[Swan] vti support
Paul Wouters
paul at nohats.ca
Wed Jun 1 02:36:52 UTC 2016
On Wed, 1 Jun 2016, Charles Wyble wrote:
> Anyway I'm having a terrible time with VTI. I can't get packets to transit the tunnel. I'm hoping it's something incredibly stupid, and I'll get called out in 2 seconds...
Maybe :)
> So here's the Cisco side:
I cannot help you there, but:
> interface Tunnel0
> ip address 192.168.195.2 255.255.255.252
> tunnel source 10.40.170.22
> tunnel destination 158.69.183.161
> tunnel mode ipsec ipv4
> tunnel protection ipsec profile VTI
> # Connection to rack at JUAF-SAT01
> conn satx
> left=158.69.183.161 #ovh outside ip
> leftsubnet=10.253.0.0/16 #ovh network
> #leftsubnet=0.0.0.0/0
> leftid=158.69.183.161 #ikeid of ovh side
> right=38.103.217.178 #IOS outside address
> rightsubnet=10.40.170.0/24 #network behind IOS
> #rightsubnet=0.0.0.0/0
> rightid=10.40.170.22 #IKEID sent by IOS
> ike=aes128-sha1;modp4096
> esp=aes128-sha1
> type=tunnel
> authby=secret
> auth=esp
> keyexchange=ike
> keyingtries=2
> disablearrivalcheck=no
> ikev2=no
> auto=start
> mark=5/0xffffffff
> vti-interface=vti01
You need to vti-routing=yes but I do believe that is the default.
But when you set the leftsubnet and rightsubnet, you limit the tunnel
to those IP ranges. Your ping:
> satx-rtr01#ping 192.168.195.1
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.195.1, timeout is 2 seconds:
is coming from 192.168.195.1, which doesn't fall within 10.253.0.0/16
If you type "ip route list" you will see that only 10.40.170.0/24 got
routed into the vt01 device, and only those packets will end up getting
encrypted.
> 24: vti01 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1332 qdisc noqueue state UNKNOWN group default
> link/ipip 158.69.183.161 peer 38.103.217.178
That only shows you the gateway IP's to switch the VTI tunnel is bound.
You need to use "ip xfrm pol" (or actually ip -s xfrm pol) to see
which packets will match the policy to get encrypted for the IPsec SA.
Paul
More information about the Swan
mailing list