On Wed, 1 Nov 2017, Paul Tran wrote:
> Thanks for looking at things. You mentioned I would need to have a "key" entry
> matching the mark number in your config (5). I am trying to find out how I
> would define that key entry in the config. I am reading
> https://libreswan.org/man/ipsec.conf.5.html and not sure what I am missing.
> I also looked at other configs that people said they had working but still
> didn't see what I needed to add.
>
> The information you asked about is below but I am not seeing anything that
> points me in a direction.
>
> IP tunnel
> vti201: ip/ip remote 102.167.4.2 local 172.31.140.0 ttl inherit key 5

At the end of the line you see "key 5" which matches your mark=5. So
everything you route into this device will gain that mark value of 5,
and then it would match the ip xfrm policy rule and get encrypted.
(provided the source/dest also falls within that policy)
> Pluto ipsec.conf syntax [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/eth1/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/tun0/rp_filter [ENABLED]
> rp_filter is not fully aware of IPsec and should be disabled

I would try disabling rp_filter because it might be causing your packets
to be dropped.
> I also disabled rp_filter via sysctl.conf for everything temporarily and still
> nothing.
>
> ping 192.168.10.1
> PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
> From 192.168.10.2 icmp_seq=1 Destination Host Unreachable
> From 192.168.10.2 icmp_seq=2 Destination Host Unreachable
>
> Route table shows
> 192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 vti201
> 192.168.50.0 0.0.0.0 255.255.255.0 U 0 0 0 vti201
>
> vti201: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 8981
> inet 192.168.10.2 netmask 255.255.255.0 destination 192.168.10.2
> tunnel txqueuelen 1 (IPIP Tunnel)
> RX packets 0 bytes 0 (0.0 B)
> RX errors 0 dropped 0 overruns 0 frame 0
> TX packets 0 bytes 0 (0.0 B)
> TX errors 19 dropped 0 overruns 0 carrier 19 collisions 0

It shows TX errors, so it seemed to have gotten dropped. Check out:
cat /proc/net/xfrm_stat
Paul
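As an added example (not code from this thread and not part of libreswan), here is a small Python checker that performs the cross-check discussed above offline: it parses `ip tunnel show` output for each VTI device's `key`, parses the `mark=` of every conn in an ipsec.conf fragment, flags any conn whose mark does not equal the key of the VTI it is bound to, and lists the non-zero counters in /proc/net/xfrm_stat. The tunnel lines, conn definitions and xfrm_stat excerpt are constructed sample input; `mark=`, `vti-interface=` and `vti-routing=` are standard libreswan conn options, but the conn names and values here are made up.

```python
"""Cross-check Linux VTI keys against libreswan mark= values and summarise
/proc/net/xfrm_stat. Added example with constructed input, not libreswan code."""
import re

# Constructed sample of `ip tunnel show` output (same layout as in the thread).
IP_TUNNEL_SHOW = """\
ip_vti0: ip/ip remote any local any ttl inherit nopmtudisc key 0
vti201: ip/ip remote 102.167.4.2 local 172.31.140.0 ttl inherit key 5
"""

# Constructed ipsec.conf fragment. mark=, vti-interface= and vti-routing= are
# real libreswan conn options; the conns themselves are made up for this example.
IPSEC_CONF = """\
conn vti-ok
    left=172.31.140.0
    right=102.167.4.2
    mark=5/0xffffffff
    vti-interface=vti201
    vti-routing=no

conn vti-mismatch
    left=172.31.140.0
    right=102.167.4.2
    mark=7/0xffffffff
    vti-interface=vti201
"""

# Constructed /proc/net/xfrm_stat excerpt; only non-zero counters are interesting.
XFRM_STAT = """\
XfrmInError                     0
XfrmInNoStates                  0
XfrmOutNoStates                 19
XfrmOutPolBlock                 0
"""

_TUNNEL_RE = re.compile(
    r"^(?P<name>\S+): ip/ip remote (?P<remote>\S+) local (?P<local>\S+)"
    r".*?\bkey (?P<key>\d+)"
)


def parse_tunnels(text):
    """Map tunnel name -> {remote, local, key} from `ip tunnel show` output."""
    tunnels = {}
    for line in text.splitlines():
        m = _TUNNEL_RE.match(line)
        if m:
            tunnels[m["name"]] = {
                "remote": m["remote"], "local": m["local"], "key": int(m["key"]),
            }
    return tunnels


def parse_conns(text):
    """Map conn name -> {option: value} from an ipsec.conf fragment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def mark_value(mark):
    """'5/0xffffffff' or '5' -> 5 (the mask after '/' is ignored; hex is accepted)."""
    return int(mark.split("/", 1)[0], 0)


def check_vti_marks(tunnels, conns):
    """For every conn bound to a VTI device, compare its mark with the device key."""
    results = []
    for name, opts in conns.items():
        iface = opts.get("vti-interface")
        if not iface or "mark" not in opts:
            continue
        mark = mark_value(opts["mark"])
        key = tunnels.get(iface, {}).get("key")  # None if the device is missing
        results.append({"conn": name, "iface": iface, "mark": mark,
                        "key": key, "ok": key == mark})
    return results


def nonzero_xfrm_counters(text):
    """Return {counter: value} for every non-zero line of /proc/net/xfrm_stat."""
    counters = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit() and int(parts[1]):
            counters[parts[0]] = int(parts[1])
    return counters


if __name__ == "__main__":
    tunnels = parse_tunnels(IP_TUNNEL_SHOW)
    for r in check_vti_marks(tunnels, parse_conns(IPSEC_CONF)):
        status = "OK" if r["ok"] else "MISMATCH"
        print(f"{r['conn']}: mark={r['mark']} {r['iface']} key={r['key']} [{status}]")
    for name, value in nonzero_xfrm_counters(XFRM_STAT).items():
        print(f"{name} = {value}")
```

On a real host, feed the functions the output of `ip tunnel show`, the conn sections of /etc/ipsec.conf and the contents of /proc/net/xfrm_stat instead of the constants. A mismatch means traffic routed into the VTI carries a mark that no xfrm policy selects, so it is never encrypted; a non-zero XfrmOutNoStates means packets did match an outbound policy but no SA was available to protect them.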
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan