[Swan] Host-to-host tunnel and VTI

Erik Andersson erik at ingate.com
Mon Mar 5 17:34:17 UTC 2018


Hi,

I'm running Fedora 26 with libreswan 3.23 and trying to set up a host-to-host tunnel using the VTI functionality.

Host A 10.48.28.81

ipsec.conf

config setup
	logfile=/var/log/pluto.log

conn myvpn
	left=10.48.28.81
	right=10.48.28.82
	authby=secret
	auto=start
	mark=5/0xffffffff
	vti-interface=ipsec0
	vti-routing=yes

Host B 10.48.28.82

ipsec.conf

config setup
	logfile=/var/log/pluto.log

conn myvpn
	left=10.48.28.82
	right=10.48.28.81
	authby=secret
	auto=start
	mark=5/0xffffffff
	vti-interface=ipsec0
	vti-routing=yes

The routes to the ipsec0 interfaces are created:

On A:

# ip -4 r show table unspec | grep ipsec
10.48.28.82 dev ipsec0 scope link

On B:

# ip -4 r show table unspec | grep ipsec
10.48.28.81 dev ipsec0 scope link

On both endpoints I see the following message in pluto.log:

Mar  5 18:07:08.024994: initiate on demand from 10.48.28.81:500 to 10.48.28.82:500 proto=17 because: acquire

and

Mar  5 17:54:10.820913: initiate on demand from 10.48.28.82:500 to 10.48.28.81:500 proto=17 because: acquire

The end of the ipsec status command output yields:

On A:

000 Bare Shunt list:
000
000 10.48.28.81/32:500 -17-> 10.48.28.82/32:500 => %hold 0 %acquire-netlink

On B:

000 Bare Shunt list:
000
000 10.48.28.82/32:500 -17-> 10.48.28.81/32:500 => %hold 0 %acquire-netlink

Kernel state on A:

# ip -s x s
src 10.48.28.81 dst 10.48.28.82
	proto esp spi 0x00000000(0) reqid 0(0x00000000) mode transport
	replay-window 0 seq 0x00000003 flag  (0x00000000)
	mark 0x5/0xffffffff
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
	sel src 10.48.28.81/32 dst 10.48.28.82/32 proto udp sport 500 dport 500 dev ipsec0 uid 0
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 300(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2018-03-05 18:17:48 use -
	stats:
	  replay-window 0 replay 0 failed 0

Kernel state on B:

# ip -s x s
src 10.48.28.82 dst 10.48.28.81
	proto esp spi 0x00000000(0) reqid 0(0x00000000) mode transport
	replay-window 0 seq 0x00000005 flag  (0x00000000)
	mark 0x5/0xffffffff
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
	sel src 10.48.28.82/32 dst 10.48.28.81/32 proto udp sport 500 dport 500 dev ipsec0 uid 0
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 300(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2018-03-05 18:15:32 use -
	stats:
	  replay-window 0 replay 0 failed

Kernel policy on A:

# ip -s x p
src 10.48.28.81/32 dst 10.48.28.82/32 uid 0
	dir out action allow index 161 priority 2080 ptype main share any flag (0x00000000)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2018-03-05 18:07:07 use -
	mark 0x5/0xffffffff
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp spi 0x00000000(0) reqid 0(0x00000000) mode transport
		level required share any
		enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

Kernel policy on B:

# ip -s x p
src 10.48.28.82/32 dst 10.48.28.81/32 uid 0
	dir out action allow index 161 priority 2080 ptype main share any flag (0x00000000)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2018-03-05 17:54:10 use -
	mark 0x5/0xffffffff
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp spi 0x00000000(0) reqid 0(0x00000000) mode transport
		level required share any
		enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff


Is this setup/configuration even possible? Maybe I'm missing some 
fundamentals here :)

I've successfully got VTI to work with a subnet-to-subnet configuration 
(left/rightsubnet).

Any suggestions much appreciated.

Thanks,

Erik
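The kernel state posted above is itself the most telling evidence: both hosts show a larval SA (spi 0x00000000) whose selector is `proto udp sport 500 dport 500 dev ipsec0`, and pluto logs an on-demand initiate for proto=17 port 500 to port 500. Read together, that pattern means the IKE packets themselves are being routed into the VTI (the `<peer> dev ipsec0 scope link` route that vti-routing=yes installs covers the peer address as a whole, IKE included), so the VTI raises an acquire for the very traffic that would negotiate the SA. The script below is an added diagnostic example, not code from the thread or from libreswan: it parses `ip -s x s` output and flags larval SAs triggered by IKE (UDP 500, and 4500 for NAT-T) on a given VTI device. The first sample is host A's output copied from the post; the second sample (an established tunnel-mode SA with a non-zero SPI) is constructed to show what is not flagged. The interpretation of the pattern is mine, not a statement from the thread.

```python
"""Flag larval xfrm SAs that were raised by IKE traffic entering a VTI.

Added diagnostic example for reading `ip -s x s` output; not part of the
original mailing-list post or of libreswan.
"""
import re

IKE_PORTS = {"500", "4500"}  # IKE and IKE-over-NAT-T (UDP encapsulation)

# Sample 1: host A's kernel state as posted in the thread (wrapped line rejoined).
SAMPLE_XFRM_STATE_HOST_A = """\
src 10.48.28.81 dst 10.48.28.82
\tproto esp spi 0x00000000(0) reqid 0(0x00000000) mode transport
\treplay-window 0 seq 0x00000003 flag  (0x00000000)
\tmark 0x5/0xffffffff
\tanti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
\tsel src 10.48.28.81/32 dst 10.48.28.82/32 proto udp sport 500 dport 500 dev ipsec0 uid 0
\tlifetime config:
\t  limit: soft (INF)(bytes), hard (INF)(bytes)
\t  limit: soft (INF)(packets), hard (INF)(packets)
\t  expire add: soft 0(sec), hard 300(sec)
\t  expire use: soft 0(sec), hard 0(sec)
\tlifetime current:
\t  0(bytes), 0(packets)
\t  add 2018-03-05 18:17:48 use -
\tstats:
\t  replay-window 0 replay 0 failed 0
"""

# Sample 2: constructed output for a healthy, established tunnel-mode SA
# (non-zero SPI, selector without IKE ports). The SPI value is made up.
SAMPLE_XFRM_STATE_ESTABLISHED = """\
src 10.48.28.81 dst 10.48.28.82
\tproto esp spi 0x0a1b2c3d(169159741) reqid 16389(0x00004005) mode tunnel
\treplay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
\tmark 0x5/0xffffffff
\tsel src 0.0.0.0/0 dst 0.0.0.0/0
"""

_STATE_RE = re.compile(r"^src (\S+) dst (\S+)")
_PROTO_RE = re.compile(
    r"proto (\S+) spi 0x([0-9a-fA-F]+)\(\d+\) reqid \d+\(0x[0-9a-fA-F]+\) mode (\S+)"
)


def parse_xfrm_states(text):
    """Parse `ip -s x s` output into a list of dicts (src, dst, proto, spi, mode, sel)."""
    states = []
    current = None
    for line in text.splitlines():
        header = _STATE_RE.match(line)
        if header:  # un-indented line: start of a new SA
            current = {"src": header.group(1), "dst": header.group(2),
                       "proto": None, "spi": None, "mode": None, "sel": {}}
            states.append(current)
            continue
        if current is None:
            continue
        body = line.strip()
        proto = _PROTO_RE.match(body)
        if proto:
            current["proto"] = proto.group(1)
            current["spi"] = int(proto.group(2), 16)
            current["mode"] = proto.group(3)
        elif body.startswith("sel "):
            # "sel src X dst Y proto udp sport 500 dport 500 dev ipsec0 uid 0"
            toks = body.split()[1:]
            current["sel"] = dict(zip(toks[0::2], toks[1::2]))
    return states


def ike_acquire_states(states, vti_dev=None):
    """Return larval SAs (spi 0) whose selector is IKE itself, optionally on one VTI."""
    hits = []
    for st in states:
        sel = st["sel"]
        if st["spi"] != 0:
            continue  # established SA, not an acquire
        if sel.get("proto") != "udp":
            continue
        if sel.get("sport") not in IKE_PORTS or sel.get("dport") not in IKE_PORTS:
            continue
        if vti_dev is not None and sel.get("dev") != vti_dev:
            continue
        hits.append(st)
    return hits


def diagnose(text, vti_dev="ipsec0"):
    """Human-readable findings for the given `ip -s x s` output."""
    findings = []
    for st in ike_acquire_states(parse_xfrm_states(text), vti_dev):
        findings.append(
            f"IKE {st['src']}:{st['sel']['sport']} -> {st['dst']}:{st['sel']['dport']} "
            f"entered {vti_dev} and raised an acquire (larval SA, spi 0); "
            f"the route to the peer via {vti_dev} is capturing the IKE traffic itself"
        )
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_XFRM_STATE_HOST_A) or ["no IKE-triggered acquires found"]:
        print(line)
```

Run it against `ip -s x s` output captured on each host (for example `ip -s x s | python3 vti_acquire_check.py` after replacing the sample with `sys.stdin.read()`). A non-empty finding on both ends is consistent with what the thread shows: the host-to-host selector plus the VTI route sends IKE into the tunnel, which is why the subnet-to-subnet variant (where the peer address is outside the tunnelled selector) works while this one stalls in `%hold %acquire-netlink`.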

