On Sat, 12 May 2018, antonio wrote:
> Thanks Paul, this works as defined, but I think I found an issue: the left/right
> protocols are not respected, and so the tunnels are only partially up and I
> cannot send VXLAN traffic through the VPN.
> My current conf is (boxA and boxB, with the left/right params reversed):
>
> # Outbound VXLAN: any local UDP port to the peer's UDP/4789
> conn ipsec9convxlanout
>         also=ipsec9convxlan
>         leftprotoport=17/0
>         rightprotoport=17/4789
>         auto=start
>
> # Inbound VXLAN: local UDP/4789 from any peer UDP port
> conn ipsec9convxlanin
>         also=ipsec9convxlan
>         leftprotoport=17/4789
>         rightprotoport=17/0
>         auto=start
>
> # Shared settings, pulled into both conns above via also=
> conn ipsec9convxlan
>         type=transport
>         leftrsasigkey=%cert
>         leftcert=LabVxLANandDemoVxLAN
>         rightrsasigkey=%cert
>         leftid=@LabVxLAN
>         left=192.168.1.108
>         right=20.20.10.4
>         rightid=@DemoVxLAN
>         dpddelay=30
>         dpdtimeout=60
>         dpdaction=restart
That should work.
> My left side is behind NAT and I cannot force port 500 or 4500 to the libreswan
> box, so I end up with partial tunnels up.
The NAT should not matter as long as one end is not behind NAT (or is
behind a port forward).
> On the left, both conns are up:
>
> ipsec whack --trafficstatus
> 006 #3: "ipsec1convxlanin", type=ESP, add_time=1526136419, inBytes=0, outBytes=0, id='@LabVxLAN'
> 006 #2: "ipsec1convxlanout", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@LabVxLAN'
Although no traffic has ever matched these tunnels, as the byte counters
are all zero.
> The right side is wrong:
>
> ipsec whack --trafficstatus
> 006 #6: "ipsec9convxlanin", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@DemoVxLAN'
> 006 #7: "ipsec9convxlanin", type=ESP, add_time=0, inBytes=0, outBytes=0, id='@DemoVxLAN'
That's odd. You should check the logs to see what happened. It looks like one
might have replaced the other.
> When connecting ipsec1convxlanout from the left side, it detects the connection
> as ipsec9convxlanin....
During the IKE negotiation, pluto cannot yet tell which of the two will
match. It is perfectly normal for it to "switch" from one conn to the
other once it learns the phase2/IPsec selectors.
> Can I do this with my current configuration? Or should I define two different
> connections (different ids)?
You can do that but it should not be needed.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
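The checks Paul asks for in the thread (is each conn's SA present exactly once, did any SA never get installed, have the byte counters ever moved) can be scripted against `ipsec whack --trafficstatus`. The following is an added example, not libreswan's own tooling and not code from the thread: it parses the status lines in the format shown above (the two outputs quoted in the thread are embedded as constructed samples, unwrapped onto one line per SA as pluto actually prints them) and reports the symptoms discussed, so the same check can be run on both peers after `ipsec auto --up`. The regex assumes the field order shown in the thread; newer pluto versions may append further fields, which the pattern tolerates since it is not end-anchored.

```python
#!/usr/bin/env python3
"""Check `ipsec whack --trafficstatus` output for a pair of transport-mode
conns (added example for this thread; not libreswan's own tooling)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Matches the status lines as pluto prints them, one SA per line. The
# lines in the thread were wrapped by the mail client; the real output is
# a single line per SA, which is what the samples below reproduce.
STATUS_RE = re.compile(
    r'^\d{3} #(?P<sa>\d+): "(?P<conn>[^"]+)", type=(?P<kind>\w+), '
    r"add_time=(?P<add_time>\d+), inBytes=(?P<in_bytes>\d+), "
    r"outBytes=(?P<out_bytes>\d+), id='(?P<peer>[^']*)'"
)

# Constructed samples: the two outputs quoted in the thread, unwrapped.
LEFT_STATUS = """\
006 #3: "ipsec1convxlanin", type=ESP, add_time=1526136419, inBytes=0, outBytes=0, id='@LabVxLAN'
006 #2: "ipsec1convxlanout", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@LabVxLAN'
"""
RIGHT_STATUS = """\
006 #6: "ipsec9convxlanin", type=ESP, add_time=1526136418, inBytes=0, outBytes=0, id='@DemoVxLAN'
006 #7: "ipsec9convxlanin", type=ESP, add_time=0, inBytes=0, outBytes=0, id='@DemoVxLAN'
"""


@dataclass
class SAStatus:
    sa: int
    conn: str
    kind: str
    add_time: int
    in_bytes: int
    out_bytes: int
    peer: str


def parse_trafficstatus(text: str) -> list[SAStatus]:
    """Parse the '006 #n:' status lines; any other line is ignored."""
    sas = []
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            sas.append(SAStatus(int(m["sa"]), m["conn"], m["kind"],
                                int(m["add_time"]), int(m["in_bytes"]),
                                int(m["out_bytes"]), m["peer"]))
    return sas


def check_conn_pair(sas: list[SAStatus], expected: list[str]) -> list[str]:
    """Return human-readable findings for the expected conn names.

    The findings are the symptoms discussed in the thread: a conn with no
    SA, a conn name appearing twice (one SA may have replaced the other;
    check the pluto log), an SA with add_time=0 (never installed), and an
    SA whose byte counters are still zero (nothing has matched its
    protoport selectors yet).
    """
    by_conn: dict[str, list[SAStatus]] = defaultdict(list)
    for sa in sas:
        by_conn[sa.conn].append(sa)

    findings = []
    for conn in expected:
        entries = by_conn.get(conn, [])
        if not entries:
            findings.append(f"{conn}: no IPsec SA at all")
            continue
        if len(entries) > 1:
            nums = ", ".join(f"#{e.sa}" for e in entries)
            findings.append(f"{conn}: {len(entries)} SAs ({nums}); "
                            "check the pluto log, one may have replaced the other")
        for e in entries:
            if e.add_time == 0:
                findings.append(f"{conn} #{e.sa}: add_time=0, SA never installed")
            elif e.in_bytes == 0 and e.out_bytes == 0:
                findings.append(f"{conn} #{e.sa}: no traffic has matched this SA yet")
    return findings


if __name__ == "__main__":
    # On a real box, replace the sample with:
    #   subprocess.run(["ipsec", "whack", "--trafficstatus"], capture_output=True, text=True).stdout
    for side, status, conns in (
        ("left", LEFT_STATUS, ["ipsec1convxlanin", "ipsec1convxlanout"]),
        ("right", RIGHT_STATUS, ["ipsec9convxlanin", "ipsec9convxlanout"]),
    ):
        print(f"{side}:")
        for finding in check_conn_pair(parse_trafficstatus(status), conns) or ["ok"]:
            print("  " + finding)
```

Run on the thread's two outputs, the left side reports only that neither SA has carried traffic, while the right side reports the duplicated ipsec9convxlanin, the #7 entry with add_time=0 and the missing ipsec9convxlanout, which is the state Paul describes as "one might have replaced the other". Zero counters on a transport-mode conn are worth acting on: send one VXLAN packet through the VTEP and re-run the check, since selectors that never match are the usual sign of swapped or mis-mirrored protoports.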