[Swan] VTI issue to SRX unable to send traffic through the interface

Paul Wouters paul at nohats.ca
Wed Nov 1 08:05:56 UTC 2017


On Tue, 31 Oct 2017, Paul Tran wrote:

> VTI interfaces and ST interface on the srx set to IPs on the 192.168.10.0/24 network
> 
> I have users sitting on 10.8.0.0/24 that I am trying to have use this tunnel that are connected off of the CENTOS box.

> Ifconfig
> vti201: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 8981
>         inet 192.168.10.2  netmask 255.255.255.0  destination 192.168.10.1
>         tunnel   txqueuelen 1  (IPIP Tunnel)
>         RX packets 0  bytes 0 (0.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 0  bytes 0 (0.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> conn SRX

Can you also show: ip tun

It would need to have a "key" entry matching the mark number in your
config (5)

> IPSEC.CONF config
>   authby=secret
>   #aggressive=no
>   #type=tunnel
>   left=172.31.140.0
>   leftid=34.204.126.142
>   right=102.167.4.2
>   auto=start
>   mark=5/0xfffffff
>   keyingtries=%forever
>   rightsubnet=0.0.0.0/24
>   leftsubnet=10.8.0.0/24
>   ike=aes-sha1;modp1536
>   phase2=esp
>   phase2alg=aes256-sha1;modp1536
>   vti-interface=vti201
>   vti-routing=yes
>   leftvti=192.168.10.2/24

This looks fine.

> 
> ip -s xfrm policy
> 
> src 10.8.0.0/24 dst 0.0.0.0/24 uid 0
>         dir out action allow index 625 priority 2344 ptype main share any flag  (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-10-31 12:22:43 use -
>         mark 5/0xfffffff

Looks okay too.

So I'm not sure what is going on. It might not be mark related? Check
"ipsec verify" for errors, eg rp_filter settings or ip_forwarding
settings?

Paul
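The three checks suggested in this reply (the tunnel's "key" must equal the mark number, and rp_filter / ip_forward must not block forwarded traffic), as an added shell example that is not part of the thread or of Libreswan. The "ip tunnel show" line format, the "sysctl -a" text format and every sample value below are assumptions constructed to mirror the thread.

```shell
# Added example, not from the thread: checks the three things Paul Wouters
# asks about, with constructed sample input that mirrors the thread. The
# "ip tunnel show" line format is an assumption.
nl='
'

# Numeric mark from the conn's "mark=N/mask" line.
mark_from_conf() {
    printf '%s\n' "$1" | sed -n 's#^[[:space:]]*mark=\([0-9][0-9]*\)/.*#\1#p' | head -n 1
}

# Key set on IFACE in "ip tunnel show" output ("key N" or "ikey N ..."), else "none".
key_from_iptunnel() {
    line=$(printf '%s\n' "$2" | grep "^$1: " || true)
    key=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]i\{0,1\}key \([0-9][0-9]*\).*/\1/p')
    [ -n "$key" ] && printf '%s\n' "$key" || echo none
}

# Value of one key from "sysctl -a" style text ("key = value").
sysctl_value() {
    printf '%s\n' "$2" | sed -n "s/^$1 = \(.*\)\$/\1/p"
}

# One finding per line: mark/key mismatch, forwarding off, strict rp_filter
# (1) on the VTI or its parents; prints "ok" when nothing is wrong.
check_vti() {
    conf=$1; iptun=$2; sysctls=$3; iface=$4; findings=""
    mark=$(mark_from_conf "$conf"); key=$(key_from_iptunnel "$iface" "$iptun")
    [ "$key" = "$mark" ] || findings="${findings}key mismatch: mark=$mark tunnel key=$key$nl"
    [ "$(sysctl_value net.ipv4.ip_forward "$sysctls")" = 1 ] || findings="${findings}ip_forward is off$nl"
    for k in all default "$iface"; do
        [ "$(sysctl_value "net.ipv4.conf.$k.rp_filter" "$sysctls")" = 1 ] &&
            findings="${findings}strict rp_filter on net.ipv4.conf.$k$nl"
    done
    [ -n "$findings" ] && printf '%s' "$findings" || echo ok
}

# Constructed samples (not captured from the thread's hosts).
SAMPLE_CONF='conn SRX
  mark=5/0xfffffff
  vti-interface=vti201'
SAMPLE_IPTUN='vti201: ip/ip remote 102.167.4.2 local 172.31.140.0 key 7'
SAMPLE_SYSCTL='net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.vti201.rp_filter = 1'

check_vti "$SAMPLE_CONF" "$SAMPLE_IPTUN" "$SAMPLE_SYSCTL" vti201
```

On a real host, feed it the actual outputs with `check_vti "$(cat /etc/ipsec.conf)" "$(ip tunnel show)" "$(sysctl -a 2>/dev/null)" vti201`; a loose rp_filter (2) is accepted, only strict (1) is reported.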
