[Swan] VTI support

Xinwei Hong xhong at skytap.com
Wed Jul 6 22:27:16 UTC 2016


On Wed, Jul 6, 2016 at 1:56 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Wed, 6 Jul 2016, Xinwei Hong wrote:
>
>> I'm trying to play around with VTI support. I have the following conf in
>> /etc/ipsec.conf
>>
>
>>     # route-based VPN requires marking and an interface
>>     mark=5/0xffffffff
>>     vti-interface=vti01
>>     # do not setup routing because we don't want to send 0.0.0.0/0 over
>> the tunnel
>>     vti-routing=no
>>
>
> You can also use vti-shared=no so the device is also deleted
> automatically when the tunnel goes down.
>
>> Do we need anything else in the ipsec.conf file such as:
>>
>> config setup
>>
>>     protostack=netkey
>>
>>     interfaces="vti01=eth1"
>>
>>     plutodebug=all
>>
>
> No. The interfaces= line is used for KLIPS only and should not be used
> for NETKEY/XFRM.
>
>> Note that I want to have a route-based VPN via netkey/pluto. I have set up
>> /etc/ipsec.secrets to have PSK on both ends.
>>
>> If I run "ipsec start"
>>
>> I got:
>>
>> Redirecting to: start ipsec
>>
>> start: Job failed to start
>>
>> So, I should not start ipsec that way?
>>
>
> That should work.


When I do:

# ipsec start

Redirecting to: start ipsec

ipsec start/running, process 27837


I got:

# ipsec status

whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
What's wrong here?

>
>
>> If I run:
>>
>> ipsec pluto --stderrlog --config /etc/ipsec.conf
>>
>> I got:
>>
>> both ends look fine.
>>
>> "Ipsec status" gets the following:
>>
>
>> 000 Total IPsec connections: loaded 1, active 0
>>
>
> It is loaded but not initiated. Try ipsec auto --up routed-vpn and see
> if you get an error?


I got:

ipsec auto --up routed-vpn

Jul  6 22:06:15: "routed-vpn" #1: initiating Main Mode

002 "routed-vpn" #1: initiating Main Mode

104 "routed-vpn" #1: STATE_MAIN_I1: initiate

Jul  6 22:06:15: "routed-vpn" #1: transition from state STATE_MAIN_I1 to
state STATE_MAIN_I2

Jul  6 22:06:15: "routed-vpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2

002 "routed-vpn" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2

106 "routed-vpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2

Jul  6 22:06:15: "routed-vpn" #1: transition from state STATE_MAIN_I2 to
state STATE_MAIN_I3

002 "routed-vpn" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3

Jul  6 22:06:15: "routed-vpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3

108 "routed-vpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3

Jul  6 22:06:15: "routed-vpn" #1: Main mode peer ID is ID_IPV4_ADDR:
'10.2.128.241'

002 "routed-vpn" #1: Main mode peer ID is ID_IPV4_ADDR: '10.2.128.241'

Jul  6 22:06:15: "routed-vpn" #1: transition from state STATE_MAIN_I3 to
state STATE_MAIN_I4

002 "routed-vpn" #1: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4

Jul  6 22:06:15: "routed-vpn" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP4096}

004 "routed-vpn" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP4096}

Jul  6 22:06:15: "routed-vpn" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
{using isakmp#1 msgid:fff823dd proposal=AES(12)_128-SHA1(2)
pfsgroup=OAKLEY_GROUP_MODP4096}

002 "routed-vpn" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
{using isakmp#1 msgid:fff823dd proposal=AES(12)_128-SHA1(2)
pfsgroup=OAKLEY_GROUP_MODP4096}

117 "routed-vpn" #2: STATE_QUICK_I1: initiate

Jul  6 22:06:15: "routed-vpn" #2: prepare-client output: creating vti
interface

002 "routed-vpn" #2: prepare-client output: creating vti interface

Jul  6 22:06:15: "routed-vpn" #2: prepare-client output: Keys are not
allowed with ipip and sit tunnels

002 "routed-vpn" #2: prepare-client output: Keys are not allowed with ipip
and sit tunnels

Jul  6 22:06:15: "routed-vpn" #2: prepare-client output: Cannot find device
"vti01"

002 "routed-vpn" #2: prepare-client output: Cannot find device "vti01"

Jul  6 22:06:15: "routed-vpn" #2: prepare-client output: sysctl: cannot
stat /proc/sys/net/ipv4/conf/vti01/disable_policy: No such file or directory

002 "routed-vpn" #2: prepare-client output: sysctl: cannot stat
/proc/sys/net/ipv4/conf/vti01/disable_policy: No such file or directory

Jul  6 22:06:15: "routed-vpn" #2: prepare-client output: sysctl: cannot
stat /proc/sys/net/ipv4/conf/vti01/rp_filter: No such file or directory

002 "routed-vpn" #2: prepare-client output: sysctl: cannot stat
/proc/sys/net/ipv4/conf/vti01/rp_filter: No such file or directory

Jul  6 22:06:15: "routed-vpn" #2: prepare-client output: sysctl: cannot
stat /proc/sys/net/ipv4/conf/vti01/forwarding: No such file or directory

002 "routed-vpn" #2: prepare-client output: sysctl: cannot stat
/proc/sys/net/ipv4/conf/vti01/forwarding: No such file or directory

Jul  6 22:06:15: "routed-vpn" #2: prepare-client command exited with status
255

003 "routed-vpn" #2: prepare-client command exited with status 255

Jul  6 22:06:15: "routed-vpn" #2: route-client output: addvti called

002 "routed-vpn" #2: route-client output: addvti called

Jul  6 22:06:15: "routed-vpn" #2: transition from state STATE_QUICK_I1 to
state STATE_QUICK_I2

002 "routed-vpn" #2: transition from state STATE_QUICK_I1 to state
STATE_QUICK_I2

Jul  6 22:06:15: "routed-vpn" #2: STATE_QUICK_I2: sent QI2, IPsec SA
established tunnel mode {ESP=>0x72086792 <0xd687041d xfrm=AES_128-HMAC_SHA1
NATOA=none NATD=none DPD=passive}

004 "routed-vpn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0x72086792 <0xd687041d xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=passive}


After I run the same command on the other end, the following message was
printed on the local screen.


Jul  6 22:10:20: "routed-vpn" #1: the peer proposed: 0.0.0.0/0:0/0 ->
0.0.0.0/0:0/0

Jul  6 22:10:20: "routed-vpn" #3: responding to Quick Mode proposal
{msgid:1a3e14cd}

Jul  6 22:10:20: "routed-vpn" #3:     us: 0.0.0.0/0===10.2.128.240
<10.2.128.240>

Jul  6 22:10:20: "routed-vpn" #3:   them: 10.2.128.241<10.2.128.241>===
0.0.0.0/0

Jul  6 22:10:20: "routed-vpn" #3: keeping refhim=4294901761 during rekey

Jul  6 22:10:20: "routed-vpn" #3: transition from state STATE_QUICK_R0 to
state STATE_QUICK_R1

Jul  6 22:10:20: "routed-vpn" #3: STATE_QUICK_R1: sent QR1, inbound IPsec
SA installed, expecting QI2 tunnel mode {ESP=>0x54d07c6c <0x6e518193
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}

Jul  6 22:10:20: "routed-vpn" #3: transition from state STATE_QUICK_R1 to
state STATE_QUICK_R2

Jul  6 22:10:20: "routed-vpn" #3: STATE_QUICK_R2: IPsec SA established
tunnel mode {ESP=>0x54d07c6c <0x6e518193 xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=passive}


Jul  6 22:11:06: "routed-vpn" #4: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
{using isakmp#1 msgid:c957769a proposal=AES(12)_128-SHA1(2)
pfsgroup=OAKLEY_GROUP_MODP4096}

002 "routed-vpn" #4: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
{using isakmp#1 msgid:c957769a proposal=AES(12)_128-SHA1(2)
pfsgroup=OAKLEY_GROUP_MODP4096}

117 "routed-vpn" #4: STATE_QUICK_I1: initiate

Jul  6 22:11:07: "routed-vpn" #4: transition from state STATE_QUICK_I1 to
state STATE_QUICK_I2

002 "routed-vpn" #4: transition from state STATE_QUICK_I1 to state
STATE_QUICK_I2

Jul  6 22:11:07: "routed-vpn" #4: STATE_QUICK_I2: sent QI2, IPsec SA
established tunnel mode {ESP=>0x960cd38b <0x1b993deb xfrm=AES_128-HMAC_SHA1
NATOA=none NATD=none DPD=passive}
004 "routed-vpn" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0x960cd38b <0x1b993deb xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=passive}

After this, I still cannot see vti01 with "ip link" or "ip tun". So, I
could not add a route to test if the connection works.

ipsec status got:

000 Connection list:

000

000 "routed-vpn": 0.0.0.0/0===10.2.128.240
<10.2.128.240>...10.2.128.241<10.2.128.241>===0.0.0.0/0; erouted; eroute
owner: #4

000 "routed-vpn":     oriented; my_ip=unset; their_ip=unset

000 "routed-vpn":   xauth us:none, xauth them:none,  my_username=[any];
their_username=[any]

000 "routed-vpn":   modecfg info: us:none, them:none, modecfg policy:push,
dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;

000 "routed-vpn":   labeled_ipsec:no;

000 "routed-vpn":   policy_label:unset;

000 "routed-vpn":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2;

000 "routed-vpn":   retransmit-interval: 500ms; retransmit-timeout: 60s;

000 "routed-vpn":   sha2_truncbug:no; initial_contact:no; cisco_unity:no;
fake_strongswan:no; send_vendorid:no;

000 "routed-vpn":   policy:
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;

000 "routed-vpn":   conn_prio: 0,0; interface: eth1; metric: 0; mtu: unset;
sa_prio:auto;

000 "routed-vpn":   nflog-group: unset; mark: 5/0xffffffff, 5/0xffffffff;
vti-iface: vti01; vti-routing: no

000 "routed-vpn":   newest ISAKMP SA: #1; newest IPsec SA: #4;

000 "routed-vpn":   IKE algorithms wanted:
AES_CBC(7)_128-SHA1(2)-MODP4096(16)

000 "routed-vpn":   IKE algorithms found:
AES_CBC(7)_128-SHA1(2)-MODP4096(16)

000 "routed-vpn":   IKE algorithm newest: AES_CBC_128-SHA1-MODP4096

000 "routed-vpn":   ESP algorithms wanted: AES(12)_128-SHA1(2)

000 "routed-vpn":   ESP algorithms loaded: AES(12)_128-SHA1(2)

000 "routed-vpn":   ESP algorithm newest: AES_128-HMAC_SHA1;
pfsgroup=<Phase1>

000

000 Total IPsec connections: loaded 1, active 1

000

000 State Information: DDoS cookies not required, Accepting new IKE
connections

000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)

000 IPsec SAs: total(3), authenticated(3), anonymous(0)

000

000 #4: "routed-vpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 26925s; newest IPSEC; eroute owner; isakmp#1; idle;
import:admin initiate

000 #4: "routed-vpn" esp.960cd38b at 10.2.128.241 esp.1b993deb at 10.2.128.240
tun.0 at 10.2.128.241 tun.0 at 10.2.128.240 ref=0 refhim=4294901761 Traffic:
ESPin=0B ESPout=0B! ESPmax=4194303B

000 #3: "routed-vpn":500 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 27570s; isakmp#1; idle; import:admin initiate

000 #3: "routed-vpn" esp.54d07c6c at 10.2.128.241 esp.6e518193 at 10.2.128.240
tun.0 at 10.2.128.241 tun.0 at 10.2.128.240 ref=0 refhim=4294901761 Traffic:
ESPin=0B ESPout=0B! ESPmax=4194303B

000 #2: "routed-vpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 26843s; isakmp#1; idle; import:admin initiate

000 #2: "routed-vpn" esp.72086792 at 10.2.128.241 esp.d687041d at 10.2.128.240
tun.0 at 10.2.128.241 tun.0 at 10.2.128.240 ref=0 refhim=4294901761 Traffic:
ESPin=0B ESPout=0B! ESPmax=4194303B

000 #1: "routed-vpn":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 1402s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0);
idle; import:admin initiate



>
>> What is the ip_vti0 here?
>>
>
> It's a kernel module thingy which you can ignore.
>
> Paul
>
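The "prepare-client" step in the transcript above is where the vti01 device should have been created, and the "Keys are not allowed with ipip and sit tunnels" line is iproute2 rejecting the key on a vti tunnel, which points at an ip tool without working VTI support rather than at pluto. The following is an added example, not libreswan's own _updown script: it lists the steps implied by the sysctl names in that output (the exact ip invocation and the use of "key" are assumptions), offers a host prerequisite check, and classifies a saved transcript.

```shell
#!/bin/sh
# Added example, not libreswan's _updown script. The sysctl names come from
# the prepare-client output in the thread; the ip tunnel syntax is assumed.

# Commands assumed to be run for a VTI connection: iface, local, peer, mark.
vti_setup_cmds() {
    printf '%s\n' \
        "ip tunnel add $1 mode vti local $2 remote $3 key $4" \
        "ip link set $1 up" \
        "sysctl -w net.ipv4.conf.$1.disable_policy=1" \
        "sysctl -w net.ipv4.conf.$1.rp_filter=0" \
        "sysctl -w net.ipv4.conf.$1.forwarding=1"
}

# Host prerequisites to verify as root on the gateway before blaming pluto:
# the ip_vti kernel module and an iproute2 that knows "mode vti".
vti_host_check() {
    iface=${1:-vti01}
    [ -d /sys/module/ip_vti ] || echo "ip_vti module not loaded (try: modprobe ip_vti)"
    ip tunnel help 2>&1 | grep -q vti || echo "this iproute2 has no 'mode vti'"
    ip link show "$iface" >/dev/null 2>&1 || echo "$iface does not exist"
}

# Read pluto output on stdin; return 1 with a one-line reason when the
# prepare-client step (the one that creates the VTI device) failed.
diagnose_prepare_client() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'Keys are not allowed with ipip and sit tunnels'; then
        echo "ip tunnel rejected 'key' for mode vti: iproute2 too old for VTI"
        return 1
    elif printf '%s\n' "$log" | grep -q 'prepare-client command exited with status [1-9]'; then
        echo "prepare-client failed; see the 'prepare-client output' lines"
        return 1
    fi
    echo "prepare-client succeeded; vti interface should exist"
    return 0
}

# Constructed sample: two lines in the shape of the failure seen above.
SAMPLE='002 "routed-vpn" #2: prepare-client output: Keys are not allowed with ipip and sit tunnels
003 "routed-vpn" #2: prepare-client command exited with status 255'

printf '%s\n' "$SAMPLE" | diagnose_prepare_client || echo "(exit status $?)"
```

Run vti_host_check on the gateway itself; the other two functions need no privileges and can be pointed at saved "ipsec auto --up" output.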