec route based VPN - VTI interface TX Errors NoRoute

Hi Noel,

Quick update to the thread.

I know that pfSense is not related with this mailing list, but as a proof of concept for the issues described here the pfSense LAB site-to-site was set up and it worked flawlessly 👉 https://blog.infoitech.co.uk/pfsense-ipsec-vpn-routed-vti-site-to-site/

I have switched one of the pfSense boxes used in the example above to stablish the tunnel with my Linux box and still the same issues as before.

I am writing a script to capture packets throughout all my iptables chains and I will then analyze the captures to see if I can spot something.

Best Regards,

Tiago.

________________________________
From: Users <users-bounces at lists.strongswan.org> on behalf of Tiago Stoco <tmsblink at msn.com>
Sent: Friday, September 10, 2021 7:31 AM
To: Noel Kuntze <noel.kuntze at thermi.consulting>; Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>; Tobias Brunner <tobias at strongswan.org>; users at lists.strongswan.org <users at lists.strongswan.org>
Subject: Re: [strongSwan] IPSec route based VPN - VTI interface TX Errors NoRoute

Hi Noel,

I did not give up on this yet. The last couple of days were quite busy at work and home.

However, I have managed to draw a diagram on how I believe the site-to-site VPN would work 👇

https://blog.infoitech.co.uk/content/images/2021/09/ipsec_diagram2.png

It is quite obvious how the traffic should flow through the VPN tunnel to allow the subnets to talk to each other.

I have managed to spin up a new VM running pfSence to test a pfSense to Pfsense setup and then I will spin another VM to replicate the example you have shared.

Finally, I will be able to verify if my idea will work and be able to identify where is the anomaly in my current setup.

Wish me luck,

Best Regards.

Tiago

________________________________
From: Noel Kuntze
Sent: Friday, September 3, 2021 6:22 PM
To: Tiago Stoco; Noel Kuntze; Tobias Brunner; users at lists.strongswan.org
Subject: Re: [strongSwan] IPSec route based VPN - VTI interface TX Errors NoRoute

Hello Tiago,

It's more meant as a practical example on how to configure this and to look for anomalies in your setup.

Kind regards
Noel

Am 03.09.21 um 22:54 schrieb Tiago Stoco:
> Hi Noel,
>
> I will replicate the example below in my lab in the hopes to better understand the concepts behind an IPSec VPN tunnel.
>
> Tiago Stoco.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20210913/a405bc21/attachment.html>