Hello,

I have a working IPsec setup (IPv4 net-to-net over an IPv6 host-to-host tunnel) including a properly configured firewall. It has been running fine for some months, but I now have a new requirement that needs Virtual Tunnel Interfaces (VTI) on both sides of the tunnel. Sadly I am really struggling with this part, having already spent multiple days trying to figure out why it is not working.

Some useful information:

* Firewall is deactivated for the test (accepting everything), so filtering is ruled out as the cause; it must be re-enabled once the VTI works, and the old policy-match rules presumably need to be rewritten as rules on ipsec0
* Mangle table is empty
* StrongSwan 5.5.3
* Linux Kernel 4.4.X
* Using the following guide:
https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN

The VTI name is ipsec0 and traffic is routed to the interface properly.
tcpdump shows lots of packets from 10.159.5.0/24 to 10.159.6.0/24 on interface ipsec0.
My problem is that the VTI seems to be a *black hole* at the moment: outbound packets are counted as transmitted (TX 358, no errors), but nothing is ever received and the RX error counter is rising quickly:

~ # ip -6 -s tunnel show ipsec0
ipsec0: ipv6/ipv6 remote ####:####:####:100::7 local ####:####:####:2405::7 encaplimit 0 hoplimit 0 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
RX: Packets    Bytes *Errors* CsumErrs OutOfSeq Mcasts
    0            0 *1198*   0 0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    358        56650        0         0        0        0

So far I have no idea what is going on; I have tried changing options for days, always with the same result.
Maybe someone is running a similar setup and can provide some hints?
Is there a way to find out what exactly those errors are? (Note: the per-interface RX error counter only says that the VTI rejected an inbound packet after decryption; the XFRM-level reason should be visible in /proc/net/xfrm_stat — e.g. XfrmInNoPols / XfrmInPolBlock / XfrmInStateInvalid — and `ip xfrm policy` / `ip xfrm state` show whether the installed policies and SAs actually carry mark 1 on both ends.)

Many Thanks,
Benjamin

*Configuration:*
--------------------------------

# *strongswan.conf* - strongSwan configuration file

# charon daemon settings for a route-based (VTI) setup.
charon {
    load_modular = yes
    # Required for VTI: otherwise charon installs its own routes for the
    # negotiated subnets, which would compete with the manual
    # `ip route ... dev ipsec0` entry that steers traffic into the tunnel.
*    install_routes = no*
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf

--------------------------------

#*ipsec.conf *- strongSwan IPsec configuration file

# Global settings: nothing needed here; charon.install_routes=no lives in
# strongswan.conf.
config setup

# CA used to verify the peer's certificate; auto=add loads it at startup.
ca heliocloud
        cacert=#######.crt
        auto=add

# Defaults inherited by every conn below.
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev2
        mobike=no
        # NOTE(review): IPComp is an extra variable in the inbound path; it
        # is worth testing with compress=no first so compression can be ruled
        # out while the VTI problem is debugged -- confirm.
        compress=yes

# Net-to-net CHILD_SA carried by the host-host IKE_SA (also=host-host).
# With a VTI the selectors still decide which inner traffic the policies
# accept; anything routed into ipsec0 outside them has no matching policy
# (the linked guide uses 0.0.0.0/0 selectors for that reason).
conn net-net
        also=host-host
        leftsubnet=10.159.5.0/24
        rightsubnet=10.159.6.0/24
        auto=start
        # mark=1 sets both the inbound and the outbound mark. It must equal
        # the VTI's key (ikey/okey) on this host, and the peer must use the
        # same mark/key pairing on its own VTI, or decrypted packets are not
        # associated with ipsec0.
*        mark=1*

# IKEv2 between the IPv6 endpoints; auto=add only, it is brought up via
# net-net.
conn host-host
        left=####:####:####:100::7
        leftcert=#######.crt
        right=####:####:####:2405::7
        auto=add

--------------------------------

# Load the IPv6 VTI driver and create the route-based tunnel endpoint.
modprobe ip6_vti
# `key 1` sets both ikey and okey to 1; each must equal the mark strongSwan
# applies to the connection (mark=1 in ipsec.conf). A mismatch between the
# inbound key and the policy mark is one cause of the RX error counter.
ip -6 tunnel add ipsec0 local ####:####:####:100::7 remote ####:####:####:2405::7 mode vti6 *key 1*
ip link set ipsec0 up
# Steer the remote subnet into the tunnel; with install_routes=no charon does
# not add this route itself.
ip route add 10.159.6.0/24 dev ipsec0
# NOTE(review): the linked RouteBasedVPN guide also disables the per-interface
# XFRM policy check and reverse-path filtering on the VTI
# (net.ipv4.conf.ipsec0.disable_policy / rp_filter). Neither is shown here --
# confirm whether they are set on both ends before looking elsewhere.

--------------------------------

3: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1
    link/tunnel6 :: brd ::
4: ip6_vti0@NONE: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1
    link/tunnel6 :: brd ::
8: ipsec0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1
    link/tunnel6 ####:####:####:100::7 peer ####:####:####:2405::7
    inet6 fe80::2201:bff:fec8:2357/64 scope link
       valid_lft forever preferred_lft forever
