From: Joe M <joe9mail@gmail.com>
To: netdev@vger.kernel.org
Subject: Figuring out how vti works
Date: Mon, 15 Sep 2014 09:20:43 -0500	[thread overview]
Message-ID: <20140915142043.GA22070@master> (raw)


Hello Steffen Klassert,

Very sorry for this bother.

I could not figure out how vti works with ipsec and your patch was the
latest to ip_vti.c. If you cannot help, please excuse me.

I cannot get the vpn traffic to get on the vti tunnel. tcpdump on vti
does not show anything. I think the tunnel lookup code, for some
reason, is not able to use the "vtil" tunnel.

The pings worked fine if I remove the ip_vti and ip_tunnel modules,
the "mark=1" from /etc/ipsec.conf and the iptables mangle rules to
set-mark.

This is with strongswan 5.2.0. Can you please help?

This is my setup on moon (master hostname)

cat /etc/ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no

conn master-bnglr
        leftid="C=CH, O=strongSwan, CN=master"
        leftcert=masterCert.der
        left=192.168.0.11
        leftsubnet=192.168.0.0/24
        rightid="C=CH, O=strongSwan, CN=bnglr"
        right=%any
        rightsubnet=192.168.1.0/24
        auto=add
        mark=1


sudo cat /etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file

  : RSA masterKey.der


sudo ip tunnel list
vtil: ip/ip  remote 192.168.1.232  local 192.168.0.11  ttl inherit ikey 0  okey 1
ip_vti0: ip/ip  remote any  local any  ttl inherit  nopmtudisc key 0

sudo ip route list
default via 192.168.0.1 dev enp4s0  metric 202
127.0.0.0/8 dev lo  scope host
192.168.0.0/24 dev enp4s0  proto kernel  scope link  src 192.168.0.11  metric 202
192.168.1.0/24 dev vtil  scope link


sudo ip xfrm policy
src 192.168.1.0/24 dst 192.168.0.0/24
        dir fwd priority 2883
        mark 1/0xffffffff
        tmpl src <bnglr public ip> dst 192.168.0.11
                proto esp reqid 2 mode tunnel
src 192.168.1.0/24 dst 192.168.0.0/24
        dir in priority 2883
        mark 1/0xffffffff
        tmpl src <bnglr public ip> dst 192.168.0.11
                proto esp reqid 2 mode tunnel
src 192.168.0.0/24 dst 192.168.1.0/24
        dir out priority 2883
        mark 1/0xffffffff
        tmpl src 192.168.0.11 dst <bnglr public ip>
                proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0

sudo ip xfrm state
src 192.168.0.11 dst <bnglr public ip>
        proto esp spi 0xc3b23fb1 reqid 2 mode tunnel
        replay-window 32 flag af-unspec
        mark 1/0xffffffff
        auth-trunc hmac(sha1) 0x33f17d71abbc9ccdbef83ecba9e1c0711c3767a0 96
        enc cbc(aes) 0xe790b24d9e9f71aec28f8ed00013f411
        encap type espinudp sport 4500 dport 8993 addr 0.0.0.0
src <bnglr public ip> dst 192.168.0.11
        proto esp spi 0xc8bcf9b0 reqid 2 mode tunnel
        replay-window 32 flag af-unspec
        mark 1/0xffffffff
        auth-trunc hmac(sha1) 0xb780288b0cf20aa7f010552837cc03a04e29198a 96
        enc cbc(aes) 0xd0db2ec7e9bb83cbc6a9d20feb6eab49
        encap type espinudp sport 8993 dport 4500 addr 0.0.0.0


I tried setting the mangle rules to set-mark but that did not help. I
could not find any more documentation.

Thanks again and sorry for the bother,
Joe
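An added example, not part of the mail above and not code from the kernel or from strongSwan: a shell script that checks a VTI device against the IPsec SAs it is supposed to carry, using the two things ip_vti keys its lookups on. The driver stamps received packets with ikey as skb->mark and transmitted packets with okey before the xfrm lookup, and it selects the device by the outer ESP addresses, so a VTI carrying SAs that strongSwan created with mark=1 (which marks both directions) needs ikey and okey both equal to 1 and local/remote equal to the SA endpoints. The sample `ip tunnel list` and `ip xfrm state` text is constructed to mirror the output posted in the mail; 203.0.113.9 is a placeholder for the peer's public IP, which the mail elides, and vti1 is a hypothetical corrected device used to show the check passing.

```shell
#!/bin/sh
# Added example (not from the mail, the kernel or strongSwan): check a VTI
# device against the IPsec SAs it is meant to carry. ip_vti sets
# skb->mark = ikey on the receive path and skb->mark = okey on the transmit
# path before the xfrm lookup, and it picks the device by the outer ESP
# addresses, so ikey/okey must equal the SA marks for each direction
# (ipsec.conf "mark=1" marks both directions) and local/remote must be the
# SA endpoints.

# Constructed sample text modelled on the mail's 'ip tunnel list' and
# 'ip xfrm state' output. 203.0.113.9 (TEST-NET-3) is a placeholder for the
# peer's public IP, which the mail elides. vti1 is a hypothetical device
# created with:
#   ip tunnel add vti1 mode vti local 192.168.0.11 remote 203.0.113.9 key 1
TUNNEL_LIST='vtil: ip/ip  remote 192.168.1.232  local 192.168.0.11  ttl inherit ikey 0  okey 1
vti1: ip/ip  remote 203.0.113.9  local 192.168.0.11  ttl inherit  key 1
ip_vti0: ip/ip  remote any  local any  ttl inherit  nopmtudisc key 0'

XFRM_STATE='src 192.168.0.11 dst 203.0.113.9
        proto esp spi 0xc3b23fb1 reqid 2 mode tunnel
        replay-window 32 flag af-unspec
        mark 1/0xffffffff
src 203.0.113.9 dst 192.168.0.11
        proto esp spi 0xc8bcf9b0 reqid 2 mode tunnel
        replay-window 32 flag af-unspec
        mark 1/0xffffffff'

# tunnel_field DEV NAME: value following token NAME on DEV's line. For
# ikey/okey a single "key N" (printed when ikey == okey) counts for both,
# and an absent key is 0; other absent fields print "none".
tunnel_field() {
    printf '%s\n' "$TUNNEL_LIST" | awk -v dev="$1:" -v name="$2" '
        $1 == dev {
            for (i = 2; i <= NF; i++)
                if ($i == name || (name ~ /key$/ && $i == "key")) {
                    print $(i + 1); found = 1; exit
                }
        }
        END { if (!found) print (name ~ /key$/ ? 0 : "none") }'
}

# sa_mark LOCAL_IP in|out: mark (mask dropped) of the SA whose dst (in) or
# src (out) is LOCAL_IP, or "none".
sa_mark() {
    printf '%s\n' "$XFRM_STATE" | awk -v ip="$1" -v dir="$2" '
        $1 == "src" { hit = (dir == "out" && $2 == ip) || (dir == "in" && $4 == ip) }
        hit && $1 == "mark" { split($2, m, "/"); print m[1]; found = 1; exit }
        END { if (!found) print "none" }'
}

# sa_peer LOCAL_IP: outer source address of the inbound SA, or "none".
sa_peer() {
    printf '%s\n' "$XFRM_STATE" | awk -v ip="$1" '
        $1 == "src" && $4 == ip { print $2; found = 1; exit }
        END { if (!found) print "none" }'
}

# vti_check DEV LOCAL_IP: print each mismatch; status 0 only if all agree.
# Keys and marks may be decimal or 0x-hex, so compare via shell arithmetic.
vti_check() {
    ikey=$(tunnel_field "$1" ikey); okey=$(tunnel_field "$1" okey)
    in_mark=$(sa_mark "$2" in);     out_mark=$(sa_mark "$2" out)
    remote=$(tunnel_field "$1" remote); peer=$(sa_peer "$2")
    rc=0
    if [ "$in_mark" = none ] || [ $((ikey)) -ne $((in_mark)) ]; then
        echo "$1: ikey $ikey vs inbound SA mark $in_mark: received ESP fails the xfrm lookup"
        rc=1
    fi
    if [ "$out_mark" = none ] || [ $((okey)) -ne $((out_mark)) ]; then
        echo "$1: okey $okey vs outbound SA mark $out_mark: traffic routed into $1 finds no SA"
        rc=1
    fi
    if [ "$remote" != "$peer" ]; then
        echo "$1: remote $remote vs SA peer $peer: ESP from the peer is not attributed to $1"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$1: ikey/okey/remote agree with the SAs"
    return "$rc"
}

vti_check vtil 192.168.0.11 || true   # reports the mismatches in the posted setup
vti_check vti1 192.168.0.11           # the hypothetical corrected device passes
```

Against a live host, replace the two constructed variables with the real `ip tunnel list` and `ip xfrm state` output and run `vti_check` for the device and local address in question; each line it prints names one setting that the driver will use for a lookup that cannot succeed as configured.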


Thread overview: 7+ messages
2014-09-15 14:20 Joe M [this message]
2014-09-17  5:28 ` Figuring out how vti works Steffen Klassert
2014-09-17 23:04   ` Joe M
2014-09-18  5:08     ` Joe M
2014-09-18  9:20       ` Steffen Klassert
2014-09-18  9:06     ` Steffen Klassert
2014-09-18 15:00   ` Joe M