[Swan] vxlan support

antonio asilva at wirelessmundi.com
Sat May 12 15:10:33 UTC 2018 

Hi,

Thanks Paul, this work defined but i think i found a issue, the 
left/right protocol are not respected... and so the tunnels are partial 
up and i cannot send vxlan traffic through the vpn.


My current conf is (boxA and boxB - reverted left/right params):

conn ipsec9convxlanout
         also=ipsec9convxlan
         leftprotoport=17/0
         rightprotoport=17/4789
         auto=start

conn ipsec9convxlanin
         also=ipsec9convxlan
         leftprotoport=17/4789
         rightprotoport=17/0
         auto=start

conn ipsec9convxlan
         type=transport
         leftrsasigkey=%cert
         leftcert=LabVxLANandDemoVxLAN
         rightrsasigkey=%cert
         leftid=@LabVxLAN
         left=192.168.1.108
         right=20.20.10.4
         rightid=@DemoVxLAN
         dpddelay=30
         dpdtimeout=60
         dpdaction=restart


My left side is behind NAT and i cannot force port 500 or 4500 to 
libreswan box, so i end up with partial tunnels up.

left both conns are up:

ipsec whack --trafficstatus
006 #3: "ipsec1convxlanin", type=ESP, add_time=1526136419, inBytes=0, 
outBytes=0, id='@LabVxLAN'
006 #2: "ipsec1convxlanout", type=ESP, add_time=1526136418, inBytes=0, 
outBytes=0, id='@LabVxLAN'


right side is wrong:
ipsec whack --trafficstatus
006 #6: "ipsec9convxlanin", type=ESP, add_time=1526136418, inBytes=0, 
outBytes=0, id='@DemoVxLAN'
006 #7: "ipsec9convxlanin", type=ESP, add_time=0, inBytes=0, outBytes=0, 
id='@DemoVxLAN'

/Expected:ipsec whack --trafficstatus
006 #6: "ipsec9convxlanin", type=ESP, add_time=1526136418, inBytes=0, 
outBytes=0, id='@DemoVxLAN'
006 #7: "ipsec9convxlanout", type=ESP, add_time=//1526136418, inBytes=0, 
outBytes=0, id='@DemoVxLAN'/


When connecting the ipsec1convxlanout from left side it detects the 
connection as ipsec9convxlanin....

If i can "dial out" from the right to the left side (removing the nat 
issue), all is ok.


Can i do this with my current configuration? Or i should defined two 
different connections (different ids)?



On 01/25/2018 03:39 PM, Paul Wouters wrote:
> On Tue, 23 Jan 2018, António Silva wrote:
>
>> I try to set the leftprotoport / rightprotoport=udp/4789 , i can ping 
>> the ip on boxB going trough the vxlan but the traffic is not encrypted..
>
> Well yes, ping does not use udp port 4789 :)
>
>> Sowmini, you suggest using two tunnels, how should they be?
>
>> conn boxA
> [...]
>>     leftprotoport=udp/4789
>>     rightprotoport=udp/4789
>
> I think you want:
>
> conn boxA-out
>     [...]
>     leftprotoport=udp
>     rightprotoport=udp/4789
>
> conn boxA-in
>     [...]
>     leftprotoport=udp/4789
>     rightprotoport=udp
>
> That covers two flows, any ephemeral port to remote udp 4789
> and any ephemeral port from remote to local udp 4789
>
> Paul

-- 
Saludos / Regards / Cumprimentos
Anónio Silva

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20180512/8cebe9d5/attachment.html>

More information about the Swan mailing list