[Swan] Libreswan 3.31 VTI to XFRM Conversion

Reuben Farrelly reuben-libreswan at reub.net
Tue Mar 10 00:40:50 UTC 2020


Hi,

I'd like to convert an existing, working configuration from VTI to XFRM 
support.  But obviously I am missing something as it doesn't seem to be 
a straightforward change.

My existing config looks like this:

conn router-2.reub.net-ipv4
         left=172.105.178.21
         leftid=@lightning.reub.net
         leftsubnet=0.0.0.0/0
         right=%any
         rightid=router-2@reub.net
         rightsubnet=0.0.0.0/0
         authby=secret
         ikev2=insist
         ikelifetime=86400s
         salifetime=3600s
         # IOS XE
         ike=aes-sha2_512;dh19
         # Classic IOS
         #ike=aes-sha2_512;dh5
         dpddelay=15
         dpdtimeout=45
         dpdaction=clear
         auto=add
         mark=1/0xffffffff
         vti-interface=vti-1
         leftvti=192.168.6.1/30

So how it works at the moment is that vti-1 on the host above has 
192.168.6.1/30 on it, and the remote (Cisco IOS XE router) also has a 
VTI interface Tunnel0 with 192.168.6.2/30.

That all works just fine.  It is entirely route based, whatever traffic 
is routed down the link is encrypted, and it works as expected.

However, to convert over to use xfrm I changed the following:

- change leftvti= to be leftinterface-ip=
- change vti-interface= to ipsec-interface=
- remove mark=  (is this even necessary for vti anymore?)


But this then results in a failure and the connection fails to set up:

Mar 10 11:25:50.120036: "router-2.reub.net-ipv4"[1] 1.144.144.75: local 
IKE proposals (IKE SA responder matching remote proposals):
Mar 10 11:25:50.120084: "router-2.reub.net-ipv4"[1] 1.144.144.75: 
1:IKE=AES_CBC_256+AES_CBC_128-HMAC_SHA2_512-HMAC_SHA2_512_256-ECP_256
Mar 10 11:25:50.120100: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1: 
proposal 1:IKE=AES_CBC_256-HMAC_SHA2_512-HMAC_SHA2_512_256-ECP_256 
chosen from remote proposals 
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;DH=ECP_256;DH=MODP2048;DH=ECP_521;DH=MODP1536[first-match]
Mar 10 11:25:50.121266: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1: 
STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 
integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH19}
Mar 10 11:25:50.160802: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1: 
processing decrypted IKE_AUTH request: SK{V,IDi,AUTH,SA,TSi,TSr,N,N,N,N}
Mar 10 11:25:50.160845: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1: 
IKEv2 mode peer ID is ID_USER_FQDN: 'router-2 at reub.net'
Mar 10 11:25:50.160926: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1: 
authenticated using authby=secret
Mar 10 11:25:50.161039: "router-2.reub.net-ipv4"[1] 1.144.144.75: local 
ESP/AH proposals (IKE_AUTH responder matching remote ESP/AH proposals):
Mar 10 11:25:50.161050: "router-2.reub.net-ipv4"[1] 1.144.144.75: 
1:ESP=AES_GCM_C_256-NONE-NONE-DISABLED
Mar 10 11:25:50.161056: "router-2.reub.net-ipv4"[1] 1.144.144.75: 
2:ESP=AES_GCM_C_128-NONE-NONE-DISABLED
Mar 10 11:25:50.161062: "router-2.reub.net-ipv4"[1] 1.144.144.75: 
3:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED
Mar 10 11:25:50.161068: "router-2.reub.net-ipv4"[1] 1.144.144.75: 
4:ESP=AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED
Mar 10 11:25:50.161092: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1: 
proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-DISABLED SPI=f21ee33f 
chosen from remote proposals 
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match]
Mar 10 11:25:50.161136: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1: 
received unsupported NOTIFY v2N_SET_WINDOW_SIZE
Mar 10 11:25:50.161141: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1: 
received unsupported NOTIFY v2N_NON_FIRST_FRAGMENTS_ALSO
Mar 10 11:25:50.202585: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1: 
route-client output: leftsubet == rightsubnet = 0.0.0.0/0 can not add route
Mar 10 11:25:50.210179: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1: 
route-client output: /usr/libexec/ipsec/_updown.netkey: doroute "ip -4 
rule add prio 100 to 0.0.0.0/0 fwmark 1/0xffffffff lookup 50" failed 
(RTNETLINK answers: Operation not supported)
Mar 10 11:25:50.210525: "router-2.reub.net-ipv4"[1] 1.144.144.75 #2: 
negotiated connection [0.0.0.0-255.255.255.255:0-65535 0] -> 
[0.0.0.0-255.255.255.255:0-65535 0]
Mar 10 11:25:50.210542: "router-2.reub.net-ipv4"[1] 1.144.144.75 #2: 
STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0xf21ee33f 
<0xc66c8056 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none 
NATD=1.144.144.75:4500 DPD=active}
Mar 10 11:25:52.579920: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3: 
proposal 1:IKE=AES_CBC_256-HMAC_SHA2_512-HMAC_SHA2_512_256-ECP_256 
chosen from remote proposals 
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;DH=ECP_256;DH=MODP2048;DH=ECP_521;DH=MODP1536[first-match]
Mar 10 11:25:52.580918: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3: 
STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 
integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH19}
Mar 10 11:25:53.296238: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3: 
ERROR: asynchronous network error report on eth0 (172.105.178.21:500) 
for message to 1.144.144.75 port 500, complainant 172.105.178.21: No 
route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 10 11:25:54.499877: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3: 
received duplicate IKE_SA_INIT message request (Message ID 0); 
retransmitting response
Mar 10 11:25:57.616174: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3: 
ERROR: asynchronous network error report on eth0 (172.105.178.21:500) 
for message to 1.144.144.75 port 500, complainant 172.105.178.21: No 
route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 10 11:25:58.309867: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3: 
received duplicate IKE_SA_INIT message request (Message ID 0); 
retransmitting response
Mar 10 11:26:01.456191: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3: 
ERROR: asynchronous network error report on eth0 (172.105.178.21:500) 
for message to 1.144.144.75 port 500, complainant 172.105.178.21: No 
route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 10 11:26:06.249993: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3: 
received duplicate IKE_SA_INIT message request (Message ID 0); 
retransmitting response
Mar 10 11:26:09.376191: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3: 
ERROR: asynchronous network error report on eth0 (172.105.178.21:500) 
for message to 1.144.144.75 port 500, complainant 172.105.178.21: No 
route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 10 11:26:21.795975: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3: 
received duplicate IKE_SA_INIT message request (Message ID 0); 
retransmitting response
Mar 10 11:26:24.896241: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3: 
ERROR: asynchronous network error report on eth0 (172.105.178.21:500) 
for message to 1.144.144.75 port 500, complainant 172.105.178.21: No 
route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 10 11:26:52.995134: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3: 
received duplicate IKE_SA_INIT message request (Message ID 0); 
retransmitting response
Mar 10 11:26:53.296203: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3: 
ERROR: asynchronous network error report on eth0 (172.105.178.21:500) 
for message to 1.144.144.75 port 500, complainant 172.105.178.21: No 
route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 10 11:27:35.161044: "router-2.reub.net-ipv4"[1] 1.144.144.75 #2: 
liveness_check - peer 1.144.144.75 has not responded in 59 seconds, with 
a timeout of 45, taking action:clear
Mar 10 11:27:35.161090: "router-2.reub.net-ipv4"[1] 1.144.144.75 #2: 
liveness action - clearing connection kind CK_INSTANCE
Mar 10 11:27:35.161102: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3: 
deleting state (STATE_PARENT_R1) aged 102.581s and NOT sending notification
Mar 10 11:27:35.161165: "router-2.reub.net-ipv4"[1] 1.144.144.75 #2: 
deleting state (STATE_V2_IPSEC_R) aged 105.000s and sending notification
Mar 10 11:27:35.161197: "router-2.reub.net-ipv4"[1] 1.144.144.75 #2: ESP 
traffic information: in=0B out=0B
Mar 10 11:27:35.174835: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1: 
deleting state (STATE_PARENT_R2) aged 105.054s and sending notification
Mar 10 11:27:35.175001: "router-2.reub.net-ipv4"[1] 1.144.144.75: 
deleting connection "router-2.reub.net-ipv4"[1] 1.144.144.75 instance 
with peer 1.144.144.75 {isakmp=#0/ipsec=#0}
Mar 10 11:27:35.185931: "router-2.reub.net-ipv4"[1] 1.144.144.75: 
unroute-client output: leftsubet == rightsubnet = 0.0.0.0/0 can not add 
route
Mar 10 11:27:35.197127: "router-2.reub.net-ipv4"[1] 1.144.144.75: 
unroute-client output: /usr/libexec/ipsec/_updown.netkey: doroute "ip -4 
rule del prio 100 to 0.0.0.0/0 fwmark 1/0xffffffff lookup 50" failed 
(RTNETLINK answers: Operation not supported)
Mar 10 11:27:55.205276: "router-2.reub.net-ipv4"[2] 1.144.144.75: local 
IKE proposals (IKE SA responder matching remote proposals):
Mar 10 11:27:55.205331: "router-2.reub.net-ipv4"[2] 1.144.144.75: 
1:IKE=AES_CBC_256+AES_CBC_128-HMAC_SHA2_512-HMAC_SHA2_512_256-ECP_256

============

Right now I'm running -git (Linux Libreswan v3.30-255-g45b97b3ccc-HEAD 
(netkey) on 5.5.8-gentoo)


The errors I am seeing above that seem to be important:

Mar 10 11:25:50.161136: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1: 
received unsupported NOTIFY v2N_SET_WINDOW_SIZE

Mar 10 11:25:50.161141: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1: 
received unsupported NOTIFY v2N_NON_FIRST_FRAGMENTS_ALSO

Mar 10 11:25:50.202585: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1: 
route-client output: leftsubet == rightsubnet = 0.0.0.0/0 can not add route

Mar 10 11:25:50.210179: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1: 
route-client output: /usr/libexec/ipsec/_updown.netkey: doroute "ip -4 
rule add prio 100 to 0.0.0.0/0 fwmark 1/0xffffffff lookup 50" failed 
(RTNETLINK answers: Operation not supported)

Mar 10 11:25:53.296238: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3: 
ERROR: asynchronous network error report on eth0 (172.105.178.21:500) 
for message to 1.144.144.75 port 500, complainant 172.105.178.21: No 
route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]

Mar 10 11:27:35.185931: "router-2.reub.net-ipv4"[1] 1.144.144.75: 
unroute-client output: leftsubet == rightsubnet = 0.0.0.0/0 can not add 
route
Mar 10 11:27:35.197127: "router-2.reub.net-ipv4"[1] 1.144.144.75: 
unroute-client output: /usr/libexec/ipsec/_updown.netkey: doroute "ip -4 
rule del prio 100 to 0.0.0.0/0 fwmark 1/0xffffffff lookup 50" failed 
(RTNETLINK answers: Operation not supported)


What am I missing here?

Reuben
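The three conversion steps listed in the message, applied mechanically to a conn stanza, as an added example that is not code from the post or from Libreswan. It assumes that ipsec-interface= takes the numeric N of the ipsecN interface (so vti-1 becomes ipsec-interface=1) and that leftvti=/rightvti= map to leftinterface-ip=/rightinterface-ip=; it also warns about the leftsubnet == rightsubnet == 0.0.0.0/0 case that the route-client output above refuses to route.

```python
import re

# Constructed sample input: the VTI conn from the post, abbreviated.
VTI_CONN = """conn router-2.reub.net-ipv4
        left=172.105.178.21
        leftsubnet=0.0.0.0/0
        right=%any
        rightsubnet=0.0.0.0/0
        authby=secret
        ikev2=insist
        auto=add
        mark=1/0xffffffff
        vti-interface=vti-1
        leftvti=192.168.6.1/30
"""
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9-]+)=(.*)$")

def vti_to_xfrm(conn_text):
    """Apply the three VTI->XFRM steps to one conn stanza; return (text, warnings).
    leftvti/rightvti -> leftinterface-ip/rightinterface-ip; vti-interface=vti-N
    -> ipsec-interface=N (ipsecN numbering assumed); mark= is dropped."""
    out, warnings, subnets = [], [], {}
    for line in conn_text.splitlines():
        m = KEY_RE.match(line)
        if not m:                      # 'conn' header, comments, blank lines
            out.append(line)
            continue
        indent, key, value = m.groups()
        if key in ("leftsubnet", "rightsubnet"):
            subnets[key] = value
        if key == "mark":              # XFRM interface is keyed on if_id, not fwmark
            warnings.append(f"dropped {key}={value}")
            continue
        if key == "vti-interface":
            num = re.search(r"(\d+)$", value)
            if not num:
                warnings.append(f"no numeric id in {key}={value}; left as-is")
                out.append(line)
                continue
            key, value = "ipsec-interface", num.group(1)
        elif key in ("leftvti", "rightvti"):
            key = key[:-3] + "interface-ip"
        out.append(f"{indent}{key}={value}")
    if subnets.get("leftsubnet") == subnets.get("rightsubnet") == "0.0.0.0/0":
        # _updown refuses this case ("can not add route" in the log), so the
        # route via ipsecN has to be managed outside pluto.
        warnings.append("leftsubnet == rightsubnet == 0.0.0.0/0: _updown "
                        "will not install the route; manage it outside pluto")
    return "\n".join(out) + "\n", warnings
```

Run it over each conn of an ipsec.conf and review the warnings before reloading; it does not check whether the running Libreswan build honours leftinterface-ip=.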

