[Swan] Libreswan 3.31 VTI to XFRM Conversion
Reuben Farrelly
reuben-libreswan at reub.net
Thu Mar 12 04:14:16 UTC 2020
Hi again,
On 12/03/2020 12:23 am, Paul Wouters wrote:
> On Wed, 11 Mar 2020, Reuben Farrelly wrote:
>
>> As it turns out, this error was caused by missing bits of kernel
>> support for the use of 'ip rule'.
>
>> So things are looking better now:
>
>> I had to manually set an IP address on the ipsec1 interface, but it
>> still doesn't work.
>
> Yes, in the next release, leftinterface-ip= should work for that.
Should this work in current -git ? Because I just updated this
morning, and it's still not working (no message about the command being
deprecated, but it just doesn't work):
lightning ~ # ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode
DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP mode DEFAULT group default qlen 1000
link/ether f2:3c:92:08:48:96 brd ff:ff:ff:ff:ff:ff
5: ipsec1 at eth0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
mode DEFAULT group default qlen 1000
link/none
lightning ~ #
Also -git master still shows 3.30 as the version despite 3.31 being
released:
Linux Libreswan v3.30-288-g7518e3d84b-HEAD (netkey) on 5.5.8-gentoo
>
>> lightning ~ # ip -d link show dev ipsec1
>> 5: ipsec1 at eth0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state
>> UNKNOWN mode DEFAULT group default qlen 1000
>> link/none promiscuity 0 minmtu 68 maxmtu 65535
>> xfrm if_id 0x1 addrgenmode random numtxqueues 1 numrxqueues 1
>> gso_max_size 65536 gso_max_segs 65535
>> lightning ~ # ip -s link show dev ipsec1
>> 5: ipsec1 at eth0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state
>> UNKNOWN mode DEFAULT group default qlen 1000
>> link/none
>> RX: bytes packets errors dropped overrun mcast
>> 1130640 13460 0 0 0 0
>> TX: bytes packets errors dropped carrier collsns
>> 170268 2027 0 12 0 0
>> lightning ~ #
>
> So it does see packets both ways. What does ipsec trafficstatus say? Did
> it receive encrypted packets and send encrypted packets too?
After adding the IP address, counts look like this:
lightning ~ # ipsec trafficstatus
006 #2: "router-2.reub.net-ipv4"[1] 1.144.144.75, type=ESP,
add_time=1583982889, inBytes=129780, outBytes=504, id='router-2 at reub.net'
lightning ~ # ping 192.168.6.2
PING 192.168.6.2 (192.168.6.2) 56(84) bytes of data.
^C
--- 192.168.6.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1074ms
lightning ~ # ipsec trafficstatus
006 #2: "router-2.reub.net-ipv4"[1] 1.144.144.75, type=ESP,
add_time=1583982889, inBytes=129780, outBytes=672, id='router-2 at reub.net'
lightning ~ #
Sending traffic increments the counts as above but there is no response
to the ping (from either end).
> lightning ~ # ip route
>> default via 172.105.178.1 dev eth0 metric 2
>> 172.105.178.0/24 dev eth0 proto kernel scope link src 172.105.178.21
>> 192.168.6.0/30 dev ipsec1 proto kernel scope link src 192.168.6.1
>
> Hmm that looks okay.
>
>> Looks a lot like IPSec is happy but the routing/interface side of
>> things is not.
>
> Do you see an increase in numbers in /proc/net/xfrm_stat ?
No.
lightning ~ # cat /proc/net/xfrm_stat
XfrmInError 0
XfrmInBufferError 0
XfrmInHdrError 0
XfrmInNoStates 0
XfrmInStateProtoError 0
XfrmInStateModeError 0
XfrmInStateSeqError 0
XfrmInStateExpired 0
XfrmInStateMismatch 0
XfrmInStateInvalid 0
XfrmInTmplMismatch 0
XfrmInNoPols 0
XfrmInPolBlock 0
XfrmInPolError 0
XfrmOutError 0
XfrmOutBundleGenError 0
XfrmOutBundleCheckError 0
XfrmOutNoStates 0
XfrmOutStateProtoError 0
XfrmOutStateModeError 0
XfrmOutStateSeqError 0
XfrmOutStateExpired 0
XfrmOutPolBlock 0
XfrmOutPolDead 0
XfrmOutPolError 0
XfrmFwdHdrError 0
XfrmOutStateInvalid 0
XfrmAcquireError 0
lightning ~ #
Curiously the ip_vti module is also always loaded, but I unloaded it
before assigning the IP to the link above. Is there any reason why we
would want ip_vti enabled in an xfrm environment? It creates another
ipsec type interface (presumably needlessly).
>
> is rp_filter disabled? and ip_forwarding enabled?
rp_filter disabled = yes, but ip_forwarding disabled (can be changed).
Does this matter if we're only pinging across the /30 link and not
routing through the box?
Reuben
More information about the Swan
mailing list