[Swan] vti support

Charles Wyble charles at turnsys.com
Wed Jun 1 02:04:39 UTC 2016

Yes I sure did. I also had to symlink /bin/ip to my updated iptools, otherwise I got the dreaded "ipip doesn't support keys" or whatever message. 

Anyway I'm having a terrible time with VTI. I can't get packets to transit the tunnel. I'm hoping it's something incredibly stupid, and I'll get called out in 2 seconds...

So here's the Cisco side:

satx-rtr01#sh int tun 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is
  MTU 17862 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source, destination
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1422 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "VTI")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     131 packets output, 11756 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 0 percent (0/5)

Tunnel0 config:

interface Tunnel0
 ip address
 tunnel source
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI

Here's the libreswan side:

# Connection to rack at JUAF-SAT01
conn    satx
        left=        #ovh outside ip
        leftsubnet=  #ovh network
        leftid=    #ikeid of ovh side
        right=                 #IOS outside address
        rightsubnet=        #network behind IOS
        rightid=             #IKEID sent by IOS

The tunnel is being brought up by libreswan now (after running /usr/local/sbin/ipsec pluto --stderrlog --config /etc/ipsec.d/satx.conf --nofork and seeing the ipip key message)

Before starting ipsec, I have:

15: ip_vti0 at NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default
    link/ipip brd

24: vti01 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1332 qdisc noqueue state UNKNOWN group default
    link/ipip peer

(I'm capturing the output of the ipsec pluto to a typescript) 

Looking through it I see:

root at tsys-shared-router:~# grep vti debug-ipsec-21387
Jun  1 01:58:08: "satx": prepare-client output: net.ipv4.conf.vti01.disable_policy = 1
Jun  1 01:58:08: "satx": prepare-client output: net.ipv4.conf.vti01.rp_filter = 0
Jun  1 01:58:08: "satx": prepare-client output: net.ipv4.conf.vti01.forwarding = 1
root at tsys-shared-router:~#

Please let me know if I can provide any more information. 

At this point I believe it may be related to shorewall. I'm double and triple checking my configuration. At one point I had output from tcpdump of vti01 when I was attempting ping (getting ICMP unreachable from the Cisco side, yet he has no ACLs). I'm at my whits end here. 

-----Original Message-----
From: Swan [mailto:swan-bounces at lists.libreswan.org] On Behalf Of Ruben Laban
Sent: Tuesday, May 31, 2016 12:50 AM
To: swan at lists.libreswan.org
Subject: Re: [Swan] vti support


On 30-5-2016 22:53, Charles Wyble wrote:
> Ah ok. Thanks.
> That did the trick. Greatly appreciate all of the help. Traffic is coming across on vti01 via tcpdump now.
> I've got some routing/firewall issues to work out, but that's my problem.
> :)

Just curious: did you have to use a newer version of the iproute(2) package? My recent tests with both 14.04 and 16.04 led me to believe that the `ip` command shipped with those, lack proper vti support.


Swan mailing list
Swan at lists.libreswan.org

More information about the Swan mailing list