From: Steffen Klassert <steffen.klassert@secunet.com>
To: Joe M <joe9mail@gmail.com>
Cc: <netdev@vger.kernel.org>
Subject: Re: Figuring out how vti works
Date: Wed, 17 Sep 2014 07:28:11 +0200
Message-ID: <20140917052811.GT6390@secunet.com>
In-Reply-To: <20140915142043.GA22070@master>
On Mon, Sep 15, 2014 at 09:20:43AM -0500, Joe M wrote:
> Hello Steffen Klassert,
>
> Very sorry for this bother.
>
> I could not figure out how vti works with ipsec and your patch was the
> latest to ip_vti.c. If you cannot help, please excuse me.
>
> I cannot get the vpn traffic to get on the vti tunnel. tcpdump on vti
> does not show anything. I think the tunnel lookup code, for some
> reason, is not able to use the "vtil" tunnel.
Do you know where the packets are getting dropped?
netstat -i or /proc/net/xfrm_stat could give a hint.
>
> The pings worked fine if I remove the ip_vti and ip_tunnel modules,
> the "mark=1" from /etc/ipsec.conf and the iptables mangle rules to
> set-mark.
You don't need to set the mark with iptables.
You just have to ensure that the policy and state marks
match the tunnel keys. I.e. direction in and forward must
match the ikey, direction out must match the okey.
>
> sudo ip tunnel list
> vtil: ip/ip remote 192.168.1.232 local 192.168.0.11 ttl inherit ikey 0 okey 1
Your ikey does not match the policy and the state mark.
>
> sudo ip xfrm policy
> src 192.168.1.0/24 dst 192.168.0.0/24
> dir fwd priority 2883
> mark 1/0xffffffff
> tmpl src <bnglr public ip> dst 192.168.0.11
> proto esp reqid 2 mode tunnel
> src 192.168.1.0/24 dst 192.168.0.0/24
> dir in priority 2883
> mark 1/0xffffffff
If you set mark 1 here, the tunnel should set ikey 1.
>
> I tried setting the mangle rules to set-mark but that did not help. I
> could not find any more documentation.
>
Please try without setting a mark with netfilter.
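One way to verify the rule stated in this reply (in and fwd policies must carry the tunnel's ikey as their mark, out policies the okey) against saved `ip tunnel list` and `ip xfrm policy` output, as an added example that is not part of this thread. The sample listings are constructed to match the shapes quoted above, with 203.0.113.1 standing in for the redacted remote address; states (`ip xfrm state`) are not checked here.

```python
import re

# Constructed sample output shaped like the thread's `ip tunnel list` and
# `ip xfrm policy` listings (203.0.113.1 stands in for the remote public IP).
# The tunnel has ikey 0 / okey 1 while every policy carries mark 1.
TUNNEL_LIST = ("vtil: ip/ip remote 192.168.1.232 local 192.168.0.11 "
               "ttl inherit ikey 0 okey 1\n")
XFRM_POLICY = (
    "src 192.168.1.0/24 dst 192.168.0.0/24\n"
    "\tdir fwd priority 2883\n\tmark 1/0xffffffff\n"
    "\ttmpl src 203.0.113.1 dst 192.168.0.11\n\t\tproto esp reqid 2 mode tunnel\n"
    "src 192.168.1.0/24 dst 192.168.0.0/24\n"
    "\tdir in priority 2883\n\tmark 1/0xffffffff\n"
    "\ttmpl src 203.0.113.1 dst 192.168.0.11\n\t\tproto esp reqid 2 mode tunnel\n"
    "src 192.168.0.0/24 dst 192.168.1.0/24\n"
    "\tdir out priority 2883\n\tmark 1/0xffffffff\n"
    "\ttmpl src 192.168.0.11 dst 203.0.113.1\n\t\tproto esp reqid 2 mode tunnel\n")

def parse_tunnels(text):
    """Map tunnel name -> (ikey, okey) from `ip tunnel list` output."""
    tunnels = {}
    for line in text.splitlines():
        m = re.match(r"(\S+):.*\bikey (\d+)\b.*\bokey (\d+)\b", line)
        if m:
            tunnels[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return tunnels

def parse_policies(text):
    """Return [(dir, mark), ...] from `ip xfrm policy` output; no mark -> 0."""
    policies, cur = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():   # unindented selector opens a policy
            cur = ["?", 0]
            policies.append(cur)
        elif cur is not None:
            m = re.match(r"\s*dir (\w+)", line)
            if m:
                cur[0] = m.group(1)
            m = re.match(r"\s*mark (\w+)/", line)   # "1/0xffffffff" or "0x1/..."
            if m:
                cur[1] = int(m.group(1), 0)          # base 0 accepts both forms
    return [tuple(p) for p in policies]

def check_vti_marks(tunnel_text, policy_text, name):
    """Report (dir, mark, expected) for every policy whose mark does not
    select the tunnel: in/fwd must equal ikey, out must equal okey."""
    ikey, okey = parse_tunnels(tunnel_text)[name]
    expected = lambda d: okey if d == "out" else ikey
    return [(d, mark, expected(d)) for d, mark in parse_policies(policy_text)
            if mark != expected(d)]
```

On the sample above the checker flags the fwd and in policies (mark 1, tunnel ikey 0); changing the tunnel to ikey 1 clears both reports.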