[Swan] Various problems with VTI on Gentoo (with Cisco IOS as a client)

Reuben Farrelly reuben-libreswan at reub.net
Mon Sep 19 11:50:55 UTC 2016


I've been experimenting today with Vti based configuration and run into 
a few problems.

My head end is a Gentoo Linux box running up to date versions of tools 
and running libreswan-git as of today.  The box is a Linode VM with a 
public IPv4 and IPv6 address.  The VM is running a Linux 4.7.3 kernel.

lightning pluto # ip -V
ip utility, iproute2-ss160808
lightning pluto #

The client side is a Cisco IOS router running 16.6(3)M.

On the Cisco side I've got a working config already running for an IPSec 
connection to another appliance (a Palo Alto firewall).  It is only the 
connection to the Libreswan box that I am having problems with and it 
looks like the problems are all Libreswan specific.

1. The first problem is when the IPSec completes negotiation.  As soon 
as the IPsec connects up, I lose all IPv4 access to the remote box. 
This is made even worse because the public route to the client is also 
wiped out, so the IPsec session basically kills the connectivity to the 
box including that of the IPsec session due to a recursive routing loop 
and more specific /1's for the global routing table:

lightning ~ # ip route dev vti01  scope link  src  mtu 1438
default via dev eth0  metric 3 dev lo  scope host via dev lo dev vti01  scope link  src  mtu 1438 dev eth0  proto kernel  scope link  src
lightning ~ #

Even with:  vti-routing=no  I still see these routes appear, and 
experience this problem.

2. What I would ideally like to do is have a tunnel interface on the 
Cisco, and number it with  Ideally then on the Libreswan 
box I would set which would give me a proper traditional 
numbered link.  I only need connectivity across the directly connected 
subnet (don't want or need any other routes to be reachable just yet - 
I'm NATting for this purpose in the meantime).

The Cisco insists on as the src and dst proxy IDs for these 
sorts of VTI connections on it's side.

Using a /30 seems to be the most intuitive way from a routing 
perspective at least, but it's not obvious how to configure the /30 
bearing in mind the 0/0 proxy-id requirement.

How would I configure Libreswan to work in this way?  [This would allow 
me to match the config I have on the other IPsec Palo Alto head end, and 
consistency is a great thing!]

3. I am seeing packets leave the Cisco across the Cisco Tunnel 
interface, and I am seeing these packets enter the Libreswan vti. 
However every single one of them is being dropped:

lightning pluto # ifconfig vti01
vti01: flags=193<UP,RUNNING,NOARP>  mtu 1428
         tunnel   txqueuelen 1  (IPIP Tunnel)
         RX packets 0  bytes 0 (0.0 B)
         RX errors 5257  dropped 5257  overruns 0  frame 0
         TX packets 2236  bytes 568568 (555.2 KiB)
         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lightning pluto #

The TX packets were from me doing pings from the head end.  The Cisco 
never sees any packets input but sees lots of packets output.

Tested without iptables as well, so that isn't the issue.

What would cause this?

4. Possibly related to (3) are these two tunnel types actually the same?

22: vti01 at NONE: <NOARP,UP,LOWER_UP> mtu 1428 qdisc noqueue state UNKNOWN 
mode DEFAULT group default qlen 1
     link/ipip brd

and on the Cisco:

router-2#show int tun 1
Tunnel1 is up, line protocol is up
   Hardware is Tunnel
   Description: Libreswan site-to-site IKEv2 VPN
   Internet address is
   MTU 17862 bytes, BW 256 Kbit/sec, DLY 50000 usec,
      reliability 255/255, txload 1/255, rxload 1/255
   Encapsulation TUNNEL, loopback not set
   Keepalive not set
   Tunnel linestate evaluation up
   Tunnel source (Cellular0), destination
    Tunnel Subblocks:
          Tunnel1 source tracking subblock associated with Cellular0
           Set of tunnels with source Cellular0, 2 members (includes 
iterators), on interface <OK>
   Tunnel protocol/transport IPSEC/IP

So one is IP/IP and the other is IPSEC/IP.  Is this expected?

The libreswan config looks like this:

conn router-2.reub.net
         rightid=router-2 at reub.net

A tcpdump output shows the same, ie lots of packets dropped by the 
interface with no obvious reason why.

Logs (ie pluto.log and from the Cisco) are very verbose, if there are of 
use then perhaps I can send through the relevant bits and pieces.

The ikev2 session is however up, so we're almost at a working state:

router-2# show crypto ikev2 session detailed
  IPv4 Crypto IKEv2 Session

Session-id:19, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf 
1   none/none 
       Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:5, 
Auth sign: PSK, Auth verify: PSK
       Life/Active Time: 86400/3850 sec
       CE id: 2585, Session-id: 19
       Status Description: Negotiation done
       Local spi: D92301DC166D08E1       Remote spi: B17833A6ED12E5C2
       Local id: router-2 at reub.net
       Remote id: lightning.reub.net
       Local req msg id:  255            Remote req msg id:  219
       Local next msg id: 255            Remote next msg id: 219
       Local req queued:  255            Remote req queued:  219
       Local window:      5              Remote window:      1
       DPD configured for 15 seconds, retry 2
       Fragmentation not  configured.
       Extended Authentication not configured.
       NAT-T is detected inside
       Cisco Trust Security SGT is disabled
       Initiator of SA : Yes
Child sa: local selector -
           remote selector -
           ESP spi in/out: 0xE6E04BB5/0x3D26C686
           AH spi in/out: 0x0/0x0
           CPI in/out: 0x0/0x0
           Encr: AES-CBC, keysize: 128, esp_hmac: SHA96
           ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

  IPv6 Crypto IKEv2 Session


Any advice would be appreciated.  I guess by using Cisco IOS and Gentoo 
Linux I am not running an entirely standard combination of client+server 
but nevertheless it would be good to be able to get this working, and to 
have Gentoo be a working OS with VTI.


More information about the Swan mailing list