[Swan] Libreswan 3.31 VTI to XFRM Conversion
Reuben Farrelly
reuben-libreswan@reub.net
Tue Mar 10 00:40:50 UTC 2020
Hi,
I'd like to convert an existing, working configuration from VTI to XFRM
support. But obviously I am missing something as it doesn't seem to be
a straightforward change.
My existing config looks like this:
conn router-2.reub.net-ipv4
left=172.105.178.21
leftid=@lightning.reub.net
leftsubnet=0.0.0.0/0
right=%any
rightid=router-2@reub.net
rightsubnet=0.0.0.0/0
authby=secret
ikev2=insist
ikelifetime=86400s
salifetime=3600s
# IOS XE
ike=aes-sha2_512;dh19
# Classic IOS
#ike=aes-sha2_512;dh5
dpddelay=15
dpdtimeout=45
dpdaction=clear
auto=add
mark=1/0xffffffff
vti-interface=vti-1
leftvti=192.168.6.1/30
So how it works at the moment is that vti-1 on the host above has
192.168.6.1/30 on it, and the remote (Cisco IOS XE router) also has a
VTI interface Tunnel0 with 192.168.6.2/30.
That all works just fine. It is entirely route based, whatever traffic
is routed down the link is encrypted, and it works as expected.
However, to convert over to use XFRM I changed the following:
- change leftvti= to be leftinterface-ip=
- change vti-interface= to ipsec-interface=
- remove mark= (is this even necessary for vti anymore?)
But this then results in a failure and the connection fails to set up:
Mar 10 11:25:50.120036: "router-2.reub.net-ipv4"[1] 1.144.144.75: local
IKE proposals (IKE SA responder matching remote proposals):
Mar 10 11:25:50.120084: "router-2.reub.net-ipv4"[1] 1.144.144.75:
1:IKE=AES_CBC_256+AES_CBC_128-HMAC_SHA2_512-HMAC_SHA2_512_256-ECP_256
Mar 10 11:25:50.120100: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1:
proposal 1:IKE=AES_CBC_256-HMAC_SHA2_512-HMAC_SHA2_512_256-ECP_256
chosen from remote proposals
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;DH=ECP_256;DH=MODP2048;DH=ECP_521;DH=MODP1536[first-match]
Mar 10 11:25:50.121266: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1:
STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256
integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH19}
Mar 10 11:25:50.160802: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1:
processing decrypted IKE_AUTH request: SK{V,IDi,AUTH,SA,TSi,TSr,N,N,N,N}
Mar 10 11:25:50.160845: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1:
IKEv2 mode peer ID is ID_USER_FQDN: 'router-2@reub.net'
Mar 10 11:25:50.160926: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1:
authenticated using authby=secret
Mar 10 11:25:50.161039: "router-2.reub.net-ipv4"[1] 1.144.144.75: local
ESP/AH proposals (IKE_AUTH responder matching remote ESP/AH proposals):
Mar 10 11:25:50.161050: "router-2.reub.net-ipv4"[1] 1.144.144.75:
1:ESP=AES_GCM_C_256-NONE-NONE-DISABLED
Mar 10 11:25:50.161056: "router-2.reub.net-ipv4"[1] 1.144.144.75:
2:ESP=AES_GCM_C_128-NONE-NONE-DISABLED
Mar 10 11:25:50.161062: "router-2.reub.net-ipv4"[1] 1.144.144.75:
3:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED
Mar 10 11:25:50.161068: "router-2.reub.net-ipv4"[1] 1.144.144.75:
4:ESP=AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED
Mar 10 11:25:50.161092: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1:
proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-DISABLED SPI=f21ee33f
chosen from remote proposals
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match]
Mar 10 11:25:50.161136: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1:
received unsupported NOTIFY v2N_SET_WINDOW_SIZE
Mar 10 11:25:50.161141: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1:
received unsupported NOTIFY v2N_NON_FIRST_FRAGMENTS_ALSO
Mar 10 11:25:50.202585: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1:
route-client output: leftsubet == rightsubnet = 0.0.0.0/0 can not add route
Mar 10 11:25:50.210179: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1:
route-client output: /usr/libexec/ipsec/_updown.netkey: doroute "ip -4
rule add prio 100 to 0.0.0.0/0 fwmark 1/0xffffffff lookup 50" failed
(RTNETLINK answers: Operation not supported)
Mar 10 11:25:50.210525: "router-2.reub.net-ipv4"[1] 1.144.144.75 #2:
negotiated connection [0.0.0.0-255.255.255.255:0-65535 0] ->
[0.0.0.0-255.255.255.255:0-65535 0]
Mar 10 11:25:50.210542: "router-2.reub.net-ipv4"[1] 1.144.144.75 #2:
STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0xf21ee33f
<0xc66c8056 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none
NATD=1.144.144.75:4500 DPD=active}
Mar 10 11:25:52.579920: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3:
proposal 1:IKE=AES_CBC_256-HMAC_SHA2_512-HMAC_SHA2_512_256-ECP_256
chosen from remote proposals
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;DH=ECP_256;DH=MODP2048;DH=ECP_521;DH=MODP1536[first-match]
Mar 10 11:25:52.580918: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3:
STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256
integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH19}
Mar 10 11:25:53.296238: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3:
ERROR: asynchronous network error report on eth0 (172.105.178.21:500)
for message to 1.144.144.75 port 500, complainant 172.105.178.21: No
route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 10 11:25:54.499877: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3:
received duplicate IKE_SA_INIT message request (Message ID 0);
retransmitting response
Mar 10 11:25:57.616174: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3:
ERROR: asynchronous network error report on eth0 (172.105.178.21:500)
for message to 1.144.144.75 port 500, complainant 172.105.178.21: No
route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 10 11:25:58.309867: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3:
received duplicate IKE_SA_INIT message request (Message ID 0);
retransmitting response
Mar 10 11:26:01.456191: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3:
ERROR: asynchronous network error report on eth0 (172.105.178.21:500)
for message to 1.144.144.75 port 500, complainant 172.105.178.21: No
route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 10 11:26:06.249993: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3:
received duplicate IKE_SA_INIT message request (Message ID 0);
retransmitting response
Mar 10 11:26:09.376191: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3:
ERROR: asynchronous network error report on eth0 (172.105.178.21:500)
for message to 1.144.144.75 port 500, complainant 172.105.178.21: No
route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 10 11:26:21.795975: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3:
received duplicate IKE_SA_INIT message request (Message ID 0);
retransmitting response
Mar 10 11:26:24.896241: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3:
ERROR: asynchronous network error report on eth0 (172.105.178.21:500)
for message to 1.144.144.75 port 500, complainant 172.105.178.21: No
route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 10 11:26:52.995134: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3:
received duplicate IKE_SA_INIT message request (Message ID 0);
retransmitting response
Mar 10 11:26:53.296203: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3:
ERROR: asynchronous network error report on eth0 (172.105.178.21:500)
for message to 1.144.144.75 port 500, complainant 172.105.178.21: No
route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 10 11:27:35.161044: "router-2.reub.net-ipv4"[1] 1.144.144.75 #2:
liveness_check - peer 1.144.144.75 has not responded in 59 seconds, with
a timeout of 45, taking action:clear
Mar 10 11:27:35.161090: "router-2.reub.net-ipv4"[1] 1.144.144.75 #2:
liveness action - clearing connection kind CK_INSTANCE
Mar 10 11:27:35.161102: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3:
deleting state (STATE_PARENT_R1) aged 102.581s and NOT sending notification
Mar 10 11:27:35.161165: "router-2.reub.net-ipv4"[1] 1.144.144.75 #2:
deleting state (STATE_V2_IPSEC_R) aged 105.000s and sending notification
Mar 10 11:27:35.161197: "router-2.reub.net-ipv4"[1] 1.144.144.75 #2: ESP
traffic information: in=0B out=0B
Mar 10 11:27:35.174835: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1:
deleting state (STATE_PARENT_R2) aged 105.054s and sending notification
Mar 10 11:27:35.175001: "router-2.reub.net-ipv4"[1] 1.144.144.75:
deleting connection "router-2.reub.net-ipv4"[1] 1.144.144.75 instance
with peer 1.144.144.75 {isakmp=#0/ipsec=#0}
Mar 10 11:27:35.185931: "router-2.reub.net-ipv4"[1] 1.144.144.75:
unroute-client output: leftsubet == rightsubnet = 0.0.0.0/0 can not add
route
Mar 10 11:27:35.197127: "router-2.reub.net-ipv4"[1] 1.144.144.75:
unroute-client output: /usr/libexec/ipsec/_updown.netkey: doroute "ip -4
rule del prio 100 to 0.0.0.0/0 fwmark 1/0xffffffff lookup 50" failed
(RTNETLINK answers: Operation not supported)
Mar 10 11:27:55.205276: "router-2.reub.net-ipv4"[2] 1.144.144.75: local
IKE proposals (IKE SA responder matching remote proposals):
Mar 10 11:27:55.205331: "router-2.reub.net-ipv4"[2] 1.144.144.75:
1:IKE=AES_CBC_256+AES_CBC_128-HMAC_SHA2_512-HMAC_SHA2_512_256-ECP_256
============
Right now I'm running -git (Linux Libreswan v3.30-255-g45b97b3ccc-HEAD (netkey) on 5.5.8-gentoo).
The errors I am seeing above that seem to be important:
Mar 10 11:25:50.161136: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1:
received unsupported NOTIFY v2N_SET_WINDOW_SIZE
Mar 10 11:25:50.161141: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1:
received unsupported NOTIFY v2N_NON_FIRST_FRAGMENTS_ALSO
Mar 10 11:25:50.202585: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1:
route-client output: leftsubet == rightsubnet = 0.0.0.0/0 can not add route
Mar 10 11:25:50.210179: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1:
route-client output: /usr/libexec/ipsec/_updown.netkey: doroute "ip -4
rule add prio 100 to 0.0.0.0/0 fwmark 1/0xffffffff lookup 50" failed
(RTNETLINK answers: Operation not supported)
Mar 10 11:25:53.296238: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3:
ERROR: asynchronous network error report on eth0 (172.105.178.21:500)
for message to 1.144.144.75 port 500, complainant 172.105.178.21: No
route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 10 11:27:35.185931: "router-2.reub.net-ipv4"[1] 1.144.144.75:
unroute-client output: leftsubet == rightsubnet = 0.0.0.0/0 can not add
route
Mar 10 11:27:35.197127: "router-2.reub.net-ipv4"[1] 1.144.144.75:
unroute-client output: /usr/libexec/ipsec/_updown.netkey: doroute "ip -4
rule del prio 100 to 0.0.0.0/0 fwmark 1/0xffffffff lookup 50" failed
(RTNETLINK answers: Operation not supported)
What am I missing here?
Reuben
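A small triage helper for the pluto log above, added here as an example and not code from the post or from Libreswan: it re-joins the records that the mail wrapped across lines, then pulls out the updown script's failed `ip rule` command and kernel error, the negotiated ESP transform, and the liveness timeout, so the few lines that matter can be checked without reading the whole log. The sample records are copied from the post; note that the `fwmark 1/0xffffffff` in the failed rule is the value of the `mark=` line that was removed from the config.

```python
import re

# Constructed sample: three records copied from the post, wrapped as in the mail body.
SAMPLE_LOG = """\
Mar 10 11:25:50.210179: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1:
route-client output: /usr/libexec/ipsec/_updown.netkey: doroute "ip -4
rule add prio 100 to 0.0.0.0/0 fwmark 1/0xffffffff lookup 50" failed
(RTNETLINK answers: Operation not supported)
Mar 10 11:25:50.210542: "router-2.reub.net-ipv4"[1] 1.144.144.75 #2:
STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0xf21ee33f
<0xc66c8056 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none
NATD=1.144.144.75:4500 DPD=active}
Mar 10 11:27:35.161044: "router-2.reub.net-ipv4"[1] 1.144.144.75 #2:
liveness_check - peer 1.144.144.75 has not responded in 59 seconds, with
a timeout of 45, taking action:clear
"""

TS = r"\w{3} \d+ \d\d:\d\d:\d\d\.\d+"                      # pluto timestamp prefix
RECORD = re.compile(r'^(' + TS + r'): "([^"]+)"(?:\[(\d+)\])? (\S+)(?: #(\d+))?: (.*)$')
DOROUTE = re.compile(r'doroute "([^"]+)" failed \(([^)]+)\)')  # updown script failure
LIVENESS = re.compile(r"not responded in (\d+) seconds, with a timeout of (\d+)")

def parse_records(text):
    """Re-join wrapped lines (a record starts at a timestamp), then split each one."""
    joined, buf = [], []
    for line in text.splitlines():
        if re.match(TS + ": ", line) and buf:
            joined.append(" ".join(buf))
            buf = []
        buf.append(line.strip())
    joined.append(" ".join(buf))
    out = []
    for m in filter(None, map(RECORD.match, joined)):
        ts, conn, inst, peer, state, msg = m.groups()
        out.append({"ts": ts, "conn": conn, "inst": inst, "peer": peer,
                    "state": int(state) if state else None, "msg": msg})
    return out

def triage(records):
    """Updown-script failures, negotiated ESP transform, liveness timeouts (by state #)."""
    summary = {"updown": [], "ipsec_sa": [], "liveness": []}
    for r in records:
        msg = r["msg"]
        if "route-client output:" in msg and (m := DOROUTE.search(msg)):
            summary["updown"].append((r["state"], m.group(1), m.group(2)))
        elif "IPsec SA established" in msg:
            summary["ipsec_sa"].append((r["state"], re.search(r"xfrm=(\S+)", msg).group(1)))
        elif (m := LIVENESS.search(msg)):
            summary["liveness"].append((r["state"], int(m.group(1)), int(m.group(2))))
    return summary
```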