Hello,

My setup is as follows:

(10.1.48.0/23) R1<-(vlan)->R2<-(ipsec)->R3 (10.46.0.0/16)

Traffic from R1 that is destined for something behind R3 is correctly
forwarded by R2 through the ipsec vti tunnel but the return traffic is not
forwarded by R2 to R3 but instead it is forwarded back to R3. This
effectively causes lots of bouncing of traffic between R2 and R3.

I am using a vti interface with marks to enable route based ipsec as I am
running BGP on all routers. It feels like R2 still uses the policies to
route traffic in and out of the vti tunnel as whenI change the rightsubnet
to 10.46.0.0/16 it all works.

ipsec.conf:
config setup

conn %default
  aggressive = no
  closeaction = restart
  compress = no
  dpdaction = restart
  dpddelay = 10s
  dpdtimeout = 30s
  esp = aes128-sha256-modp2048s256,aes128-sha1-modp1024!
  ike = aes256-sha256-modp2048s256,aes128-sha1-modp1024!
  ikelifetime = 28800s
  installpolicy = yes
  lifetime = 3600s
  mobike = no
  reauth = no
  rekey = yes
  leftauth = psk
  rightauth = psk
  leftsubnet = 0.0.0.0/0
  rightsubnet = 0.0.0.0/0
  leftupdown = /etc/strongswan.d/ipsec-vti.sh

conn prod
  auto = start
  type = tunnel
  mark = 991
  left = 149.1.1.1
  right = 51.1.1.1
  keyexchange = ikev2


charon.conf:
charon {
  install_routes = no
}

Other useful info:
# iptables -nL -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
MARK       esp  --  51.1.1.1        149.1.1.1         MARK set 0x3df

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp
flags:0x06/0x02 TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

# ifconfig vti1
vti1     Link encap:IPIP Tunnel  HWaddr
          inet addr:172.29.253.80  P-t-P:10.46.0.254  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1350  Metric:1
          RX packets:5210 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5201 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:402059 (402.0 KB)  TX bytes:405173 (405.1 KB)


# cat /etc/strongswan.d/ipsec-vti.sh
#!/bin/bash
IP=$(which ip)
IPTABLES=$(which iptables)
SYSCTL=$(which sysctl)

case "$PLUTO_CONNECTION" in
  prod)
    VTI_INTERFACE=vti1
    VTI_LOCALADDR=172.29.253.80
    VTI_REMOTEADDR=10.46.0.254
    MARK_IN=$(echo $PLUTO_MARK_IN | grep -o -E "^[0-9]+")
    MARK_OUT=$(echo $PLUTO_MARK_OUT | grep -o -E "^[0-9]+")
    ;;
esac

case "${PLUTO_VERB}" in
    up-client)
        echo "uping interface ${VTI_INTERFACE}"
        $IP link add ${VTI_INTERFACE} type vti local ${PLUTO_ME} remote
${PLUTO_PEER} ikey ${MARK_IN} okey ${MARK_OUT}
        $SYSCTL -w net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1
        $SYSCTL -w net.ipv4.conf.${VTI_INTERFACE}.rp_filter=2 || $SYSCTL -w
net.ipv4.conf.${VTI_INTERFACE}.rp_filter=0
        $IP addr add ${VTI_LOCALADDR} remote ${VTI_REMOTEADDR} dev
${VTI_INTERFACE}
        $IP link set ${VTI_INTERFACE} up mtu 1350
        $IPTABLES -t mangle -I FORWARD -o ${VTI_INTERFACE} -p tcp -m tcp
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
        $IPTABLES -t mangle -I INPUT -p esp -s ${PLUTO_PEER} -d ${PLUTO_ME}
-j MARK --set-xmark ${MARK_IN}
        $IP route flush table 220
        ;;
    down-client)
        echo "downing interface ${VTI_INTERFACE}"
        $IP link del ${VTI_INTERFACE}
        $IPTABLES -t mangle -D FORWARD -o ${VTI_INTERFACE} -p tcp -m tcp
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
        $IPTABLES -t mangle -D INPUT -p esp -s ${PLUTO_PEER} -d ${PLUTO_ME}
-j MARK --set-xmark ${MARK_IN}
        ;;
esac
# Enable IPv4 forwarding
$SYSCTL -w net.ipv4.ip_forward=1
$SYSCTL -w net.ipv4.conf.ens5.disable_xfrm=1
$SYSCTL -w net.ipv4.conf.ens5.disable_policy=1

Reply via email to