[Swan] Cisco IOS XE Interoperability with Libreswan

Paul Wouters paul at nohats.ca
Sun Aug 19 00:05:08 UTC 2018


On Sat, 18 Aug 2018, Reuben Farrelly wrote:

>>           mark=-1/0xffffffff
>>           vti-interface=vti-1
>>           leftvti=192.168.6.1/30

> OK, I've worked out the cause of this.  The problem is the 'mark' value that I 
> have configured.

> Up to and including version 3.23 this worked (or at least it didn't break 
> anything).
>
>>           mark=-1/0xffffffff
>
> In version 3.25 the use of -1 here seems to have broken things.
>
> After setting the mark (statically) to '1' instead of '-1' I have 
> connectivity again across the IPSec tunnel.
> I think that's a bug either in the man page, or in the code ;-)

Odd, because the last change to mark was in 3.23:

* XFRM: Fix unique marks accidentally setting -1 instead of random [Paul]

Before 3.23, we did not properly set unique marks.

So my guess is, we are setting marks properly now, but in 3.25 we no
longer try to delete the vti interface, and so when you restart
libreswan there might still be an old vti01 device left with the old
mark, while the new mark is another unique mark. By setting a manual
mark, you caused the old and new values always to be the same.

We will have to add refcounting for vti interface usage, so we can
properly delete the VTI interface when the last tunnel using it is
brought down.

But also, unique marks were really meant for roadwarriors, not single
static conns :)

Thanks for the investigations and feedback! And I'm still a little
confused about some of the (improper?) Cisco behaviour.

Paul
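The failure mode discussed above (a leftover VTI device whose key no longer matches the mark the restarted connection is using) can be checked for from the host side. The following is an added example, not code from libreswan or from this thread: it parses the output of `ip -d link show`, extracts the ikey/okey of a VTI device, and compares them with the connection's `mark=` setting. The sample `ip` output is constructed for the example, and the script assumes that libreswan programs the VTI ikey/okey with the same value as the connection mark; the function names are the example's own.

```python
import re
import ipaddress

# Constructed sample of `ip -d link show` output showing a VTI device
# left behind with key 1. Real output on a host will differ.
SAMPLE_IP_LINK_OUTPUT = """\
5: vti01@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ipip 203.0.113.1 peer 198.51.100.1 promiscuity 0
    vti remote 198.51.100.1 local 203.0.113.1 ikey 0.0.0.1 okey 0.0.0.1 addrgenmode eui64
"""

_IFACE_RE = re.compile(r"^\d+: (\S+?)(?:@\S+)?:")
_KEYS_RE = re.compile(r"^\s*vti .*?\bikey (\S+) okey (\S+)")


def parse_mark(mark):
    """Parse a libreswan mark=value[/mask] string.

    Returns (value, mask, unique). A value of -1 asks libreswan to pick a
    unique (random) mark per instance, so it cannot be verified statically.
    """
    value_s, _, mask_s = mark.partition("/")
    value = int(value_s, 0)
    mask = int(mask_s, 0) if mask_s else 0xFFFFFFFF
    return value, mask, value == -1


def _key_to_int(text):
    """iproute2 prints VTI keys as dotted quads (0.0.0.1); accept ints/hex too."""
    if "." in text:
        return int(ipaddress.IPv4Address(text))
    return int(text, 0)


def parse_vti_keys(ip_link_output):
    """Map VTI interface name -> (ikey, okey) from `ip -d link show` text."""
    keys = {}
    current = None
    for line in ip_link_output.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _KEYS_RE.match(line)
        if m and current:
            keys[current] = (_key_to_int(m.group(1)), _key_to_int(m.group(2)))
    return keys


def check_vti_mark(ip_link_output, conn_mark, vti_iface):
    """Classify an existing VTI device against a connection's mark= setting.

    "absent"        - no such VTI device exists, nothing stale to worry about
    "unpredictable" - mark=-1 (unique/random): a leftover device may carry
                      a different key than the new instance; restart cleanly
    "match"         - device keys equal the configured static mark
    "stale"         - device keys differ from the configured static mark
    """
    value, mask, unique = parse_mark(conn_mark)
    keys = parse_vti_keys(ip_link_output)
    if vti_iface not in keys:
        return "absent"
    if unique:
        return "unpredictable"
    ikey, okey = keys[vti_iface]
    # Assumption: libreswan sets ikey and okey to the mark value.
    if (ikey & mask) == (value & mask) and (okey & mask) == (value & mask):
        return "match"
    return "stale"


if __name__ == "__main__":
    for mark in ("-1/0xffffffff", "1", "2"):
        print(mark, "->", check_vti_mark(SAMPLE_IP_LINK_OUTPUT, mark, "vti01"))
```

On a live host, replace `SAMPLE_IP_LINK_OUTPUT` with the output of `ip -d link show`; a result of "stale" before starting libreswan indicates the leftover device that this thread describes, and "unpredictable" shows why a unique mark cannot be reconciled with a device that survived the restart.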
