> unless you use an additional tunneling protocol like GRE. So for
> transport mode you will have to use %dynamic (optional with
> protocol/port) as traffic selector.
Thanks Tobias. After spending the last couple of solid days on this, I'm a little closer to a solution. Reading parts of the IKE2 RFC has helped, but not enough. I am working to create a VTI PtP. The updown script I am using is in [1]. At one point it was getting called on both sides; now it's getting called on the initiator after the `CHILD_SA established`, but it does not happen on the responder at the same point. One of the problems I have is that the TS negotiation is not using the 10.9.255.252/30 network for both sides, so a ping from the initiator to the responder's policy address does not get accepted by the `policy match dir in pol ipsec` netfilter rule, because no single address can both send the packet and have the response returned. Are you able to see what I am missing here? In the end, I would like to have a `vti` device on both nodes where, as much as possible, the vti tunnel is completely configured with the Virtual IP from the responder.

Brian

[1] https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Connection-specific-VTI-Devices

Common config

> config setup
>     charondebug="ike 4, knl 2, cfg 4, mgr 2"
>
> conn %default
>     keyingtries=3
>     authby=secret
>     type=transport
>     ike=aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
>     esp=aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072

Initiator config

> conn net-net
>     mark=%unique
>     left=%defaultroute
>     leftfirewall=no
>     leftsubnet=0.0.0.0/0
>     leftupdown=/etc/strongswan.d/ipsec-vti.sh
>     leftsourceip=%config4
>     right=res.pon.der.ip
>     [email protected]
>     rightsubnet=%dynamic
>     auto=add

Responder config

> conn net-net
>     mark=%unique
>     left=res.pon.der.ip
>     leftupdown=/etc/strongswan/ipsec-vti.sh
>     [email protected]
>     leftfirewall=no
>     leftsourceip=10.9.255.1
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightsourceip=10.9.255.0/24
>     auto=add

Initiator xfrm

> root@initiator:~# ip x p
> src 10.9.255.1/32 dst res.pon.der.ip/32
>     dir out priority 367231
>     mark 0x1/0xffffffff
>     tmpl src ini.tia.tor.ip dst res.pon.der.ip
>         proto esp spi 0xc97a3d09 reqid 1 mode tunnel
> src res.pon.der.ip/32 dst 10.9.255.1/32
>     dir fwd priority 367231
>     mark 0x1/0xffffffff
>     tmpl src res.pon.der.ip dst ini.tia.tor.ip
>         proto esp reqid 1 mode tunnel
> src res.pon.der.ip/32 dst 10.9.255.1/32
>     dir in priority 367231
>     mark 0x1/0xffffffff
>     tmpl src res.pon.der.ip dst ini.tia.tor.ip
>         proto esp reqid 1 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
>     socket in priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>     socket out priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>     socket in priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>     socket out priority 0
> src ::/0 dst ::/0
>     socket in priority 0
> src ::/0 dst ::/0
>     socket out priority 0
> src ::/0 dst ::/0
>     socket in priority 0
> src ::/0 dst ::/0
>     socket out priority 0
> root@initiator:~# ip x s
> src ini.tia.tor.ip dst res.pon.der.ip
>     proto esp spi 0xc97a3d09 reqid 1 mode tunnel
>     replay-window 0 flag af-unspec
>     mark 0x1/0xffffffff
>     aead rfc4106(gcm(aes)) xxxx 128
>     anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> src res.pon.der.ip dst ini.tia.tor.ip
>     proto esp spi 0xc2f50f38 reqid 1 mode tunnel
>     replay-window 32 flag af-unspec
>     aead rfc4106(gcm(aes)) yyyy 128
>     anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> root@initiator:~# ip t l
> vti1: ip/ip remote 173.248.143.113 local 71.33.222.96 ttl inherit key 1
> ip_vti0: ip/ip remote any local any ttl inherit nopmtudisc key 0
> root@initiator:~# ip a sh vti1
> 24: vti1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1472 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/ipip ini.tia.tor.ip peer res.pon.der.ip
>     inet 10.9.255.1/32 scope global vti1
>        valid_lft forever preferred_lft forever
>     inet6 fe80::200:5efe:4721:de60/64 scope link
>        valid_lft forever preferred_lft forever

Responder xfrm

> [root@responder ~]# ip x p
> src res.pon.der.ip/32 dst 10.9.255.1/32
>     dir out priority 367231 ptype main
>     mark 0x1/0xffffffff
>     tmpl src res.pon.der.ip dst ini.tia.tor.ip
>         proto esp spi 0xc2f50f38 reqid 1 mode tunnel
> src 10.9.255.1/32 dst res.pon.der.ip/32
>     dir fwd priority 367231 ptype main
>     mark 0x1/0xffffffff
>     tmpl src ini.tia.tor.ip dst res.pon.der.ip
>         proto esp reqid 1 mode tunnel
> src 10.9.255.1/32 dst res.pon.der.ip/32
>     dir in priority 367231 ptype main
>     mark 0x1/0xffffffff
>     tmpl src ini.tia.tor.ip dst res.pon.der.ip
>         proto esp reqid 1 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
>     socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>     socket out priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>     socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>     socket out priority 0 ptype main
> src ::/0 dst ::/0
>     socket in priority 0 ptype main
> src ::/0 dst ::/0
>     socket out priority 0 ptype main
> src ::/0 dst ::/0
>     socket in priority 0 ptype main
> src ::/0 dst ::/0
>     socket out priority 0 ptype main
> [root@responder ~]# ip x s
> src res.pon.der.ip dst ini.tia.tor.ip
>     proto esp spi 0xc2f50f38 reqid 1 mode tunnel
>     replay-window 0 flag af-unspec
>     mark 0x1/0xffffffff
>     aead rfc4106(gcm(aes)) yyyy 128
>     anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> src ini.tia.tor.ip dst res.pon.der.ip
>     proto esp spi 0xc97a3d09 reqid 1 mode tunnel
>     replay-window 32 flag af-unspec
>     aead rfc4106(gcm(aes)) xxxx 128
>     anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> [[NO TUNNEL CREATED]]

Initiator log

> ...
> 11[IKE] IKE_SA net-net[1] state change: CONNECTING => ESTABLISHED
> 11[IKE] scheduling reauthentication in 10166s
> 11[IKE] maximum IKE_SA lifetime 10706s
> 11[IKE] processing INTERNAL_IP4_ADDRESS attribute
> 11[KNL] ini.tia.tor.ip is on interface pppoe-wan
> 11[IKE] installing new virtual IP 10.9.255.1
> 11[KNL] virtual IP 10.9.255.1 installed on pppoe-wan
> 11[CFG] selecting proposal:
> 11[CFG] proposal matches
> 11[CFG] received proposals: ESP:AES_GCM_16_192/NO_EXT_SEQ
> 11[CFG] configured proposals:
> ESP:AES_GCM_16_192/AES_GCM_16_128/ECP_256/MODP_3072/NO_EXT_SEQ,
> ESP:AES_CBC_192/HMAC_SHA2_256_128/ECP_256/MODP_3072/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128
> AC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
> 11[CFG] selected proposal: ESP:AES_GCM_16_192/NO_EXT_SEQ
> 11[CFG] selecting traffic selectors for us:
> 11[CFG] config: 0.0.0.0/0, received: 10.9.255.1/32 => match: 10.9.255.1/32
> 11[CFG] selecting traffic selectors for other:
> 11[CFG] config: res.pon.der.ip/32, received: res.pon.der.ip/32 => match: res.pon.der.ip/32
> 11[KNL] adding SAD entry with SPI c2f50f38 and reqid {1}
> 11[KNL] using encryption algorithm AES_GCM_16 with key size 224
> 11[KNL] using replay window of 32 packets
> 11[KNL] HW offload: no
> 11[KNL] adding SAD entry with SPI c97a3d09 and reqid {1} (mark 1/0xffffffff)
> 11[KNL] using encryption algorithm AES_GCM_16 with key size 224
> 11[KNL] using replay window of 0 packets
> 11[KNL] HW offload: no
> 11[KNL] adding policy res.pon.der.ip/32 === 10.9.255.1/32 in (mark 1/0xffffffff) [priority 367231, refcount 1]
> 11[KNL] adding policy res.pon.der.ip/32 === 10.9.255.1/32 fwd (mark 1/0xffffffff) [priority 367231, refcount 1]
> 11[KNL] adding policy 10.9.255.1/32 === res.pon.der.ip/32 out (mark 1/0xffffffff) [priority 367231, refcount 1]
> 11[KNL] getting a local address in traffic selector 10.9.255.1/32
> 11[KNL] using host 10.9.255.1
> 11[KNL] getting iface name for index 21
> 11[KNL] using 207.225.112.2 as nexthop and pppoe-wan as dev to reach res.pon.der.ip/32
> 11[KNL] installing route: res.pon.der.ip/32 via 207.225.112.2 src 10.9.255.1 dev pppoe-wan
> 11[KNL] getting iface index for pppoe-wan
> 11[IKE] CHILD_SA net-net{1} established with SPIs c2f50f38_i c97a3d09_o and TS 10.9.255.1/32 === res.pon.der.ip/32
> : 11[IKE] CHILD_SA net-net{1} established with SPIs c2f50f38_i c97a3d09_o and TS 10.9.255.1/32 === res.pon.der.ip/32
> 11[KNL] ini.tia.tor.ip is on interface pppoe-wan
> 03[KNL] interface vti1 activated
> 08[KNL] fe80::200:5efe:4721:de60 appeared on vti1
> 12[KNL] 10.9.255.1 appeared on vti1
> 11[CHD] updown: net.ipv4.conf.vti1.disable_policy = 1
> 11[IKE] received AUTH_LIFETIME of 10009s, scheduling reauthentication in 9469s
> 11[IKE] peer supports MOBIKE
> 11[IKE] got additional MOBIKE peer address: 10.10.0.41
> 11[IKE] got additional MOBIKE peer address: 172.17.0.1
> 11[IKE] got additional MOBIKE peer address: fc00::10ca:1
> 11[IKE] activating new tasks
> 11[IKE] nothing to initiate
> 11[MGR] checkin IKE_SA net-net[1]
> 11[MGR] checkin of IKE_SA successful
> 07[KNL] getting iface index for pppoe-wan
> 04[KNL] creating roam job due to address/link change
> 04[MGR] checkout IKEv2 SA with SPIs 23d8ee02a0a4b711_i 8b31ca6022e3616c_r
> 04[MGR] IKE_SA net-net[1] successfully checked out
> 04[KNL] using ini.tia.tor.ip as address to reach res.pon.der.ip/32
> 04[IKE] keeping connection path ini.tia.tor.ip - res.pon.der.ip
> 04[IKE] sending address list update using MOBIKE
> 04[IKE] queueing IKE_MOBIKE task
> 04[IKE] activating new tasks
> 04[IKE] activating IKE_MOBIKE task
> 04[KNL] using ini.tia.tor.ip as address to reach res.pon.der.ip/32
> 04[ENC] generating INFORMATIONAL request 2 [ N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> 04[KNL] using ini.tia.tor.ip as address to reach res.pon.der.ip/32
> 04[NET] sending packet: from ini.tia.tor.ip[4500] to res.pon.der.ip[4500] (93 bytes)
> 04[MGR] checkin IKE_SA net-net[1]
> 04[MGR] checkin of IKE_SA successful
> 05[MGR] checkout IKEv2 SA by message with SPIs 23d8ee02a0a4b711_i 8b31ca6022e3616c_r
> 05[MGR] IKE_SA net-net[1] successfully checked out
> 05[NET] received packet: from res.pon.der.ip[4500] to ini.tia.tor.ip[4500] (57 bytes)
> 05[ENC] parsed INFORMATIONAL response 2 [ ]
> 05[IKE] activating new tasks
> 05[IKE] nothing to initiate
> 05[MGR] checkin IKE_SA net-net[1]
> 05[MGR] checkin of IKE_SA successful
> 06[MGR] checkout IKEv2 SA with SPIs 23d8ee02a0a4b711_i 0000000000000000_r
> 06[MGR] IKE_SA net-net[1] successfully checked out
> 06[MGR] checkin IKE_SA net-net[1]
> 06[MGR] checkin of IKE_SA successful
> 08[MGR] checkout IKEv2 SA with SPIs 23d8ee02a0a4b711_i 8b31ca6022e3616c_r
> 08[MGR] IKE_SA net-net[1] successfully checked out
> 08[MGR] checkin IKE_SA net-net[1]
> 08[MGR] checkin of IKE_SA successful
> 09[MGR] checkout IKEv2 SA with SPIs 23d8ee02a0a4b711_i 8b31ca6022e3616c_r
> 09[MGR] IKE_SA net-net[1] successfully checked out
> 09[MGR] checkin IKE_SA net-net[1]
> 09[MGR] checkin of IKE_SA successful

Responder log

> ...
> 06[IKE] IKE_SA net-net[1] state change: CONNECTING => ESTABLISHED
> 06[IKE] scheduling reauthentication in 10009s
> 06[IKE] maximum IKE_SA lifetime 10549s
> 06[IKE] peer requested virtual IP %any
> 06[CFG] assigning new lease to 'ini.tia.tor.ip'
> 06[IKE] assigning virtual IP 10.9.255.1 to peer 'ini.tia.tor.ip'
> 06[CFG] looking for a child config for res.pon.der.ip/32 === 0.0.0.0/0
> 06[CFG] proposing traffic selectors for us:
> 06[CFG] res.pon.der.ip/32
> 06[CFG] proposing traffic selectors for other:
> 06[CFG] 10.9.255.1/32
> 06[CFG] candidate "net-net" with prio 5+1
> 06[CFG] found matching child config "net-net" with prio 6
> 06[CFG] selecting proposal:
> 06[CFG] proposal matches
> 06[CFG] received proposals: ESP:AES_GCM_16_192/AES_GCM_16_128/NO_EXT_SEQ,
> ESP:AES_CBC_192/HMAC_SHA2_256_128/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_2
> 06[CFG] configured proposals:
> ESP:AES_GCM_16_192/AES_GCM_16_128/ECP_256/MODP_3072/NO_EXT_SEQ,
> ESP:AES_CBC_192/HMAC_SHA2_256_128/ECP_256/MODP_3072/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256
> XCBC_96/NO_EXT_SEQ
> 06[CFG] selected proposal: ESP:AES_GCM_16_192/NO_EXT_SEQ
> 06[KNL] got SPI c97a3d09
> 06[CFG] selecting traffic selectors for us:
> 06[CFG] config: 0.0.0.0/0, received: res.pon.der.ip/32 => match: res.pon.der.ip/32
> 06[CFG] selecting traffic selectors for other:
> 06[CFG] config: 10.9.255.1/32, received: 0.0.0.0/0 => match: 10.9.255.1/32
> 06[IKE] not using transport mode, not host-to-host
> 06[KNL] adding SAD entry with SPI c97a3d09 and reqid {1}
> 06[KNL] using encryption algorithm AES_GCM_16 with key size 224
> 06[KNL] using replay window of 32 packets
> 06[KNL] HW offload: no
> 06[KNL] adding SAD entry with SPI c2f50f38 and reqid {1} (mark 1/0xffffffff)
> 06[KNL] using encryption algorithm AES_GCM_16 with key size 224
> 06[KNL] using replay window of 0 packets
> 06[KNL] HW offload: no
> 06[KNL] adding policy 10.9.255.1/32 === res.pon.der.ip/32 in (mark 1/0xffffffff) [priority 367231, refcount 1]
> 06[KNL] adding policy 10.9.255.1/32 === res.pon.der.ip/32 fwd (mark 1/0xffffffff) [priority 367231, refcount 1]
> 06[KNL] adding policy res.pon.der.ip/32 === 10.9.255.1/32 out (mark 1/0xffffffff) [priority 367231, refcount 1]
> 06[KNL] getting a local address in traffic selector res.pon.der.ip/32
> 06[KNL] using host res.pon.der.ip
> 06[KNL] getting iface name for index 2
> 06[KNL] using gat.e.way.ip as nexthop and eno1 as dev to reach ini.tia.tor.ip/32
> 06[KNL] installing route: 10.9.255.1/32 via gat.e.way.ip src res.pon.der.ip dev eno1
> 06[KNL] getting iface index for eno1
> 06[IKE] CHILD_SA net-net{1} established with SPIs c97a3d09_i c2f50f38_o and TS res.pon.der.ip/32 === 10.9.255.1/32
> 06[IKE] CHILD_SA net-net{1} established with SPIs c97a3d09_i c2f50f38_o and TS res.pon.der.ip/32 === 10.9.255.1/32
> 06[KNL] res.pon.der.ip is on interface eno1
> 06[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
> 06[NET] sending packet: from res.pon.der.ip[4500] to ini.tia.tor.ip[4500] (297 bytes)
> 06[MGR] checkin IKE_SA net-net[1]
> 06[MGR] checkin of IKE_SA successful
> 08[MGR] checkout IKEv2 SA by message with SPIs 23d8ee02a0a4b711_i 8b31ca6022e3616c_r
> 08[MGR] IKE_SA net-net[1] successfully checked out
> 08[NET] received packet: from ini.tia.tor.ip[4500] to res.pon.der.ip[4500] (93 bytes)
> 08[ENC] parsed INFORMATIONAL request 2 [ N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> 08[IKE] got additional MOBIKE peer address: 192.168.10.1
> 08[IKE] got additional MOBIKE peer address: 10.10.4.1
> 08[IKE] got additional MOBIKE peer address: 10.9.255.1
> 08[ENC] generating INFORMATIONAL response 2 [ ]
> 08[NET] sending packet: from res.pon.der.ip[4500] to ini.tia.tor.ip[4500] (57 bytes)
> 08[MGR] checkin IKE_SA net-net[1]
> 08[MGR] checkin of IKE_SA successful
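As an added example, not the script from the wiki link above or anything from the original post, here is the shape of a per-connection VTI updown script built from the PLUTO_* variables that strongSwan's updown plugin exports (PLUTO_VERB, PLUTO_UNIQUEID, PLUTO_ME, PLUTO_PEER, PLUTO_MARK_OUT, PLUTO_MY_SOURCEIP, PLUTO_PEER_CLIENT). The dry-run split, the VTI_DRY_RUN variable and the guard against routing the peer's own public address into the VTI are my additions; the addresses used in the checks are constructed.

```shell
#!/bin/sh
# Added example: per-connection VTI updown script for strongSwan.
# vti_commands only prints the ip/sysctl commands derived from the PLUTO_*
# variables, so the logic can be checked without root; the dispatch at the
# bottom executes them when charon calls the script.

# Arguments: verb, unique id, local ip, peer ip, PLUTO_MARK_OUT ("1/0xffffffff"),
# my source ip (may be empty), peer client subnet (may be empty).
vti_commands() {
    verb=$1; id=$2; me=$3; peer=$4; mark=$5; srcip=$6; peerclient=$7
    ifname="vti${id}"
    key=${mark%%/*}   # the VTI key must equal the mark carried by the xfrm policies
    case "$verb" in
    up-client)
        echo "ip tunnel add $ifname local $me remote $peer mode vti key $key"
        echo "ip link set $ifname up"
        if [ -n "$srcip" ]; then
            echo "ip addr add $srcip dev $ifname"
        fi
        # Never route the peer's own public address into the VTI: the ESP and
        # IKE packets addressed to the peer would then loop back into the tunnel.
        if [ -n "$peerclient" ] && [ "$peerclient" != "$peer/32" ]; then
            echo "ip route add $peerclient dev $ifname"
        fi
        # Skip the xfrm policy check on the VTI: decrypted packets arrive on it
        # without a matching policy and would otherwise be dropped.
        echo "sysctl -q -w net.ipv4.conf.$ifname.disable_policy=1"
        ;;
    down-client)
        echo "ip tunnel del $ifname"
        ;;
    esac
}

# Number of commands a verb would emit (handy for quick checks).
vti_command_count() {
    vti_commands "$@" | wc -l | tr -d ' '
}

# Entry point when charon invokes the script (PLUTO_VERB is set). With
# VTI_DRY_RUN set, the commands are printed instead of executed.
if [ -n "${PLUTO_VERB:-}" ]; then
    cmds=$(vti_commands "$PLUTO_VERB" "${PLUTO_UNIQUEID:-0}" "$PLUTO_ME" "$PLUTO_PEER" \
        "${PLUTO_MARK_OUT:-0}" "${PLUTO_MY_SOURCEIP:-}" "${PLUTO_PEER_CLIENT:-}")
    if [ -n "${VTI_DRY_RUN:-}" ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | sh -e
    fi
fi
```

Run it once with `VTI_DRY_RUN=1` as leftupdown to confirm the device name, key and routes match what `ip x p` shows before letting it execute for real.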
