[Swan] Unable to get multiple subnets to traverse a vti, can someone help?

Dave Houser davehouser1 at gmail.com
Tue Sep 28 19:23:19 UTC 2021


Hello,

I need assistance configuring libreswan to allow client's vti (left) to
route to the server's vti (right) interface, as well as other subnets on
the far end via the single ipsec tunnel.

Right now I am able to route only one subnet or ALL subnets. I need the
client to be able to ping the VTI far end interface (172.21.0.1), as well
as other various subnets (Let's start with 10.104.8.0/24). Note: I am only
testing layer 3 right now with ICMP pings.

With the configurations below, I can only reach 10.104.8.0/24 devices on
the far end.
If I try to ping 172.21.0.1, I get "Destination Host Unreachable", and see
no traffic traversing the tunnel with "ipsec whack --trafficstatus".

Here is my config file:
(/etc/ipsec.d/myconfig.conf)

conn to-vsrx-01
    auto=start
    keyexchange=ike
    authby=secret
    ike=aes256-sha2_256;dh20
    esp=aes256-sha2_256
    left=2.2.0.2
    leftid=2.2.0.2
    leftsubnet=0.0.0.0/0
    leftupdown=/opt/_updown_vti01
    right=3.3.0.2
    rightsubnet=10.10.10.0/24
    keyingtries=0

Here is my updown script:
(/opt/_updown_vti01)

#!/bin/bash

set -o nounset
set -o errexit

VTI_IF="vti01"

case "${PLUTO_VERB}" in
    up-client)
        # Build VTI interface. Note the "key" is important to mark your traffic
        ip tunnel add $VTI_IF local 2.2.0.2 remote 3.3.0.2 mode vti key 42
        # Bring up vti
        ip link set $VTI_IF up
        # Apply IP address to VTI
        ip addr add 172.21.0.2 dev $VTI_IF
        # Add routing
        ip route add 172.21.0.0/29 dev $VTI_IF
        ip route add 10.104.8.0/24 dev $VTI_IF
        sysctl -w "net.ipv4.conf.$VTI_IF.disable_policy=1"
        sysctl -w "net.ipv4.conf.$VTI_IF.rp_filter=0"
        sysctl -w "net.ipv4.conf.$VTI_IF.forwarding=1"
        ;;
    down-client)
        ip tunnel del $VTI_IF
        ;;
esac

Before I start the tunnel, I first check my routes and interfaces to make
sure there are no residual configurations (no vti01, or routes) still
configured. If there are, I remove them. Then I perform the following:

# ipsec auto --delete to-vsrx-01
# ipsec auto --add to-vsrx-01
# ipsec auto --up to-vsrx-01

When checking my routes and interfaces after the tunnel comes up I see
the following (only including what was added); note there is no
default gateway on the host:

# ip -br a

vti01@NONE       UNKNOWN        172.21.0.2/32 fe80::200:5efe:202:2/64

# route -n

10.104.8.0      0.0.0.0         255.255.255.0   U     0      0        0 vti01
172.21.0.0      0.0.0.0         255.255.255.248 U     0      0        0 vti01

I then try to ping 10.104.8.123 (A host that is routable on the far
end), and 172.21.0.1 (The remote SA's interface).

I can reach 10.104.8.123 and get a reply. I get "Destination Host
Unreachable" when trying to ping 172.21.0.1.

I believe my issue is that since the "rightsubnet" only has the
10.104.8.0/24 subnet libreswan will only allow that subnet to traverse
the ipsec tunnel. I tried changing "rightsubnet" to 172.21.0.0/29, and
restarting the tunnel. The results aligned with my theory as I could
only ping 172.21.0.1 but not 10.104.8.123.

I tried using the "rightsubnets" parameter like this:

rightsubnets="172.21.0.0/29, 10.104.8.0/24"

But it seems libreswan thinks these are separate SAs, and as such will try
to re-run my updown script twice to connect to separate subnets. This
builds the tunnel but then errors out:

# ipsec auto --delete to-vsrx-01
002 "to-vsrx-01": terminating SAs using this connection
005 "to-vsrx-01" #6: ESP traffic information: in=84B out=84B
002 "to-vsrx-01" #5: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 83.87356s and sending notification
[root@gst-01 ipsec.d]# ipsec auto --add to-vsrx-01
002 "to-vsrx-01/1x0": added IKEv2 connection
002 "to-vsrx-01/2x0": added IKEv2 connection
[root@gst-01 ipsec.d]# ipsec auto --up to-vsrx-01
000 initiating all conns with alias='to-vsrx-01'
181 "to-vsrx-01/2x0" #7: initiating IKEv2 connection
000 "to-vsrx-01/1x0": queue Child SA; waiting on IKE SA "to-vsrx-01/2x0" #7 negotiating with 3.3.0.2
181 "to-vsrx-01/2x0" #7: sent IKE_SA_INIT request
002 "to-vsrx-01/2x0" #7: switching CHILD #8 to pending connection "to-vsrx-01/1x0"
182 "to-vsrx-01/2x0" #7: sent IKE_AUTH request {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=DH20}
003 "to-vsrx-01/2x0" #7: established IKE SA; authenticated using authby=secret and peer ID_IPV4_ADDR '3.3.0.2'
002 "to-vsrx-01/1x0" #8: up-client output: net.ipv4.conf.vti01.disable_policy = 1
002 "to-vsrx-01/1x0" #8: up-client output: net.ipv4.conf.vti01.rp_filter = 0
002 "to-vsrx-01/1x0" #8: up-client output: net.ipv4.conf.vti01.forwarding = 1
004 "to-vsrx-01/1x0" #8: established Child SA; IPsec tunnel [172.21.0.0-172.21.0.7:0-65535 0] -> [10.104.8.0-10.104.8.255:0-65535 0] {ESP=>0xfa47cb52 <0xa35c401a xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
002 "to-vsrx-01/2x0" #9: initiating Child SA using IKE SA #7
188 "to-vsrx-01/2x0" #9: sent CREATE_CHILD_SA request for new IPsec SA
003 "to-vsrx-01/2x0" #9: CREATE_CHILD_SA failed with error notification NO_PROPOSAL_CHOSEN
200 "to-vsrx-01/2x0" #9: state transition 'process create Child SA failure response (CREATE_CHILD_SA)' failed

Is this expected?

How can I get libreswan to allow multiple subnets to route via the vti
without trying to set up new connections to the new subnets?
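As an added example (not part of the post above or of libreswan's own code), the following POSIX shell helper reproduces the traffic-selector check that explains both observations in the post: a flow can use the tunnel only if some Child SA's leftsubnet/rightsubnet pair covers its source and destination, otherwise the kernel has no xfrm policy for it and the ping fails before any ESP is sent. The function names and the selector list are my constructions; the addresses are the ones from the post.

```shell
#!/bin/sh
# Added diagnostic helper, not from the original post: a packet only enters
# the IPsec tunnel if some Child SA's traffic selectors (leftsubnet -> rightsubnet)
# cover its src/dst; otherwise there is no xfrm policy and the ping just fails.
# Function names are mine; the addresses are the ones from the post.

# Dotted-quad IPv4 -> integer.
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains CIDR IP: succeed if IP lies inside CIDR (/0 matches anything).
cidr_contains() {
    net=${1%/*}; bits=${1#*/}
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# covered SRC DST "LEFT RIGHT" [...]: succeed if any selector pair covers
# SRC -> DST, i.e. the kernel would hold an xfrm policy for that flow.
covered() {
    src=$1; dst=$2; shift 2
    for pair in "$@"; do
        if cidr_contains "${pair% *}" "$src" && cidr_contains "${pair#* }" "$dst"; then
            return 0
        fi
    done
    return 1
}

# The post's situation: a single Child SA, 172.21.0.0/29 -> 10.104.8.0/24
# (the selectors printed in the "established Child SA" log line).
SELECTORS="172.21.0.0/29 10.104.8.0/24"
for d in 10.104.8.123 172.21.0.1; do
    if covered 172.21.0.2 "$d" "$SELECTORS"; then
        echo "$d: covered by a Child SA selector, traffic can use the tunnel"
    else
        echo "$d: no selector covers it, expect unreachable and empty trafficstatus"
    fi
done
```

Running it as-is reports 10.104.8.123 as covered and 172.21.0.1 as uncovered, which is exactly the split the post describes; passing a second selector pair (or 0.0.0.0/0 on both sides with routing done by the VTI) makes both destinations covered.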