[Swan] Unable to get multiple subnets to traverse a vti, can someone help?
Dave Houser
davehouser1 at gmail.com
Wed Sep 29 18:18:38 UTC 2021
Was able to fix this with the following. rightsubnet needed to be
configured with all subnets.
conn to-vsrx-01
    auto=start
    keyexchange=ike
    authby=secret
    ike=aes256-sha2_256;dh20
    esp=aes256-sha2_256
    left=2.2.0.2
    leftid=2.2.0.2
    leftsubnet=172.21.0.1
    leftupdown=/opt/_updown_vti01
    right=3.3.0.2
    rightsubnet=0.0.0.0/0
    keyingtries=0
On Tue, Sep 28, 2021 at 3:23 PM Dave Houser <davehouser1 at gmail.com> wrote:
> Hello,
>
> I need assistance configuring libreswan to allow client's vti (left) to
> route to the server's vti (right) interface, as well as other subnets on
> the far end via the single ipsec tunnel.
>
> Right now I am able to route only one subnet or ALL subnets. I need the
> client to be able to ping the VTI far end interface (172.21.0.1), as well
> as other various subnets (Let's start with 10.104.8.0/24). Note: I am only
> testing layer 3 right now with ICMP pings.
>
> With the configurations below, I can only reach 10.104.8.0/24 devices on
> the far end.
> If I try to ping 172.21.0.1, I get "Destination Host Unreachable", and
> see no traffic traversing the tunnel with "ipsec whack --trafficstatus"
>
> Here is my config file:
> (/etc/ipsec.d/myconfig.conf)
>
> conn to-vsrx-01
>     auto=start
>     keyexchange=ike
>     authby=secret
>     ike=aes256-sha2_256;dh20
>     esp=aes256-sha2_256
>     left=2.2.0.2
>     leftid=2.2.0.2
>     leftsubnet=0.0.0.0/0
>     leftupdown=/opt/_updown_vti01
>     right=3.3.0.2
>     rightsubnet=10.10.10.0/24
>     keyingtries=0
>
> Here is my updown script:
> (/opt/_updown_vti01)
>
> #!/bin/bash
>
> set -o nounset
> set -o errexit
>
> VTI_IF="vti01"
>
> case "${PLUTO_VERB}" in
>     up-client)
>         # Build VTI interface. Note the "key" is important to mark your traffic
>         ip tunnel add $VTI_IF local 2.2.0.2 remote 3.3.0.2 mode vti key 42
>         # Bring up vti
>         ip link set $VTI_IF up
>         # Apply IP address to VTI
>         ip addr add 172.21.0.2 dev $VTI_IF
>         # Add routing
>         ip route add 172.21.0.0/29 dev $VTI_IF
>         ip route add 10.104.8.0/24 dev $VTI_IF
>         sysctl -w "net.ipv4.conf.$VTI_IF.disable_policy=1"
>         sysctl -w "net.ipv4.conf.$VTI_IF.rp_filter=0"
>         sysctl -w "net.ipv4.conf.$VTI_IF.forwarding=1"
>         ;;
>     down-client)
>         ip tunnel del $VTI_IF
>         ;;
> esac
>
> Before I start the tunnel, I first check my routes and interfaces to make
> sure there are no residual configurations (no vti01, or routes) still
> configured. If there are, I remove them. Then I perform the following:
>
> # ipsec auto --delete to-vsrx-01
> # ipsec auto --add to-vsrx-01
> # ipsec auto --up to-vsrx-01
>
> When checking my routes and interfaces after the tunnel comes up I see the following (Only including what was added), note there is no default gateway on the host:
>
> # ip -br a
>
> vti01@NONE UNKNOWN 172.21.0.2/32 fe80::200:5efe:202:2/64
>
> # route -n
>
> 10.104.8.0 0.0.0.0 255.255.255.0 U 0 0 0 vti01
> 172.21.0.0 0.0.0.0 255.255.255.248 U 0 0 0 vti01
>
> I then try to ping 10.104.8.123 (A host that is routable on the far end), and 172.21.0.1 (The remote SA's interface).
>
> I can reach 10.104.8.123 and get a reply. I get "Destination Host Unreachable" when trying to ping 172.21.0.1.
>
> I believe my issue is that since the "rightsubnet" only has the 10.104.8.0/24 subnet libreswan will only allow that subnet to traverse the ipsec tunnel. I tried changing "rightsubnet" to 172.21.0.0/29, and restarting the tunnel. The results aligned with my theory as I could only ping 172.21.0.1 but not 10.104.8.123.
>
> I tried using the "rightsubnets" parameter like this
>
> rightsubnets="172.21.0.0/29, 10.104.8.0/24"
>
> But it seems libreswan thinks these are separate SAs, and as such will try to re-run my updown script twice to connect to separate subnets. This builds the tunnel but then errors out:
>
> # ipsec auto --delete to-vsrx-01
> 002 "to-vsrx-01": terminating SAs using this connection
> 005 "to-vsrx-01" #6: ESP traffic information: in=84B out=84B
> 002 "to-vsrx-01" #5: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 83.87356s and sending notification
> [root@gst-01 ipsec.d]# ipsec auto --add to-vsrx-01
> 002 "to-vsrx-01/1x0": added IKEv2 connection
> 002 "to-vsrx-01/2x0": added IKEv2 connection
> [root@gst-01 ipsec.d]# ipsec auto --up to-vsrx-01
> 000 initiating all conns with alias='to-vsrx-01'
> 181 "to-vsrx-01/2x0" #7: initiating IKEv2 connection
> 000 "to-vsrx-01/1x0": queue Child SA; waiting on IKE SA "to-vsrx-01/2x0" #7 negotiating with 3.3.0.2
> 181 "to-vsrx-01/2x0" #7: sent IKE_SA_INIT request
> 002 "to-vsrx-01/2x0" #7: switching CHILD #8 to pending connection "to-vsrx-01/1x0"
> 182 "to-vsrx-01/2x0" #7: sent IKE_AUTH request {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=DH20}
> 003 "to-vsrx-01/2x0" #7: established IKE SA; authenticated using authby=secret and peer ID_IPV4_ADDR '3.3.0.2'
> 002 "to-vsrx-01/1x0" #8: up-client output: net.ipv4.conf.vti01.disable_policy = 1
> 002 "to-vsrx-01/1x0" #8: up-client output: net.ipv4.conf.vti01.rp_filter = 0
> 002 "to-vsrx-01/1x0" #8: up-client output: net.ipv4.conf.vti01.forwarding = 1
> 004 "to-vsrx-01/1x0" #8: established Child SA; IPsec tunnel [172.21.0.0-172.21.0.7:0-65535 0] -> [10.104.8.0-10.104.8.255:0-65535 0] {ESP=>0xfa47cb52 <0xa35c401a xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive}
> 002 "to-vsrx-01/2x0" #9: initiating Child SA using IKE SA #7
> 188 "to-vsrx-01/2x0" #9: sent CREATE_CHILD_SA request for new IPsec SA
> 003 "to-vsrx-01/2x0" #9: CREATE_CHILD_SA failed with error notification NO_PROPOSAL_CHOSEN
> 200 "to-vsrx-01/2x0" #9: state transition 'process create Child SA failure response (CREATE_CHILD_SA)' failed
>
> Is this expected?
>
> How can I get libreswan to allow multiple subnets to route via the vti without trying to set up new connections to the new subnets?
>
>
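Editor's note on the two messages above. The working fix uses rightsubnet=0.0.0.0/0: for a route-based (VTI) tunnel the IPsec policy should match everything, and the routes pointing at vti01 decide which destinations actually enter the tunnel. With a narrow rightsubnet only packets inside that selector match the policy, which is why 172.21.0.1 was unreachable while 10.104.8.0/24 worked; rightsubnets= does not widen one SA but expands into one connection per subnet pair (the "to-vsrx-01/1x0" and "/2x0" lines in the log), each with its own Child SA and its own updown run. The script below is an added example, not the poster's script and not libreswan's own _updown: an idempotent updown script that derives the endpoints from PLUTO_ME/PLUTO_PEER, takes the VTI key from PLUTO_MARK_OUT (assumed to be exported as "mark/mask" when the conn sets mark=; otherwise it falls back to the thread's key 42), installs routes for all far-end subnets, and warns when a route lies outside the traffic selector libreswan reports in PLUTO_PEER_CLIENT. The interface name, addresses and DRYRUN switch are assumptions for illustration. libreswan also has native vti-interface=, vti-routing= and mark= options in ipsec.conf(5) that remove the need for a custom updown script; the thread does not use them.

```shell
#!/bin/bash
# Idempotent libreswan updown script for a route-based (VTI) conn.
# Added example for this thread; not the poster's script and not libreswan's
# own _updown. Assumes pluto exports PLUTO_VERB, PLUTO_ME, PLUTO_PEER,
# PLUTO_PEER_CLIENT (the peer's traffic selector, e.g. 0.0.0.0/0) and, when
# the conn sets mark=, PLUTO_MARK_OUT in "mark/mask" form (assumed format).
set -o nounset
set -o errexit

VTI_IF="${VTI_IF:-vti01}"
VTI_ADDR="${VTI_ADDR:-172.21.0.2/29}"                    # local end of the VTI (thread's addressing)
VTI_ROUTES="${VTI_ROUTES:-172.21.0.0/29 10.104.8.0/24}"  # far-end subnets to send into the tunnel
DRYRUN="${DRYRUN:-0}"                                    # 1 = print the commands instead of running them

# run CMD...: execute, or echo the command line when DRYRUN=1 (lets the script be tested unprivileged)
run() { if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# norm ADDR[/LEN]: bare addresses, as ipsec.conf accepts them, become /32
norm() { case "$1" in */*) echo "$1" ;; *) echo "$1/32" ;; esac; }

# ip2int A.B.C.D: dotted quad to a 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_covers OUTER INNER: succeeds when prefix INNER lies entirely inside prefix OUTER
cidr_covers() {
  local onet="${1%/*}" olen="${1#*/}" inet="${2%/*}" ilen="${2#*/}"
  [ "$ilen" -ge "$olen" ] || return 1     # a wider prefix cannot fit inside a narrower one
  [ "$olen" -eq 0 ] && return 0           # 0.0.0.0/0 covers everything
  local mask=$(( (0xFFFFFFFF << (32 - olen)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$onet") & mask )) -eq $(( $(ip2int "$inet") & mask )) ]
}

# vti_key: use the conn's mark= as the VTI key; fall back to 42 as the thread's script did (assumption)
vti_key() { local m="${PLUTO_MARK_OUT:-}"; m="${m%%/*}"; echo "${m:-42}"; }

# check_selectors: a route into the VTI only carries traffic if the destination is inside
# the negotiated traffic selector (rightsubnet); warn about each route that is not
check_selectors() {
  local ts r rc=0
  ts="$(norm "${PLUTO_PEER_CLIENT:-0.0.0.0/0}")"
  for r in $VTI_ROUTES; do
    if ! cidr_covers "$ts" "$(norm "$r")"; then
      echo "WARNING: $r is outside rightsubnet $ts; that traffic will not match the IPsec policy" >&2
      rc=1
    fi
  done
  return $rc
}

up_client() {
  # Create the interface only once: with rightsubnets= every Child SA runs this script,
  # and a second "ip tunnel add" would fail under errexit
  if [ "$DRYRUN" = 1 ] || [ ! -d "/sys/class/net/$VTI_IF" ]; then
    run ip tunnel add "$VTI_IF" local "$PLUTO_ME" remote "$PLUTO_PEER" mode vti key "$(vti_key)"
    run ip link set "$VTI_IF" up
    run ip addr add "$VTI_ADDR" dev "$VTI_IF"
    run sysctl -q -w "net.ipv4.conf.$VTI_IF.disable_policy=1"   # same sysctls the thread's script sets
    run sysctl -q -w "net.ipv4.conf.$VTI_IF.rp_filter=0"
    run sysctl -q -w "net.ipv4.conf.$VTI_IF.forwarding=1"
  fi
  check_selectors || true                  # warn, but still install the routes
  local r
  for r in $VTI_ROUTES; do run ip route replace "$r" dev "$VTI_IF"; done
}

down_client() {
  if [ "$DRYRUN" = 1 ] || [ -d "/sys/class/net/$VTI_IF" ]; then
    run ip tunnel del "$VTI_IF"            # routes on the device go away with it
  fi
}

# updown: dispatch on PLUTO_VERB; the *-host, prepare-* and (un)route-* verbs need nothing for a VTI
updown() {
  case "${PLUTO_VERB:-}" in
    up-client)   up_client ;;
    down-client) down_client ;;
    *) ;;
  esac
}

# Dispatch when pluto executes the script; do nothing extra when it is sourced for testing
if [ "${BASH_SOURCE:-$0}" = "$0" ]; then updown; fi
```

Run it unprivileged with DRYRUN=1 PLUTO_VERB=up-client PLUTO_ME=2.2.0.2 PLUTO_PEER=3.3.0.2 PLUTO_PEER_CLIENT=10.104.8.0/24 to see the commands it would issue and the warning for 172.21.0.0/29, which is the selector mismatch behind the "Destination Host Unreachable" case in the first message; with PLUTO_PEER_CLIENT=0.0.0.0/0, the setting the poster ended up with, no warning fires. Using "ip route replace" rather than "ip route add" keeps repeated invocations from failing once a route already exists.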