[Swan] VTI issue to SRX unable to send traffic through the interface

Paul Wouters paul at nohats.ca
Wed Nov 1 14:10:16 UTC 2017


On Wed, 1 Nov 2017, Paul Tran wrote:

> Thanks for looking at things. You mentioned I would need to have a "key" entry matching the mark number in your
> config (5). I am trying to find out how I would define that key entry in the config I am reading the
> https://libreswan.org/man/ipsec.conf.5.html and not sure what I am missing.
> I also looked at other configs that people said they had working but still didn't see what I needed to add.
> 
> The information you asked about is below but I am not seeing anything that points me in a direction.
> 
> 
> IP tunnel
> 
> vti201: ip/ip  remote 102.167.4.2  local 172.31.140.0  ttl inherit  key 5

At the end of the line you see "key 5" which matches your mark=5. So
everything you route into this device will gain that mark value of 5,
and then it would match the ip xfrm policy rule and get encrypted.
(provided the source/dest also falls within that policy)

> Pluto ipsec.conf syntax                                 [OK]
> Two or more interfaces found, checking IP forwarding    [OK]
> Checking rp_filter                                      [ENABLED]
>  /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
>  /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
>  /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
>  /proc/sys/net/ipv4/conf/eth1/rp_filter                 [ENABLED]
>  /proc/sys/net/ipv4/conf/ip_vti0/rp_filter              [ENABLED]
>  /proc/sys/net/ipv4/conf/tun0/rp_filter                 [ENABLED]
>   rp_filter is not fully aware of IPsec and should be disabled

I would try disabling rp_filter because it might be causing your packets
to be dropped.

> I also disabled rp_filter via sysctl.conf for everything temporarily and still nothing.
> 
>  ping 192.168.10.1
> PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
> From 192.168.10.2 icmp_seq=1 Destination Host Unreachable
> From 192.168.10.2 icmp_seq=2 Destination Host Unreachable
> 
> Route table shows
> 192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 vti201
> 192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 vti201
> 
> vti201: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 8981
>         inet 192.168.10.2  netmask 255.255.255.0  destination 192.168.10.2
>         tunnel   txqueuelen 1  (IPIP Tunnel)
>         RX packets 0  bytes 0 (0.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 0  bytes 0 (0.0 B)
>         TX errors 19  dropped 0 overruns 0  carrier 19  collisions 0

It shows TX errors, so it seemed to have gotten dropped. Check out:

cat /proc/net/xfrm_stat

Paul
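A small diagnostic, added here as an example and not part of the thread, that applies the two checks above: the VTI `key` must equal the conn's `mark=` value, and /proc/net/xfrm_stat is scanned for counters that are not zero. The tunnel line is the one quoted above; the xfrm_stat contents are a constructed sample, not the poster's real output.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Inputs are passed as
# strings so the same checks run against captured output or the live system.

# Print the "key N" value from an "ip tunnel show" line; empty if none.
vti_key() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]key[[:space:]]\([0-9][0-9]*\).*/\1/p'
}

# Succeed (exit 0) only if the tunnel key equals the conn's mark value.
# mark= may be written "5" or "5/0xffffffff"; only the part before "/" is the mark.
key_matches_mark() {
    tunnel_line=$1
    mark=$2
    key=$(vti_key "$tunnel_line")
    mark_val=${mark%%/*}
    [ -n "$key" ] && [ "$key" -eq "$mark_val" ]
}

# Print "Name value" for every non-zero counter in xfrm_stat text on stdin.
# On a live box: nonzero_xfrm_counters < /proc/net/xfrm_stat
# A counter that rises while pinging shows where the xfrm layer dropped the packet.
nonzero_xfrm_counters() {
    awk '$2 != 0 { print $1, $2 }'
}

# Tunnel line as quoted in the thread.
TUNNEL_LINE='vti201: ip/ip  remote 102.167.4.2  local 172.31.140.0  ttl inherit  key 5'

# Constructed xfrm_stat sample (not the poster's output).
XFRM_STAT='XfrmInError                     0
XfrmInBufferError               0
XfrmOutNoStates                 19
XfrmOutPolBlock                 0
XfrmOutPolError                 0'

main() {
    if key_matches_mark "$TUNNEL_LINE" 5; then
        echo "vti key matches mark=5"
    else
        echo "vti key does not match mark; traffic routed into the VTI will not hit the xfrm policy"
    fi
    echo "non-zero xfrm counters:"
    printf '%s\n' "$XFRM_STAT" | nonzero_xfrm_counters
}

main
```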
