Dorian n00b
Joined: 04 Mar 2004 Posts: 7
Posted: Mon Feb 18, 2013 11:02 pm Post subject: IPsec VTI tunnel
Hi all,
I have a problem with setting up an IPsec tunnel between a Gentoo host and a Cisco device.
I always used ipsec-tools (racoon daemon) for this purpose. The configuration was pretty simple and worked fine with Cisco devices.
Unfortunately for some devices Cisco 'improved' their protocol to VTI IPsec (aka IPsec with Virtual Tunnel Interface).
And currently I am stuck.
I need to connect to the new Cisco device with VTI IPsec but I do not know how to configure VTI IPsec on Gentoo.
I've found information here that for kernels 3.6 VTI is supported.
I prepared a new machine with the most recent Gentoo (kernel v3.6.11) and ... don't know what to do next.
Is there anybody who can help me? Which tools should I use?
Maybe some config samples?
Veovis n00b
Joined: 15 Aug 2007 Posts: 8
Posted: Tue Mar 05, 2013 5:49 pm
Hi,
you need a very recent version of iproute2 which will allow you to mount vti tunnels.
See here for an example of use (I didn't test it myself): http://www.spinics.net/lists/netdev/msg200673.html
iproute 3.3 is too old, but it is the latest stable version in my portage.
You may try to keyword the package and test a more recent version.
Dorian n00b
Joined: 04 Mar 2004 Posts: 7
Posted: Tue Mar 05, 2013 8:13 pm
Thanks a lot for the reply.
I have iproute2-3.3.0 installed. Looks like 'mode vti' is supported by the ip command.
I have the vti kernel module compiled as well.
I've read a lot of web content posted mainly by Saurabh Mohan. He seems to be the author of the iproute2 patch and of the vti kernel module as well.
The doubt I have is about the 'ikey' option shown in many examples, which is very poorly documented.
From this post it looks like 'ikey' is related to 'xmark 0xf/0xffffffff', but I do not understand why (according to the mentioned post) I "need the iptables rule for ingress esp and udp-4500 packets".
Is it really required? What for? Maybe it is required for strongswan only? (I am using racoon.)
Or maybe it is required only if two ipsec-vti tunnels between the same hosts are created? (On the other hand, what could be the aim of having two ipsec tunnels between the same hosts?)
I assume that ipsec-vti works in the same way as GRE inside ipsec, so no iptables marking is required at all. Am I right? If not - why?
And finally:
I learned the ip command at the time Rusty's LARTC documentation was created, so my information is really outdated.
Where could I get a detailed description of the iproute2 parameters?
I cannot find a 'modern-day' source of information concerning the ip command.
The ip .... help output is very poor. It is quite enough as a syntax reminder but not as a description of the options' meaning.
Any advice?
Veovis n00b
Joined: 15 Aug 2007 Posts: 8
Posted: Tue Mar 12, 2013 1:56 pm
Hi Dorian,
With iproute2-3.3.0 I get an error when I try to use a mode vti tunnel like this (ip tunnel add test mode vti).
With iproute2-3.7.0, the same command outputs nothing.
In both cases the man pages are not updated... and I'm stuck.
If your reference is right, it seems vti mode is a hacky thing to show a tunnel for marked packets.
I don't understand the need for the PREROUTING rule either, but I noticed that 15 = 0xf, and the ipsec conf mentions two lines, mark_in and mark_out, which may be the ikey needed for the tunnel to work.
OPelerin Guru
Joined: 17 Jul 2004 Posts: 354 Location: Belgium
Posted: Thu Dec 18, 2014 9:56 am
Did you ever fix this one? I'm trying with strongswan. I have encryption and decryption and I do see the traffic on my vti0 [tcpdump]. When I strace a process I get
sendmsg(3, {msg_name(16)={sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("10.0.0.2")}, msg_iov(1)=[{"\10\0V\rZ\17\0\1W\232\222T\0\0\0\0\236 \1\0\0\0\0\0\20\21\22\23\24\25\26\27"..., 64}], msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_IP, cmsg_type=, ...}, msg_flags=0}, 0) = 64
recvmsg(3, 0x7fff569f1870, 0) = -1 EAGAIN (Resource temporarily unavailable)
-- Olivier PELERIN
salahx Guru
Joined: 12 Mar 2005 Posts: 530
Posted: Tue Jan 13, 2015 6:28 am
It works for me. I don't have a Cisco router, so I had to use a Linux server. The current version (as of this posting, 3.8.0) of iproute2 does not work properly, but the unstable version (as of this posting, 3.17.0) works just fine. Let our endpoints be 192.168.122.70 (the server) and 192.168.122.1 (the client):
Client side:
Code:
conn vti-client
    type=tunnel
    left=192.168.122.1
    leftsubnet=10.48.58.0/30
    leftauth=secret
    right=192.168.122.70
    rightsubnet=10.48.58.0/24
    rightauth=secret
    auto=add
    mark=15
Code:
ip tunnel add vti1 mode vti remote 192.168.122.70 local 192.168.122.1 key 15
ip addr add 10.48.58.1/30 dev vti1
Server side:
Code:
conn vti-server
    type=tunnel
    left=192.168.122.70
    leftsubnet=10.48.58.0/30
    leftauth=secret
    right=192.168.122.1
    rightsubnet=10.48.58.0/30
    rightauth=secret
    auto=add
    mark=15
Code:
ip tunnel add vti1 mode vti remote 192.168.122.1 local 192.168.122.70 key 15
ip addr add 10.48.58.2/30 dev vti1
And it works - can ping, ssh can cross the vti1 link.
Last edited by salahx on Wed Jan 14, 2015 4:33 am; edited 1 time in total
OPelerin Guru
Joined: 17 Jul 2004 Posts: 354 Location: Belgium
Posted: Tue Jan 13, 2015 7:26 am
Yeah, in the end it has been working for me too. I had to disable the route lookup in route table 220 to make it fully work, and disable RPF checks for the vti interface.
-- Olivier PELERIN
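Putting salahx's two-sided configuration and OPelerin's RPF remark together, here is an added example (not code from any poster) that renders one side of the setup and checks the one coupling the thread keeps circling: the key on ip tunnel must be the same number as mark= in ipsec.conf (15 and 0xf are the same value, as Veovis noted). The helper names, the constructed addresses and the rp_filter sysctl (the usual way to switch off the RPF check per interface) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Renders one side of a strongSwan + vti
# setup and verifies that 'key' (ip tunnel) and 'mark=' (ipsec.conf) agree.

# vti_conn NAME LOCAL LOCALSUBNET REMOTE REMOTESUBNET MARK -> ipsec.conf text
vti_conn() {
    printf 'conn %s\n' "$1"
    printf '    type=tunnel\n'
    printf '    left=%s\n    leftsubnet=%s\n    leftauth=secret\n' "$2" "$3"
    printf '    right=%s\n    rightsubnet=%s\n    rightauth=secret\n' "$4" "$5"
    printf '    auto=add\n    mark=%s\n' "$6"
}

# vti_iface IFNAME LOCAL REMOTE KEY ADDR/PREFIX -> commands to run as root
vti_iface() {
    printf 'ip tunnel add %s mode vti remote %s local %s key %s\n' "$1" "$3" "$2" "$4"
    printf 'ip addr add %s dev %s\n' "$5" "$1"
    # Assumption: disabling the RPF check on the vti, as OPelerin reported needing.
    printf 'sysctl -w net.ipv4.conf.%s.rp_filter=0\n' "$1"
}

# vti_mark_matches CONN_TEXT IFACE_TEXT -> success when mark= and key are
# numerically equal (decimal 15 and hex 0xf both pass).
vti_mark_matches() {
    mark=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*mark=\([0-9a-fA-Fx]*\).*/\1/p')
    key=$(printf '%s\n' "$2" | sed -n 's/.* key \([0-9a-fA-Fx]*\).*/\1/p')
    [ -n "$mark" ] && [ -n "$key" ] && [ "$((mark))" -eq "$((key))" ]
}

# Constructed values following the thread: server 192.168.122.70, client 192.168.122.1.
client_conn=$(vti_conn vti-client 192.168.122.1 10.48.58.0/30 192.168.122.70 10.48.58.0/30 15)
client_if=$(vti_iface vti1 192.168.122.1 192.168.122.70 15 10.48.58.1/30)
if vti_mark_matches "$client_conn" "$client_if"; then
    printf '%s\n\n%s\n' "$client_conn" "$client_if"
else
    echo "mark/key mismatch: decrypted packets would never be matched to vti1" >&2
fi
```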