[Swan] vti support

Charles Wyble charles at turnsys.com
Wed Jun 1 02:04:39 UTC 2016 

Yes I sure did. I also had to symlink /bin/ip to my updated iptools, otherwise I got the dreaded "ipip doesn't support keys" or whatever message. 


Anyway I'm having a terrible time with VTI. I can't get packets to transit the tunnel. I'm hoping it's something incredibly stupid, and I'll get called out in 2 seconds...


So here's the Cisco side:

satx-rtr01#sh int tun 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.195.2/30
  MTU 17862 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 10.40.170.22, destination 158.69.183.161
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1422 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "VTI")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     131 packets output, 11756 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

satx-rtr01#ping 192.168.195.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.195.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
satx-rtr01#

Tunnel0 config:

interface Tunnel0
 ip address 192.168.195.2 255.255.255.252
 tunnel source 10.40.170.22
 tunnel destination 158.69.183.161
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
end


Here's the libreswan side:

# Connection to rack at JUAF-SAT01
conn    satx
        left=158.69.183.161        #ovh outside ip
        leftsubnet=10.253.0.0/16  #ovh network
        #leftsubnet=0.0.0.0/0
        leftid=158.69.183.161    #ikeid of ovh side
        right=38.103.217.178                 #IOS outside address
        rightsubnet=10.40.170.0/24        #network behind IOS
        #rightsubnet=0.0.0.0/0
        rightid=10.40.170.22             #IKEID sent by IOS
        ike=aes128-sha1;modp4096
        esp=aes128-sha1
        type=tunnel
        authby=secret
        auth=esp
        keyexchange=ike
        keyingtries=2
        disablearrivalcheck=no
        ikev2=no
        auto=start
        mark=5/0xffffffff
        vti-interface=vti01



The tunnel is being brought up by libreswan now (after running /usr/local/sbin/ipsec pluto --stderrlog --config /etc/ipsec.d/satx.conf --nofork and seeing the ipip key message)

Before starting ipsec, I have:

15: ip_vti0 at NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default
    link/ipip 0.0.0.0 brd 0.0.0.0


After:
24: vti01 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1332 qdisc noqueue state UNKNOWN group default
    link/ipip 158.69.183.161 peer 38.103.217.178

(I'm capturing the output of the ipsec pluto to a typescript) 

Looking through it I see:

root at tsys-shared-router:~# grep vti debug-ipsec-21387
Jun  1 01:58:08: "satx": prepare-client output: net.ipv4.conf.vti01.disable_policy = 1
Jun  1 01:58:08: "satx": prepare-client output: net.ipv4.conf.vti01.rp_filter = 0
Jun  1 01:58:08: "satx": prepare-client output: net.ipv4.conf.vti01.forwarding = 1
root at tsys-shared-router:~#


Please let me know if I can provide any more information. 

At this point I believe it may be related to shorewall. I'm double and triple checking my configuration. At one point I had output from tcpdump of vti01 when I was attempting ping (getting ICMP unreachable from the Cisco side, yet he has no ACLs). I'm at my whits end here. 



-----Original Message-----
From: Swan [mailto:swan-bounces at lists.libreswan.org] On Behalf Of Ruben Laban
Sent: Tuesday, May 31, 2016 12:50 AM
To: swan at lists.libreswan.org
Subject: Re: [Swan] vti support

Hi,

On 30-5-2016 22:53, Charles Wyble wrote:
> Ah ok. Thanks.
>
> That did the trick. Greatly appreciate all of the help. Traffic is coming across on vti01 via tcpdump now.
>
> I've got some routing/firewall issues to work out, but that's my problem.
>
> :)

Just curious: did you have to use a newer version of the iproute(2) package? My recent tests with both 14.04 and 16.04 led me to believe that the `ip` command shipped with those, lack proper vti support.

Regards,
Ruben

_______________________________________________
Swan mailing list
Swan at lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan

More information about the Swan mailing list