[Swan] VTI issue to SRX unable to send traffic through the interface

Paul Tran ptran6308 at gmail.com
Tue Oct 31 12:56:07 UTC 2017


Hello,

Currently, I have a VTI interface on CentOS7 going to a Juniper SRX. The
tunnel shows up with both IKE and IPSEC SA's established and the IPSEC
SPI's matching on both sides.

The CentOS box currently has IPTABLES wide open and SELinux has been disabled
temporarily to ensure they aren't impacting anything. The CentOS box sits
behind NAT.

SRX(104.167.4.2) to 34.204.126.142 <Nat> to (172.31.140.0) Centos

VTI interfaces and ST interface on the srx set to IPs on the 192.168.10.0/24
network

I have users sitting on 10.8.0.0/24 that I am trying to have use this
tunnel that are connected off of the CENTOS box.

The issue is I see no bytes traversing the VTI interface. When I ping from
the SRX to the VTI interface I see the RX error incrementing but I get no
response from the IP associated with the VTI interface. When I attempt to
send pings to the SRX interface, I get TX errors on the VTI interface. The
IP XFRM doesn't show an ESP SPI value but does show a REQ ID, which is below.
I am not sure if the value should show there or not as well. I also can't
ping from a 10.8.x.x address across the VTI either.

I am new to LIBRESWAN and would appreciate any help getting this issue
resolved. I am sure it's probably something I haven't configured correctly
or overlooked but I am not knowledgeable enough to see what it is.

Below is some information from my CentOS box.

Paul

ipsec whack --trafficstatus
006 #41: "SRX", type=ESP, add_time=0, inBytes=0, outBytes=0, id='104.167.4.2'

============
ipsec status
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #41: "SRX":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2129s; newest IPSEC; eroute owner; isakmp#40; idle; import:admin initiate
000 #41: "SRX" esp.f9f094b7@102.167.4.2 esp.a8a78361@172.31.140.0 tun.0@102.167.4.2 tun.0@172.31.140.0 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #40: "SRX":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 155s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
===============
ifconfig
vti201: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 8981
        inet 192.168.10.2  netmask 255.255.255.0  destination 192.168.10.1
        tunnel   txqueuelen 1  (IPIP Tunnel)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  colli
================
IPSEC.CONF config
conn SRX
  authby=secret
  #aggressive=no
  #type=tunnel
  left=172.31.140.0
  leftid=34.204.126.142
  right=102.167.4.2
  auto=start
  mark=5/0xfffffff
  keyingtries=%forever
  rightsubnet=0.0.0.0/24
  leftsubnet=10.8.0.0/24
  ike=aes-sha1;modp1536
  phase2=esp
  phase2alg=aes256-sha1;modp1536
  vti-interface=vti201
  vti-routing=yes
  leftvti=192.168.10.2/24


ip -s xfrm policy

src 10.8.0.0/24 dst 0.0.0.0/24 uid 0
        dir out action allow index 625 priority 2344 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-10-31 12:22:43 use -
        mark 5/0xfffffff
        tmpl src 172.31.140.0 dst 102.167.4.2
                proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 0.0.0.0/24 dst 10.8.0.0/24 uid 0
        dir fwd action allow index 642 priority 2344 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-10-30 20:39:08 use -
        mark 5/0xfffffff
        tmpl src 102.167.4.2 dst 172.31.140.0
                proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
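An added diagnostic, not part of the post and not Libreswan's own tooling: a small Python script that parses the `ip -s xfrm policy` output above (embedded as a constructed sample, with the mail wrapping undone and the lifetime-config lines omitted) and answers the two questions a defender asks first when a VTI shows no bytes: does each policy's mark match the key the VTI was created with, and do the selectors actually cover the flow being tested. The VTI key is assumed here to be 5, matching `mark=5/0xfffffff` in the config; on a real box it comes from `ip -d link show vti201`. The function names and the `vti_key` parameter are my own.

```python
import ipaddress
import re

# Constructed sample: the two policies from the post, reflowed onto one field
# per line the way `ip -s xfrm policy` prints them (lifetime config omitted).
XFRM_POLICY_DUMP = """\
src 10.8.0.0/24 dst 0.0.0.0/24 uid 0
        dir out action allow index 625 priority 2344 ptype main share any flag  (0x00000000)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-10-31 12:22:43 use -
        mark 5/0xfffffff
        tmpl src 172.31.140.0 dst 102.167.4.2
                proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 0.0.0.0/24 dst 10.8.0.0/24 uid 0
        dir fwd action allow index 642 priority 2344 ptype main share any flag  (0x00000000)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-10-30 20:39:08 use -
        mark 5/0xfffffff
        tmpl src 102.167.4.2 dst 172.31.140.0
                proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
"""

HEAD_RE = re.compile(r"^src (\S+) dst (\S+)")          # unindented: new policy
DIR_RE = re.compile(r"^\s+dir (\w+) action (\w+)")
CUR_RE = re.compile(r"^\s+(\d+)\(bytes\), (\d+)\(packets\)")
MARK_RE = re.compile(r"^\s+mark (\S+)")
TMPL_RE = re.compile(r"^\s+tmpl src (\S+) dst (\S+)")
PROTO_RE = re.compile(r"^\s+proto (\w+) spi (0x[0-9a-fA-F]+)\(\d+\) "
                      r"reqid (\d+)\(0x[0-9a-fA-F]+\) mode (\w+)")


def parse_mark(text):
    """'5/0xfffffff' -> (value, mask); an absent mark behaves as (0, 0)."""
    value, mask = text.split("/")
    return int(value, 0), int(mask, 0)


def parse_xfrm_policy(dump):
    """Turn `ip -s xfrm policy` text into a list of policy dicts."""
    policies, cur = [], None
    for line in dump.splitlines():
        if m := HEAD_RE.match(line):
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2)),
                   "dir": None, "action": None, "bytes": 0, "packets": 0,
                   "mark": (0, 0), "tmpl": None}
            policies.append(cur)
        elif cur is None:
            continue
        elif m := DIR_RE.match(line):
            cur["dir"], cur["action"] = m.group(1), m.group(2)
        elif m := CUR_RE.match(line):
            cur["bytes"], cur["packets"] = int(m.group(1)), int(m.group(2))
        elif m := MARK_RE.match(line):
            cur["mark"] = parse_mark(m.group(1))
        elif m := TMPL_RE.match(line):
            cur["tmpl"] = {"src": m.group(1), "dst": m.group(2)}
        elif (m := PROTO_RE.match(line)) and cur["tmpl"] is not None:
            cur["tmpl"].update(proto=m.group(1), spi=int(m.group(2), 16),
                               reqid=int(m.group(3)), mode=m.group(4))
    return policies


def mark_matches(mark, skb_mark):
    """XFRM mark semantics: a policy matches when (packet mark & mask) == value."""
    value, mask = mark
    return (skb_mark & mask) == value


def matching_policy(policies, src_ip, dst_ip, direction="out"):
    """First policy whose selectors cover src -> dst in the given direction."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p
    return None


def review(policies, vti_key):
    """Findings that explain why a flow might never be steered into the tunnel."""
    findings = []
    for p in policies:
        label = f"{p['dir']} policy {p['src']} -> {p['dst']}"
        if not mark_matches(p["mark"], vti_key):
            findings.append(f"{label}: mark {p['mark']} does not match VTI key {vti_key}")
        for net in (p["src"], p["dst"]):
            # 0.0.0.0/N with N > 0 is a tiny block, not a catch-all.
            if net.network_address == ipaddress.IPv4Address("0.0.0.0") and net.prefixlen:
                findings.append(f"{label}: selector {net} covers only {net[0]}-{net[-1]}; "
                                f"a catch-all is 0.0.0.0/0")
        if p["packets"] == 0:
            findings.append(f"{label}: 0 packets have matched since it was installed")
    return findings


if __name__ == "__main__":
    pols = parse_xfrm_policy(XFRM_POLICY_DUMP)
    for finding in review(pols, vti_key=5):
        print(finding)
    hit = matching_policy(pols, "10.8.0.10", "192.168.10.1")
    print("10.8.0.10 -> 192.168.10.1 has an out policy:", hit is not None)
```

Run stand-alone, it reports that a packet from 10.8.0.10 to the peer VTI address 192.168.10.1 matches no `out` policy, because the selector 0.0.0.0/24 only covers 0.0.0.0 through 0.0.0.255; the unrestricted selector is 0.0.0.0/0. The `spi 0x00000000` on the template is normal for `ip xfrm policy` output: negotiated SPIs live on the SAs shown by `ip xfrm state`, which is where the esp.f9f094b7 and esp.a8a78361 values from `ipsec status` should appear.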