[strongSwan] Configuration help request

Alexey Smirnov ramyalexis at gmail.com
Thu Apr 7 22:09:59 CEST 2022


Ok. Figured this out.
I was not understanding the VTI interface correctly. It should be the address of the
tunnel endpoints, not the address inside the tunnel.


Thu, 7 Apr 2022 at 22:37, Alexey Smirnov <ramyalexis at gmail.com>:

> Got another question Tobias if you do not mind.
> Got the same error as was in the thread: IPSec route based VPN - VTI
> interface TX Errors NoRoute
> So basically the tunnel is up. I use mark_in=mark_out=10 in the VTI interface
> (Linux kernel is 3.10, so no modern interface)
> The traffic looks like this:
> From tunnel remote - they are coming:
>  net-net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-192/HMAC_SHA1_96
>     installed 1608s ago, rekeying in 78953s, expires in 93432s
>     in  ca18b546 (0x0000000a),    672 bytes,     8 packets
>     out 482a8752 (0x0000000a),      0 bytes,     0 packets
> Not sure where they go next.
> From local they are NoRoute - outgoing and no incoming
> ip -s tunnel show
> vti0: ip/ip remote 10.255.255.25 local 10.255.255.26 ttl inherit key 10
> RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
>     0          0            0      0        0        0
> TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
>     0          0            33     0        33       0
> Route is simple - just the route for VTI interfaces itself
> ip r
> 10.255.255.24/30 dev vti0 scope link
> If I ping, the counter just increases and I get Destination unreachable, as
> in the guide I tried to follow:
> https://docs.strongswan.org/strongswan-docs/5.9/features/routeBasedVpn.html
> I also consulted the examples again here
> https://www.strongswan.org/testing/testresults/route-based/net2net-vti/
> and did not find any config statement I am missing in my configuration.
>
> What direction should i dig for?
> Thank you!
>
>
> Thu, 7 Apr 2022 at 16:17, Tobias Brunner <tobias at strongswan.org>:
>
>> Hi Alexey,
>>
>> > 07[CFG] looking for peer configs matching
>> > x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
>> > 07[CFG] no matching peer config found
>> > 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> > 07[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (80 bytes)
>> >
>> > And the question is: why no matching peer found as peers and key is in
>> > place?
>>
>> The peer proposes the IP addresses as identities (it's what you see in
>> [] in the "looking for peer configs matching ..." log message), which
>> clearly don't match "key" (whatever that is exactly).  So just remove
>> those `id = key` lines (the default identities are the IP addresses) and
>> associate the secret with y.y.y.y (i.e. set `id-1 = y.y.y.y` there).
>>
>> Regards,
>> Tobias
>>
>
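As an added example (not part of this thread, and not strongSwan's own tooling), the shell functions below check a VTI against the point made in the top message: the VTI's `local`/`remote` must be the IKE endpoint addresses, with the inner /30 assigned to the interface and routed through it. The IKE endpoints 192.0.2.1 and 198.51.100.1 are constructed placeholders standing in for x.x.x.x/y.y.y.y; the `ip -s tunnel show` sample is the output quoted above with the quote prefixes removed. The setup commands follow the strongSwan route-based VPN documentation linked above and are printed rather than executed, so the script runs without root.

```shell
#!/bin/sh
# Added example: sanity checks for a strongSwan VTI keyed with mark 10.
# Assumed (constructed) IKE endpoints: 192.0.2.1 local, 198.51.100.1 remote.

# Constructed sample of `ip -s tunnel show`, taken from the thread's output.
# Note that the vti local/remote are the *inner* 10.255.255.24/30 addresses.
SAMPLE_VTI='vti0: ip/ip remote 10.255.255.25 local 10.255.255.26 ttl inherit key 10
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    0          0            33     0        33       0'

# TX NoRoute counter: fifth column of the line that follows the "TX:" header.
vti_noroute_count() {
    printf '%s\n' "$1" | awk '/^TX:/ { getline; print $5; exit }'
}

# Outer endpoints the VTI is keyed to, read from the "local X" / "remote Y" pair.
vti_local() {
    printf '%s\n' "$1" | awk '/^vti[0-9]+:/ { for (i = 1; i <= NF; i++) if ($i == "local") { print $(i+1); exit } }'
}
vti_remote() {
    printf '%s\n' "$1" | awk '/^vti[0-9]+:/ { for (i = 1; i <= NF; i++) if ($i == "remote") { print $(i+1); exit } }'
}

# Returns 0 when the VTI's local/remote equal the IKE endpoints ($2 local, $3 remote).
# Only then does traffic leaving the VTI hit the ESP policy carrying the same mark;
# otherwise the kernel counts it as TX NoRoute, as in the thread.
vti_endpoints_ok() {
    [ "$(vti_local "$1")" = "$2" ] && [ "$(vti_remote "$1")" = "$3" ]
}

# Print (do not run) the commands for a correctly keyed VTI, per the strongSwan docs:
# $1 = local IKE address, $2 = remote IKE address, $3 = mark/key, $4 = inner address/prefix.
vti_setup_cmds() {
    cat <<EOF
ip tunnel add vti0 local $1 remote $2 mode vti key $3
sysctl -w net.ipv4.conf.vti0.disable_policy=1
ip addr add $4 dev vti0
ip link set vti0 up
EOF
}

echo "TX NoRoute errors: $(vti_noroute_count "$SAMPLE_VTI")"
if vti_endpoints_ok "$SAMPLE_VTI" 192.0.2.1 198.51.100.1; then
    echo "vti0 endpoints match the IKE endpoints"
else
    echo "vti0 is keyed to $(vti_local "$SAMPLE_VTI")/$(vti_remote "$SAMPLE_VTI"); these should be the IKE endpoints, not the inner addresses. Recreate it with:"
    vti_setup_cmds 192.0.2.1 198.51.100.1 10 10.255.255.26/30
fi
```

The `key` given to `ip tunnel add` must equal the `mark_in`/`mark_out` value in the strongSwan connection (10 in the thread); with the VTI keyed to the outer addresses, the route `10.255.255.24/30 dev vti0` from the thread is all that is needed for the inner subnet, and any further remote networks are routed via `vti0` the same way.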