Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
IPsec VTI tunnel
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Dorian
n00b
n00b


Joined: 04 Mar 2004
Posts: 7

PostPosted: Mon Feb 18, 2013 11:02 pm    Post subject: IPsec VTI tunnel Reply with quote

Hi all,
I have a problem with setting IPSec tunnel between Gentoo host and Cisco device.
I always used ipsec-tools (racoon daemon) for this purpose. The configuration was pretty simple and worked fine with Cisco devices.

Unfortunately for some devices Cisco 'improved' they protocol to VTI IPsec (aka IPSec with Virtual Tunnel Interface).

And currently I am stuck.
I need to connect to the new Cisco device with VTI IPSec but I do no know what way to configure VTI IPsec on Gentoo.

I've found here information that for kernels 3.6 VTI is supported.
I prepared new machine with the most recent Gentoo (kernel v 3.6.11) and ... don't know what next.

Is anybody who can help me? Which tools should I use?
Maybe some config samples ?
Back to top
View user's profile Send private message
Veovis
n00b
n00b


Joined: 15 Aug 2007
Posts: 8

PostPosted: Tue Mar 05, 2013 5:49 pm    Post subject: Reply with quote

Hi,

you need a very recent version of iproute2 which will allow you to mount vti tunnels.
See here for an exemple of use (I didnt' test myself): http://www.spinics.net/lists/netdev/msg200673.html

iproute 3.3 is too old, but the latest stable version in my portage.
You may try to keyword the package and test an more recent version.
Back to top
View user's profile Send private message
Dorian
n00b
n00b


Joined: 04 Mar 2004
Posts: 7

PostPosted: Tue Mar 05, 2013 8:13 pm    Post subject: Reply with quote

Thanks a lot for reply.

I have iproute2-3.3.0 installed. Looks like the 'mode vti' is supported with the ip command.
I have the vti kernel module compiled also.

I've read a lot web content posted mainly by Saurabh Mohan. He seems to be an author of the iproute2 patch and vti kernel module as well.
The doubt I found is the ' ikey' option shown in many examples which is very poorly documented.

From this post it looks like 'ikey' is in a relation with 'xmark 0xf/0xffffffff' but I do not understand why (according to the mentioned post) I "need the iptables rule for ingress esp and udp-4500 packets".
Is it really required? What for? Maybe it is required for strongswan only? (I am using raccoon).
Or maybe it is required only if two ipsec-vti tunnels between same hosts are created? (On the other hand what could be the aim to have two ipsec tunnels between same hosts?)

I assume that ipsec-vti works in the same way as GRE inside the ipsec so no iptables marking is required at all. Am I right? If not - why?


And finally:
I've learned ip command at the time the Rusty's LARTC documentation has been created so my information are really outdated.
Where could I get detailed description of iproute2 parameters?
I cannot find the 'modern-day' source of information concerning ip command.
The ip .... help output is very poor. It is quite enough as a syntax remainder but not as a description of the option's meaning.
Any advice?
Back to top
View user's profile Send private message
Veovis
n00b
n00b


Joined: 15 Aug 2007
Posts: 8

PostPosted: Tue Mar 12, 2013 1:56 pm    Post subject: Reply with quote

Hi Dorian,

With iproute2-3.3.0 I get an error when I try to use mode vti tunnel like this (ip tunnel add test mode vti)
With iproute2-3.7.0, the same command output nothing.
In both case, man pages are not updated... and I'm stuck

If your reference is right, so it seems vti mode is an hacky thing to show a tunnel for marked packets.
I dont' understand either the need for the PREROUTING rule, but I noticed that 15 = 0xf, and the ipsec conf mention two lines mark_in and mark_out which may be the ikey needed for the tunnel to work.
Back to top
View user's profile Send private message
Veovis
n00b
n00b


Joined: 15 Aug 2007
Posts: 8

PostPosted: Tue Mar 12, 2013 1:58 pm    Post subject: Reply with quote

http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

mark = <value>[/<mask>]

sets an XFRM mark in the inbound and outbound IPsec SAs and policies. If the mask is missing then
a default mask of 0xffffffff is assumed.
Back to top
View user's profile Send private message
OPelerin
Guru
Guru


Joined: 17 Jul 2004
Posts: 337
Location: Belgium

PostPosted: Thu Dec 18, 2014 9:56 am    Post subject: Reply with quote

Did you ever fixed this one? I'm trying with strongswan. I've encryption and decryption and I do see the traffic on my vti0 [ tcpdump]. When I strace a process I get

sendmsg(3, {msg_name(16)={sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("10.0.0.2")}, msg_iov(1)=[{"\10\0V\rZ\17\0\1W\232\222T\0\0\0\0\236 \1\0\0\0\0\0\20\21\22\23\24\25\26\27"..., 64}], msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_IP, cmsg_type=, ...}, msg_flags=0}, 0) = 64
recvmsg(3, 0x7fff569f1870, 0) = -1 EAGAIN (Resource temporarily unavailable)
_________________
Olivier PELERIN
Back to top
View user's profile Send private message
salahx
Guru
Guru


Joined: 12 Mar 2005
Posts: 422

PostPosted: Tue Jan 13, 2015 6:28 am    Post subject: Reply with quote

It works for me. I don;t have a Cisco router, so I had to use a Linux server. The current version (as of this posting, 3.8.0) of iproute2 does not work properly, but the unstable version., (As of this posting, 3.17.0) works just fine Let our endpoint be 192.168.122.70 (the server) and 192.168.122.1 (the client):

Client side:
Code:

conn vti-client
        type=tunnel
        left=192.168.122.1
        leftsubnet=10.48.58.0/30
        leftauth=secret
        right=192.168.122.70
        rightsubnet=10.48.58.0/24
        rightauth=secret
        auto=add
        mark=15


Code:

ip tunnel add vti1 mode vti remote 192.168.122.70 local 192.168.122.1 key 15
ip addr add 10.48.58.1/30 dev vti1


Server side:
Code:

conn vti-server
        type=tunnel
        left=192.168.122.70
        leftsubnet=10.48.58.0/30
        leftauth=secret
        right=192.168.122.1
        rightsubnet=10.48.58.0/30
        rightauth=secret
        auto=add
        mark=15


Code:

ip tunnel add vti1 mode vti remote 192.168.122.1 local 192.168.122.70 key 15
ip addr add 10.48.58.2/30 dev vti1


And it works - can ping, ssh can cross the vti1 link.


Last edited by salahx on Wed Jan 14, 2015 4:33 am; edited 1 time in total
Back to top
View user's profile Send private message
OPelerin
Guru
Guru


Joined: 17 Jul 2004
Posts: 337
Location: Belgium

PostPosted: Tue Jan 13, 2015 7:26 am    Post subject: Reply with quote

Yeah at the end it has been working for me too. I had to disable the route lookup in the route table 220 to make it fully working and disabling RPF checks for the vti interface
_________________
Olivier PELERIN
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum