<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 6, 2016 at 1:56 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span class="">On Wed, 6 Jul 2016, Xinwei Hong wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
I'm trying to play around with VTI support. I have the following conf in /etc/ipsec.conf<br>
</blockquote>
<br>
</span><span class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
    # route-based VPN requires marking and an interface<br>
    mark=5/0xffffffff<br>
    vti-interface=vti01<br>
    # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel<br>
    vti-routing=no<br>
</blockquote>
<br></span>
You can also use vti-shared=no so the device is also deleted<br>
automatically when the tunnel goes down.<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
Do we need anything else in the ipsec.conf file such as:<br>
<br>
config setup<br>
<br>
    protostack=netkey<br>
<br>
    interfaces="vti01=eth1"<br>
<br>
    plutodebug=all<br>
</blockquote>
<br></span>
No. The interfaces= line is used for KLIPS only and should not be used<br>
for NETKEY/XFRM.<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
Note that I want to have a route-based VPN via netkey/pluto. I have set up /etc/ipsec.secrets to have PSK on both ends.<br>
<br>
If I run "ipsec start"<br>
<br>
I got:<br>
<br>
Redirecting to: start ipsec<br>
<br>
start: Job failed to start<br>
<br>
So, I should not start ipsec that way?<br>
</blockquote>
<br></span>
That should work.</blockquote><div><br></div><div>When I do:</div><div>
<p class=""><span class=""># ipsec start</span></p>
<p class=""><span class="">Redirecting to: start ipsec</span></p>
<p class=""><span class="">ipsec start/running, process 27837</span></p><p class=""><span class=""><br></span></p><p class=""><span class="">I got:</span></p>
<p class=""><span class=""># ipsec status</span></p>
<p class=""><span class="">whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")</span></p></div><div>What's wrong here?</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
If I run:<br>
<br>
ipsec pluto --stderrlog --config /etc/ipsec.conf <br>
<br>
I got:<br>
<br>
Both ends look fine. <br>
<br>
"ipsec status" gets the following:<br>
</blockquote>
<br>
</span><span class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
000 Total IPsec connections: loaded 1, active 0<br>
</blockquote>
<br></span>
It is loaded but not initiated. Try ipsec auto --up routed-vpn and see if you get an error?</blockquote><div><br></div><div>I got:</div>
<p class=""><span class="">ipsec auto --up routed-vpn</span></p>
<p class=""><span class="">Jul  6 22:06:15: "routed-vpn" #1: initiating Main Mode</span></p>
<p class=""><span class="">002 "routed-vpn" #1: initiating Main Mode</span></p>
<p class=""><span class="">104 "routed-vpn" #1: STATE_MAIN_I1: initiate</span></p>
<p class=""><span class="">Jul  6 22:06:15: "routed-vpn" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2</span></p>
<p class=""><span class="">Jul  6 22:06:15: "routed-vpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2</span></p>
<p class=""><span class="">002 "routed-vpn" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2</span></p>
<p class=""><span class="">106 "routed-vpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2</span></p>
<p class=""><span class="">Jul  6 22:06:15: "routed-vpn" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3</span></p>
<p class=""><span class="">002 "routed-vpn" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3</span></p>
<p class=""><span class="">Jul  6 22:06:15: "routed-vpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3</span></p>
<p class=""><span class="">108 "routed-vpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3</span></p>
<p class=""><span class="">Jul  6 22:06:15: "routed-vpn" #1: Main mode peer ID is ID_IPV4_ADDR: '10.2.128.241'</span></p>
<p class=""><span class="">002 "routed-vpn" #1: Main mode peer ID is ID_IPV4_ADDR: '10.2.128.241'</span></p>
<p class=""><span class="">Jul  6 22:06:15: "routed-vpn" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4</span></p>
<p class=""><span class="">002 "routed-vpn" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4</span></p>
<p class=""><span class="">Jul  6 22:06:15: "routed-vpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP4096}</span></p>
<p class=""><span class="">004 "routed-vpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP4096}</span></p>
<p class=""><span class="">Jul  6 22:06:15: "routed-vpn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:fff823dd proposal=AES(12)_128-SHA1(2) pfsgroup=OAKLEY_GROUP_MODP4096}</span></p>
<p class=""><span class="">002 "routed-vpn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:fff823dd proposal=AES(12)_128-SHA1(2) pfsgroup=OAKLEY_GROUP_MODP4096}</span></p>
<p class=""><span class="">117 "routed-vpn" #2: STATE_QUICK_I1: initiate</span></p>
<p class=""><span class="">Jul  6 22:06:15: "routed-vpn" #2: prepare-client output: creating vti interface</span></p>
<p class=""><span class="">002 "routed-vpn" #2: prepare-client output: creating vti interface</span></p>
<p class=""><span class="">Jul  6 22:06:15: "routed-vpn" #2: prepare-client output: Keys are not allowed with ipip and sit tunnels</span></p>
<p class=""><span class="">002 "routed-vpn" #2: prepare-client output: Keys are not allowed with ipip and sit tunnels</span></p>
<p class=""><span class="">Jul  6 22:06:15: "routed-vpn" #2: prepare-client output: Cannot find device "vti01"</span></p>
<p class=""><span class="">002 "routed-vpn" #2: prepare-client output: Cannot find device "vti01"</span></p>
<p class=""><span class="">Jul  6 22:06:15: "routed-vpn" #2: prepare-client output: sysctl: cannot stat /proc/sys/net/ipv4/conf/vti01/disable_policy: No such file or directory</span></p>
<p class=""><span class="">002 "routed-vpn" #2: prepare-client output: sysctl: cannot stat /proc/sys/net/ipv4/conf/vti01/disable_policy: No such file or directory</span></p>
<p class=""><span class="">Jul  6 22:06:15: "routed-vpn" #2: prepare-client output: sysctl: cannot stat /proc/sys/net/ipv4/conf/vti01/rp_filter: No such file or directory</span></p>
<p class=""><span class="">002 "routed-vpn" #2: prepare-client output: sysctl: cannot stat /proc/sys/net/ipv4/conf/vti01/rp_filter: No such file or directory</span></p>
<p class=""><span class="">Jul  6 22:06:15: "routed-vpn" #2: prepare-client output: sysctl: cannot stat /proc/sys/net/ipv4/conf/vti01/forwarding: No such file or directory</span></p>
<p class=""><span class="">002 "routed-vpn" #2: prepare-client output: sysctl: cannot stat /proc/sys/net/ipv4/conf/vti01/forwarding: No such file or directory</span></p>
<p class=""><span class="">Jul  6 22:06:15: "routed-vpn" #2: prepare-client command exited with status 255</span></p>
<p class=""><span class="">003 "routed-vpn" #2: prepare-client command exited with status 255</span></p>
<p class=""><span class="">Jul  6 22:06:15: "routed-vpn" #2: route-client output: addvti called</span></p>
<p class=""><span class="">002 "routed-vpn" #2: route-client output: addvti called</span></p>
<p class=""><span class="">Jul  6 22:06:15: "routed-vpn" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2</span></p>
<p class=""><span class="">002 "routed-vpn" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2</span></p>
<p class=""><span class="">Jul  6 22:06:15: "routed-vpn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x72086792 <0xd687041d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}</span></p>
<p class=""><span class="">004 "routed-vpn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x72086792 <0xd687041d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}</span></p>
<p class=""><br></p><p class="">After I ran the same command on the other end, the following message was printed on the local screen.</p><p class=""><br></p><p class="">Jul  6 22:10:20: "routed-vpn" #1: the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0<br></p>
<p class=""><span class="">Jul  6 22:10:20: "routed-vpn" #3: responding to Quick Mode proposal {msgid:1a3e14cd}</span></p>
<p class=""><span class="">Jul  6 22:10:20: "routed-vpn" #3:     us: 0.0.0.0/0===10.2.128.240<10.2.128.240></span></p>
<p class=""><span class="">Jul  6 22:10:20: "routed-vpn" #3:   them: 10.2.128.241<10.2.128.241>===0.0.0.0/0</span></p>
<p class=""><span class="">Jul  6 22:10:20: "routed-vpn" #3: keeping refhim=4294901761 during rekey</span></p>
<p class=""><span class="">Jul  6 22:10:20: "routed-vpn" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1</span></p>
<p class=""><span class="">Jul  6 22:10:20: "routed-vpn" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0x54d07c6c <0x6e518193 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}</span></p>
<p class=""><span class="">Jul  6 22:10:20: "routed-vpn" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2</span></p>
<p class=""><span class="">Jul  6 22:10:20: "routed-vpn" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x54d07c6c <0x6e518193 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}</span></p>
<p class=""><span class=""></span><br></p>
<p class=""><span class="">Jul  6 22:11:06: "routed-vpn" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:c957769a proposal=AES(12)_128-SHA1(2) pfsgroup=OAKLEY_GROUP_MODP4096}</span></p>
<p class=""><span class="">002 "routed-vpn" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:c957769a proposal=AES(12)_128-SHA1(2) pfsgroup=OAKLEY_GROUP_MODP4096}</span></p>
<p class=""><span class="">117 "routed-vpn" #4: STATE_QUICK_I1: initiate</span></p>
<p class=""><span class="">Jul  6 22:11:07: "routed-vpn" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2</span></p>
<p class=""><span class="">002 "routed-vpn" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2</span></p>
<p class=""><span class="">Jul  6 22:11:07: "routed-vpn" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x960cd38b <0x1b993deb xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}</span></p>
<div>004 "routed-vpn" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x960cd38b <0x1b993deb xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}</div><div><br></div><div>After this, I still cannot see vti01 with "ip link" or "ip tun", so I could not add a route to test whether the connection works.</div><div> </div><div>ipsec status got:</div><div><br></div><div>
<p class=""><span class="">000 Connection list:</span></p>
<p class=""><span class="">000  </span></p>
<p class=""><span class="">000 "routed-vpn": 0.0.0.0/0===10.2.128.240<10.2.128.240>...10.2.128.241<10.2.128.241>===0.0.0.0/0; erouted; eroute owner: #4</span></p>
<p class=""><span class="">000 "routed-vpn":     oriented; my_ip=unset; their_ip=unset</span></p>
<p class=""><span class="">000 "routed-vpn":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]</span></p>
<p class=""><span class="">000 "routed-vpn":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;</span></p>
<p class=""><span class="">000 "routed-vpn":   labeled_ipsec:no;</span></p>
<p class=""><span class="">000 "routed-vpn":   policy_label:unset;</span></p>
<p class=""><span class="">000 "routed-vpn":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2;</span></p>
<p class=""><span class="">000 "routed-vpn":   retransmit-interval: 500ms; retransmit-timeout: 60s;</span></p>
<p class=""><span class="">000 "routed-vpn":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;</span></p>
<p class=""><span class="">000 "routed-vpn":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;</span></p>
<p class=""><span class="">000 "routed-vpn":   conn_prio: 0,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto;</span></p>
<p class=""><span class="">000 "routed-vpn":   nflog-group: unset; mark: 5/0xffffffff, 5/0xffffffff; vti-iface: vti01; vti-routing: no</span></p>
<p class=""><span class="">000 "routed-vpn":   newest ISAKMP SA: #1; newest IPsec SA: #4;</span></p>
<p class=""><span class="">000 "routed-vpn":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP4096(16)</span></p>
<p class=""><span class="">000 "routed-vpn":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)-MODP4096(16)</span></p>
<p class=""><span class="">000 "routed-vpn":   IKE algorithm newest: AES_CBC_128-SHA1-MODP4096</span></p>
<p class=""><span class="">000 "routed-vpn":   ESP algorithms wanted: AES(12)_128-SHA1(2)</span></p>
<p class=""><span class="">000 "routed-vpn":   ESP algorithms loaded: AES(12)_128-SHA1(2)</span></p>
<p class=""><span class="">000 "routed-vpn":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<Phase1></span></p>
<p class=""><span class="">000  </span></p>
<p class=""><span class="">000 Total IPsec connections: loaded 1, active 1</span></p>
<p class=""><span class="">000  </span></p>
<p class=""><span class="">000 State Information: DDoS cookies not required, Accepting new IKE connections</span></p>
<p class=""><span class="">000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)</span></p>
<p class=""><span class="">000 IPsec SAs: total(3), authenticated(3), anonymous(0)</span></p>
<p class=""><span class="">000  </span></p>
<p class=""><span class="">000 #4: "routed-vpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26925s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate</span></p>
<p class=""><span class="">000 #4: "routed-vpn" esp.960cd38b@10.2.128.241 esp.1b993deb@10.2.128.240 tun.0@10.2.128.241 tun.0@10.2.128.240 ref=0 refhim=4294901761 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B </span></p>
<p class=""><span class="">000 #3: "routed-vpn":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27570s; isakmp#1; idle; import:admin initiate</span></p>
<p class=""><span class="">000 #3: "routed-vpn" esp.54d07c6c@10.2.128.241 esp.6e518193@10.2.128.240 tun.0@10.2.128.241 tun.0@10.2.128.240 ref=0 refhim=4294901761 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B </span></p>
<p class=""><span class="">000 #2: "routed-vpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26843s; isakmp#1; idle; import:admin initiate</span></p>
<p class=""><span class="">000 #2: "routed-vpn" esp.72086792@10.2.128.241 esp.d687041d@10.2.128.240 tun.0@10.2.128.241 tun.0@10.2.128.240 ref=0 refhim=4294901761 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B </span></p>
<p class=""><span class="">000 #1: "routed-vpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1402s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate</span></p><p class=""><span class=""><br></span></p></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
What is the ip_vti0 here?<br>
</blockquote>
<br></span>
It's a kernel module thingy which you can ignore.<span class=""><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br></div></div>
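Added example, not part of this thread and not libreswan's own code: a small Python triage over constructed copies of the two outputs quoted above, the updown-hook lines from "ipsec auto --up" and the per-SA traffic counters from "ipsec status". It separates "the SA negotiated" from "the updown hook failed", which is exactly the split in this report: the IPsec SA is established, yet prepare-client exits 255 because vti01 was never created, so the three keyed SAs sit at ESPin=0B ESPout=0B. The regexes, function names and sample lines are my own assumptions about the log format, not a libreswan API.

```python
import re
# Constructed sample lines, modelled on the pluto output quoted in the thread (not a real capture).
SAMPLE_UP = """\
004 "routed-vpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha}
002 "routed-vpn" #2: prepare-client output: creating vti interface
002 "routed-vpn" #2: prepare-client output: Keys are not allowed with ipip and sit tunnels
002 "routed-vpn" #2: prepare-client output: Cannot find device "vti01"
003 "routed-vpn" #2: prepare-client command exited with status 255
004 "routed-vpn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x72086792 <0xd687041d}
"""
SAMPLE_STATUS = """\
000 #4: "routed-vpn" esp.960cd38b@10.2.128.241 esp.1b993deb@10.2.128.240 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #3: "routed-vpn" esp.54d07c6c@10.2.128.241 esp.6e518193@10.2.128.240 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #2: "routed-vpn" esp.72086792@10.2.128.241 esp.d687041d@10.2.128.240 Traffic: ESPin=1200B ESPout=0B! ESPmax=4194303B
"""
SA_RE = re.compile(r'^004 "[^"]+" #(?P<sa>\d+): STATE_\w+: .*?(?P<kind>ISAKMP|IPsec) SA established')
HOOK_RE = re.compile(r'^00[23] "[^"]+" #(?P<sa>\d+): (?P<hook>[\w-]+) '
                     r'(?:output: (?P<msg>.*)|command exited with status (?P<status>\d+))$')
TRAFFIC_RE = re.compile(r'^000 #(?P<sa>\d+): "[^"]+" .*Traffic: ESPin=(?P<i>\d+)B ESPout=(?P<o>\d+)B')

def parse_up(log):
    """Summarise 'ipsec auto --up' output: SAs that came up and updown hooks that failed."""
    summary = {"isakmp": [], "ipsec": [], "hook_failures": []}
    hook_output = {}                      # (sa, hook) -> lines the hook printed
    for line in log.splitlines():
        m = SA_RE.match(line)
        if m:
            summary["isakmp" if m["kind"] == "ISAKMP" else "ipsec"].append(int(m["sa"]))
            continue
        m = HOOK_RE.match(line)
        if not m:
            continue
        key = (int(m["sa"]), m["hook"])
        if m["msg"] is not None:
            hook_output.setdefault(key, []).append(m["msg"])
        elif m["status"] != "0":          # non-zero exit: pluto logs it but keeps negotiating
            summary["hook_failures"].append({"sa": key[0], "hook": key[1],
                "status": int(m["status"]), "output": hook_output.get(key, [])})
    return summary

def idle_ipsec_sas(status):
    """SA numbers in 'ipsec status' whose ESP counters are both zero: keyed but carrying nothing."""
    return [int(m["sa"]) for m in map(TRAFFIC_RE.match, status.splitlines())
            if m and m["i"] == "0" and m["o"] == "0"]

def diagnose(log, status, vti_iface):
    """Tie the two views together for the case in the thread: SAs up, VTI device absent."""
    up, idle = parse_up(log), idle_ipsec_sas(status)
    for fail in up["hook_failures"]:
        if any(f'Cannot find device "{vti_iface}"' in o for o in fail["output"]):
            return (f'{fail["hook"]} exited {fail["status"]}: {vti_iface} was never created, so the '
                    f'{len(up["ipsec"])} negotiated IPsec SA(s) have no interface; idle SAs: {idle}')
    if up["ipsec"] and idle:
        return f"IPsec SAs {idle} are established but idle; check the route via {vti_iface}"
    return "no VTI problem detected"
```

Run the same three functions over a live "ipsec auto --up" transcript and "ipsec status" dump to tell a failed hook apart from a plain routing gap.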