[Swan] VTI support

Xinwei Hong xhong at skytap.com
Tue Aug 2 18:57:28 UTC 2016


I updated my system to Ubuntu 16.04 (linux 4.4.0-31-generic) and iproute2 4.5.
With a similar configuration, I got:

002 "routed-vpn" #1: initiating Main Mode
104 "routed-vpn" #1: STATE_MAIN_I1: initiate
003 "routed-vpn" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12
003 "routed-vpn" #1: received and ignored informational message
010 "routed-vpn" #1: STATE_MAIN_I1: retransmission; will wait 500ms for response
...
003 "routed-vpn" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12
003 "routed-vpn" #1: received and ignored informational message
031 "routed-vpn" #1: max number of retransmissions (8) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKEv1 message
000 "routed-vpn" #1: starting keying attempt 2 of at most 2, but releasing whack

`ipsec status` shows the following:

000 "routed-vpn": 0.0.0.0/0===192.168.0.20<192.168.0.20>...192.168.0.21<192.168.0.21>===0.0.0.0/0; unrouted; eroute owner: #0
000 "routed-vpn":     oriented; my_ip=unset; their_ip=unset
000 "routed-vpn":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "routed-vpn":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "routed-vpn":   labeled_ipsec:no;
000 "routed-vpn":   policy_label:unset;
000 "routed-vpn":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2;
000 "routed-vpn":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "routed-vpn":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "routed-vpn":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "routed-vpn":   conn_prio: 0,0; interface: ens35; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "routed-vpn":   nflog-group: unset; mark: 5/0xffffffff, 5/0xffffffff; vti-iface:vti01; vti-routing:no; vti-shared:no;
000 "routed-vpn":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "routed-vpn":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP4096(16)
000 "routed-vpn":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)-MODP4096(16)
000 "routed-vpn":   ESP algorithms wanted: AES(12)_128-SHA1(2)
000 "routed-vpn":   ESP algorithms loaded: AES(12)_128-SHA1(2)

Do you have any pointer on what's wrong here?

Thanks,
Xinwei

On Sat, Jul 9, 2016 at 1:06 AM, Paul Wouters <paul at nohats.ca> wrote:

> On Fri, 8 Jul 2016, Xinwei Hong wrote:
>
>> Is it possible to provide the exact requirements for this feature? Which
>> kernel version and which iproute2 version? We want to push this feature to
>> our production and would need to do
>> packaging ourselves.
>>
>
> If I had known it, I would have told you. I just know the versions we
> started testing with and those work for sure.
>
>> Also, we currently use racoon+netkey to do policy-based vpn and
>> pluto+klips to do route-based vpn. With this new feature, will we be able
>> to do both with pluto+netkey? How to do
>> policy-based VPN without racoon?
>>
>
> Yes you should be able to do both.
>
> Paul
>
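A small triage script for the output quoted in this message, added here as an example; it is not code from the thread or from Libreswan. It parses the `ipsec status` lines and the pluto log lines above (embedded below as constructed sample input, with the mail wrapping undone) and separates the two questions the post mixes up: whether IKEv1 Phase 1 is failing, and whether the VTI settings are involved at all. A NO_PROPOSAL_CHOSEN notify received while the initiator is still in STATE_MAIN_I1 is the responder rejecting the ISAKMP SA proposal, so no IPsec SA is ever created and the kernel-side VTI interface is never exercised. The mapping of mark-in/mark-out to the VTI ikey/okey, and the assumption that status prints the marks in that order, are the script's own assumptions.

```python
import re

# Constructed sample input: the pluto log and `ipsec status` lines quoted in
# the post above, with the mail client's line wrapping undone.
PLUTO_LOG = """\
002 "routed-vpn" #1: initiating Main Mode
104 "routed-vpn" #1: STATE_MAIN_I1: initiate
003 "routed-vpn" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12
003 "routed-vpn" #1: received and ignored informational message
010 "routed-vpn" #1: STATE_MAIN_I1: retransmission; will wait 500ms for response
031 "routed-vpn" #1: max number of retransmissions (8) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKEv1 message
000 "routed-vpn" #1: starting keying attempt 2 of at most 2, but releasing whack
"""

STATUS = """\
000 "routed-vpn": 0.0.0.0/0===192.168.0.20<192.168.0.20>...192.168.0.21<192.168.0.21>===0.0.0.0/0; unrouted; eroute owner: #0
000 "routed-vpn":     oriented; my_ip=unset; their_ip=unset
000 "routed-vpn":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "routed-vpn":   nflog-group: unset; mark: 5/0xffffffff, 5/0xffffffff; vti-iface:vti01; vti-routing:no; vti-shared:no;
000 "routed-vpn":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "routed-vpn":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP4096(16)
000 "routed-vpn":   ESP algorithms wanted: AES(12)_128-SHA1(2)
"""

STATUS_RE = re.compile(r'^000 "(?P<conn>[^"]+)":\s*(?P<body>.*)$')
LOG_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
# IKEv1 Phase 1 initiator states: Main Mode or Aggressive Mode, initiator side.
PHASE1_INITIATOR = re.compile(r"STATE_(MAIN|AGGR)_I\d")


def parse_status(text):
    """Turn `ipsec status` lines into {conn: {key: value, ..., 'flags': set()}}.

    Each line body is a ';'-separated list of 'key: value' pairs; bare words
    such as 'unrouted' or 'oriented' become flags, and the leftsubnet===left
    ...right===rightsubnet summary is kept under 'summary'. IPv6 endpoints
    would contain ':' and need a smarter split; the sample is IPv4 only.
    """
    conns = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue
        entry = conns.setdefault(m["conn"], {"flags": set()})
        for piece in (p.strip() for p in m["body"].split(";")):
            if not piece:
                continue
            if "===" in piece:
                entry["summary"] = piece
            elif ":" in piece:
                key, val = piece.split(":", 1)
                entry[key.strip()] = val.strip()
            else:
                entry["flags"].add(piece)
    return conns


def parse_log(text):
    """Return [{'code', 'conn', 'sa', 'msg'}] for pluto lines tagged with an SA number."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def vti_keys(conn_status):
    """(ikey, okey) the VTI device must carry, taken from mark-in/mark-out.
    Assumption: status prints the marks in that order and each is value/mask."""
    return tuple(part.strip().split("/")[0] for part in conn_status["mark"].split(","))


def diagnose(status, events, conn):
    """Return {finding: explanation} for one conn from its status and log lines."""
    st = status[conn]
    own = [e for e in events if e["conn"] == conn]
    findings = {}

    last_state = None  # the last STATE_* pluto reported for this conn
    for e in own:
        m = re.search(r"\bSTATE_\w+", e["msg"])
        if m:
            last_state = m.group()
    rejected = any("NO_PROPOSAL_CHOSEN" in e["msg"] for e in own)
    if rejected and last_state and PHASE1_INITIATOR.fullmatch(last_state):
        findings["phase1_proposal_rejected"] = (
            f"peer sent NO_PROPOSAL_CHOSEN while we were in {last_state}: it rejected "
            f"our ISAKMP SA proposal {st.get('IKE algorithms wanted')}; the responder "
            "must accept this cipher/hash/DH group (its ike= line) before anything else")

    vti = st.get("vti-iface", "unset")
    if vti != "unset" and st.get("newest IPsec SA") == "#0":
        ikey, okey = vti_keys(st)
        findings["vti_not_reached"] = (
            f"no IPsec SA exists, so {vti} (ikey {ikey}, okey {okey} from mark=) has "
            "not been exercised yet; the VTI setup cannot be what fails here")
    return findings


def triage(conn="routed-vpn"):
    """Run the diagnosis over the embedded sample input."""
    return diagnose(parse_status(STATUS), parse_log(PLUTO_LOG), conn)


if __name__ == "__main__":
    for name, why in triage().items():
        print(f"{name}: {why}")
```

The script deliberately does not read the log from a live system; feed it `ipsec status` and the `/var/log/pluto.log` lines for the conn in question and the same two checks apply. The point it makes for this post is that the VTI, mark and vti-routing settings only come into play once Phase 2 has produced an IPsec SA, so the Phase 1 proposal mismatch has to be resolved on the responder first.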