Message-ID: <20140915142043.GA22070@master>
Date: Mon, 15 Sep 2014 09:20:43 -0500
From: Joe M <joe9mail@...il.com>
To: netdev@...r.kernel.org
Subject: Figuring out how vti works
Hello Steffen Klassert,
Very sorry for this bother.
I could not figure out how vti works with ipsec and your patch was the
latest to ip_vti.c. If you cannot help, please excuse me.
I cannot get the vpn traffic to get on the vti tunnel. tcpdump on vti
does not show anything. I think the tunnel lookup code, for some
reason, is not able to use the "vtil" tunnel.
The pings work fine if I remove the ip_vti and ip_tunnel modules,
the "mark=1" from /etc/ipsec.conf and the iptables mangle rules to
set-mark.
This is with strongswan 5.2.0. Can you please help?
This is my setup on moon (master hostname)
cat /etc/ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no

conn master-bnglr
        leftid="C=CH, O=strongSwan, CN=master"
        leftcert=masterCert.der
        left=192.168.0.11
        leftsubnet=192.168.0.0/24
        rightid="C=CH, O=strongSwan, CN=bnglr"
        right=%any
        rightsubnet=192.168.1.0/24
        auto=add
        mark=1
sudo cat /etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA masterKey.der
sudo ip tunnel list
vtil: ip/ip remote 192.168.1.232 local 192.168.0.11 ttl inherit ikey 0 okey 1
ip_vti0: ip/ip remote any local any ttl inherit nopmtudisc key 0
sudo ip route list
default via 192.168.0.1 dev enp4s0 metric 202
127.0.0.0/8 dev lo scope host
192.168.0.0/24 dev enp4s0 proto kernel scope link src 192.168.0.11 metric 202
192.168.1.0/24 dev vtil scope link
sudo ip xfrm policy
src 192.168.1.0/24 dst 192.168.0.0/24
        dir fwd priority 2883
        mark 1/0xffffffff
        tmpl src <bnglr public ip> dst 192.168.0.11
                proto esp reqid 2 mode tunnel
src 192.168.1.0/24 dst 192.168.0.0/24
        dir in priority 2883
        mark 1/0xffffffff
        tmpl src <bnglr public ip> dst 192.168.0.11
                proto esp reqid 2 mode tunnel
src 192.168.0.0/24 dst 192.168.1.0/24
        dir out priority 2883
        mark 1/0xffffffff
        tmpl src 192.168.0.11 dst <bnglr public ip>
                proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
sudo ip xfrm state
src 192.168.0.11 dst <bnglr public ip>
        proto esp spi 0xc3b23fb1 reqid 2 mode tunnel
        replay-window 32 flag af-unspec
        mark 1/0xffffffff
        auth-trunc hmac(sha1) 0x33f17d71abbc9ccdbef83ecba9e1c0711c3767a0 96
        enc cbc(aes) 0xe790b24d9e9f71aec28f8ed00013f411
        encap type espinudp sport 4500 dport 8993 addr 0.0.0.0
src <bnglr public ip> dst 192.168.0.11
        proto esp spi 0xc8bcf9b0 reqid 2 mode tunnel
        replay-window 32 flag af-unspec
        mark 1/0xffffffff
        auth-trunc hmac(sha1) 0xb780288b0cf20aa7f010552837cc03a04e29198a 96
        enc cbc(aes) 0xd0db2ec7e9bb83cbc6a9d20feb6eab49
        encap type espinudp sport 8993 dport 4500 addr 0.0.0.0
I tried setting the mangle rules to set-mark but that did not help. I
could not find any more documentation.
Thanks again, and sorry for the bother,
Joe
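The check a practitioner would run on the setup above, as an added example (not code from the mail, from strongSwan, or from the kernel): the Linux ip_vti driver uses the device's okey as the flow mark for the outbound policy/SA lookup and sets the packet mark to ikey on received ESP, so a policy installed with "mark N/0xffffffff" can only match a VTI whose key for that direction is N. The script parses text in the format that `ip tunnel list` and `ip xfrm policy` print and reports every tunnel-mode policy whose mark can never match the VTI's key. The sample input is constructed from the output pasted above, with the elided peer address replaced by the documentation address 203.0.113.5; treating "fwd" policies like inbound ones is a simplification of this example.

```python
"""Cross-check a Linux VTI device's ikey/okey against the marks on the
xfrm policies that are supposed to steer traffic through it.

Added example, not code from the mail above or from strongSwan.  The
kernel rule it applies: a policy "mark V/M" matches a packet whose mark
satisfies (mark & M) == V; ip_vti uses okey as the mark on the output
path and ikey as the mark on the input path.
"""
import re
from dataclasses import dataclass

# Constructed sample: the `ip tunnel list` output from the mail.
TUNNEL_LIST = """\
vtil: ip/ip remote 192.168.1.232 local 192.168.0.11 ttl inherit ikey 0 okey 1
ip_vti0: ip/ip remote any local any ttl inherit nopmtudisc key 0
"""

# Constructed sample: the `ip xfrm policy` output from the mail, with the
# peer's public address (elided there) replaced by 203.0.113.5.
XFRM_POLICY = """\
src 192.168.1.0/24 dst 192.168.0.0/24
        dir fwd priority 2883
        mark 1/0xffffffff
        tmpl src 203.0.113.5 dst 192.168.0.11
                proto esp reqid 2 mode tunnel
src 192.168.1.0/24 dst 192.168.0.0/24
        dir in priority 2883
        mark 1/0xffffffff
        tmpl src 203.0.113.5 dst 192.168.0.11
                proto esp reqid 2 mode tunnel
src 192.168.0.0/24 dst 192.168.1.0/24
        dir out priority 2883
        mark 1/0xffffffff
        tmpl src 192.168.0.11 dst 203.0.113.5
                proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
"""


@dataclass
class Tunnel:
    name: str
    remote: str
    ikey: int
    okey: int


@dataclass
class Policy:
    src: str
    dst: str
    direction: str = ""
    mark: int = 0
    mask: int = 0            # "mark 0/0" matches every packet mark
    tunnel_mode: bool = False


def _num(s):
    return int(s, 16) if s.startswith("0x") else int(s)


def parse_tunnels(text):
    """Parse `ip tunnel list` lines; "key N" means ikey == okey == N."""
    tunnels = []
    for line in text.splitlines():
        head = re.match(r"^(\S+): \S+ remote (\S+) local \S+", line)
        if not head:
            continue
        keys = re.search(r"\bikey (\d+) okey (\d+)", line)
        if keys:
            ikey, okey = int(keys.group(1)), int(keys.group(2))
        else:
            keys = re.search(r"\bkey (\d+)", line)
            if not keys:     # "nokey": no mark is ever applied
                continue
            ikey = okey = int(keys.group(1))
        tunnels.append(Tunnel(head.group(1), head.group(2), ikey, okey))
    return tunnels


def parse_policies(text):
    """Parse `ip xfrm policy` output into Policy records (socket policies included)."""
    policies, cur = [], None
    for line in text.splitlines():
        head = re.match(r"^src (\S+) dst (\S+)", line)
        if head:
            cur = Policy(head.group(1), head.group(2))
            policies.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if m := re.match(r"dir (\w+)", s):
            cur.direction = m.group(1)
        elif m := re.match(r"socket (in|out)", s):
            cur.direction = "socket " + m.group(1)
        elif m := re.match(r"mark (\S+)/(\S+)", s):
            cur.mark, cur.mask = _num(m.group(1)), _num(m.group(2))
        elif re.match(r"proto \w+ .*\bmode tunnel\b", s):
            cur.tunnel_mode = True
    return policies


def mark_matches(packet_mark, policy):
    """Kernel policy match: (flowi_mark & pol->mark.m) == pol->mark.v."""
    return (packet_mark & policy.mask) == policy.mark


def lint(tunnel_text, policy_text):
    """Return {vti name: [problem, ...]} for each configured VTI whose keys
    can never match a tunnel-mode policy.  "out" is compared with okey;
    "in" and "fwd" (simplification) with ikey.  Fallback devices with
    "remote any" (ip_vti0) are skipped."""
    report = {}
    policies = parse_policies(policy_text)
    for tun in parse_tunnels(tunnel_text):
        if tun.remote == "any":
            continue
        problems = []
        for pol in policies:
            if not pol.tunnel_mode or pol.direction.startswith("socket"):
                continue
            key_name, key = (("okey", tun.okey) if pol.direction == "out"
                             else ("ikey", tun.ikey))
            if not mark_matches(key, pol):
                problems.append(
                    f"{pol.direction} {pol.src} -> {pol.dst}: mark "
                    f"{pol.mark:#x}/{pol.mask:#x} never matches "
                    f"{tun.name} {key_name} {key:#x}")
        if problems:
            report[tun.name] = problems
    return report


if __name__ == "__main__":
    for name, problems in lint(TUNNEL_LIST, XFRM_POLICY).items():
        print(name)
        for p in problems:
            print("  " + p)
```

On the pasted setup the script flags the "in" and "fwd" policies: they carry mark 1, while vtil has ikey 0, so under the rule above only the outbound direction lines up with the device. The SAs in `ip xfrm state` carry mark 1 in both directions as well, so the same comparison applies to the inbound SA lookup; feeding real `ip xfrm policy` output to `lint()` is the quickest way to see whether a VTI's keys and strongSwan's `mark=` setting agree.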