Toerless Eckert
2018-09-26 00:33:15 UTC
Is there any known working config with StrongSwan using IPv6 link-local
addresses as the tunnel endpoints ? I have been trying to set it up without
success. My current thought is that it is actually a problem in the
linux kernel XFRM functionality or (if i am lucky) a problem in how
StrongSwan sets it up, but i would not even know where to ask if it was
(mailing list for xfrm ??)
Simple setup at end of mail. Setup works fine if i use IPv6 global-scope
addresses of the interfaces (enp0s8) as the tunnel endpoint addresses
in the "debianAB" connection and in the "vtiAB" VTI interface tunnel
config.
With link-local addresses, i first had to add route fixups (5) so that
XFRM would send out the IPv6 ESP packets onto enp0s8, without it they
would be sent to enp0s3 (IPv6 default route). Figured that easily out
with tcpdump.
When i send some packet (e.g.: ping or other) on debianA to some
address of debianB routed via vtiAB (e.g.: shown below (6) simple global IPv6),
then these packets will correctly be ESP-encrypted and sent by debianA
correctly out. On the receiver debianB, "tcpdump -i enp0s8" still shows
the received ESP packet, but "ip x m" does not show any action by XFRM.
"ip x s" looks exactly the same as when i configured the connection/VTI
with IPv6 global addresses where everything (except for the change
in addresses of course).
And of course the sequence numbers of the XFRM state don't go up
Likewise "tcpdump -i vtiAB" on the receiving side does also not show
any received packet.
debianB# show x s
src fe80::a00:27ff:fec6:1e01 dst fe80::a00:27ff:feb8:f082
proto esp spi 0xc3a31212 reqid 3 mode tunnel
replay-window 0 flag af-unspec
mark 0x5/0xffffffff
auth-trunc hmac(sha256) 0x7b84a8038a97ceece31a632fd75e5b619837fcf8e2f0b387df62d1f37a0b80ef 128
enc cbc(aes) 0x5d9c0df6e8c1eee04a566366f17f4f00
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src fe80::a00:27ff:feb8:f082 dst fe80::a00:27ff:fec6:1e01
proto esp spi 0xc1a1a6b6 reqid 3 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256) 0x5b9203691d103fb92ec1a20b395632d01063d22093006da97dcfaf84bb443cbd 128
enc cbc(aes) 0x1ec7fdc12f89d0f314a94ff28beef0d4
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
Welcoming any further ideas to further troubleshoot why the received ESP
packets vanish on the receiver. As well as any other suggestions what
to do next.
XFRM doc shows an additional "dev" parameter in the SELECTOR section,
so maybe that one needs to be set in the state for link-local address
selectors. Of course there is no documentation what that dev parameter
does (yes, i know, RTFM linux-4.18).
Thanks
Toerless
----------------------------------------------------------------------------
# (1) Topology: setup:
to host to host
^ ^
|enp0s3 |enp0s3
debianA ------------------ debianB
enp0s8 enp0s8
<--------------------->
vtiAB VTI tunnel
2002:1::1/64 2002:1::2/64
debian buster/sid, 4.18/amd64, strongswan 5.6.3-1, VMs running on
VirtualBox.
# (2) /etc/strongswan.conf
charon {
install_routes = no
}
# (3) /etc/ipsec.conf
conn debianAB
auto=add
authby=pubkey
leftsubnet=::/0
rightsubnet=::/0
mark=5/0xffffffff
left=fe80::a00:27ff:feb8:f082%enp0s8 # debianA link-local
right=fe80::a00:27ff:fec6:1e01%enp0s8 # debianB link-local
leftrsasigkey=/etc/ipsec.d/public/debianA.pem
rightrsasigkey=/etc/ipsec.d/public/debianB.pem
# (4) VTI config on debianA, not shown reversed addresses on debianB:
ip -6 tunnel add vtiAB local fe80::a00:27ff:feb8:f082 remote
fe80::a00:27ff:fec6:1e01 mode vti6 key 5
ip link set dev vtiAB up
# (5) fixup to output ll packets debianA, not shown for debianB
ip -6 route add fe80::a00:27ff:fec6:1e01/128 dev enp0s8
# (6) simple to type global IPv6 configured on vtiAB interface:
ip address add 2002:1::1 peer 2002:1::2/128 dev vtiAB
addresses as the tunnel endpoints ? I have been trying to set it up without
success. My current thought is that it is actually a problem in the
linux kernel XFRM functionality or (if i am lucky) a problem in how
StrongSwan sets it up, but i would not even know where to ask if it was
(mailing list for xfrm ??)
