[strongSwan] Configuration help request
ramyalexis at gmail.com
Thu Apr 7 22:09:59 CEST 2022
OK. Figured this out.
I did not understand the VTI interface correctly. It should be the address of
the tunnel endpoints, not an address inside the tunnel.
Thu, 7 Apr 2022 at 22:37, Alexey Smirnov <ramyalexis at gmail.com>:
> Got another question, Tobias, if you do not mind.
> Got the same error as was in the thread: IPSec route based VPN - VTI
> interface TX Errors NoRoute
> So basically the tunnel is up. I use mark_in=mark_out=10 in the VTI interface
> (the Linux kernel is 3.10, so no modern interface).
> The traffic looks like this:
> From the tunnel remote they are coming:
> net-net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-192/HMAC_SHA1_96
> installed 1608s ago, rekeying in 78953s, expires in 93432s
> in ca18b546 (0x0000000a), 672 bytes, 8 packets
> out 482a8752 (0x0000000a), 0 bytes, 0 packets
> Not sure where they go next.
> From local they are NoRoute - outgoing and no incoming
> ip -s tunnel show
> vti0: ip/ip remote 10.255.255.25 local 10.255.255.26 ttl inherit key 10
> RX: Packets Bytes Errors CsumErrs OutOfSeq Mcasts
> 0 0 0 0 0 0
> TX: Packets Bytes Errors DeadLoop NoRoute NoBufs
> 0 0 33 0 33 0
> The route is simple - just the route for the VTI interface itself:
> ip r
> 10.255.255.24/30 dev vti0 scope link
> If I ping, the counter just increases and I get Destination unreachable, as
> in the guide I tried to follow:
> I also consulted the examples again here
> and did not find any config statement I am missing in my configuration.
> What direction should I dig in?
> Thank you!
> Thu, 7 Apr 2022 at 16:17, Tobias Brunner <tobias at strongswan.org>:
>> Hi Alexey,
>> > 07[CFG] looking for peer configs matching
>> > x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
>> > 07[CFG] no matching peer config found
>> > 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> > 07[NET] sending packet: from x.x.x.x to y.y.y.y (80 bytes)
>> > And the question is: why no matching peer found as peers and key is in
>> > place?
>> The peer proposes the IP addresses as identities (it's what you see in
>> the "looking for peer configs matching ..." log message), which
>> clearly don't match "key" (whatever that is exactly). So just remove
>> those `id = key` lines (the default identities are the IP addresses) and
>> associate the secret with y.y.y.y (i.e. set `id-1 = y.y.y.y` there).
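The mistake Alexey found (VTI `local`/`remote` set to the 10.255.255.24/30 addresses inside the tunnel instead of the IKE/ESP endpoints) is easy to repeat, so here is an added example of the corrected route-based setup. It is not code from the thread or from strongSwan; 203.0.113.1 and 198.51.100.1 are placeholders for the real x.x.x.x / y.y.y.y endpoints, the 192.168.2.0/24 remote network is assumed, and the script only prints the commands unless DRY_RUN=0. The `check_vti_endpoints` guard refuses a VTI whose endpoints fall inside the inner subnet, which is exactly the misconfiguration that produced the NoRoute TX errors above.

```shell
#!/bin/sh
# Added example, not from the thread: strongSwan route-based VPN on a VTI
# interface with a fixed mark (kernel 3.10, so no XFRM interfaces).
LOCAL_EP=203.0.113.1        # assumed: this host's IKE/ESP endpoint (outer address)
REMOTE_EP=198.51.100.1      # assumed: peer's IKE/ESP endpoint (outer address)
VTI_NET=10.255.255.24/30    # point-to-point subnet inside the tunnel (from thread)
VTI_ADDR=10.255.255.26/30   # this host's address inside the tunnel (from thread)
MARK=10                     # must equal mark_in/mark_out of the strongSwan conn
REMOTE_NET=192.168.2.0/24   # assumed: network behind the peer, routed via vti0
DRY_RUN=${DRY_RUN:-1}       # 1 = print commands only, 0 = execute them

# dotted quad -> 32-bit integer
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# succeed when $1 (address) is inside $2 (CIDR)
ip_in_cidr() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# $1 local endpoint, $2 remote endpoint, $3 inner subnet.
# A VTI endpoint inside the inner subnet is the error from the thread.
check_vti_endpoints() {
    for ep in "$1" "$2"; do
        if ip_in_cidr "$ep" "$3"; then
            echo "VTI endpoint $ep lies inside $3; use the outer IKE/ESP addresses" >&2
            return 1
        fi
    done
    return 0
}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$@"; else "$@"; fi
}

vti_setup() {
    check_vti_endpoints "$LOCAL_EP" "$REMOTE_EP" "$VTI_NET" || return 1
    # the VTI key selects ESP states carrying this mark
    run ip tunnel add vti0 mode vti local "$LOCAL_EP" remote "$REMOTE_EP" key "$MARK"
    # skip the per-interface policy lookup so decrypted packets are accepted on vti0
    run sysctl -w net.ipv4.conf.vti0.disable_policy=1
    run ip addr add "$VTI_ADDR" dev vti0
    run ip link set vti0 up
    # traffic for the remote network goes into the tunnel via the interface
    run ip route add "$REMOTE_NET" dev vti0
}

# Matching swanctl.conf fragment (assumed layout; the mark values are the thread's)
swanctl_fragment() {
    cat <<EOF
connections {
    net-net {
        local_addrs  = $LOCAL_EP
        remote_addrs = $REMOTE_EP
        children {
            net-net {
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                mark_in   = $MARK
                mark_out  = $MARK
            }
        }
    }
}
EOF
}

vti_setup
swanctl_fragment
```

With DRY_RUN=1 the script prints the `ip` and `sysctl` commands and the conn fragment; once the values are right, DRY_RUN=0 applies them. Run `ip -s tunnel show vti0` afterwards: the TX NoRoute counter should stop climbing when the endpoints are the outer addresses and the route for the remote network points at vti0.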