<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EstiloDeEmail17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="PT-BR" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">Dear,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> I didnt know much on which list to ask that, but i believe that's a more dev situation then users. Its also a double post from swan-dev list. I do not know if someone else has the same issue we have here, but here it
goes:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> I would like to request a new feature. Let me explain our scenario and what we trying to do libreswan:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> We have on our Datacenter, a Palo Alto device that does handle as our VPN Server (IPsec) to multiple sites, and we use dynamic routing protocols (BGP and OSPF) -- currently BGP on the VPN side. We can make it properly
work w/ other Palo Alto and Cisco devices.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> The following links describes what we need to configure on devices:
<a href="https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/documentation_tkb/525/1/How_to_Configure-Dynamic_Routing_over_IPSec_against_Cisco-vc.pdf">
https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/documentation_tkb/525/1/How_to_Configure-Dynamic_Routing_over_IPSec_against_Cisco-vc.pdf</a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> We have many sites that we are using Linux, and we choose Libreswan to be our VPN IPsec software. We first started using policy based VPN but we quickly found a problem: Dynamic Routing Protocols did not work as expected.
The real trick is that routing protocols demand IP on tunnel interfaces to work properly and exchange adversites and routing protocol information. I was glad i found VTI support on the beta release, that really solves the issue, as i have a tunnel interface
to route thru.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> I quickly found the problem. We need to have configured IP on the tunnel interface, and libreswan did not the manage that to do it properly. We could get the tunnel UP with properly local/remote ip address, but the
interface did not have IP address (which is required to by routing protocols).<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> What we need to do is configure one ip address, like 192.168.168.1/30 on site A (palo alto) and 192.168.168.2/30 on site B, and the local and remote tunnel which are the real ip address that we use to connect (that
works good). To solve the issue i had to manually set the ip address by myself: # ip addr add 192.168.168.2/30 dev <vti-interface><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> Here are my configs:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # conn.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> conn tjpa-vpn<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> authby=secret<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> auto=start<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> left=10.87.133.6<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> leftid=10.87.133.6<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> right=10.87.1.1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> rightid=10.87.1.1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> leftsubnet=0.0.0.0/0<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> rightsubnet=0.0.0.0/0<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> phase2=esp<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> phase2alg=aes256-sha1;modp1536<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> mark = 87/0xffffff<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> vti-interface=vti-pdp<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> vti-routing=no<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"># ip tunnel show<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">ip_vti0: ip/ip remote any local any ttl inherit nopmtudisc key 0<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">vti-pdp: ip/ip remote 10.87.1.1 local 10.87.133.6 ttl inherit key 87
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"># ifconfig vti-pdp<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">vti-pdp: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1480<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> inet 192.168.168.2 netmask 255.255.255.252 destination 192.168.168.2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> tunnel txqueuelen 0 (IPIP Tunnel)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> RX packets 13 bytes 970 (970.0 B)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> RX errors 0 dropped 0 overruns 0 frame 0<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> TX packets 10 bytes 1528 (1.4 KiB)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"># ip route show<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">default via 192.168.168.1 dev vti-pdp proto zebra<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">10.21.0.0/16 via 10.21.133.1 dev eth0 proto static metric 100<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">10.21.133.0/24 dev eth0 proto kernel scope link src 10.21.133.3 metric 100<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">10.87.0.0/16 via 10.87.133.10 dev eth2 proto static metric 100<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">10.87.133.0/24 dev eth2 proto kernel scope link src 10.87.133.6 metric 100<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">10.139.0.0/16 dev eth1 proto kernel scope link src 10.139.0.20 metric 100<o:p></o:p></span></p>
<p class="MsoNormal">172.18.0.0/21 via 192.168.168.1 dev vti-pdp proto zebra<o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">192.168.168.0/30 dev vti-pdp proto kernel scope link src 192.168.168.2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">So its fully working as i would like. I had to do a nasty workaround with systemd to get it working:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I had to add to ipsec.service -><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">ExecStartPost=/opt/set-tunnel-ip.sh<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"># cat /opt/set-tunnel-ip.sh<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">#!/bin/bash<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">sleep 5<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">ip addr add 192.168.168.2/30 dev vti-pdp<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> Observation: If we do not "wait" to set up ip address, it fails because the interface is not created yet.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I think i already explained my scenario (hope thats enough details, even though long). As looking into the code and scripts i found _updown.netkey script and looked into addvtiiface() function on the following codes:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">if [ ! -d "/proc/sys/net/ipv4/conf/${VTI_IFACE}" ]; then<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> # echo "creating vti interface"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> vtipeer="${PLUTO_PEER}"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> if [ "${PLUTO_CONN_KIND}" = CK_INSTANCE -o "${VTI_SHARED}" = "yes" ]; then<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> vtipeer="0.0.0.0"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> fi<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> ip tunnel add ${VTI_IFACE} mode vti local ${PLUTO_ME} \<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> remote ${vtipeer} okey ${CONNMARK_OUT%/*} \<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> ikey ${CONNMARK_IN%/*}<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> sysctl -w net.ipv4.conf.${VTI_IFACE}.disable_policy=1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> sysctl -w net.ipv4.conf.${VTI_IFACE}.rp_filter=0<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> sysctl -w net.ipv4.conf.${VTI_IFACE}.forwarding=1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> ip link set ${VTI_IFACE} up<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> Modify here would fix everything. We just need to set the following command after the interface is up (or add another function).<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> if [ -n "${VTI_IP}" ]; then<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> ip addr add ${VTI_IP} dev ${VTI_IFACE}<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> fi<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> Also, we need to modify to read {VTI_IP} from the configuration file. I would suggest another keyword:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> vti-ip=192.168.168.2/30<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> I believe the modifications should be fairly easy to implement. It should not be compatible with vti-shared as each tunnel must have its own unique ip. And by adding this feature it would make libreswan compatible
with most VPN software (commercial) w/ Route based and Dynamic Routing Protocols.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> I would like to hear back from you guys if that's possible to do, and i believe it should not be much hard to implement.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal">Best regards,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:PT-BR">Att,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:PT-BR">Bruno Benchimol<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:PT-BR"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:PT-BR">Tribunal de Justiça do Estado Pará<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:PT-BR">Chefe do Serviço de Segurança e Sistemas Básicos<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:PT-BR">(91) 3250-8383</span><span style="mso-fareast-language:PT-BR"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br />--
<br />This message has been scanned for viruses and
<br />dangerous content by
<a href="http://www.mailscanner.info/"><b>MailScanner</b></a>, and is
<br />believed to be clean.
</body>
</html>