Ok. Figured this out. I was not understanding the VTI interface correctly. It should be the address of the tunnel endpoints, not an address inside the tunnel.
Thu, 7 Apr 2022 at 22:37, Alexey Smirnov <[email protected]>:
> Got another question Tobias if you do not mind.
> Got the same error as was in the thread: IPSec route based VPN - VTI
> interface TX Errors NoRoute
> So basically the tunnel is up. I use mark_in=mark_out=10 in VTI interface
> (linux kernel is 3.10 so no modern interface)
> The traffic looks like this:
> From tunnel remote - they are coming:
> net-net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-192/HMAC_SHA1_96
> installed 1608s ago, rekeying in 78953s, expires in 93432s
> in ca18b546 (0x0000000a), 672 bytes, 8 packets
> out 482a8752 (0x0000000a), 0 bytes, 0 packets
> Not sure where they go next.
> From local they are NoRoute - outgoing and no incoming
> ip -s tunnel show
> vti0: ip/ip remote 10.255.255.25 local 10.255.255.26 ttl inherit key 10
> RX: Packets Bytes Errors CsumErrs OutOfSeq Mcasts
> 0 0 0 0 0 0
> TX: Packets Bytes Errors DeadLoop NoRoute NoBufs
> 0 0 33 0 33 0
> Route is simple - just the route for the VTI interface itself
> ip r
> 10.255.255.24/30 dev vti0 scope link
> If I ping - the counter just increases and I get Destination unreachable as
> in the guide I tried to follow:
> https://docs.strongswan.org/strongswan-docs/5.9/features/routeBasedVpn.html
> I also consulted the examples again here
> https://www.strongswan.org/testing/testresults/route-based/net2net-vti/
> and did not find any config statement I am missing in my configuration.
>
> What direction should I dig in?
> Thank you!
>
>
> Thu, 7 Apr 2022 at 16:17, Tobias Brunner <[email protected]>:
>
>> Hi Alexey,
>>
>> > 07[CFG] looking for peer configs matching
>> > x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
>> > 07[CFG] no matching peer config found
>> > 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> > 07[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (80 bytes)
>> >
>> > And the question is: why no matching peer found as peers and key is in
>> > place?
>>
>> The peer proposes the IP addresses as identities (it's what you see in
>> [] in the "looking for peer configs matching ..." log message), which
>> clearly don't match "key" (whatever that is exactly). So just remove
>> those `id = key` lines (the default identities are the IP addresses) and
>> associate the secret with y.y.y.y (i.e. set `id-1 = y.y.y.y` there).
>>
>> Regards,
>> Tobias
>>
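The mistake resolved in this thread (VTI local/remote set to the inner /30 addresses instead of the IKE peer addresses, so every TX packet ends up as NoRoute) is easy to catch from `ip -s tunnel show` output. The checker below is an added example, not code from the thread or from strongSwan; the sample output is constructed from the figures quoted above, and the "fixed" endpoint addresses in the test are RFC 5737 documentation addresses used as placeholders.

```python
import ipaddress
import re

# Constructed sample, modelled on the `ip -s tunnel show` output in the thread.
TUNNEL_SHOW = """\
vti0: ip/ip remote 10.255.255.25 local 10.255.255.26 ttl inherit key 10
RX: Packets    Bytes    Errors CsumErrs OutOfSeq Mcasts
    0          0        0      0        0        0
TX: Packets    Bytes    Errors DeadLoop NoRoute  NoBufs
    0          0        33     0        33       0
"""

HEADER_RE = re.compile(r"^(\w+): ip/ip remote (\S+) local (\S+) .*\bkey (\d+)", re.M)


def parse_vti(text):
    """Parse one VTI entry: name, outer endpoints, key and the TX counters."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no VTI tunnel line found")
    info = {"name": m.group(1), "remote": m.group(2), "local": m.group(3),
            "key": int(m.group(4)), "tx": {}}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("TX:"):
            names = line[3:].split()  # Packets Bytes Errors DeadLoop NoRoute NoBufs
            values = [int(v) for v in lines[i + 1].split()]
            info["tx"] = dict(zip(names, values))
    return info


def check_vti(info, inner_cidr):
    """Return a list of findings; inner_cidr is the /30 configured on the VTI.

    The tunnel's local/remote must be the IKE/ESP peer (outer) addresses, so an
    endpoint that falls inside the inner /30 is the misconfiguration from the
    thread; with it in place the kernel has no route for the outer packet and
    the TX NoRoute counter climbs with every ping.
    """
    findings = []
    inner = ipaddress.ip_network(inner_cidr, strict=False)
    for side in ("local", "remote"):
        if ipaddress.ip_address(info[side]) in inner:
            findings.append(f"{info['name']}: {side} endpoint {info[side]} lies inside "
                            f"the inner subnet {inner}; use the IKE peer address instead")
    if info["tx"].get("NoRoute", 0) > 0:
        findings.append(f"{info['name']}: {info['tx']['NoRoute']} TX NoRoute errors")
    return findings


if __name__ == "__main__":
    for finding in check_vti(parse_vti(TUNNEL_SHOW), "10.255.255.26/30"):
        print(finding)
```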
