On Fri, 6 Jul 2018 12:49:44 -0400 (EDT) Paul Wouters <[email protected]> wrote:

> This is the 2nd report I get of updown not working properly, and
> removing the vti kernel module, that removes the ip_vti0 interface,
> resolves the issue ? That sounds like a bug in vti code.
> Should we revert configuring obtained IP addresses on the loopback?

I don't think that has anything to do with the issue.

> Or can we do something else preventing the bad interaction with
> ip_vti0 ?

We can stop loading the vti module by default.

> Note that no vti-* options or marking was used for this configuration.

Yes, but is it possible those have been used before, after the last reboot?

> Paul
>
> -------- Forwarded Message --------
> Subject: vpn.nohats.ca setup - fixed
> From: Francesco Giudici <[email protected]>
> To: Paul Wouters <[email protected]>
> Date: Fri, 6 Jul 2018 11:24:50 +0200
>
> I found the root cause of the issues I was experiencing with the
> setup. I had two issues:
> 1) the ""vpn.nohats.ca": We cannot identify ourselves with either end
> of this connection. 193.110.157.148 or 193.110.157.148 are not
> usable" error
> 2) bypassing 1 with left=%MYIP, I was not able to correctly
> route/forward packets through the VPN, resulting in no
> traffic
>
> TL;DR: when starting ipsec I noticed the ip_vti kernel module is
> loaded. When loaded, it creates a default interface ip_vti0. Removing
> the module before adding the vpn.nohats.ca connection fixed both
> issues 1 and 2. Everything worked as expected.
>
> -- long version --
> Diagnosing issue 2) I found the network config looked weird: the
> address gained from CP was added to the lo interface. The new default
> routes so were added as "link scope". Mangling the network (I moved
> the CP address to the main interface and updated the routes) I was
> able to let packets flow through the VPN (I could see the ESP packets
> going in both directions) but still no end to end connectivity...
> I noticed that the clear text traffic arrived on an ip_vti0
> interface... so, removing the ip_vti module before starting the
> connection did the trick.
>
> All of this on F28, both Desktop and client.
>
> _______________________________________________
> Swan-dev mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan-dev

-- 
Tuomo Soini <[email protected]>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
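A small diagnostic for the three symptoms Francesco describes (the ip_vti module loaded, the CP-assigned address sitting on lo, default routes installed with link scope), added here as an example and not part of this thread or of libreswan itself. The command outputs and the address 10.1.2.3 are constructed samples; on a real host you would pass it the output of `lsmod`, `ip -o -4 addr` and `ip -4 route`:

```shell
#!/bin/sh
# Added diagnostic helper, not from the libreswan thread. It inspects the
# output of lsmod, `ip -o -4 addr` and `ip -4 route` for the symptoms
# reported in the mail. The sample outputs below are constructed, not captured.

SAMPLE_LSMOD='ip_vti                 16384  0
ip_tunnel              28672  1 ip_vti
xfrm_user              40960  1'

# 10.1.2.3 stands in for the address handed out via CP (constructed value)
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet 10.1.2.3/32 scope global lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever'

SAMPLE_ROUTE='default via 192.0.2.1 dev eth0 proto static metric 100
default dev eth0 scope link src 10.1.2.3 table 50
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10'

# vti_loaded LSMOD_OUTPUT: "yes" if the ip_vti module (which creates ip_vti0) is listed
vti_loaded() {
  printf '%s\n' "$1" | awk '$1 == "ip_vti" { found = 1 } END { print (found ? "yes" : "no") }'
}

# iface_holding ADDR_OUTPUT IP: name of the interface carrying IP, or "none"
iface_holding() {
  printf '%s\n' "$1" | awk -v ip="$2" '
    { split($4, a, "/"); if (a[1] == ip) { print $2; found = 1; exit } }
    END { if (!found) print "none" }'
}

# link_scope_defaults ROUTE_OUTPUT: number of default routes carrying "scope link"
link_scope_defaults() {
  printf '%s\n' "$1" | awk '$1 == "default" && /scope link/ { n++ } END { print n + 0 }'
}

# diagnose LSMOD_OUTPUT ADDR_OUTPUT ROUTE_OUTPUT CP_IP: one line per symptom found
diagnose() {
  [ "$(vti_loaded "$1")" = "yes" ] && echo "ip_vti module loaded: cleartext traffic may land on ip_vti0"
  holder=$(iface_holding "$2" "$4")
  [ "$holder" = "lo" ] && echo "CP address $4 sits on lo instead of a real interface"
  n=$(link_scope_defaults "$3")
  [ "$n" -gt 0 ] && echo "$n default route(s) installed with link scope"
  return 0
}

diagnose "$SAMPLE_LSMOD" "$SAMPLE_ADDR" "$SAMPLE_ROUTE" 10.1.2.3
```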
