Hi,

Thanks Paul, this works as defined, but I think I found an issue: the left/right protocols are not respected... and so the tunnels are partially up and I cannot send VXLAN traffic through the VPN.


My current conf is (boxA and boxB, with left/right params reversed):

conn ipsec9convxlanout
        also=ipsec9convxlan
        leftprotoport=17/0
        rightprotoport=17/4789
        auto=start

conn ipsec9convxlanin
        also=ipsec9convxlan
        leftprotoport=17/4789
        rightprotoport=17/0
        auto=start

conn ipsec9convxlan
        type=transport
        leftrsasigkey=%cert
        leftcert=LabVxLANandDemoVxLAN
        rightrsasigkey=%cert
        leftid=@LabVxLAN
        left=192.168.1.108
        right=20.20.10.4
        rightid=@DemoVxLAN
        dpddelay=30
        dpdtimeout=60
        dpdaction=restart


My left side is behind NAT and I cannot force port 500 or 4500 to the libreswan box, so I end up with partial tunnels up.

Left, both conns are up:

ipsec whack --trafficstatus
006 #3: "ipsec1convxlanin", type=ESP, add_time=1526136419, inBytes=0, outBytes=0, id='@LabVxLAN'
006 #2: "ipsec1convxlanout", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@LabVxLAN'


Right side is wrong:
ipsec whack --trafficstatus
006 #6: "ipsec9convxlanin", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@DemoVxLAN'
006 #7: "ipsec9convxlanin", type=ESP, add_time=0, inBytes=0, outBytes=0, id='@DemoVxLAN'

Expected:
ipsec whack --trafficstatus
006 #6: "ipsec9convxlanin", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@DemoVxLAN'
006 #7: "ipsec9convxlanout", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@DemoVxLAN'


When connecting ipsec1convxlanout from the left side, it detects the connection as ipsec9convxlanin....

If I can "dial out" from the right to the left side (removing the NAT issue), all is OK.


Can I do this with my current configuration? Or should I define two different connections (different IDs)?



On 01/25/2018 03:39 PM, Paul Wouters wrote:
On Tue, 23 Jan 2018, António Silva wrote:

I tried to set leftprotoport / rightprotoport=udp/4789; I can ping the IP on boxB going through the VXLAN but the traffic is not encrypted..

Well yes, ping does not use udp port 4789 :)

Sowmini, you suggest using two tunnels, how should they be?

conn boxA
[...]
    leftprotoport=udp/4789
    rightprotoport=udp/4789

I think you want:

conn boxA-out
    [...]
    leftprotoport=udp
    rightprotoport=udp/4789

conn boxA-in
    [...]
    leftprotoport=udp/4789
    rightprotoport=udp

That covers two flows, any ephemeral port to remote udp 4789
and any ephemeral port from remote to local udp 4789

Paul

--
Saludos / Regards / Cumprimentos
António Silva
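As an added example (my own code, not part of this thread or of libreswan), a small Python check that parses `ipsec whack --trafficstatus` output and flags the symptom shown above on the right side: an expected conn with no SA, the same conn name carrying two SAs, or an SA that never completed (add_time=0). The sample lines are the ones quoted in this mail, reused as constructed input; the function names are assumptions of mine.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from the two trafficstatus listings in the mail.
# The right-side sample is kept on one line, as it appeared in the mail, to show
# that the parser does not depend on one SA per line.
LEFT_SIDE_OUTPUT = """\
006 #3: "ipsec1convxlanin", type=ESP, add_time=1526136419, inBytes=0, outBytes=0, id='@LabVxLAN'
006 #2: "ipsec1convxlanout", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@LabVxLAN'
"""
RIGHT_SIDE_OUTPUT = (
    "006 #6: \"ipsec9convxlanin\", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@DemoVxLAN' "
    "006 #7: \"ipsec9convxlanin\", type=ESP, add_time=0, inBytes=0, outBytes=0, id='@DemoVxLAN'"
)

# One SA record: "<code> #<sa>: "<conn>", type=<type>, add_time=<n>, inBytes=<n>, outBytes=<n>"
SA_RE = re.compile(
    r'\d{3} #(?P<sa>\d+): "(?P<conn>[^"]+)", type=(?P<type>\w+), '
    r'add_time=(?P<add_time>\d+), inBytes=(?P<inb>\d+), outBytes=(?P<outb>\d+)'
)


def parse_trafficstatus(text):
    """Return one dict per SA found in `ipsec whack --trafficstatus` output."""
    records = []
    for m in SA_RE.finditer(text):
        rec = m.groupdict()
        for key in ("sa", "add_time", "inb", "outb"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def check_conn_pair(text, expected_conns):
    """Compare the SAs present against the conn names we expect (e.g. the
    ...in / ...out pair) and report what is missing, duplicated or never established."""
    records = parse_trafficstatus(text)
    by_conn = defaultdict(list)
    for rec in records:
        by_conn[rec["conn"]].append(rec)
    return {
        "missing": sorted(c for c in expected_conns if c not in by_conn),
        "duplicated": sorted(c for c, sas in by_conn.items() if len(sas) > 1),
        # add_time=0 means the SA was listed but never finished negotiating
        "not_established": sorted(r["sa"] for r in records if r["add_time"] == 0),
    }
```

Run `check_conn_pair(RIGHT_SIDE_OUTPUT, ["ipsec9convxlanin", "ipsec9convxlanout"])` to see the right-side report: `ipsec9convxlanout` missing, `ipsec9convxlanin` duplicated, SA #7 not established.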

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
