Hi,
I'm running Fedora 26 with libreswan 3.23 and trying to set up a
host-to-host tunnel using the VTI functionality.
Host A 10.48.28.81
ipsec.conf
config setup
    logfile=/var/log/pluto.log
conn myvpn
    left=10.48.28.81
    right=10.48.28.82
    authby=secret
    auto=start
    mark=5/0xffffffff
    vti-interface=ipsec0
    vti-routing=yes
Host B 10.48.28.82
ipsec.conf
config setup
    logfile=/var/log/pluto.log
conn myvpn
    left=10.48.28.82
    right=10.48.28.81
    authby=secret
    auto=start
    mark=5/0xffffffff
    vti-interface=ipsec0
    vti-routing=yes
The routes to the ipsec0 interfaces are created:
On A:
# ip -4 r show table unspec | grep ipsec
10.48.28.82 dev ipsec0 scope link
On B:
# ip -4 r show table unspec | grep ipsec
10.48.28.81 dev ipsec0 scope link
On both endpoints I see the following message in pluto.log:
Mar 5 18:07:08.024994: initiate on demand from 10.48.28.81:500 to 10.48.28.82:500 proto=17 because: acquire
and
Mar 5 17:54:10.820913: initiate on demand from 10.48.28.82:500 to 10.48.28.81:500 proto=17 because: acquire
The end of the ipsec status command output yields:
On A:
000 Bare Shunt list:
000
000 10.48.28.81/32:500 -17-> 10.48.28.82/32:500 => %hold 0    %acquire-netlink
On B:
000 Bare Shunt list:
000
000 10.48.28.82/32:500 -17-> 10.48.28.81/32:500 => %hold 0    %acquire-netlink
Kernel state on A:
# ip -s x s
src 10.48.28.81 dst 10.48.28.82
    proto esp spi 0x00000000(0) reqid 0(0x00000000) mode transport
    replay-window 0 seq 0x00000003 flag (0x00000000)
    mark 0x5/0xffffffff
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    sel src 10.48.28.81/32 dst 10.48.28.82/32 proto udp sport 500 dport 500 dev ipsec0 uid 0
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 300(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-05 18:17:48 use -
    stats:
      replay-window 0 replay 0 failed 0
Kernel state on B:
# ip -s x s
src 10.48.28.82 dst 10.48.28.81
    proto esp spi 0x00000000(0) reqid 0(0x00000000) mode transport
    replay-window 0 seq 0x00000005 flag (0x00000000)
    mark 0x5/0xffffffff
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    sel src 10.48.28.82/32 dst 10.48.28.81/32 proto udp sport 500 dport 500 dev ipsec0 uid 0
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 300(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-05 18:15:32 use -
    stats:
      replay-window 0 replay 0 failed
Kernel policy on A:
# ip -s x p
src 10.48.28.81/32 dst 10.48.28.82/32 uid 0
    dir out action allow index 161 priority 2080 ptype main share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-05 18:07:07 use -
    mark 0x5/0xffffffff
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp spi 0x00000000(0) reqid 0(0x00000000) mode transport
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
Kernel policy on B:
# ip -s x p
src 10.48.28.82/32 dst 10.48.28.81/32 uid 0
    dir out action allow index 161 priority 2080 ptype main share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-05 17:54:10 use -
    mark 0x5/0xffffffff
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp spi 0x00000000(0) reqid 0(0x00000000) mode transport
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
Is this setup/configuration even possible? Maybe I'm missing some
fundamentals here :)
I've successfully got VTI to work with a subnet-to-subnet configuration
(left/rightsubnet).
Any suggestions much appreciated.
Thanks,
Erik
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
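The kernel state quoted in the post has two tell-tale features: the `ip xfrm state` entries carry `spi 0x00000000` (the larval entry the kernel creates when an outbound policy matches but no SA exists yet, which is what the `acquire` in pluto.log and the `%acquire-netlink` bare shunt refer to), and the selector of that larval entry is `proto udp sport 500 dport 500`, i.e. the packet that triggered it was the IKE exchange itself. Together with the `10.48.28.82 dev ipsec0` route, that means IKE to the peer is routed into the VTI and matched by the host-to-host policy before any tunnel exists. The following script, added here as an example and not part of the post or of libreswan, parses `ip -s xfrm state` and `ip route` output and flags exactly that condition. The function names, the `diagnose` interface and the sample outputs (modelled on the post's, with a made-up SPI for the healthy case) are this example's own constructions.

```python
"""Flag IKE (UDP 500/4500) being captured by an IPsec policy/VTI route.

Added example, not libreswan code.  Input is the text of `ip -s xfrm state`
and `ip -4 route show table <x>`; indentation stripped by mail clients and
wrapped lines (as in the post) are tolerated.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

IKE_PORTS = {500, 4500}  # IKE and IKE/ESP-over-UDP (NAT-T) ports


@dataclass
class XfrmState:
    """One `ip xfrm state` entry, reduced to the fields the check needs."""
    src: str
    dst: str
    spi: int = 0
    mode: str = ""
    sel_src: str = ""
    sel_dst: str = ""
    sel_proto: str = ""
    sport: Optional[int] = None
    dport: Optional[int] = None
    dev: str = ""


def parse_xfrm_state(text: str) -> List[XfrmState]:
    """Split `ip -s xfrm state` output into entries; one entry per 'src X dst Y' line."""
    states: List[XfrmState] = []
    cur: Optional[XfrmState] = None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"src (\S+) dst (\S+)", line)   # 'sel src ...' does not match
        if head:
            cur = XfrmState(src=head.group(1), dst=head.group(2))
            states.append(cur)
            continue
        if cur is None:
            continue
        spi = re.search(r"\bspi 0x([0-9a-fA-F]+)", line)
        if spi:
            cur.spi = int(spi.group(1), 16)
            mode = re.search(r"\bmode (\S+)", line)
            if mode:
                cur.mode = mode.group(1)
        sel = re.match(r"sel src (\S+) dst (\S+)(.*)", line)
        if sel:
            cur.sel_src, cur.sel_dst, rest = sel.groups()
            proto = re.search(r"\bproto (\S+)", rest)
            sport = re.search(r"\bsport (\d+)", rest)
            dport = re.search(r"\bdport (\d+)", rest)
            cur.sel_proto = proto.group(1) if proto else ""
            cur.sport = int(sport.group(1)) if sport else None
            cur.dport = int(dport.group(1)) if dport else None
        dev = re.search(r"\bdev (\S+)", line)   # may sit on a wrapped line
        if dev:
            cur.dev = dev.group(1)
    return states


def find_larval_ike_states(states: List[XfrmState]) -> List[XfrmState]:
    """spi 0 = larval (acquire) state awaiting the IKE daemon; a UDP 500/4500
    selector means the triggering packet was IKE itself."""
    return [st for st in states
            if st.spi == 0 and st.sel_proto == "udp"
            and (st.sport in IKE_PORTS or st.dport in IKE_PORTS)]


def parse_routes(text: str) -> Dict[str, str]:
    """Map destination -> output device from `ip route` output."""
    routes: Dict[str, str] = {}
    for raw in text.splitlines():
        m = re.match(r"(\S+) dev (\S+)", raw.strip())
        if m:
            routes[m.group(1)] = m.group(2)
    return routes


def diagnose(state_text: str, route_text: str, peer: str, vti_dev: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    for st in find_larval_ike_states(parse_xfrm_state(state_text)):
        findings.append(f"larval SA (spi 0) for IKE {st.sel_src} -> {st.sel_dst} "
                        f"udp {st.sport}->{st.dport}: IKE packets match the IPsec "
                        f"policy, so the tunnel cannot be negotiated")
    if parse_routes(route_text).get(peer) == vti_dev:
        findings.append(f"route to peer {peer} goes via {vti_dev}: IKE to the peer "
                        f"is sent into the VTI instead of the underlay interface")
    return findings


# Constructed sample, modelled on the stuck state quoted in the post.
SAMPLE_STATE_STUCK = """\
src 10.48.28.81 dst 10.48.28.82
proto esp spi 0x00000000(0) reqid 0(0x00000000) mode transport
mark 0x5/0xffffffff
sel src 10.48.28.81/32 dst 10.48.28.82/32 proto udp sport 500 dport 500
dev ipsec0 uid 0
lifetime config:
expire add: soft 0(sec), hard 300(sec)
"""
SAMPLE_ROUTES_STUCK = "10.48.28.82 dev ipsec0 scope link\n"

# Constructed healthy counterpart: established tunnel-mode SA (made-up SPI),
# peer reachable over the underlay rather than the VTI.
SAMPLE_STATE_OK = """\
src 10.48.28.81 dst 10.48.28.82
    proto esp spi 0x0c5a1b2e(207231790) reqid 16389(0x00004005) mode tunnel
    mark 0x5/0xffffffff
    sel src 0.0.0.0/0 dst 0.0.0.0/0
"""
SAMPLE_ROUTES_OK = "10.48.28.82 dev eth0 scope link\n"

if __name__ == "__main__":
    for f in diagnose(SAMPLE_STATE_STUCK, SAMPLE_ROUTES_STUCK, "10.48.28.82", "ipsec0"):
        print("FINDING:", f)
```

On a live host the two text arguments would be the captured output of `ip -s xfrm state` and `ip -4 route show table unspec` for the peer address and VTI name in the conn; the parser deliberately keys on the selector ports and the zero SPI rather than on libreswan's log wording, so it also works on a box where pluto logging is off.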