[Swan] Tunnel between Cisco 881 (vrf VTI) & Libreswan

Adam Tauno Williams awilliam at whitemice.org
Fri Apr 20 18:06:17 UTC 2018 

I am attempting to configure a VPN tunnel between a Libreswan host
(3.20-5, CentOS7) and a Cisco 881 router.   I want to create a VTI
interface on the CentOS7 host corresponding to a Tunnel interface on
the Cisco router [we have some relatively complicated routing].

I have been able to peer the Cisco router and the Libreswan host in a
straight-up assocation but when I attempt to change this over the a
vrf-VTI configuration I am getting stuck.


 -- from the Cisco router, which is the branch office side -- 
*Apr 20 17:56:20.730: ISAKMP:(0): beginning Main Mode exchange
*Apr 20 17:56:20.730: ISAKMP:(0): sending packet to A.B.C.D my_port 500
peer_port 500 (I) MM_NO_STATE
*Apr 20 17:56:20.730: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 20 17:56:20.730: ISAKMP:(0):purging SA., sa=85431158,
delme=85431158
*Apr 20 17:56:30.730: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Apr 20 17:56:30.730: ISAKMP (0:0): incrementing error counter on sa,
attempt 1 of 5: retransmit phase 1
*Apr 20 17:56:30.730: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Apr 20 17:56:30.730: ISAKMP:(0): sending packet to A.B.C.D my_port 500
peer_port 500 (I) MM_NO_STATE
*Apr 20 17:56:30.730: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 20 17:56:40.730: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Apr 20 17:56:40.730: ISAKMP (0:0): incrementing error counter on sa,
attempt 2 of 5: retransmit phase 1
*Apr 20 17:56:40.730: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Apr 20 17:56:40.730: ISAKMP:(0): sending packet to A.B.C.D my_port 500
peer_port 500 (I) MM_NO_STATE
*Apr 20 17:56:40.730: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 20 17:56:50.726: IPSEC(key_engine): request timer fired: count =
1,
  (identity) local= X.Y.W.X, remote= A.B.C.D, 
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Apr 20 17:56:50.726: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= X.Y.W.X, remote= A.B.C.D, 
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Apr 20 17:56:50.726: ISAKMP: set new node 0 to QM_IDLE      
*Apr 20 17:56:50.726: ISAKMP:(0):SA is still budding. Attached new
ipsec request to it. (local X.Y.W.X, remote A.B.C.D)
*Apr 20 17:56:50.726: ISAKMP: Error while processing SA request: Failed
to initialize SA


-- Libreswan
conn mhhs-vti
        mark=10/0xffffff
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        left=A.B.C.D            #strongswan outside address
        leftid=A.B.C.D          #IKEID sent by strongswan
        right=X.Y.W.Z         #IOS outside address
        rightid=X.Y.W.Z       #IKEID sent by IOS
        auto=add
        vti-interface=vti01
        vti-routing=no
        #type=tunnel
        #leftvti=172.16.4.5/24

-- Cisco Router
crypto keyring branchoffice-keyring 
  pre-shared-key address A.B.C.D key CiscoCiscoCiscoCiscoCisco
!
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
crypto isakmp profile branchoffice-ike
   keyring branchoffice-keyring
   match identity address A.B.C.D 255.255.255.255 RED
   isakmp authorization list default
   local-address FastEthernet4
!
crypto ipsec transform-set branchoffice-set esp-aes esp-sha-hmac 
!
crypto ipsec profile branchoffice-profile
 set transform-set branchoffice-set 
 set isakmp-profile branchoffice-ike
!
interface Tunnel0
 ip vrf forwarding GREEN
 ip address 172.16.4.4 255.255.255.0
 tunnel source FastEthernet4
 tunnel destination A.B.C.D
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile branchoffice-profile
!
interface FastEthernet4
 description internet WAN link
 ip address X.Y.W.Z 255.255.255.224
 duplex auto
 speed auto
!
interface Vlan1
 description cust1 private VRF
 ip vrf forwarding GREEN
 ip address 192.168.42.19 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 X.Y.W.V
ip route vrf GREEN 0.0.0.0 0.0.0.0 172.16.4.5

-- 
Meetings Coordinator, Michigan Association of Railroad Passengers
537 Shirley St NE Grand Rapids, MI 49503-1754 Phone: 616.581.8010
E-mail: awilliam at whitemice.org GPG#D95ED383 Web: http://www.marp.org

More information about the Swan mailing list