Hi,

You surely did not disable the installation of the routing. It needs to be 
disabled for VTIs to work.

Kind regards

Noel

On 05.12.2017 19:08, Isaac Sutherland wrote:
> I'm setting up a route-based strongswan site-to-site VTI tunnel between an 
> Ubuntu 16.04 host and a Cisco VPN. I'm trying to start very simple - just get 
> a vti ikev1 aes-256/sha1 tunnel up and ping the private IP of the remote end. 
> It smells like it's almost working (I'm getting ESP packets from the Cisco 
> router) but my outgoing packets don't get encrypted nor are they routed to 
> the remote endpoint -- they're just sent plaintext on the public interface 
> which obviously doesn't work because the packets are using private-subnet 
> IPs. Note I don't have control over the Cisco side of the VPN so my 
> diagnostic/debugging capacity on that end is limited. 
>
> Bring up:
> ip tunnel add vti0 mode vti local <local-public-ip> remote <remote-public-ip> okey 32 ikey 32
> ip link set vti0 up
> ip addr add 10.21.0.2 dev vti0
> ip route add 10.21.0.1 dev vti0
> sysctl -w "net.ipv4.conf.vti0.disable_policy=1"
>
> /etc/ipsec.conf:
> conn VTI
>     keyexchange=ikev1
>     ike=aes256-sha1-modp1024
>     esp=aes256-sha1!
>     left=<local-public-ip>
>     leftid=<local-public-ip>
>     leftsubnet=10.21.0.2/32
>     leftauth=psk
>     rightauth=psk
>     right=<remote-public-ip>
>     rightid=<remote-public-ip>
>     rightsubnet=10.21.0.1/32
>     mark=32
>     auto=start
>
> $ sudo ipsec statusall
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.9.50-x86_64-linode86, x86_64):
>   uptime: 5 seconds, since Dec 05 17:48:55 2017
>   malloc: sbrk 2408448, mmap 0, used 366432, free 2042016
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
> Listening IP addresses:
>   <local-public-ip>
>   10.21.0.2
> Connections:
>          VTI:  <local-public-ip>...<remote-public-ip>  IKEv1
>          VTI:   local:  [<local-public-ip>] uses pre-shared key authentication
>          VTI:   remote: [<remote-public-ip>] uses pre-shared key authentication
>          VTI:   child:  10.21.0.2/32 === 10.21.0.1/32 TUNNEL
> Security Associations (1 up, 0 connecting):
>          VTI[1]: ESTABLISHED 5 seconds ago, <local-public-ip>[<local-public-ip>]...<remote-public-ip>[<remote-public-ip>]
>          VTI[1]: IKEv1 SPIs: f161f8c0def835fe_i* 1fe93eb02d49cd32_r, pre-shared key reauthentication in 2 hours
>          VTI[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>          VTI{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: caf87319_i 50a12c2b_o
>          VTI{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 47 minutes
>          VTI{1}:   10.21.0.2/32 === 10.21.0.1/32
>
> $ sudo tcpdump -i eth0 host <remote-public-ip>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 17:52:28.535462 IP <remote-hostname> > <local-hostname>: ESP(spi=0xcd3f3177,seq=0x4), length 100
> 17:52:51.404751 IP <remote-hostname> > <local-hostname>: ESP(spi=0xcd3f3177,seq=0x5), length 100
> 17:52:53.404466 IP <remote-hostname> > <local-hostname>: ESP(spi=0xcd3f3177,seq=0x6), length 100
> 17:52:57.404483 IP <remote-hostname> > <local-hostname>: ESP(spi=0xcd3f3177,seq=0x7), length 100
> 17:53:05.404418 IP <remote-hostname> > <local-hostname>: ESP(spi=0xcd3f3177,seq=0x8), length 100
>
> If I run a tcpdump on eth0 while pinging 10.21.0.1 from my Ubuntu host I get:
>
> $ sudo tcpdump -i eth0 host 10.21.0.2
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 17:55:51.060099 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 1, length 64
> 17:55:52.073711 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 2, length 64
> 17:55:53.087071 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 3, length 64
> 17:55:54.100374 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 4, length 64
> 17:55:55.113690 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 5, length 64
> 17:55:56.127045 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 6, length 64
> 17:55:57.140397 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 7, length 64
> 17:55:58.153678 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 8, length 64
>
> where eth0 is my public Internet interface on the Ubuntu box. And no traffic 
> on the vti0 interface.
>
> $ ip route show
> default via 198.74.60.1 dev eth0 onlink
> 10.21.0.1 dev vti0  scope link
>
> Another detail is that the connection seems to be dropping out and coming 
> back up periodically, as you can gather from the following, taken a few 
> minutes later:
> $ sudo ipsec statusall
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.9.50-x86_64-linode86, x86_64):
>   uptime: 12 minutes, since Dec 05 17:48:55 2017
>   malloc: sbrk 2408448, mmap 0, used 476512, free 1931936
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
> Listening IP addresses:
>   <local-public-ip>
>   10.21.0.2
> Connections:
>          VTI:  <local-public-ip>...<remote-public-ip>  IKEv1
>          VTI:   local:  [<local-public-ip>] uses pre-shared key authentication
>          VTI:   remote: [<remote-public-ip>] uses pre-shared key authentication
>          VTI:   child:  10.21.0.2/32 === 10.21.0.1/32 TUNNEL
> Security Associations (1 up, 0 connecting):
>          VTI[1]: ESTABLISHED 12 minutes ago, <local-public-ip>[<local-public-ip>]...<remote-public-ip>[<remote-public-ip>]
>          VTI[1]: IKEv1 SPIs: f161f8c0def835fe_i* 1fe93eb02d49cd32_r, pre-shared key reauthentication in 2 hours
>          VTI[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>          VTI{1}:  REKEYED, TUNNEL, reqid 1, expires in 47 minutes
>          VTI{1}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ce1cd0f3_i 219c09e7_o
>          VTI{2}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
>          VTI{2}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4f08265_i 943423ca_o
>          VTI{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 34 minutes
>          VTI{3}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{4}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0551732_i 590f641e_o
>          VTI{4}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
>          VTI{4}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c6fc0b2e_i 43a45c53_o
>          VTI{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 33 minutes
>          VTI{5}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{6}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c123ce23_i 3d106f6b_o
>          VTI{6}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 32 minutes
>          VTI{6}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{7}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd3f3177_i 486dadf9_o
>          VTI{7}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 32 minutes
>          VTI{7}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{8}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c057f07c_i ac31a9cf_o
>          VTI{8}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
>          VTI{8}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{9}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cbd22eb8_i 2c02b93e_o
>          VTI{9}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 37 minutes
>          VTI{9}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{10}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf9d7de4_i f9bbf3ac_o
>          VTI{10}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
>          VTI{10}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{11}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0818f2d_i 4db195e5_o
>          VTI{11}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 37 minutes
>          VTI{11}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{12}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2b3b560_i 7c6f64a0_o
>          VTI{12}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
>          VTI{12}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{13}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c27ad328_i aa40b268_o
>          VTI{13}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
>          VTI{13}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{14}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2c27758_i 2a5e1d65_o
>          VTI{14}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
>          VTI{14}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{15}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf9658c4_i fd65ee58_o
>          VTI{15}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
>          VTI{15}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{16}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c67182e0_i a30b98ad_o
>          VTI{16}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 39 minutes
>          VTI{16}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{17}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c7749046_i acab5447_o
>          VTI{17}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
>          VTI{17}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{18}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb7025b6_i 62e2a1e3_o
>          VTI{18}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
>          VTI{18}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{19}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ce24136a_i 2b1975ff_o
>          VTI{19}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
>          VTI{19}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{20}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb6a23c7_i a580c19a_o
>          VTI{20}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
>          VTI{20}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{21}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd13d44b_i eba4a1eb_o
>          VTI{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
>          VTI{21}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{22}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd6048b0_i e28c1ba5_o
>          VTI{22}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
>          VTI{22}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{23}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cae775b9_i 50852308_o
>          VTI{23}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
>          VTI{23}:   10.21.0.2/32 === 10.21.0.1/32
> -- 
> Isaac Sutherland
> Software Designer
> TMV Control Systems Inc.
> 519-624-8219 x103

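The setting Noel refers to is charon's route installation (`charon.install_routes` in /etc/strongswan.d/charon.conf, or the same key under `charon { }` in strongswan.conf): when it is left enabled, charon installs a route for the remote traffic selector in routing table 220, which is consulted before the main table, so packets to 10.21.0.1 leave via eth0 without ever entering vti0 and never pick up the mark the XFRM policies require, which is exactly the plaintext ICMP Isaac captured. The script below is an added example written for this page, not code from either poster or from the strongSwan project: it runs offline against constructed stand-ins for charon.conf, ipsec.conf, the `ip tunnel add` command and `ip route show table 220` output, and checks the three things a VTI setup depends on (install_routes disabled, the conn's `mark` equal to the VTI's okey/ikey, table 220 empty). The public addresses 192.0.2.10 and 198.51.100.20 are documentation placeholders; the table 220 route line is constructed to look like what charon would install given the default gateway shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity checks for a
# strongSwan VTI (route-based) setup. All inputs below are constructed
# stand-ins; swap them for the real files/command output in practice.

# --- 1. charon must not install its own routes (table 220) -----------------
# Constructed /etc/strongswan.d/charon.conf fragments: after and before the fix.
CHARON_CONF_OK='charon {
    install_routes = no
}'
CHARON_CONF_BAD='charon {
    # install_routes = no
}'

# Returns 0 when the conf text actually sets install_routes = no
# (commented-out lines are stripped first, so they do not count).
install_routes_disabled() {
    printf '%s\n' "$1" | sed 's/#.*//' \
      | grep -Eq '^[[:space:]]*install_routes[[:space:]]*=[[:space:]]*no[[:space:]]*$'
}

# --- 2. ipsec.conf mark must equal the VTI okey/ikey -----------------------
# If they differ, packets leaving vti0 carry a mark the XFRM policies never
# match and are dropped or sent in clear. Constructed inputs (placeholder IPs).
IPSEC_CONF='conn VTI
    keyexchange=ikev1
    mark=32
    auto=start'
VTI_CMD='ip tunnel add vti0 mode vti local 192.0.2.10 remote 198.51.100.20 okey 32 ikey 32'

# Extract the numeric mark= value from a conn section.
conn_mark() { printf '%s\n' "$1" | sed -n 's/^[[:space:]]*mark=\([0-9]*\).*/\1/p'; }
# Extract the okey or ikey value ($1 = key name) from an `ip tunnel add` line.
vti_key()   { printf '%s\n' "$2" | sed -n "s/.*$1 \([0-9]*\).*/\1/p"; }

# Returns 0 only when mark, okey and ikey are all present and identical.
marks_match() {
    m=$(conn_mark "$1"); o=$(vti_key okey "$2"); i=$(vti_key ikey "$2")
    [ -n "$m" ] && [ "$m" = "$o" ] && [ "$m" = "$i" ]
}

# --- 3. routing table 220 should be empty once install_routes = no ---------
# Rule priority 220 beats the main table, so a leftover entry like this one
# (constructed; shaped like what charon installs) steers 10.21.0.1 out eth0.
TABLE220_BEFORE='10.21.0.1 via 198.74.60.1 dev eth0 proto static src 10.21.0.2'
TABLE220_AFTER=''

# Returns 0 when the captured `ip route show table 220` output has no routes.
table220_clean() { [ -z "$(printf '%s' "$1" | grep -v '^[[:space:]]*$')" ]; }

# Usage against the constructed samples; on a live host feed in
#   "$(cat /etc/strongswan.d/charon.conf)" and "$(ip route show table 220)".
install_routes_disabled "$CHARON_CONF_OK" && echo "charon.conf: install_routes disabled"
marks_match "$IPSEC_CONF" "$VTI_CMD"      && echo "ipsec.conf mark matches vti0 okey/ikey"
table220_clean "$TABLE220_AFTER"          && echo "table 220 empty: charon is not bypassing vti0"
```

After restarting charon with `install_routes = no`, the 10.21.0.1 route in the main table (`ip route add 10.21.0.1 dev vti0` from the bring-up) is the only one left, so the echo requests enter vti0, receive mark 32 and match the installed policies; `ipsec statusall` then shows non-zero `bytes_o` on the active CHILD_SA.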