[Swan] XFRMi interfaces in 3.31

Rene Neumann rene.neumann at zpesystems.com
Fri Apr 24 11:21:06 UTC 2020


Hi,

I have started to look into XFRMi interfaces in 3.31. I set up an Ubuntu server and then compiled 3.31 on it. The results are a bit confusing though: the tunnel itself appears to come up fine, but somehow the link of the interface appears to be "unstable". I observed 2 issues and I'm currently wondering if I did something wrong.

1.: When the tunnel comes up it is stable and I can ping across the link. After a few hours of idle, though, while the tunnel still appears to come up again with DPD, I can not ping across the xfrmi interface. I noticed as well that when I run "ipsec status", instead of just having 1 SA, the ping attempts create multiple new SAs.
2.: The ultimate goal for me is to use ECMP over 2 tunnels. So I created 2 tunnel configurations over 2 separate links. Both tunnels come up and "ipsec status" shows the associated interfaces, but when I check with "ip link" only one of the interfaces (ipsec1@ens192) was created, and with "ipsec traffic" I was able to verify that the actual traffic went through the tunnel which was associated with ipsec1@ens224.

Below is the output from my lab setup. I tested the same scenario with VTI interfaces on 3.27, but there I only set the mark in the ipsec configuration and created the ip interfaces separately, as I ran into similar issues. I thought the xfrmi interfaces might be a better solution though.

Any help or hint would be appreciated

Lab Config
000 Connection list:
000
000 "LINKEASTETH1-LINKWESTETH1": 10.0.0.0/8===1.0.1.10<1.0.1.10>[@LINKEASTETH1]...1.0.1.1<1.0.1.1>[@LINKWESTETH1]===10.0.0.0/8; erouted; eroute owner: #2
000 "LINKEASTETH1-LINKWESTETH1":     oriented; my_ip=10.10.10.1; their_ip=10.10.11.1; my_updown=ipsec _updown;
000 "LINKEASTETH1-LINKWESTETH1":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "LINKEASTETH1-LINKWESTETH1":   our auth:secret, their auth:secret
000 "LINKEASTETH1-LINKWESTETH1":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "LINKEASTETH1-LINKWESTETH1":   policy_label:unset;
000 "LINKEASTETH1-LINKWESTETH1":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "LINKEASTETH1-LINKWESTETH1":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "LINKEASTETH1-LINKWESTETH1":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "LINKEASTETH1-LINKWESTETH1":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "LINKEASTETH1-LINKWESTETH1":   v2-auth-hash-policy: none;
000 "LINKEASTETH1-LINKWESTETH1":   conn_prio: 8,8; interface: ipsec1@ens192; metric: 0; mtu: 1480; sa_prio:auto; sa_tfc:none;
000 "LINKEASTETH1-LINKWESTETH1":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "LINKEASTETH1-LINKWESTETH1":   our idtype: ID_FQDN; our id=@LINKEASTETH1; their idtype: ID_FQDN; their id=@LINKWESTETH1
000 "LINKEASTETH1-LINKWESTETH1":   dpd: action:hold; delay:1; timeout:5; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "LINKEASTETH1-LINKWESTETH1":   newest ISAKMP SA: #8; newest IPsec SA: #2;
000 "LINKEASTETH1-LINKWESTETH1":   IKE algorithms: AES_CBC_256-HMAC_SHA2_512-DH21
000 "LINKEASTETH1-LINKWESTETH1":   IKEv2 algorithm newest: AES_CBC_256-HMAC_SHA2_512-DH21
000 "LINKEASTETH1-LINKWESTETH1":   ESP algorithms: AES_CBC_256-HMAC_SHA2_512_256-MODP8192
000 "LINKEASTETH1-LINKWESTETH1":   ESP algorithm newest: AES_CBC_256-HMAC_SHA2_512_256; pfsgroup=MODP8192
000 "LINKEASTETH2-LINKWESTETH3": 10.0.0.0/8===1.0.0.10<1.0.0.10>[@LINKEASTETH2]...1.0.0.1<1.0.0.1>[@LINKWESTETH3]===10.0.0.0/8; erouted; eroute owner: #4
000 "LINKEASTETH2-LINKWESTETH3":     oriented; my_ip=10.10.10.1; their_ip=10.10.11.1; my_updown=ipsec _updown;
000 "LINKEASTETH2-LINKWESTETH3":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "LINKEASTETH2-LINKWESTETH3":   our auth:secret, their auth:secret
000 "LINKEASTETH2-LINKWESTETH3":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "LINKEASTETH2-LINKWESTETH3":   policy_label:unset;
000 "LINKEASTETH2-LINKWESTETH3":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "LINKEASTETH2-LINKWESTETH3":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "LINKEASTETH2-LINKWESTETH3":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "LINKEASTETH2-LINKWESTETH3":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "LINKEASTETH2-LINKWESTETH3":   v2-auth-hash-policy: none;
000 "LINKEASTETH2-LINKWESTETH3":   conn_prio: 8,8; interface: ipsec1@ens224; metric: 0; mtu: 1480; sa_prio:auto; sa_tfc:none;
000 "LINKEASTETH2-LINKWESTETH3":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "LINKEASTETH2-LINKWESTETH3":   our idtype: ID_FQDN; our id=@LINKEASTETH2; their idtype: ID_FQDN; their id=@LINKWESTETH3
000 "LINKEASTETH2-LINKWESTETH3":   dpd: action:hold; delay:1; timeout:5; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "LINKEASTETH2-LINKWESTETH3":   newest ISAKMP SA: #7; newest IPsec SA: #4;
000 "LINKEASTETH2-LINKWESTETH3":   IKE algorithms: AES_CBC_256-HMAC_SHA2_512-DH21
000 "LINKEASTETH2-LINKWESTETH3":   IKEv2 algorithm newest: AES_CBC_256-HMAC_SHA2_512-DH21
000 "LINKEASTETH2-LINKWESTETH3":   ESP algorithms: AES_CBC_256-HMAC_SHA2_512_256-MODP8192
000 "LINKEASTETH2-LINKWESTETH3":   ESP algorithm newest: AES_CBC_256-HMAC_SHA2_512_256; pfsgroup=MODP8192
000
000 Total IPsec connections: loaded 2, active 2
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(2), half-open(0), open(0), authenticated(2), anonymous(0)
000 IPsec SAs: total(2), authenticated(2), anonymous(0)
000
000 #2: "LINKEASTETH1-LINKWESTETH1":500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_REKEY in 22855s; newest IPSEC; eroute owner; isakmp#8; idle;
000 #2: "LINKEASTETH1-LINKWESTETH1" esp.371e95b7@1.0.1.1 esp.77dc9f20@1.0.1.10 tun.0@1.0.1.1 tun.0@1.0.1.10 ref=0 refhim=0 Traffic: ESPin=588B ESPout=588B! ESPmax=0B
000 #8: "LINKEASTETH1-LINKWESTETH1":500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REKEY in 3084s; newest ISAKMP; idle;
000 #4: "LINKEASTETH2-LINKWESTETH3":500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_REKEY in 22862s; newest IPSEC; eroute owner; isakmp#7; idle;
000 #4: "LINKEASTETH2-LINKWESTETH3" esp.7c3b2a88@1.0.0.1 esp.496fcf31@1.0.0.10 tun.0@1.0.0.1 tun.0@1.0.0.10 ref=0 refhim=0 Traffic: ESPin=464KB ESPout=464KB! ESPmax=0B
000 #7: "LINKEASTETH2-LINKWESTETH3":500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REKEY in 3031s; newest ISAKMP; idle;
000
000 Bare Shunt list:
000
root@linkeast:/etc/ipsec.d# ipsec traffic
006 #2: "LINKEASTETH1-LINKWESTETH1", type=ESP, add_time=1587720308, inBytes=588, outBytes=588, id='@LINKWESTETH1'
006 #4: "LINKEASTETH2-LINKWESTETH3", type=ESP, add_time=1587720315, inBytes=475860, outBytes=475860, id='@LINKWESTETH3'

28: ipsec1@ens192: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none

Stay safe and thank you
Rene
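A check for the second observation in the report above, added here as an example; it is not part of the original post and not libreswan's own tooling. It cross-checks the "interface:" field that "ipsec status" prints for each conn against the XFRM interfaces the kernel actually has, and lists if_id values that more than one SA is bound to. It assumes that "ipsec status" prints the interface as name@parent exactly as "ip link" does, that "ip -d link show type xfrm" prints the interface id on a detail line as "xfrm if_id 0x...", and that "ip xfrm state" prints an "if_id 0x..." line for SAs bound to an xfrmi. The embedded sample outputs are constructed (modelled on the status above, with an assumed if_id of 0x1 for both SAs) so the script runs offline; on a live host feed it the real command output instead.

```shell
#!/bin/sh
# Added example: cross-check libreswan's view of XFRM interfaces against the
# kernel. Not libreswan code. Sample inputs below are constructed so the
# script runs offline; the comments name the live commands to substitute.

# Constructed "ipsec status" fragment (only the lines that carry "interface:").
SAMPLE_STATUS='000 "LINKEASTETH1-LINKWESTETH1":   conn_prio: 8,8; interface: ipsec1@ens192; metric: 0; mtu: 1480; sa_prio:auto; sa_tfc:none;
000 "LINKEASTETH2-LINKWESTETH3":   conn_prio: 8,8; interface: ipsec1@ens224; metric: 0; mtu: 1480; sa_prio:auto; sa_tfc:none;'

# Constructed "ip -d link show type xfrm" output: only ONE xfrmi exists, as in
# the report. Assumption: the detail line carries "xfrm if_id 0x...".
SAMPLE_LINKS='28: ipsec1@ens192: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none  promiscuity 0 minmtu 68 maxmtu 1500
    xfrm if_id 0x1 addrgenmode eui64 numtxqueues 1 numrxqueues 1'

# Constructed "ip xfrm state" output: the two outbound SAs assumed to share if_id 0x1.
SAMPLE_STATES='src 1.0.1.10 dst 1.0.1.1
	proto esp spi 0x371e95b7 reqid 16389 mode tunnel
	replay-window 32 flag af-unspec
	if_id 0x1
src 1.0.0.10 dst 1.0.0.1
	proto esp spi 0x7c3b2a88 reqid 16393 mode tunnel
	replay-window 32 flag af-unspec
	if_id 0x1'

# stdin: "ipsec status" text. stdout: "<conn> <iface>" per conn that has an interface.
status_ifaces() {
  awk -F'"' '/interface: / { conn = $2; sub(/.*interface: /, ""); sub(/;.*/, ""); print conn, $0 }'
}

# stdin: "ip -d link show type xfrm" text. stdout: "<name> <parent> <if_id>" per xfrmi.
xfrmi_links() {
  awk '/^[0-9]+: / { split($2, a, "[@:]"); name = a[1]; parent = a[2] }
       /xfrm if_id/ { for (i = 1; i <= NF; i++) if ($i == "if_id") print name, parent, $(i + 1) }'
}

# stdin: "ip xfrm state" text. stdout: "<src> <dst> <if_id>" per SA bound to an xfrmi.
sa_ifids() {
  awk '/^src / { src = $2; dst = $4 }  /^[ \t]*if_id / { print src, dst, $2 }'
}

# stdin: "ip xfrm state" text. stdout: if_id values used by more than one SA, with the count.
shared_ifids() {
  sa_ifids | awk '{ c[$3]++ } END { for (k in c) if (c[k] > 1) print k, c[k] }'
}

# $1: "ipsec status" text, $2: "ip -d link show type xfrm" text.
# Prints "<conn> <iface> OK" when the kernel has that xfrmi on that parent,
# "<conn> <iface> MISSING" otherwise.
check_ifaces() {
  status="$1"; links="$2"
  printf '%s\n' "$status" | status_ifaces | while read -r conn iface; do
    if printf '%s\n' "$links" | xfrmi_links |
       awk -v n="${iface%@*}" -v p="${iface#*@}" '$1 == n && $2 == p { f = 1 } END { exit !f }'; then
      echo "$conn $iface OK"
    else
      echo "$conn $iface MISSING"
    fi
  done
}

# Offline run on the constructed samples. On a host use:
#   check_ifaces "$(ipsec status)" "$(ip -d link show type xfrm)"
#   ip xfrm state | shared_ifids
check_ifaces "$SAMPLE_STATUS" "$SAMPLE_LINKS"
printf '%s\n' "$SAMPLE_STATES" | shared_ifids
```

On the constructed input the second conn is reported MISSING (there is no ipsec1@ens224 link) and if_id 0x1 is shared by both SAs, which is the situation in which packets from both tunnels would surface on the single ipsec1@ens192 interface. Whether that is what happened on the reporter's host is something only the live "ip -d link" and "ip xfrm state" output can confirm.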

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20200424/a76102df/attachment-0001.html>