<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><font face="DejaVu Serif">Hi,</font></p>
<p><font face="DejaVu Serif">Thanks Paul, this works as defined, but I think
I found an issue: the left/right protocols are not respected...
and so the tunnels are partially up and I cannot send VXLAN
traffic through the VPN.</font></p>
<p><font face="DejaVu Serif"><br>
</font></p>
<p><font face="DejaVu Serif">My current conf is (boxA and boxB, with the
left/right params reversed):</font></p>
<pre>conn ipsec9convxlanout
    also=ipsec9convxlan
    leftprotoport=17/0
    rightprotoport=17/4789
    auto=start

conn ipsec9convxlanin
    also=ipsec9convxlan
    leftprotoport=17/4789
    rightprotoport=17/0
    auto=start

conn ipsec9convxlan
    type=transport
    leftrsasigkey=%cert
    leftcert=LabVxLANandDemoVxLAN
    rightrsasigkey=%cert
    leftid=@LabVxLAN
    left=192.168.1.108
    right=20.20.10.4
    rightid=@DemoVxLAN
    dpddelay=30
    dpdtimeout=60
    dpdaction=restart
</pre>
<p><font face="DejaVu Serif"><br>
</font></p>
<p><font face="DejaVu Serif">My left side is behind NAT and I cannot
force port 500 or 4500 to the libreswan box, so I end up with
partial tunnels up. <br>
</font></p>
<p><font face="DejaVu Serif">On the left, both conns are up:<br>
</font></p>
<pre>ipsec whack --trafficstatus
006 #3: "ipsec1convxlanin", type=ESP, add_time=1526136419, inBytes=0, outBytes=0, id='@LabVxLAN'
006 #2: "ipsec1convxlanout", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@LabVxLAN'
</pre>
<p><font face="DejaVu Serif"><br>
</font></p>
<p><font face="DejaVu Serif">The right side is wrong:<br>
</font></p>
<pre>ipsec whack --trafficstatus
006 #6: "ipsec9convxlanin", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@DemoVxLAN'
006 #7: "ipsec9convxlanin", type=ESP, add_time=0, inBytes=0, outBytes=0, id='@DemoVxLAN'
</pre>
<p><i><font face="DejaVu Serif">Expected:</font></i></p>
<pre>ipsec whack --trafficstatus
006 #6: "ipsec9convxlanin", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@DemoVxLAN'
006 #7: "ipsec9convxlanout", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@DemoVxLAN'
</pre>
<p><font face="DejaVu Serif"><font face="DejaVu Serif"><br>
</font></font></p>
<p><font face="DejaVu Serif">When connecting ipsec1convxlanout
from the left side, it detects the connection as ipsec9convxlanin.... <br>
</font></p>
<p><font face="DejaVu Serif">If I can "dial out" from the right to
the left side (removing the NAT issue), all is OK.</font></p>
<p><font face="DejaVu Serif"><br>
</font></p>
<p><font face="DejaVu Serif">Can I do this with my current configuration?
Or should I define two different connections (different ids)?<br>
</font></p>
<br>
<br>
<div class="moz-cite-prefix">On 01/25/2018 03:39 PM, Paul Wouters
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:alpine.LRH.2.21.1801250936290.27126@bofh.nohats.ca">On
Tue, 23 Jan 2018, António Silva wrote:
<br>
<br>
<blockquote type="cite">I tried to set leftprotoport /
rightprotoport=udp/4789; I can ping the IP on boxB going through
the vxlan but the traffic is not encrypted..
<br>
</blockquote>
<br>
Well yes, ping does not use udp port 4789 :)
<br>
<br>
<blockquote type="cite">Sowmini, you suggest using two tunnels,
how should they be?
<br>
</blockquote>
<br>
<blockquote type="cite">conn boxA
<br>
</blockquote>
[...]
<br>
<blockquote type="cite"> leftprotoport=udp/4789
<br>
rightprotoport=udp/4789
<br>
</blockquote>
<br>
I think you want:
<br>
<br>
conn boxA-out
<br>
[...]
<br>
leftprotoport=udp
<br>
rightprotoport=udp/4789
<br>
<br>
conn boxA-in
<br>
[...]
<br>
leftprotoport=udp/4789
<br>
rightprotoport=udp
<br>
<br>
That covers two flows, any ephemeral port to remote udp 4789
<br>
and any ephemeral port from remote to local udp 4789
<br>
<br>
Paul
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Saludos / Regards / Cumprimentos
António Silva</pre>
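<p>As an added check (not code from this thread or from libreswan itself), the Python below parses ipsec.conf-style conn sections, flattens also=, and reduces every auto=start conn to the unordered pair of (ip, proto, port) endpoints it protects, so the two boxes' files can be compared whichever side each one calls left. The sample conns are constructed from the ones in this thread with the certificate and DPD lines dropped: BOX_B is BOX_A with every left/right parameter swapped, as the poster describes doing on box B, and BOX_BAD is the single udp/4789 conn Paul replied to; conn and key names are otherwise the page's own.</p>

```python
PROTO_NUM = {"udp": "17", "tcp": "6"}  # ipsec.conf accepts protocol names or numbers

def parse_conf(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text (indentation optional)."""
    conns, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("conn "):
            cur = conns.setdefault(line.split()[1], {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def resolve(conns, name):
    """Flatten also= recursively; a conn's own keys override the included ones."""
    conn = conns[name]
    merged = resolve(conns, conn["also"]) if "also" in conn else {}
    merged.update({k: v for k, v in conn.items() if k != "also"})
    return merged

def endpoint(conn, side):
    """(ip, proto, port) for 'left' or 'right'; 'udp' alone and '17/0' both mean any port."""
    proto, _, port = conn.get(side + "protoport", "0/0").partition("/")
    return conn.get(side, "%any"), PROTO_NUM.get(proto.lower(), proto), port or "0"

def flows(text):
    """Unordered endpoint pairs of every auto=start conn: the flows this box will protect."""
    conns = parse_conf(text)
    return {frozenset({endpoint(c, "left"), endpoint(c, "right")})
            for c in (resolve(conns, n) for n in conns) if c.get("auto") == "start"}

# Constructed sample: box A with this thread's in/out split; box B has every left/right swapped.
BOX_A = """conn vxlanout
    also=vxlan
    leftprotoport=17/0
    rightprotoport=17/4789
    auto=start
conn vxlanin
    also=vxlan
    leftprotoport=17/4789
    rightprotoport=17/0
    auto=start
conn vxlan
    left=192.168.1.108
    right=20.20.10.4"""
BOX_B = BOX_A.replace("left", "TMP").replace("right", "left").replace("TMP", "right")
# A single conn with udp/4789 on both ends covers only 4789<->4789 and misses both flows above.
BOX_BAD = ("conn vxlan\nleft=192.168.1.108\nright=20.20.10.4\n"
           "leftprotoport=udp/4789\nrightprotoport=udp/4789\nauto=start")
```

<p><code>flows(BOX_A) - flows(BOX_B)</code> lists the flows the left box will protect that the right box has no conn for (empty when the files really mirror); the same difference against BOX_BAD shows the two ephemeral-port flows the original single conn never covered.</p>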
</body>
</html>