[Swan] Various problems with VTI on Gentoo (with Cisco IOS as a client)
Reuben Farrelly
reuben-libreswan at reub.net
Tue Sep 27 08:58:08 UTC 2016
Hi,
On 26/09/2016 6:13 AM, Tuomo Soini wrote:
> On Mon, 19 Sep 2016 21:50:55 +1000
> Reuben Farrelly <reuben-libreswan at reub.net> wrote:
>
>> Hi,
>>
>> I've been experimenting today with Vti based configuration and run
>> into a few problems.
>>
>> The libreswan config looks like this:
>>
>> conn router-2.reub.net
>> left=139.162.51.249
>> leftid=@lightning.reub.net
>> leftsubnet=0.0.0.0/0
>> leftsourceip=192.168.6.1
> ^^^^^^^^^^^^^^^^^^^^^^^^
> Here is your config error. That always causes routing. So
> vti-routing=no below is ignored because sourceip functionality doesn't
> work at all without routing which forces routing.
Unfortunately this hasn't fixed the problem with the 0.0.0.0/1 routes
being added.
Still seeing this:
lightning ~ # ip route
0.0.0.0/1 dev vti-1 scope link mtu 1438
default via 139.162.51.1 dev eth0 metric 3
127.0.0.0/8 dev lo scope host
127.0.0.0/8 via 127.0.0.1 dev lo
128.0.0.0/1 dev vti-1 scope link mtu 1438
139.162.51.0/24 dev eth0 proto kernel scope link src 139.162.51.249
192.168.6.0/30 dev vti-1 proto kernel scope link src 192.168.6.1
lightning ~ #
This is my config, which now does not have the leftsourceip specified
anywhere:
conn router-2.reub.net
left=139.162.51.249
leftid=@lightning.reub.net
leftsubnet=0.0.0.0/0
right=%any
rightid=router-2@reub.net
rightsubnet=0.0.0.0/0
authby=secret
ikev2=insist
ikelifetime=86400s
salifetime=3600s
ike=aes256-sha1;modp1536
phase2alg=aes128-sha1;modp1536
mtu=1438
dpddelay=15
dpdtimeout=45
dpdaction=clear
auto=add
mark=12/0xffffff
vti-interface=vti-1
leftvti=192.168.6.1/30
This of course completely cuts off access via the non-VTI interface to
the box.
With or without vti-routing=no specified I still see the same problem,
i.e. the 0.0.0.0/1 route and 127.0.0.0/1 route added.
Reuben
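The routing table above shows the classic symptom of a 0.0.0.0/0 traffic selector on a VTI: the kernel gets 0.0.0.0/1 and 128.0.0.0/1 on the tunnel device, which together cover every address and, being longer than /0, beat the real default route, so remote administration over eth0 dies as soon as the tunnel comes up. The script below is an added example, not code from this thread or from libreswan. It parses `ip route` output for exactly that split-default pair and emits the one more-specific route that keeps a management prefix reachable via the original gateway (longest prefix wins, so a /24 always beats a /1). The embedded route table is constructed to match the one posted; the management prefix 203.0.113.0/24 is a placeholder assumption, as is the `--live` flag. This protects console access but does not by itself answer why the routes are installed despite vti-routing=no.

```shell
#!/bin/sh
# Added example (not from the thread or libreswan): detect the split-default
# pair 0.0.0.0/1 + 128.0.0.0/1 that appears when a 0.0.0.0/0 selector is
# routed into a VTI, and print a protective route for a management prefix.

# Constructed sample: a copy of the routing table posted in the thread.
SAMPLE_ROUTES='0.0.0.0/1 dev vti-1 scope link mtu 1438
default via 139.162.51.1 dev eth0 metric 3
127.0.0.0/8 dev lo scope host
127.0.0.0/8 via 127.0.0.1 dev lo
128.0.0.0/1 dev vti-1 scope link mtu 1438
139.162.51.0/24 dev eth0 proto kernel scope link src 139.162.51.249
192.168.6.0/30 dev vti-1 proto kernel scope link src 192.168.6.1'

# split_default_dev ROUTES
# Prints the device that carries BOTH 0.0.0.0/1 and 128.0.0.0/1 (the tunnel
# now swallows all non-local traffic), or nothing if no such pair exists.
split_default_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            for (i = 2; i <= NF; i++) if ($i == "dev") seen[$1] = $(i + 1)
        }
        END {
            if (("0.0.0.0/1" in seen) && ("128.0.0.0/1" in seen) &&
                seen["0.0.0.0/1"] == seen["128.0.0.0/1"])
                print seen["0.0.0.0/1"]
        }'
}

# default_gateway ROUTES
# Prints "<gateway> <dev>" for the kernel default route.
default_gateway() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 2; i <= NF; i++) {
                if ($i == "via") gw = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            print gw, dev
            exit
        }'
}

# protective_route MGMT_PREFIX ROUTES
# Emits the ip(8) command that pins a management prefix to the real default
# gateway. Longest prefix match means a /24 always beats the tunnel's /1s,
# so SSH from that prefix keeps working while the tunnel is up.
# MGMT_PREFIX is an assumption: use the network you administer the box from.
protective_route() {
    set -- "$1" $(default_gateway "$2")
    [ -n "$2" ] || return 1
    printf 'ip route add %s via %s dev %s\n' "$1" "$2" "$3"
}

# Run against the constructed sample by default; pass --live to read the
# real table (assumed flag, for use on the affected host).
if [ "${1:-}" = "--live" ]; then
    ROUTES=$(ip route)
else
    ROUTES=$SAMPLE_ROUTES
fi
dev=$(split_default_dev "$ROUTES")
if [ -n "$dev" ]; then
    echo "WARNING: 0.0.0.0/1 + 128.0.0.0/1 on $dev: all non-local traffic enters the tunnel"
    protective_route "${MGMT_PREFIX:-203.0.113.0/24}" "$ROUTES"
fi
```

Add the protective route before `ipsec auto --up` (or put it in a script that runs ahead of the tunnel) so that a misbehaving VTI can never lock you out of the box; the same check run after the tunnel is established tells you whether the /1 routes are really gone when you think you have disabled routing.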