[Swan] Various problems with VTI on Gentoo (with Cisco IOS as a client)

Reuben Farrelly reuben-libreswan at reub.net
Mon Sep 19 11:50:55 UTC 2016


Hi,

I've been experimenting today with a VTI-based configuration and run into 
a few problems.

My head end is a Gentoo Linux box running up to date versions of tools 
and running libreswan-git as of today.  The box is a Linode VM with a 
public IPv4 and IPv6 address.  The VM is running a Linux 4.7.3 kernel.

lightning pluto # ip -V
ip utility, iproute2-ss160808
lightning pluto #

The client side is a Cisco IOS router running 16.6(3)M.

On the Cisco side I've got a working config already running for an IPSec 
connection to another appliance (a Palo Alto firewall).  It is only the 
connection to the Libreswan box that I am having problems with and it 
looks like the problems are all Libreswan specific.

1. The first problem is when the IPSec completes negotiation.  As soon 
as the IPsec connects up, I lose all IPv4 access to the remote box. 
This is made even worse because the public route to the client is also 
wiped out, so the IPsec session basically kills the connectivity to the 
box including that of the IPsec session due to a recursive routing loop 
and more specific /1's for the global routing table:

lightning ~ # ip route
0.0.0.0/1 dev vti01  scope link  src 192.168.6.1  mtu 1438
default via 139.162.51.1 dev eth0  metric 3
127.0.0.0/8 dev lo  scope host
127.0.0.0/8 via 127.0.0.1 dev lo
128.0.0.0/1 dev vti01  scope link  src 192.168.6.1  mtu 1438
139.162.51.0/24 dev eth0  proto kernel  scope link  src 139.162.51.249
lightning ~ #

Even with:  vti-routing=no  I still see these routes appear, and 
experience this problem.

2. What I would ideally like to do is have a tunnel interface on the 
Cisco, and number it with 192.168.6.2/30.  Ideally then on the Libreswan 
box I would set 192.168.6.1/30 which would give me a proper traditional 
numbered link.  I only need connectivity across the directly connected 
subnet (don't want or need any other routes to be reachable just yet - 
I'm NATting for this purpose in the meantime).

The Cisco insists on 0.0.0.0/0 as the src and dst proxy IDs for these 
sorts of VTI connections on its side.

Using a /30 seems to be the most intuitive way from a routing 
perspective at least, but it's not obvious how to configure the /30 
bearing in mind the 0/0 proxy-id requirement.

How would I configure Libreswan to work in this way?  [This would allow 
me to match the config I have on the other IPsec Palo Alto head end, and 
consistency is a great thing!]

3. I am seeing packets leave the Cisco across the Cisco Tunnel 
interface, and I am seeing these packets enter the Libreswan vti. 
However every single one of them is being dropped:

lightning pluto # ifconfig vti01
vti01: flags=193<UP,RUNNING,NOARP>  mtu 1428
         tunnel   txqueuelen 1  (IPIP Tunnel)
         RX packets 0  bytes 0 (0.0 B)
         RX errors 5257  dropped 5257  overruns 0  frame 0
         TX packets 2236  bytes 568568 (555.2 KiB)
         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lightning pluto #

The TX packets were from me doing pings from the head end.  The Cisco 
never sees any packets input but sees lots of packets output.

Tested without iptables as well, so that isn't the issue.

What would cause this?

4. Possibly related to (3): are these two tunnel types actually the same?

22: vti01@NONE: <NOARP,UP,LOWER_UP> mtu 1428 qdisc noqueue state UNKNOWN 
mode DEFAULT group default qlen 1
     link/ipip 139.162.51.249 brd 0.0.0.0

and on the Cisco:

router-2#show int tun 1
Tunnel1 is up, line protocol is up
   Hardware is Tunnel
   Description: Libreswan site-to-site IKEv2 VPN
   Internet address is 192.168.6.2/32
   MTU 17862 bytes, BW 256 Kbit/sec, DLY 50000 usec,
      reliability 255/255, txload 1/255, rxload 1/255
   Encapsulation TUNNEL, loopback not set
   Keepalive not set
   Tunnel linestate evaluation up
   Tunnel source 10.100.37.15 (Cellular0), destination 139.162.51.249
    Tunnel Subblocks:
       src-track:
          Tunnel1 source tracking subblock associated with Cellular0
           Set of tunnels with source Cellular0, 2 members (includes iterators), on interface <OK>
   Tunnel protocol/transport IPSEC/IP

So one is IP/IP and the other is IPSEC/IP.  Is this expected?

The libreswan config looks like this:

conn router-2.reub.net
         left=139.162.51.249
         leftid=@lightning.reub.net
         leftsubnet=0.0.0.0/0
         leftsourceip=192.168.6.1
         right=%any
         rightid=router-2@reub.net
         rightsubnet=0.0.0.0/0
         authby=secret
         ikev2=insist
         ikelifetime=86400s
         salifetime=3600s
         ike=aes256-sha1;modp1536
         phase2alg=aes128-sha1;modp1536
         mtu=1438
         dpddelay=15
         dpdtimeout=45
         dpdaction=clear
         auto=add
         mark=12/0xffffff
         vti-interface=vti01
         vti-routing=no
         vti-shared=yes

A tcpdump output shows the same, i.e. lots of packets dropped by the 
interface with no obvious reason why.


Logs (i.e. pluto.log and from the Cisco) are very verbose; if they are of 
use then perhaps I can send through the relevant bits and pieces.

The IKEv2 session is, however, up, so we're almost at a working state:

router-2# show crypto ikev2 session detailed
  IPv4 Crypto IKEv2 Session

Session-id:19, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf      Status
1         10.100.37.15/4500     139.162.51.249/4500   none/none      READY
       Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
       Life/Active Time: 86400/3850 sec
       CE id: 2585, Session-id: 19
       Status Description: Negotiation done
       Local spi: D92301DC166D08E1       Remote spi: B17833A6ED12E5C2
       Local id: router-2@reub.net
       Remote id: lightning.reub.net
       Local req msg id:  255            Remote req msg id:  219
       Local next msg id: 255            Remote next msg id: 219
       Local req queued:  255            Remote req queued:  219
       Local window:      5              Remote window:      1
       DPD configured for 15 seconds, retry 2
       Fragmentation not  configured.
       Extended Authentication not configured.
       NAT-T is detected inside
       Cisco Trust Security SGT is disabled
       Initiator of SA : Yes
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
           remote selector 0.0.0.0/0 - 255.255.255.255/65535
           ESP spi in/out: 0xE6E04BB5/0x3D26C686
           AH spi in/out: 0x0/0x0
           CPI in/out: 0x0/0x0
           Encr: AES-CBC, keysize: 128, esp_hmac: SHA96
           ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

  IPv6 Crypto IKEv2 Session

router-2#

Any advice would be appreciated.  I guess that by using Cisco IOS and Gentoo 
Linux I am not running an entirely standard combination of client+server, 
but nevertheless it would be good to be able to get this working, and to 
have Gentoo be a working OS with VTI.

Thanks,
Reuben
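A check for the first problem in the post, added here as an example and not code from the original message or from libreswan: it parses the `ip route` table quoted above (embedded as constructed input), tests whether the routes on the VTI device are more specific than the default yet merge back into 0.0.0.0/0 (the two /1s), and does a longest-prefix lookup of the IKE peer's address to show that the peer would now be reached through the tunnel itself, which is the recursive routing loop described. The peer address 203.0.113.7 is a placeholder; the real peer is behind NAT and its public address does not appear in the post.

```python
import ipaddress

# Constructed input: the `ip route` table quoted in the post above.
SAMPLE_ROUTES = """\
0.0.0.0/1 dev vti01  scope link  src 192.168.6.1  mtu 1438
default via 139.162.51.1 dev eth0  metric 3
127.0.0.0/8 dev lo  scope host
127.0.0.0/8 via 127.0.0.1 dev lo
128.0.0.0/1 dev vti01  scope link  src 192.168.6.1  mtu 1438
139.162.51.0/24 dev eth0  proto kernel  scope link  src 139.162.51.249
"""

def parse_routes(text):
    """Turn `ip route` lines into (network, device) pairs; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        routes.append((ipaddress.ip_network(dst, strict=False),
                       fields[fields.index("dev") + 1]))
    return routes

def lookup(routes, addr):
    """Longest-prefix match for addr; returns the egress device (metric ignored)."""
    ip = ipaddress.ip_address(addr)
    best = max((r for r in routes if ip in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None

def tunnel_covers_default(routes, dev):
    """True when dev carries routes that beat 'default' yet merge back into 0.0.0.0/0."""
    nets = [n for n, d in routes if d == dev and n.prefixlen > 0]
    merged = list(ipaddress.collapse_addresses(nets))
    return merged == [ipaddress.ip_network("0.0.0.0/0")]

def check_vti_hijack(text, vti_dev, peer_addr):
    """Report whether the VTI has swallowed the default route and where the IKE peer
    would now be routed; peer_addr routed via vti_dev is the recursive-loop case."""
    routes = parse_routes(text)
    return {"covers_default": tunnel_covers_default(routes, vti_dev),
            "peer_via": lookup(routes, peer_addr)}

if __name__ == "__main__":
    # 203.0.113.7 is a placeholder for the peer's public address (not in the post).
    print(check_vti_hijack(SAMPLE_ROUTES, "vti01", "203.0.113.7"))
```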