Simple setup at end of mail. Setup works fine if i use IPv6 global-scope
addresses of the interfaces (enp0s8) as the tunnel endpoint addresses
in the "debianAB" connection and in the "vtiAB" VTI interface tunnel
config.
With link-local addresses, i first had to add route fixups (5) so that
XFRM would send out the IPv6 ESP packets onto enp0s8, without it they
would be sent to enp0s3 (IPv6 default route). Figured that easily out
with tcpdump.
When i send some packet (e.g.: ping or other) on debianA to some
address of debianB routed via vtiAB (e.g.: shown below (6) simple global IPv6),
then these packets will correctly be ESP-encrypted and sent by debianA
correctly out. On the receiver debianB, "tcpdump -i enp0s8" still shows
the received ESP packet, but "ip x m" does not show any action by XFRM.
"ip x s" looks exactly the same as when i configured the connection/VTI
with IPv6 global addresses where everything (except for the change
in addresses of course).
And of course the sequence numbers of the XFRM state don't go up
Likewise "tcpdump -i vtiAB" on the receiving side does also not show
any received packet.
debianB# show x s
src fe80::a00:27ff:fec6:1e01 dst fe80::a00:27ff:feb8:f082
proto esp spi 0xc3a31212 reqid 3 mode tunnel
replay-window 0 flag af-unspec
mark 0x5/0xffffffff
auth-trunc hmac(sha256) 0x7b84a8038a97ceece31a632fd75e5b619837fcf8e2f0b387df62d1f37a0b80ef 128
enc cbc(aes) 0x5d9c0df6e8c1eee04a566366f17f4f00
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src fe80::a00:27ff:feb8:f082 dst fe80::a00:27ff:fec6:1e01
proto esp spi 0xc1a1a6b6 reqid 3 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256) 0x5b9203691d103fb92ec1a20b395632d01063d22093006da97dcfaf84bb443cbd 128
enc cbc(aes) 0x1ec7fdc12f89d0f314a94ff28beef0d4
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
Welcoming any further ideas to further troubleshoot why the received ESP
packets vanish on the receiver. As well as any other suggestions what
to do next.
XFRM doc shows an additional "dev" parameter in the SELECTOR section,
so maybe that one needs to be set in the state for link-local address
selectors. Of course there is no documentation what that dev parameter
does (yes, i know, RTFM linux-4.18).
Thanks
Toerless
----------------------------------------------------------------------------
# (1) Topology: setup:
to host to host
^ ^
|enp0s3 |enp0s3
debianA ------------------ debianB
enp0s8 enp0s8
<--------------------->
vtiAB VTI tunnel
2002:1::1/64 2002:1::2/64
debian buster/sid, 4.18/amd64, strongswan 5.6.3-1, VMs running on
VirtualBox.
# (2) /etc/strongswan.conf
charon {
install_routes = no
}
# (3) /etc/ipsec.conf
conn debianAB
auto=add
authby=pubkey
leftsubnet=::/0
rightsubnet=::/0
mark=5/0xffffffff
left=fe80::a00:27ff:feb8:f082%enp0s8 # debianA link-local
right=fe80::a00:27ff:fec6:1e01%enp0s8 # debianB link-local
leftrsasigkey=/etc/ipsec.d/public/debianA.pem
rightrsasigkey=/etc/ipsec.d/public/debianB.pem
# (4) VTI config on debianA, not shown reversed addresses on debianB:
ip -6 tunnel add vtiAB local fe80::a00:27ff:feb8:f082 remote
fe80::a00:27ff:fec6:1e01 mode vti6 key 5
ip link set dev vtiAB up
# (5) fixup to output ll packets debianA, not shown for debianB
ip -6 route add fe80::a00:27ff:fec6:1e01/128 dev enp0s8
# (6) simple to type global IPv6 configured on vtiAB interface:
ip address add 2002:1::1 peer 2002:1::2/128 dev vtiAB