[Swan] VTI issue to SRX unable to send traffic through the interface
Paul Wouters
paul at nohats.ca
Wed Nov 1 08:05:56 UTC 2017
On Tue, 31 Oct 2017, Paul Tran wrote:
> VTI interfaces and ST interface on the srx set to IPs on the 192.168.10.0/24 network
>
> I have users sitting on 10.8.0.0/24 that I am trying to have use this tunnel that are connected off of the CENTOS box.
> Ifconfig
> vti201: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 8981
> inet 192.168.10.2 netmask 255.255.255.0 destination 192.168.10.1
> tunnel txqueuelen 1 (IPIP Tunnel)
> RX packets 0 bytes 0 (0.0 B)
> RX errors 0 dropped 0 overruns 0 frame 0
> TX packets 0 bytes 0 (0.0 B)
> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Can you also show: ip tun
It would need to have a "key" entry matching the mark number in your
config (5)
> ipsec.conf config
> conn SRX
> authby=secret
> #aggressive=no
> #type=tunnel
> left=172.31.140.0
> leftid=34.204.126.142
> right=102.167.4.2
> auto=start
> mark=5/0xfffffff
> keyingtries=%forever
> rightsubnet=0.0.0.0/24
> leftsubnet=10.8.0.0/24
> ike=aes-sha1;modp1536
> phase2=esp
> phase2alg=aes256-sha1;modp1536
> vti-interface=vti201
> vti-routing=yes
> leftvti=192.168.10.2/24
This looks fine.
>
> ip -s xfrm policy
>
> src 10.8.0.0/24 dst 0.0.0.0/24 uid 0
> dir out action allow index 625 priority 2344 ptype main share any flag (0x00000000)
> lifetime config:
> limit: soft (INF)(bytes), hard (INF)(bytes)
> limit: soft (INF)(packets), hard (INF)(packets)
> expire add: soft 0(sec), hard 0(sec)
> expire use: soft 0(sec), hard 0(sec)
> lifetime current:
> 0(bytes), 0(packets)
> add 2017-10-31 12:22:43 use -
> mark 5/0xfffffff
Looks okay too.
So I'm not sure what is going on. It might not be mark related? Check
"ipsec verify" for errors, e.g. rp_filter settings or ip_forwarding
settings?
Paul
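The two checks suggested in this reply (the VTI key must match the conn's mark, and ipsec verify's rp_filter / ip_forward warnings) can be scripted against saved command output. The script below is an added example, not code from this thread or from libreswan; it assumes the "key N" / "ikey N okey M" wording that "ip tunnel show" prints, and the sample texts are constructed from the values posted above (conn SRX, mark=5, vti201).

```shell
#!/usr/bin/env bash
# Added example, not from the list thread or libreswan. Offline checks for:
#   1. the VTI's tunnel key equals the conn's mark (otherwise xfrm will not
#      hand the marked packets to the interface and the counters stay at 0);
#   2. ip_forward is on and rp_filter is off for the VTI (the effective
#      rp_filter is the larger of conf.all and conf.<iface>, so both must be 0).
# The functions parse saved command output, so they run without root or a
# real tunnel. To use them live:
#   conn_mark "$(cat /etc/ipsec.conf)" SRX
#   tunnel_key "$(ip tunnel show)" vti201
#   sysctl_problems "$(sysctl net.ipv4.ip_forward net.ipv4.conf.all.rp_filter net.ipv4.conf.vti201.rp_filter)"

# Mark value of a conn: the part before "/" in its "mark=" line.
conn_mark() {  # $1 = ipsec.conf text, $2 = conn name
  printf '%s\n' "$1" | awk -v conn="$2" '
    $1 == "conn" { in_conn = ($2 == conn); next }
    in_conn && $1 ~ /^mark=/ { sub(/^mark=/, "", $1); sub(/\/.*/, "", $1); print $1; exit }'
}

# Tunnel key of an interface as printed by "ip tunnel show": "key N" when
# ikey and okey agree, "ikey N okey M" when they differ (assumed format).
tunnel_key() {  # $1 = "ip tunnel show" text, $2 = interface name
  printf '%s\n' "$1" | awk -v ifc="$2:" '
    $1 == ifc { for (i = 2; i < NF; i++) if ($i == "key" || $i == "ikey") { print $(i + 1); exit } }'
}

# Succeeds only when the conn mark and the interface key are both present and equal.
vti_key_matches_mark() {  # $1 conf text, $2 conn, $3 "ip tunnel show" text, $4 iface
  _mark=$(conn_mark "$1" "$2")
  _key=$(tunnel_key "$3" "$4")
  [ -n "$_mark" ] && [ "$_mark" = "$_key" ]
}

# Prints every sysctl that would drop forwarded or returning traffic, one
# "key=value" per line: ip_forward must be 1, every listed rp_filter must be 0.
sysctl_problems() {  # $1 = "sysctl key ..." output ("key = value" lines)
  printf '%s\n' "$1" | awk -F' = ' '
    $1 == "net.ipv4.ip_forward" && $2 != 1 { print $1 "=" $2 }
    $1 ~ /rp_filter$/ && $2 != 0 { print $1 "=" $2 }'
}

# Constructed inputs reusing the thread's conn name, mark, peer and interface.
SAMPLE_CONF='conn SRX
  authby=secret
  mark=5/0xfffffff
  vti-interface=vti201
  vti-routing=yes
  leftvti=192.168.10.2/24'
TUNNEL_OK='vti201: ip/ip remote 102.167.4.2 local 172.31.140.0 key 5'
TUNNEL_BAD='vti201: ip/ip remote 102.167.4.2 local 172.31.140.0 ikey 7 okey 8'
SYSCTL_BAD='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.vti201.rp_filter = 0'

if vti_key_matches_mark "$SAMPLE_CONF" SRX "$TUNNEL_OK" vti201; then
  echo "vti201 key matches mark=$(conn_mark "$SAMPLE_CONF" SRX)"
fi
vti_key_matches_mark "$SAMPLE_CONF" SRX "$TUNNEL_BAD" vti201 \
  || echo "vti201 key $(tunnel_key "$TUNNEL_BAD" vti201) != mark: recreate the tunnel or fix mark="
# Each offending sysctl is printed as the command that corrects it.
sysctl_problems "$SYSCTL_BAD" | sed 's/^/fix: sysctl -w /'
```

A key/mark mismatch shows up exactly as in the ifconfig above (RX and TX both 0) even though "ip xfrm policy" looks right, because the policy selects on the mark while the vti device only accepts packets carrying its own key; the sysctl checks cover the case the reply raises when the mark is correct but the box never forwards the 10.8.0.0/24 traffic.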