[Swan] VTI issue to SRX unable to send traffic through the interface
Paul Wouters
paul at nohats.ca
Wed Nov 1 14:10:16 UTC 2017
On Wed, 1 Nov 2017, Paul Tran wrote:
> Thanks for looking at things. You mentioned I would need to have a "key" entry matching the mark number in your
> config (5). I am trying to find out how I would define that key entry in the config I am reading the
> https://libreswan.org/man/ipsec.conf.5.html and not sure what I am missing.
> I also looked at other configs that people said they had working but still didn't see what I needed to add.
>
> The information you asked about is below but I am not seeing anything that points me in a direction.
>
>
> IP tunnel
>
> vti201: ip/ip remote 102.167.4.2 local 172.31.140.0 ttl inherit key 5
At the end of the line you see "key 5" which matches your mark=5. So
everything you route into this device will gain that mark value of 5,
and then it would match the ip xfrm policy rule and get encrypted.
(provided the source/dest also falls within that policy)
> Pluto ipsec.conf syntax [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/eth1/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/tun0/rp_filter [ENABLED]
> rp_filter is not fully aware of IPsec and should be disabled
I would try disabling rp_filter because it might be causing your packets
to be dropped.
> I also disabled rf_filter via sysctl.conf for everything temporarily and still nothing.
>
> ping 192.168.10.1
> PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
> From 192.168.10.2 icmp_seq=1 Destination Host Unreachable
> From 192.168.10.2 icmp_seq=2 Destination Host Unreachable
>
> Route table shows
> 192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 vti201
> 192.168.50.0 0.0.0.0 255.255.255.0 U 0 0 0 vti201
>
> vti201: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 8981
> inet 192.168.10.2 netmask 255.255.255.0 destination 192.168.10.2
> tunnel txqueuelen 1 (IPIP Tunnel)
> RX packets 0 bytes 0 (0.0 B)
> RX errors 0 dropped 0 overruns 0 frame 0
> TX packets 0 bytes 0 (0.0 B)
> TX errors 19 dropped 0 overruns 0 carrier 19 collisions 0
It shows TX errors, so it seemed to have gotten dropped. Check out:
cat /proc/net/xfrm_stat
Paul
More information about the Swan
mailing list