[Swan] Libreswan 3.31 VTI to XFRM Conversion

Paul Wouters paul at nohats.ca
Wed Mar 11 00:33:21 UTC 2020


On Tue, 10 Mar 2020, Reuben Farrelly wrote:

> I'd like to convert an existing, working configuration from VTI to XFRM 
> support.  But obviously I am missing something as it doesn't seem to be a 
> straightforward change.
>
> My existing config looks like this:
>
> conn router-2.reub.net-ipv4
>         leftsubnet=0.0.0.0/0
>         rightsubnet=0.0.0.0/0
>         mark=1/0xffffffff
>         vti-interface=vti-1
>         leftvti=192.168.6.1/30
>
> That all works just fine.  It is entirely route based, whatever traffic is 
> routed down the link is encrypted, and it works as expected.
>
> However to convert over to use xfrm I changed the following:
>
> - change leftvti= to be leftinterface-ip=
> - change vti-interface= to ipsec-interface=

Yes, but it has to be either "yes" (meaning 1) or a number.

> - remove mark=  (is this even necessary for vti anymore?)

It was needed for VTI but not for XFRMi. We should probably not allow it
with ipsec-interface= set.

> asynchronous network error report on eth0 (172.105.178.21:500) for message to 
> 1.144.144.75 port 500, complainant 172.105.178.21: No route to host [errno 
> 113, origin ICMP type 3 code 1 (not authenticated)]
> Mar 10 11:27:35.161044: "router-2.reub.net-ipv4"[1] 1.144.144.75 #2: 
> liveness_check - peer 1.144.144.75 has not responded in 59 seconds, with a 
> timeout of 45, taking action:clear

This looks like an imploded route that caused IKE traffic to fail?

> Mar 10 11:27:35.185931: "router-2.reub.net-ipv4"[1] 1.144.144.75: 
> unroute-client output: leftsubet == rightsubnet = 0.0.0.0/0 can not add route

This is fine. You need to do the routing into the ipsec interface for
0/0 to 0/0 tunnels.

> Mar 10 11:25:50.161136: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1: received 
> unsupported NOTIFY v2N_SET_WINDOW_SIZE

You can ignore that.

> Mar 10 11:25:50.161141: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1: received 
> unsupported NOTIFY v2N_NON_FIRST_FRAGMENTS_ALSO

And that.

> Mar 10 11:25:50.202585: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1: 
> route-client output: leftsubet == rightsubnet = 0.0.0.0/0 can not add route

This is okay, you need to route manually because only you know what
traffic should go into the ipsecX interface.

> Mar 10 11:25:50.210179: "router-2.reub.net-ipv4"[1] 1.144.144.75 #1: 
> route-client output: /usr/libexec/ipsec/_updown.netkey: doroute "ip -4 rule 
> add prio 100 to 0.0.0.0/0 fwmark 1/0xffffffff lookup 50" failed (RTNETLINK 
> answers: Operation not supported)

This seems to indicate you mistakenly used the mark= option with XFRMi.

> Mar 10 11:25:53.296238: "router-2.reub.net-ipv4"[1] 1.144.144.75 #3: ERROR: 
> asynchronous network error report on eth0 (172.105.178.21:500) for message to 
> 1.144.144.75 port 500, complainant 172.105.178.21: No route to host [errno 
> 113, origin ICMP type 3 code 1 (not authenticated)]

Looks like route implosion that caused IKE traffic to fail? Due to some
weird or bogus route?

Paul
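As an added illustration (not Libreswan code and not part of this thread), a small Python lint that checks a conn block for the conversion mistakes pointed out above: ipsec-interface= must be "yes" or a number rather than a device name, mark= has to go, the old VTI keys must be renamed, and a 0/0 to 0/0 conn gets no route from libreswan so traffic has to be routed into the ipsecN device by hand. The two conn blocks are constructed to mirror Reuben's, and the "yes means 1" and ipsecN device naming follow the reply above.

```python
import re

# Constructed samples mirroring the conn in the thread: a naive conversion that
# only renamed the two keys, and a corrected version with a numeric interface.
NAIVE_XFRMI_CONN = """\
conn router-2.reub.net-ipv4
        leftsubnet=0.0.0.0/0
        rightsubnet=0.0.0.0/0
        mark=1/0xffffffff
        ipsec-interface=vti-1
        leftinterface-ip=192.168.6.1/30
"""
FIXED_XFRMI_CONN = """\
conn router-2.reub.net-ipv4
        leftsubnet=0.0.0.0/0
        rightsubnet=0.0.0.0/0
        ipsec-interface=1
        leftinterface-ip=192.168.6.1/30
"""

def parse_conn(text):
    """Parse one 'conn NAME' block into (name, {key: value}); blanks/comments skipped."""
    name, opts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return name, opts

def lint_xfrmi(opts):
    """Return the list of VTI-to-XFRMi conversion problems found in a conn's options."""
    problems = []
    iface = opts.get("ipsec-interface")
    dev = None  # kernel device libreswan will create, once the number is known
    if iface is None:
        problems.append("missing ipsec-interface= (conn is still VTI or plain policy)")
    elif iface == "yes":
        dev = "ipsec1"  # 'yes' means interface number 1
    elif re.fullmatch(r"[0-9]+", iface):
        dev = f"ipsec{iface}"
    else:
        problems.append(f"ipsec-interface={iface}: must be 'yes' or a number, not a device name")
    if "mark" in opts:
        problems.append("mark= is a VTI setting; remove it when ipsec-interface= is set")
    for old, new in (("vti-interface", "ipsec-interface"), ("leftvti", "leftinterface-ip")):
        if old in opts:
            problems.append(f"{old}= is a VTI setting; use {new}= instead")
    if opts.get("leftsubnet") == "0.0.0.0/0" and opts.get("rightsubnet") == "0.0.0.0/0":
        problems.append(f"0/0 to 0/0: libreswan adds no route; add routes into {dev or 'the ipsecN device'} yourself")
    return problems
```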
