Hi,

A not too elegant, but working, solution is to create different configs per
connection (with dedicated if_id_in/out) and dynamically create the xfrm
interface (using updown and PLUTO_IF_ID*). In this way it's possible to
set remote_ts = 0.0.0.0/0 and be happy with routing protocols. But there
is another issue (please see my next message to the list), and if
anybody can suggest a more elegant way to the topic, I will appreciate it.

Thank you.

On 17.09.2020 18:50, Volodymyr Litovka wrote:

Hi colleagues,

I'm using XFRM on the SSwan side in shared mode for multiple clients
(using the same if_id):

3: xfrm0@lo: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
     link/none
     inet 192.168.167.1/24 brd 192.168.167.255 scope global xfrm0
        valid_lft forever preferred_lft forever

like this:

             xfrm (if_id=9, x.x.x.1/24)
   ------------------------------------------
         |              |                |
      client1        client2     ...   clientN
    (x.x.x.2/24)   (x.x.x.3/24)  ... (x.x.x.N/24)

having, e.g. the following SA:

ikev2-eap: #41, ESTABLISHED, IKEv2, 36739cd0b0eab71f_i 57d9f123408cdea5_r*
   local  'local_id' @ local_ip[4500]
   remote 'remote_id' @ remote_ip[4500] EAP: 'remote_eap_id' [192.168.167.2]
   AES_GCM_16-256/PRF_HMAC_SHA2_256/MODP_2048
   established 1547s ago, rekeying in 8357s
   eap-child: #37, reqid 31, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
     [ ... ]
     local  0.0.0.0/0
     remote 192.168.167.2/32

according to the configuration:

connections {
   ikev2-eap {
     pools = radius
     remote {
       auth = eap-radius
       id = %any
       eap_id = %any
     }
     children {
       eap-child {
         local_ts = 0.0.0.0/0
         remote_ts = dynamic
         mode = tunnel
       }
     }
   }
}

The wiki's RouteBasedVPN page says the following: "After creating the device it
has to be enabled and then routes may be installed (routing protocols
may also be used)." and I tried to implement dynamic routing to route
between remote LANs, receiving additional subnets over BGP between
peers (e.g. x.x.x.1 <-> x.x.x.2):

server# ip route
[ ... ]
5.6.7.0/24  nhid 20 via 192.168.167.2 dev xfrm0 proto bgp  metric 20

but, actually, I cannot access the remote BGP-learned LAN:

server# ping 5.6.7.1 -I 192.168.167.1
PING 5.6.7.1 (5.6.7.1) from 192.168.167.1 : 56(84) bytes of data.
From 192.168.167.1 icmp_seq=1 Destination Host Unreachable
From 192.168.167.1 icmp_seq=2 Destination Host Unreachable
^C

On the other hand, the wiki says (for VTI mode, though, while I'm
using XFRM) that such an issue happens because these networks
aren't mentioned in the traffic selectors, thus there is no matching policy
and traffic is rejected: "only traffic that matches these traffic
selectors will then actually be forwarded, other packets routed to the
VTI device will be rejected with an ICMP error message (destination
unreachable/destination host unreachable)."

So, the question: what am I doing wrong? Are there ways to use dynamic
routing with a shared XFRM device?

Note: remote peers can be behind the same NAT, thus having the same external
IP address.

Thank you.

--
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison

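The workaround described at the top of the thread (one connection per client with its own if_id_in/if_id_out, an xfrm interface created from the updown hook, and remote_ts = 0.0.0.0/0 so BGP-learned prefixes match the policy) is shown below as an added example. It is not the poster's script and not part of strongSwan. PLUTO_VERB, PLUTO_CONNECTION, PLUTO_IF_ID_IN and PLUTO_IF_ID_OUT are the variables strongSwan exports to updown scripts; the swanctl.conf fragment in the comment, the interface naming scheme, the XFRM_LOCAL_ADDR variable and the installation path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the list poster's script, not part of strongSwan): an updown hook
# that creates one xfrm interface per connection from the interface ID strongSwan hands
# it, so every client gets its own device and remote_ts = 0.0.0.0/0 can carry the
# BGP-learned prefixes that a shared device with remote_ts = dynamic rejected.
#
# Assumed swanctl.conf shape (one connection per client, equal dedicated in/out IDs):
#   connections {
#     client1 {
#       ...
#       children {
#         net {
#           local_ts  = 0.0.0.0/0
#           remote_ts = 0.0.0.0/0
#           if_id_in  = 11
#           if_id_out = 11
#           updown    = /usr/local/libexec/xfrm-updown.sh   # assumed path to this script
#         }
#       }
#     }
#   }
#
# XFRM_LOCAL_ADDR is an assumed, site-specific variable giving the address to put on the
# device (the poster's shared setup used 192.168.167.1/24 on xfrm0). If unset, no
# address is added and addressing is left to the routing daemon / other tooling.

IP="${IP:-ip}"    # set IP=echo to dry-run: the commands are printed instead of executed

# Interface name derived from the interface ID (assumed naming scheme: xfrm<if_id>).
xfrm_ifname() { printf 'xfrm%s\n' "$1"; }

# One xfrm device carries both directions, so if_id_in and if_id_out must be equal
# and numeric; otherwise the up path refuses to create a half-matching device.
xfrm_check_ids() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" = "$2" ]
}

# Create and enable the device, then add the local address if one is configured.
# Idempotent: an existing device is reused, since the hook can run more than once.
xfrm_up() {
    if_id=$1
    addr=$2
    ifname=$(xfrm_ifname "$if_id")
    if [ ! -d "/sys/class/net/$ifname" ]; then
        $IP link add "$ifname" type xfrm dev lo if_id "$if_id"
    fi
    $IP link set "$ifname" up
    if [ -n "$addr" ]; then
        $IP address replace "$addr" dev "$ifname"
    fi
}

# Remove the device; routes learned over it (e.g. proto bgp) disappear with it.
# Fine for the assumed one-child-per-connection layout.
xfrm_down() {
    ifname=$(xfrm_ifname "$1")
    if [ -d "/sys/class/net/$ifname" ]; then
        $IP link del "$ifname"
    fi
}

# Dispatch on the verb charon passes (up-client, down-client, ... with -v6 variants).
# When not invoked by charon (PLUTO_VERB unset), do nothing.
case "${PLUTO_VERB:-}" in
    up-*)
        if ! xfrm_check_ids "${PLUTO_IF_ID_IN:-}" "${PLUTO_IF_ID_OUT:-}"; then
            echo "xfrm-updown: ${PLUTO_CONNECTION:-?}: if_id_in/if_id_out must be equal numeric IDs" >&2
            exit 1
        fi
        xfrm_up "$PLUTO_IF_ID_IN" "${XFRM_LOCAL_ADDR:-}"
        ;;
    down-*)
        xfrm_down "${PLUTO_IF_ID_IN:-}"
        ;;
    *)
        ;;
esac
```

Running it with IP=echo PLUTO_VERB=up-client PLUTO_IF_ID_IN=11 PLUTO_IF_ID_OUT=11 prints the three ip commands it would issue, which is a convenient way to review the hook before pointing charon at it. Two things worth keeping in mind with this layout: swanctl.conf also accepts if_id_in = %unique / if_id_out = %unique, which lets charon allocate a per-IKE_SA ID so the per-client configs need not be hand-numbered; and widening remote_ts from the client's /32 to 0.0.0.0/0 removes the traffic-selector check that previously dropped packets from unexpected source prefixes, so prefix filtering on the BGP sessions (and, where appropriate, per-interface rp_filter) takes over that role.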