[Swan-dev] ip_vti0 preventing proper routing in updown ?

Tuomo Soini tis at foobar.fi
Fri Jul 6 18:28:23 UTC 2018


On Fri, 6 Jul 2018 12:49:44 -0400 (EDT)
Paul Wouters <paul at nohats.ca> wrote:

> This is the 2nd report I get of updown not working properly, and
> removing the vti kernel module, that removes the ip_vti0 interface,
> resolves the issue ?

That sounds like a bug in vti code.

> Should we revert configuring obtained IP addresses on the loopback?

I don't think that has anything to do with the issue.

> Or can we do something else preventing the bad interaction with
> ip_vti0 ?

We can stop loading vti module by default.

> Note that no vti-* options or marking was used for this configuration.

Yes, but is it possible those have been used before, after last reboot?

> Paul
> 
> -------- Forwarded Message --------
> Subject: vpn.nohats.ca setup - fixed
> From: Francesco Giudici <fgiudici at redhat.com>
> To: Paul Wouters <pwouters at redhat.com>
> Date: Fri, 6 Jul 2018 11:24:50 +0200
> 
> I found the root cause of the issues I was experiencing with the
> setup. I had two issues:
> 1) the ""vpn.nohats.ca": We cannot identify ourselves with either end
>    of this connection.  193.110.157.148 or 193.110.157.148 are not
>    usable" error
> 2) bypassing 1 with left=%MYIP, I was not able to route/forward packets
>    correctly through the VPN, resulting in no traffic
> 
> TL;DR: when starting ipsec I noticed the ip_vti kernel module is
> loaded. When loaded, it creates a default interface ip_vti0. Removing
> the module before adding the vpn.nohats.ca connection fixed both
> issues 1 and 2. Everything worked as expected.
> 
> -- long version --
> Diagnosing issue 2) I found the network config looked weird: the
> address gained from CP was added to the lo interface. The new default
> routes were thus added as "link scope". Mangling the network (I moved
> the CP address to the main interface and updated the routes) I was
> able to let packets flow through the VPN (I could see the ESP packets
> going in both directions) but still no end-to-end connectivity...
> I noticed that the clear text traffic arrived on a ip_vti0
> interface... so, removing the ip_vti module before starting the
> connection did the trick.
> 
> All of this on F28, both Desktop and client.
> 
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev



-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
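The three observations in Francesco's report (ip_vti module loaded, the CP-assigned address sitting on lo, default routes installed with scope link) turned into parseable checks, as an added shell example that is not part of this thread and not Libreswan's own updown or _stackmanager code. Each function reads lsmod / ip output on stdin, so it runs on the constructed samples below as well as on live output; the module table, addresses and routes in the samples are made up for illustration, and the modprobe.d workaround at the end is an assumption about what an operator can do on the client, not a fix the project adopted.

```shell
# Added example, not from the thread or from Libreswan: reproduce the three
# observations in the report as checks on command output.
#   1. ip_vti module loaded  -> an ip_vti0 interface exists
#   2. a non-127/8 address on lo (the CP-assigned address)
#   3. a default route installed with scope link
# Each check reads command output on stdin so it can run on the constructed
# samples below or on live `lsmod` / `ip` output.

# Exit 0 if ip_vti appears as a module name in `lsmod` output.
vti_loaded() {
    awk 'BEGIN { rc = 1 } $1 == "ip_vti" { rc = 0 } END { exit rc }'
}

# Print IPv4 addresses on lo outside 127.0.0.0/8, from `ip -4 -o addr` output.
lo_foreign_addrs() {
    awk '$2 == "lo" && $3 == "inet" && $4 !~ /^127\./ { print $4 }'
}

# Print default routes carrying "scope link", from `ip -4 route` output.
link_scope_defaults() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "scope" && $(i + 1) == "link") print }'
}

# Run the three checks on the given outputs; print one line per finding and
# return the number of findings (0 = nothing suspicious).
diagnose() {
    lsmod_out=$1 addr_out=$2 route_out=$3
    n=0
    if printf '%s\n' "$lsmod_out" | vti_loaded; then
        echo "ip_vti loaded: ip_vti0 exists and can take the decrypted traffic"
        n=$((n + 1))
    fi
    for a in $(printf '%s\n' "$addr_out" | lo_foreign_addrs); do
        echo "non-loopback address on lo: $a"
        n=$((n + 1))
    done
    routes=$(printf '%s\n' "$route_out" | link_scope_defaults)
    if [ -n "$routes" ]; then
        printf '%s\n' "$routes" | sed 's/^/link-scope default route: /'
        n=$((n + $(printf '%s\n' "$routes" | wc -l)))
    fi
    return "$n"
}

# Constructed samples (field layout of lsmod / `ip -o addr` / `ip route`;
# the trailing lifetime columns of `ip -o addr` are trimmed). The addresses
# are RFC 5737 documentation ranges, not the ones from the report.
SAMPLE_LSMOD='Module                  Size  Used by
ip_vti                 16384  0
xfrm4_tunnel           16384  1 ip_vti
ip_tunnel              28672  1 ip_vti'
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
1: lo    inet 192.0.2.10/32 scope global lo
2: eth0    inet 198.51.100.7/24 brd 198.51.100.255 scope global dynamic eth0'
SAMPLE_ROUTE='default via 198.51.100.1 dev eth0 proto dhcp metric 100
default dev lo scope link src 192.0.2.10
198.51.100.0/24 dev eth0 proto kernel scope link src 198.51.100.7'

diagnose "$SAMPLE_LSMOD" "$SAMPLE_ADDR" "$SAMPLE_ROUTE" || echo "$? finding(s)"

# On a live client: diagnose "$(lsmod)" "$(ip -4 -o addr)" "$(ip -4 route)"
# Operator-side workaround (assumption, not a project fix): `modprobe -r ip_vti`
# before bringing the connection up, or keep the module out permanently with
# an /etc/modprobe.d entry such as `install ip_vti /bin/true`.
```

The `install ip_vti /bin/true` line matters more than a plain `blacklist` line here: `blacklist` only stops alias-based autoloading, while an explicit `modprobe ip_vti` (which is what the report implies the ipsec startup does) still succeeds unless the `install` override is present. `modprobe -r` will also refuse while the module is in use, so run it before the connection exists, as the report does.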

