[Swan] Cisco IOS XE Interoperability with Libreswan

Reuben Farrelly reuben-libreswan at reub.net
Sun Aug 19 14:17:04 UTC 2018


On 19/08/2018 5:32 pm, Reuben Farrelly wrote:
>> But also, unique marks was really meant for roadwarriors, not single
>> static conns :)
>>
>> Thanks for the investigations and feedback! And I'm still a little
>> confused about some of the (improper?) cisco behaviour.
>>
>> Paul
> 
> Ok - that all makes sense now.  I haven't been restarting the system 
> each time I make a change or rebuild/upgrade so it's entirely likely 
> that that is what is going on.
> Maybe you could add a note to the Route Based VPN configuration page 
> that indicates that dynamic VTIs are more for roadwarriors, as I wasn't 
> aware of what value to choose when I set mine up according to the howto :-)

Ugh.  Should have read "dynamic mark IDs" not "dynamic VTIs" ...

> I suspect this because if I turn off all NAT then the IPSec negotiation 
> completes successfully, every time.  Turn it back on and the negotiation 
> gets stuck and we see the retransmit behaviour happening all over again.
> 
> As matching the outbound interface as a NAT selector is not an option 
> any more, I'm currently trying to come up with some NAT match ACLs to 
> work around this behaviour, some quick and dirty ACLs with very tight 
> src/dst entries have done the trick for now - but it's ugly.

Further investigation showed that the ESP traffic originating from the 
router was being added to the NAT table on the router itself.  This is 
really weird.

By simply adding a deny ACL entry to explicitly deny the destination 
libreswan server IP address from being NATted to itself, the problem was 
resolved and everything has been working since.  My original classic IOS 
router config is otherwise unchanged on IOS XE.

Reuben
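The fix described above, written out as an IOS XE NAT configuration. This is a constructed example added here, not the poster's actual router configuration or anything from the Libreswan project: the addresses (203.0.113.10 for the Libreswan server, 10.10.0.0/24 for the inside LAN), the ACL name and the interface names are placeholders. The single `deny` line ahead of the `permit` is the change the post reports; the rest is the ordinary dynamic-NAT scaffolding it sits in, since on IOS XE the NAT match is driven by the ACL rather than by the outbound interface.

```cisco
! Constructed example - replace the placeholder addresses and interfaces.
! 203.0.113.10        = Libreswan server (the IPsec peer)
! 10.10.0.0/24        = inside LAN that should be PAT'd to the Internet
! GigabitEthernet0/0/0 = outside interface, GigabitEthernet0/0/1 = inside
!
ip access-list extended NAT-INSIDE-TO-OUTSIDE
 remark Never translate anything addressed to the Libreswan peer; this
 remark keeps the router's own IKE/ESP packets out of the NAT table
 deny   ip any host 203.0.113.10
 remark Ordinary overload NAT for the rest of the LAN
 permit ip 10.10.0.0 0.0.0.255 any
!
ip nat inside source list NAT-INSIDE-TO-OUTSIDE interface GigabitEthernet0/0/0 overload
!
interface GigabitEthernet0/0/0
 ip nat outside
!
interface GigabitEthernet0/0/1
 ip nat inside
```

Order matters in the ACL: the `deny` for the peer must precede the `permit`, because NAT evaluates the list top-down and the first match wins. If you want the exemption tighter than "everything to the peer", the equivalent narrow form is three lines: `deny udp any host 203.0.113.10 eq isakmp`, `deny udp any host 203.0.113.10 eq non500-isakmp` and `deny esp any host 203.0.113.10`. After applying it, `show ip nat translations` should no longer list entries whose outside address is the Libreswan server, and the IKE negotiation should complete without the retransmits mentioned earlier in the thread.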
