Hi, I have started to look into XFRMi interfaces in 3.31. I set up an Ubuntu server and then compiled 3.31 on it. The results are a bit confusing though: the tunnel in itself appears to come up fine, but somehow the interface link appears to be "unstable". I observed 2 issues and I'm currently wondering if I did something wrong.
1.: When the tunnel comes up it is stable and I can ping across the link. After a few hours of idle, though, while the tunnel still appears to come up again with DPD, I can not ping across the xfrmi interface. I noticed as well that when I run "ipsec status", instead of just having 1 SA, the ping attempts will create multiple new SAs.
2.: The ultimate goal for me is to use ECMP over 2 tunnels. So I created 2 tunnel configurations over 2 separate links. Both tunnels are coming up and "ipsec status" shows the associated interfaces, but when I check with "ip link" only one of the interfaces (ipsec1@ens192) was created, and with "ipsec traffic" I was able to verify that the actual traffic went through the tunnel which was associated with (ipsec1@ens224). Below is the output from my lab setup. I tested the same scenario with VTI interfaces on 3.27, but there I only set the mark in the ipsec configuration and created the IP interfaces separately, as I ran into similar issues. I thought the xfrmi interfaces might be a better solution though.
Any help or hint would be appreciated.

Lab Config

000 Connection list:
000
000 "LINKEASTETH1-LINKWESTETH1": 10.0.0.0/8===1.0.1.10<1.0.1.10>[@LINKEASTETH1]...1.0.1.1<1.0.1.1>[@LINKWESTETH1]===10.0.0.0/8; erouted; eroute owner: #2
000 "LINKEASTETH1-LINKWESTETH1": oriented; my_ip=10.10.10.1; their_ip=10.10.11.1; my_updown=ipsec _updown;
000 "LINKEASTETH1-LINKWESTETH1": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "LINKEASTETH1-LINKWESTETH1": our auth:secret, their auth:secret
000 "LINKEASTETH1-LINKWESTETH1": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "LINKEASTETH1-LINKWESTETH1": policy_label:unset;
000 "LINKEASTETH1-LINKWESTETH1": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "LINKEASTETH1-LINKWESTETH1": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "LINKEASTETH1-LINKWESTETH1": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "LINKEASTETH1-LINKWESTETH1": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "LINKEASTETH1-LINKWESTETH1": v2-auth-hash-policy: none;
000 "LINKEASTETH1-LINKWESTETH1": conn_prio: 8,8; interface: ipsec1@ens192; metric: 0; mtu: 1480; sa_prio:auto; sa_tfc:none;
000 "LINKEASTETH1-LINKWESTETH1": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "LINKEASTETH1-LINKWESTETH1": our idtype: ID_FQDN; our id=@LINKEASTETH1; their idtype: ID_FQDN; their id=@LINKWESTETH1
000 "LINKEASTETH1-LINKWESTETH1": dpd: action:hold; delay:1; timeout:5; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "LINKEASTETH1-LINKWESTETH1": newest ISAKMP SA: #8; newest IPsec SA: #2;
000 "LINKEASTETH1-LINKWESTETH1": IKE algorithms: AES_CBC_256-HMAC_SHA2_512-DH21
000 "LINKEASTETH1-LINKWESTETH1": IKEv2 algorithm newest: AES_CBC_256-HMAC_SHA2_512-DH21
000 "LINKEASTETH1-LINKWESTETH1": ESP algorithms: AES_CBC_256-HMAC_SHA2_512_256-MODP8192
000 "LINKEASTETH1-LINKWESTETH1": ESP algorithm newest: AES_CBC_256-HMAC_SHA2_512_256; pfsgroup=MODP8192
000 "LINKEASTETH2-LINKWESTETH3": 10.0.0.0/8===1.0.0.10<1.0.0.10>[@LINKEASTETH2]...1.0.0.1<1.0.0.1>[@LINKWESTETH3]===10.0.0.0/8; erouted; eroute owner: #4
000 "LINKEASTETH2-LINKWESTETH3": oriented; my_ip=10.10.10.1; their_ip=10.10.11.1; my_updown=ipsec _updown;
000 "LINKEASTETH2-LINKWESTETH3": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "LINKEASTETH2-LINKWESTETH3": our auth:secret, their auth:secret
000 "LINKEASTETH2-LINKWESTETH3": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "LINKEASTETH2-LINKWESTETH3": policy_label:unset;
000 "LINKEASTETH2-LINKWESTETH3": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "LINKEASTETH2-LINKWESTETH3": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "LINKEASTETH2-LINKWESTETH3": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "LINKEASTETH2-LINKWESTETH3": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "LINKEASTETH2-LINKWESTETH3": v2-auth-hash-policy: none;
000 "LINKEASTETH2-LINKWESTETH3": conn_prio: 8,8; interface: ipsec1@ens224; metric: 0; mtu: 1480; sa_prio:auto; sa_tfc:none;
000 "LINKEASTETH2-LINKWESTETH3": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "LINKEASTETH2-LINKWESTETH3": our idtype: ID_FQDN; our id=@LINKEASTETH2; their idtype: ID_FQDN; their id=@LINKWESTETH3
000 "LINKEASTETH2-LINKWESTETH3": dpd: action:hold; delay:1; timeout:5; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "LINKEASTETH2-LINKWESTETH3": newest ISAKMP SA: #7; newest IPsec SA: #4;
000 "LINKEASTETH2-LINKWESTETH3": IKE algorithms: AES_CBC_256-HMAC_SHA2_512-DH21
000 "LINKEASTETH2-LINKWESTETH3": IKEv2 algorithm newest: AES_CBC_256-HMAC_SHA2_512-DH21
000 "LINKEASTETH2-LINKWESTETH3": ESP algorithms: AES_CBC_256-HMAC_SHA2_512_256-MODP8192
000 "LINKEASTETH2-LINKWESTETH3": ESP algorithm newest: AES_CBC_256-HMAC_SHA2_512_256; pfsgroup=MODP8192
000
000 Total IPsec connections: loaded 2, active 2
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(2), half-open(0), open(0), authenticated(2), anonymous(0)
000 IPsec SAs: total(2), authenticated(2), anonymous(0)
000
000 #2: "LINKEASTETH1-LINKWESTETH1":500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_REKEY in 22855s; newest IPSEC; eroute owner; isakmp#8; idle;
000 #2: "LINKEASTETH1-LINKWESTETH1" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=588B ESPout=588B! ESPmax=0B
000 #8: "LINKEASTETH1-LINKWESTETH1":500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REKEY in 3084s; newest ISAKMP; idle;
000 #4: "LINKEASTETH2-LINKWESTETH3":500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_REKEY in 22862s; newest IPSEC; eroute owner; isakmp#7; idle;
000 #4: "LINKEASTETH2-LINKWESTETH3" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=464KB ESPout=464KB! ESPmax=0B
000 #7: "LINKEASTETH2-LINKWESTETH3":500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REKEY in 3031s; newest ISAKMP; idle;
000
000 Bare Shunt list:
000

root@linkeast:/etc/ipsec.d# ipsec traffic
006 #2: "LINKEASTETH1-LINKWESTETH1", type=ESP, add_time=1587720308, inBytes=588, outBytes=588, id='@LINKWESTETH1'
006 #4: "LINKEASTETH2-LINKWESTETH3", type=ESP, add_time=1587720315, inBytes=475860, outBytes=475860, id='@LINKWESTETH3'

28: ipsec1@ens192: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/none

Stay safe and thank you
Rene
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
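A diagnostic a reader can run over the kind of output quoted in the post, as an added example that is not part of the original message or of Libreswan itself: it parses the "interface:" field of each connection's "ipsec status" line, reports any xfrmi name that more than one connection claims, and lists connections whose xfrmi@parent pair does not appear in "ip link". The sample input is constructed from lines of the post above; the function names and regexes are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: three "ipsec status" lines and the one "ip link" line
# quoted in the post. The non-"interface:" line is there to show it is skipped.
STATUS_OUTPUT = """\
000 "LINKEASTETH1-LINKWESTETH1": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "LINKEASTETH1-LINKWESTETH1": conn_prio: 8,8; interface: ipsec1@ens192; metric: 0; mtu: 1480; sa_prio:auto; sa_tfc:none;
000 "LINKEASTETH2-LINKWESTETH3": conn_prio: 8,8; interface: ipsec1@ens224; metric: 0; mtu: 1480; sa_prio:auto; sa_tfc:none;
"""
IP_LINK_OUTPUT = """\
28: ipsec1@ens192: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/none
"""

# Connection lines start with 000 "<conn>": and carry interface: <xfrmi>@<parent>;
IFACE_RE = re.compile(r'^000 "(?P<conn>[^"]+)": .*?interface: (?P<xfrmi>\S+?)@(?P<parent>[^;]+);')
# ip link lines look like "<idx>: <xfrmi>@<parent>: <flags> ..."
LINK_RE = re.compile(r'^\d+: (?P<xfrmi>[^@:]+)@(?P<parent>[^:]+):')


def conn_interfaces(status_text):
    """Map connection name -> (xfrmi name, parent device) from ipsec status lines."""
    result = {}
    for line in status_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            result[m.group("conn")] = (m.group("xfrmi"), m.group("parent"))
    return result


def shared_xfrmi(conns):
    """Return {xfrmi: [(conn, parent), ...]} for xfrmi names claimed by more than one conn."""
    by_name = defaultdict(list)
    for conn, (xfrmi, parent) in conns.items():
        by_name[xfrmi].append((conn, parent))
    return {name: users for name, users in by_name.items() if len(users) > 1}


def missing_links(conns, ip_link_text):
    """Connections whose xfrmi@parent pair has no matching device in ip link output."""
    present = {(m.group("xfrmi"), m.group("parent"))
               for m in map(LINK_RE.match, ip_link_text.splitlines()) if m}
    return sorted(conn for conn, pair in conns.items() if pair not in present)


if __name__ == "__main__":
    conns = conn_interfaces(STATUS_OUTPUT)
    for name, users in shared_xfrmi(conns).items():
        print(f"{name} is claimed by {len(users)} connections: {users}")
    print("no matching device in ip link for:", missing_links(conns, IP_LINK_OUTPUT))
```

On a live host the same functions can be fed the captured text of "ipsec status" and "ip link" instead of the constructed strings.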
