For the record, putting the changes in /etc/strongswan.conf works fine, but on an Ubuntu 16.04 system the recommended location is /etc/strongswan.d/charon.conf, where the install_routes directive is already populated but commented out.
Further, for the kind of setup I'm doing, the strongswan RouteBasedVPN page advises to set both install_routes = no AND install_virtual_ip = no, both of which may be found in /etc/strongswan.d/charon.conf on an Ubuntu 16.04 system.

On Tue, Dec 5, 2017 at 3:38 PM Isaac Sutherland <[email protected]> wrote:

> Thanks Noel, that was what I needed. Packets started making it through the
> tunnel after I added "install_routes = no" to the default
> /etc/strongswan.conf file:
>
> # strongswan.conf - strongSwan configuration file
> #
> # Refer to the strongswan.conf(5) manpage for details
> #
> # Configuration changes should be made in the included files
>
> charon {
>         load_modular = yes
>         *install_routes = no*
>         plugins {
>                 include strongswan.d/charon/*.conf
>         }
> }
>
> include strongswan.d/*.conf
>
> On Tue, Dec 5, 2017 at 3:00 PM Noel Kuntze <[email protected]> wrote:
>
>> Hi,
>>
>> You surely did not disable the installation of the routing. It needs to
>> be disabled for VTIs to work.
>>
>> Kind regards
>>
>> Noel
>>
>> On 05.12.2017 19:08, Isaac Sutherland wrote:
>> > I'm setting up a route-based strongswan site-to-site VTI tunnel between
>> > an Ubuntu 16.04 host and a Cisco VPN. I'm trying to start very simple - just
>> > get a vti ikev1 aes-256/sha1 tunnel up and ping the private IP of the
>> > remote end. It smells like it's almost working (I'm getting ESP packets
>> > from the Cisco router) but my outgoing packets don't get encrypted nor are
>> > they routed to the remote endpoint -- they're just sent plaintext on the
>> > public interface, which obviously doesn't work because the packets are using
>> > private-subnet IPs. Note I don't have control over the Cisco side of the
>> > VPN, so my diagnostic/debugging capacity on that end is limited.
>> >
>> > Bring up:
>> > ip tunnel add vti0 mode vti local <local-public-ip> remote <remote-public-ip> okey 32 ikey 32
>> > ip link set vti0 up
>> > ip addr add 10.21.0.2 dev vti0
>> > ip route add 10.21.0.1 dev vti0
>> > sysctl -w "net.ipv4.conf.vti0.disable_policy=1"
>> >
>> > /etc/ipsec.conf:
>> > conn VTI
>> >     keyexchange=ikev1
>> >     ike=aes256-sha1-modp1024
>> >     esp=aes256-sha1!
>> >     left=<local-public-ip>
>> >     leftid=<local-public-ip>
>> >     leftsubnet=10.21.0.2/32
>> >     leftauth=psk
>> >     rightauth=psk
>> >     right=<remote-public-ip>
>> >     rightid=<remote-public-ip>
>> >     rightsubnet=10.21.0.1/32
>> >     mark=32
>> >     auto=start
>> >
>> > $ sudo ipsec statusall
>> > Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.9.50-x86_64-linode86, x86_64):
>> >   uptime: 5 seconds, since Dec 05 17:48:55 2017
>> >   malloc: sbrk 2408448, mmap 0, used 366432, free 2042016
>> >   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
>> >   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
>> > Listening IP addresses:
>> >   <local-public-ip>
>> >   10.21.0.2
>> > Connections:
>> >          VTI:  <local-public-ip>...<remote-public-ip>  IKEv1
>> >          VTI:   local:  [<local-public-ip>] uses pre-shared key authentication
>> >          VTI:   remote: [<remote-public-ip>] uses pre-shared key authentication
>> >          VTI:   child:  10.21.0.2/32 === 10.21.0.1/32 TUNNEL
>> > Security Associations (1 up, 0 connecting):
>> >          VTI[1]: ESTABLISHED 5 seconds ago, <local-public-ip>[<local-public-ip>]...<remote-public-ip>[<remote-public-ip>]
>> >          VTI[1]: IKEv1 SPIs: f161f8c0def835fe_i* 1fe93eb02d49cd32_r, pre-shared key reauthentication in 2 hours
>> >          VTI[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> >          VTI{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: caf87319_i 50a12c2b_o
>> >          VTI{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 47 minutes
>> >          VTI{1}:   10.21.0.2/32 === 10.21.0.1/32
>> >
>> > $ sudo tcpdump -i eth0 host <remote-public-ip>
>> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> > listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> > 17:52:28.535462 IP <remote-hostname> > <local-hostname>: ESP(spi=0xcd3f3177,seq=0x4), length 100
>> > 17:52:51.404751 IP <remote-hostname> > <local-hostname>: ESP(spi=0xcd3f3177,seq=0x5), length 100
>> > 17:52:53.404466 IP <remote-hostname> > <local-hostname>: ESP(spi=0xcd3f3177,seq=0x6), length 100
>> > 17:52:57.404483 IP <remote-hostname> > <local-hostname>: ESP(spi=0xcd3f3177,seq=0x7), length 100
>> > 17:53:05.404418 IP <remote-hostname> > <local-hostname>: ESP(spi=0xcd3f3177,seq=0x8), length 100
>> >
>> > If I run a tcpdump on eth0 while pinging 10.21.0.1 from my Ubuntu host I get:
>> >
>> > $ sudo tcpdump -i eth0 host 10.21.0.2
>> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> > listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> > 17:55:51.060099 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 1, length 64
>> > 17:55:52.073711 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 2, length 64
>> > 17:55:53.087071 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 3, length 64
>> > 17:55:54.100374 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 4, length 64
>> > 17:55:55.113690 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 5, length 64
>> > 17:55:56.127045 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 6, length 64
>> > 17:55:57.140397 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 7, length 64
>> > 17:55:58.153678 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 8, length 64
>> >
>> > where eth0 is my public Internet interface on the Ubuntu box. And no
>> > traffic on the vti0 interface.
>> >
>> > $ ip route show
>> > default via 198.74.60.1 dev eth0 onlink
>> > 10.21.0.1 dev vti0 scope link
>> >
>> > Another detail is that the connection seems to be dropping out and
>> > coming back up periodically, as you can gather from the following, taken a
>> > few minutes later:
>> > $ sudo ipsec statusall
>> > Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.9.50-x86_64-linode86, x86_64):
>> >   uptime: 12 minutes, since Dec 05 17:48:55 2017
>> >   malloc: sbrk 2408448, mmap 0, used 476512, free 1931936
>> >   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
>> >   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
>> > Listening IP addresses:
>> >   <local-public-ip>
>> >   10.21.0.2
>> > Connections:
>> >          VTI:  <local-public-ip>...<remote-public-ip>  IKEv1
>> >          VTI:   local:  [<local-public-ip>] uses pre-shared key authentication
>> >          VTI:   remote: [<remote-public-ip>] uses pre-shared key authentication
>> >          VTI:   child:  10.21.0.2/32 === 10.21.0.1/32 TUNNEL
>> > Security Associations (1 up, 0 connecting):
>> >          VTI[1]: ESTABLISHED 12 minutes ago, <local-public-ip>[<local-public-ip>]...<remote-public-ip>[<remote-public-ip>]
>> >          VTI[1]: IKEv1 SPIs: f161f8c0def835fe_i* 1fe93eb02d49cd32_r, pre-shared key reauthentication in 2 hours
>> >          VTI[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> >          VTI{1}:  REKEYED, TUNNEL, reqid 1, expires in 47 minutes
>> >          VTI{1}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ce1cd0f3_i 219c09e7_o
>> >          VTI{2}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
>> >          VTI{2}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4f08265_i 943423ca_o
>> >          VTI{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 34 minutes
>> >          VTI{3}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{4}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0551732_i 590f641e_o
>> >          VTI{4}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
>> >          VTI{4}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c6fc0b2e_i 43a45c53_o
>> >          VTI{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 33 minutes
>> >          VTI{5}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{6}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c123ce23_i 3d106f6b_o
>> >          VTI{6}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 32 minutes
>> >          VTI{6}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{7}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd3f3177_i 486dadf9_o
>> >          VTI{7}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 32 minutes
>> >          VTI{7}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{8}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c057f07c_i ac31a9cf_o
>> >          VTI{8}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
>> >          VTI{8}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{9}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cbd22eb8_i 2c02b93e_o
>> >          VTI{9}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 37 minutes
>> >          VTI{9}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{10}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf9d7de4_i f9bbf3ac_o
>> >          VTI{10}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
>> >          VTI{10}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{11}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0818f2d_i 4db195e5_o
>> >          VTI{11}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 37 minutes
>> >          VTI{11}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{12}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2b3b560_i 7c6f64a0_o
>> >          VTI{12}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
>> >          VTI{12}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{13}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c27ad328_i aa40b268_o
>> >          VTI{13}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
>> >          VTI{13}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{14}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2c27758_i 2a5e1d65_o
>> >          VTI{14}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
>> >          VTI{14}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{15}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf9658c4_i fd65ee58_o
>> >          VTI{15}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
>> >          VTI{15}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{16}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c67182e0_i a30b98ad_o
>> >          VTI{16}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 39 minutes
>> >          VTI{16}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{17}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c7749046_i acab5447_o
>> >          VTI{17}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
>> >          VTI{17}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{18}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb7025b6_i 62e2a1e3_o
>> >          VTI{18}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
>> >          VTI{18}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{19}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ce24136a_i 2b1975ff_o
>> >          VTI{19}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
>> >          VTI{19}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{20}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb6a23c7_i a580c19a_o
>> >          VTI{20}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
>> >          VTI{20}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{21}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd13d44b_i eba4a1eb_o
>> >          VTI{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
>> >          VTI{21}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{22}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd6048b0_i e28c1ba5_o
>> >          VTI{22}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
>> >          VTI{22}:   10.21.0.2/32 === 10.21.0.1/32
>> >          VTI{23}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cae775b9_i 50852308_o
>> >          VTI{23}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
>> >          VTI{23}:   10.21.0.2/32 === 10.21.0.1/32
>> > --
>> > Isaac Sutherland
>> > Software Designer
>> > TMV Control Systems Inc.
>> > 519-624-8219 x103
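The thread turns on the two charon.conf directives that Ubuntu ships commented out: a commented-out `install_routes` is not "no", it is the default "yes", which is exactly the state that leaves the VTI unused. The following added example (not from the thread or from the strongSwan project) is a small POSIX shell check that parses a strongswan.conf-style file the way the thread describes it (comments stripped, nested `charon { }` block) and reports whether `install_routes` and `install_virtual_ip` are active and set to `no`; both config samples are constructed.

```shell
# Added example, not from the thread: verify that install_routes and
# install_virtual_ip are ACTIVE (not behind '#') and set to "no" in a
# strongswan.conf-style file such as /etc/strongswan.d/charon.conf.

# Effective value of a directive: comments stripped first, the last uncommented
# assignment wins, "unset" means nothing is in effect (so the daemon default applies).
effective_value() {
    # $1 = config file, $2 = directive name
    sed -e 's/#.*$//' "$1" |
        awk -F= -v key="$2" '
            $1 ~ ("^[ \t]*" key "[ \t]*$") { gsub(/[ \t]/, "", $2); v = $2 }
            END { print (v == "" ? "unset" : v) }'
}

# Returns 0 when both directives are active and "no"; otherwise prints each
# offending directive with its effective value and returns 1.
check_vti_settings() {
    rc=0
    for key in install_routes install_virtual_ip; do
        v=$(effective_value "$1" "$key")
        if [ "$v" != "no" ]; then
            echo "$key is $v (expected: no)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample resembling the Ubuntu 16.04 default: the directives are
# present but commented out, so neither takes effect.
DEFAULT_CONF=$(mktemp)
cat >"$DEFAULT_CONF" <<'EOF'
charon {
    # install_routes = yes
    # install_virtual_ip = yes
    load_modular = yes
}
EOF

# Constructed sample: the same file after uncommenting both and setting "no".
FIXED_CONF=$(mktemp)
cat >"$FIXED_CONF" <<'EOF'
charon {
    install_routes = no
    install_virtual_ip = no
    load_modular = yes
}
EOF
trap 'rm -f "$DEFAULT_CONF" "$FIXED_CONF"' EXIT

for f in "$DEFAULT_CONF" "$FIXED_CONF"; do
    if check_vti_settings "$f"; then echo "$f: OK"; else echo "$f: NOT OK"; fi
done
```

Run it against the real /etc/strongswan.d/charon.conf (or /etc/strongswan.conf) to confirm the setting took effect before restarting charon; note it only checks one file, not the files pulled in by `include`.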
