[Swan] vxlan support

antonio asilva at wirelessmundi.com
Mon May 14 12:56:54 UTC 2018


Hi Paul,

Attached is the full log from boxB when the remote endpoint (boxA) connects. 
I have a dynamic IP on boxA, so I changed the conf to %any in the right 
parameter.

Also, from boxB to boxA I cannot start the connection because of a 
firewall/NAT issue.


From the log I see:

When the remote is dialing convxlanout:

May 14 13:29:44.205380: | peer client is 10.136.31.107
May 14 13:29:44.205421: | peer client protocol/port is 17/0
May 14 13:29:44.205441: | our client is 90.175.130.18
May 14 13:29:44.205464: | our client protocol/port is 17/4789
May 14 13:29:44.205490: "ipsec9convxlanin"[1] 84.79.21.145 #1: the peer proposed: 90.175.130.18/32:17/4789 -> 10.136.31.107/32:17/0


When the remote is dialing convxlanin:

May 14 13:29:44.217021: | peer client is 10.136.31.107
May 14 13:29:44.217041: | peer client protocol/port is 17/4789
May 14 13:29:44.217060: | our client is 90.175.130.18
May 14 13:29:44.217080: | our client protocol/port is 17/0
May 14 13:29:44.217104: "ipsec9convxlanin"[1] 84.79.21.145 #1: the peer proposed: 90.175.130.18/32:17/4789 -> 10.136.31.107/32:17/0

Here it should print:

May 14 13:29:44.217104: "ipsec9convxlanin"[1] 84.79.21.145 #1: the peer proposed: 90.175.130.18/32:17/*0* -> 10.136.31.107/32:17/*4789*



As for the counters at 0, that's another issue... but I think it is related 
to the fact that I'm not able to establish convxlanout on boxB.

Although I see the policy rules:

src 10.136.31.107/32 dst 90.175.130.18/32 proto udp dport 4789
     dir out priority 2016 ptype main
     tmpl src 0.0.0.0 dst 0.0.0.0
         proto esp reqid 16393 mode transport


and the traffic is well generated:

14:05:42.664684 Out fa:16:31:3b:f6:45 ethertype IPv4 (0x0800), length 112: (tos 0x0, ttl 64, id 64205, offset 0, flags [none], proto UDP (17), length 96)
     10.136.31.107.40204 > 90.175.130.18.4789: VXLAN, flags [I] (0x08), vni 20


No traffic is encrypted.



On 05/13/2018 01:16 AM, Paul Wouters wrote:
> On Sat, 12 May 2018, antonio wrote:
>
>> Thanks Paul, this works as defined but I think I found an issue: the 
>> left/right protocols are not respected... and
>> so the tunnels are partially up and I cannot send VXLAN traffic through 
>> the VPN.
>>
>> My current conf is (boxA and boxB - reverted left/right params):
>>
>> conn ipsec9convxlanout
>>         also=ipsec9convxlan
>>         leftprotoport=17/0
>>         rightprotoport=17/4789
>>         auto=start
>>
>> conn ipsec9convxlanin
>>         also=ipsec9convxlan
>>         leftprotoport=17/4789
>>         rightprotoport=17/0
>>         auto=start
>>
>> conn ipsec9convxlan
>>         type=transport
>>         leftrsasigkey=%cert
>>         leftcert=LabVxLANandDemoVxLAN
>>         rightrsasigkey=%cert
>>         leftid=@LabVxLAN
>>         left=192.168.1.108
>>         right=20.20.10.4
>>         rightid=@DemoVxLAN
>>         dpddelay=30
>>         dpdtimeout=60
>>         dpdaction=restart
>
> That should work.
>
>>
>> My left side is behind NAT and I cannot force port 500 or 4500 to the 
>> libreswan box, so I end up with partial
>> tunnels up.
>
> The NAT should not matter as long as one end is not behind NAT (or
> behind a port forward)
>
>> left: both conns are up:
>>
>> ipsec whack --trafficstatus
>> 006 #3: "ipsec1convxlanin", type=ESP, add_time=1526136419, inBytes=0, outBytes=0, id='@LabVxLAN'
>> 006 #2: "ipsec1convxlanout", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@LabVxLAN'
>
> Although no traffic has ever matched these tunnels as the byte counters
> are all zero.
>
>>
>> right side is wrong:
>> ipsec whack --trafficstatus
>> 006 #6: "ipsec9convxlanin", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@DemoVxLAN'
>> 006 #7: "ipsec9convxlanin", type=ESP, add_time=0, inBytes=0, outBytes=0, id='@DemoVxLAN'
>
> That's odd. You should check the logs to see what happened. It looks like one
> might have replaced the other.
>
>> When connecting ipsec1convxlanout from the left side it detects the 
>> connection as ipsec9convxlanin....
>
> During the IKE negotiation, pluto cannot yet tell which of the two will
> match. It is perfectly normal for it to "switch" from one conn to the
> other once it learns the phase2/ipsec selectors.
>
>> Can I do this with my current configuration? Or should I define two 
>> different connections (different ids)?
>
> You can do that but it should not be needed.
>
> Paul

-- 
Saludos / Regards / Cumprimentos
António Silva

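As an added illustration (not code from this thread or from libreswan), the check below takes the two conns from the quoted ipsec.conf as seen from boxB (assumption: left is the local box, so the protoports are the mirror of boxA's file) and walks constructed pluto debug lines modelled on the ones quoted above. It reports which conn each proposed selector pair actually matches, which is the "switch" Paul describes, and whether the "the peer proposed" line agrees with the per-side debug lines logged just before it, which is the discrepancy reported in this mail.

```python
import re

# Constructed sample, modelled on the boxB debug lines quoted in this thread
# (the wrapped "the peer proposed" lines are joined onto one line each).
SAMPLE_LOG = """\
May 14 13:29:44.205421: | peer client protocol/port is 17/0
May 14 13:29:44.205464: | our client protocol/port is 17/4789
May 14 13:29:44.205490: "ipsec9convxlanin"[1] 84.79.21.145 #1: the peer proposed: 90.175.130.18/32:17/4789 -> 10.136.31.107/32:17/0
May 14 13:29:44.217041: | peer client protocol/port is 17/4789
May 14 13:29:44.217080: | our client protocol/port is 17/0
May 14 13:29:44.217104: "ipsec9convxlanin"[1] 84.79.21.145 #1: the peer proposed: 90.175.130.18/32:17/4789 -> 10.136.31.107/32:17/0
"""

# Assumption: boxB's conf has left = boxB, so these are (leftprotoport,
# rightprotoport) as the local box sees them. Only proto/port is compared,
# because the client addresses differ from the conf once NAT and %any apply.
CONNS = {
    "ipsec9convxlanout": ("17/0", "17/4789"),
    "ipsec9convxlanin": ("17/4789", "17/0"),
}

PROPOSED = re.compile(r'"(?P<conn>[^"]+)".*the peer proposed: '
                      r'\S+:(?P<ours>\d+/\d+) -> \S+:(?P<theirs>\d+/\d+)')
CLIENT = re.compile(r'\| (?P<side>peer|our) client protocol/port is (?P<pp>\d+/\d+)')

def match_conn(ours, theirs):
    """Names of conns whose (left, right) protoports equal the proposed
    (our, peer) selectors; pluto may switch to one of these after IKE."""
    return [n for n, (l, r) in CONNS.items() if (l, r) == (ours, theirs)]

def audit(log):
    """For each 'the peer proposed' line: the conn pluto logged it under, the
    conn(s) the selectors really match, and whether the line agrees with the
    'our client'/'peer client' debug lines that preceded it."""
    results, seen = [], {}
    for line in log.splitlines():
        m = CLIENT.search(line)
        if m:
            seen[m["side"]] = m["pp"]
            continue
        m = PROPOSED.search(line)
        if m:
            ours, theirs = m["ours"], m["theirs"]
            consistent = seen.get("our") == ours and seen.get("peer") == theirs
            results.append({"logged_conn": m["conn"],
                            "matches": match_conn(ours, theirs),
                            "consistent_with_debug": consistent})
            seen = {}
    return results
```

Run over the sample, the second negotiation is flagged as inconsistent: the debug lines say ours=17/0, peer=17/4789 (convxlanout's mirror, i.e. the responder side of convxlanin on boxA), but the proposed line repeats the first negotiation's selectors.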