[Swan] vxlan support
antonio
asilva at wirelessmundi.com
Sat May 12 15:10:33 UTC 2018
Hi,
Thanks Paul, this works as defined, but I think I found an issue: the
left/right protocols are not respected... and so the tunnels are partially
up and I cannot send VXLAN traffic through the VPN.
My current conf is (boxA and boxB, with the left/right params reversed):
conn ipsec9convxlanout
    also=ipsec9convxlan
    leftprotoport=17/0
    rightprotoport=17/4789
    auto=start

conn ipsec9convxlanin
    also=ipsec9convxlan
    leftprotoport=17/4789
    rightprotoport=17/0
    auto=start

conn ipsec9convxlan
    type=transport
    leftrsasigkey=%cert
    leftcert=LabVxLANandDemoVxLAN
    rightrsasigkey=%cert
    leftid=@LabVxLAN
    left=192.168.1.108
    right=20.20.10.4
    rightid=@DemoVxLAN
    dpddelay=30
    dpdtimeout=60
    dpdaction=restart
My left side is behind NAT and I cannot force port 500 or 4500 to the
libreswan box, so I end up with partially-up tunnels.
Left side, both conns are up:
ipsec whack --trafficstatus
006 #3: "ipsec1convxlanin", type=ESP, add_time=1526136419, inBytes=0, outBytes=0, id='@LabVxLAN'
006 #2: "ipsec1convxlanout", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@LabVxLAN'
Right side is wrong:
ipsec whack --trafficstatus
006 #6: "ipsec9convxlanin", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@DemoVxLAN'
006 #7: "ipsec9convxlanin", type=ESP, add_time=0, inBytes=0, outBytes=0, id='@DemoVxLAN'
Expected:
ipsec whack --trafficstatus
006 #6: "ipsec9convxlanin", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@DemoVxLAN'
006 #7: "ipsec9convxlanout", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@DemoVxLAN'
When connecting ipsec1convxlanout from the left side, it detects the
connection as ipsec9convxlanin...
If I can "dial out" from the right to the left side (removing the NAT
issue), all is OK.
Can I do this with my current configuration? Or should I define two
different connections (different ids)?
On 01/25/2018 03:39 PM, Paul Wouters wrote:
> On Tue, 23 Jan 2018, António Silva wrote:
>
>> I tried to set leftprotoport / rightprotoport=udp/4789; I can ping
>> the IP on boxB going through the VXLAN but the traffic is not encrypted..
>
> Well yes, ping does not use udp port 4789 :)
>
>> Sowmini, you suggest using two tunnels, how should they be?
>
>> conn boxA
> [...]
>> leftprotoport=udp/4789
>> rightprotoport=udp/4789
>
> I think you want:
>
> conn boxA-out
>     [...]
>     leftprotoport=udp
>     rightprotoport=udp/4789
>
> conn boxA-in
>     [...]
>     leftprotoport=udp/4789
>     rightprotoport=udp
>
> That covers two flows, any ephemeral port to remote udp 4789
> and any ephemeral port from remote to local udp 4789
>
> Paul
--
Saludos / Regards / Cumprimentos
António Silva
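The checks a reader of this thread would want to run before and after bringing the two conns up, as an added example that is not part of the original post or of libreswan: a small parser for the `conn` / `key=value` / `also=` subset of ipsec.conf used above, a check that an out/in conn pair really covers the two UDP/4789 flows Paul describes, a check that the peer's copy of each conn has every left*/right* key swapped, and a scan of `ipsec whack --trafficstatus` output for the symptom shown above (one conn name with two SAs, one of them with add_time=0, and the other conn missing). Assumptions: BOX_A_CONF is the posted conf trimmed to the keys the checks use, BOX_B_CONF is a constructed mirror of it, the status regex is built only from the output format shown in the thread, and a key set directly in a conn is taken to win over the same key pulled in through `also=`.

```python
"""Added example, not code from the thread or from libreswan: sanity checks
for the two-conn VXLAN-over-IPsec transport setup discussed above."""
import re

# Conns as posted for the NATed box (left = LabVxLAN), trimmed to the keys
# the checks below look at.
BOX_A_CONF = """
conn ipsec9convxlanout
    also=ipsec9convxlan
    leftprotoport=17/0
    rightprotoport=17/4789
conn ipsec9convxlanin
    also=ipsec9convxlan
    leftprotoport=17/4789
    rightprotoport=17/0
conn ipsec9convxlan
    type=transport
    leftid=@LabVxLAN
    left=192.168.1.108
    right=20.20.10.4
    rightid=@DemoVxLAN
"""
# Constructed copy for the peer: same conn names, every left*/right* key swapped.
BOX_B_CONF = BOX_A_CONF.replace("left", "LEFT").replace("right", "left").replace("LEFT", "right")
# Output as reported for the non-NATed box, one record per line.
RIGHT_STATUS = """
006 #6: "ipsec9convxlanin", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@DemoVxLAN'
006 #7: "ipsec9convxlanin", type=ESP, add_time=0, inBytes=0, outBytes=0, id='@DemoVxLAN'
"""


def parse_ipsec_conf(text):
    """Return {conn: {key: value}} for the `conn NAME` / `key=value` subset of
    ipsec.conf, with also= sections merged in.  Assumption: a key set directly
    in a conn wins over the same key pulled in through also=."""
    raw, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = raw.setdefault(line[5:].strip(), [])
        elif current is not None and "=" in line:
            current.append(tuple(s.strip() for s in line.split("=", 1)))

    def resolve(name, seen=()):
        if name in seen:
            raise ValueError(f"also= loop through {name}")
        merged = {}
        for k, v in raw[name]:
            if k == "also":
                for ik, iv in resolve(v, seen + (name,)).items():
                    merged.setdefault(ik, iv)
            else:
                merged[k] = v
        return merged

    return {name: resolve(name) for name in raw}


def protoport(value):
    """Normalise 'udp', 'udp/4789', '17/0' to (proto_number, port); a missing
    port means any port, which libreswan writes as 0."""
    proto, _, port = value.partition("/")
    return {"udp": "17", "tcp": "6"}.get(proto.lower(), proto), port or "0"


def check_direction_pair(conns, out_name, in_name, port="4789"):
    """Problems with a conn pair meant to cover both flows of one UDP service:
    out = local any port -> remote `port`, in = remote any port -> local `port`."""
    want = {out_name: (("17", "0"), ("17", port)), in_name: (("17", port), ("17", "0"))}
    problems = []
    for name, expected in want.items():
        c = conns[name]
        got = protoport(c.get("leftprotoport", "")), protoport(c.get("rightprotoport", ""))
        if got != expected:
            problems.append(f"{name}: protoport {got}, expected {expected}")
    return problems


def check_peer_mirror(local, remote, name):
    """Every key of conn `name` on the peer must be ours with left/right swapped."""
    swap = lambda k: re.sub(r"^(left|right)", lambda m: "right" if m[1] == "left" else "left", k)
    return [f"{name}: {k}={v} not mirrored as {swap(k)} on the peer"
            for k, v in local[name].items() if remote.get(name, {}).get(swap(k)) != v]


# Record format taken from the whack output quoted in the thread.
STATUS_RE = re.compile(r'^\s*006 #(\d+): "([^"]+)", type=\w+, add_time=(\d+),', re.M)


def find_trafficstatus_anomalies(output, expected):
    """Flag `ipsec whack --trafficstatus` records that do not match the plan: an SA
    with add_time=0 (never completed), one conn name established twice (the thread's
    symptom: the peer's second flow was matched to the same conn), or a missing conn."""
    seen, problems = {}, []
    for m in STATUS_RE.finditer(output):
        num, name, add_time = m.groups()
        if add_time == "0":
            problems.append(f"#{num} {name}: add_time=0, SA never completed")
        seen.setdefault(name, []).append(num)
    problems += [f"{n}: {len(v)} SAs {v}, expected 1" for n, v in seen.items() if len(v) > 1]
    problems += [f"{n}: no established SA" for n in expected if n not in seen]
    return problems
```

Run against the posted status output, `find_trafficstatus_anomalies` reports exactly the three things visible above: SA #7 with add_time=0, two SAs under "ipsec9convxlanin", and no SA for "ipsec9convxlanout". Because boxB's conf is a full left/right swap, its conn named "...out" is, from boxB's point of view, the inbound flow, so `check_direction_pair` is called on boxB with the two names exchanged.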