* loading ip_vti breaks IPSec connection
@ 2014-09-13  3:39 Joe M
  2014-09-15 15:31 ` Christophe Gouault
  0 siblings, 1 reply; 3+ messages in thread
From: Joe M @ 2014-09-13  3:39 UTC (permalink / raw)
  To: netdev, christophe.gouault

Hello,

I am not sure what I am missing. When I load ip_vti and ip_tunnel
modules, my IPSec connection stops working.

uname -a
Linux master 3.16.2 #86 SMP PREEMPT Fri Sep 12 22:09:11 CDT 2014
x86_64 Intel(R) Pentium(R) CPU G620 @ 2.60GHz GenuineIntel GNU/Linux

- (0:c:/tmp)  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
sudo modprobe ip_vti ip_tunnel
- (0:c:/tmp)  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
ping -c 1 -I 192.168.0.11 192.168.1.232
PING 192.168.1.232 (192.168.1.232) from 192.168.0.11 : 56(84) bytes of data.

--- 192.168.1.232 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

- (0:c:/tmp)  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
sudo modprobe --force --remove ip_vti ip_tunnel
- (0:c:/tmp)  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
ping -c 1 -I 192.168.0.11 192.168.1.232
PING 192.168.1.232 (192.168.1.232) from 192.168.0.11 : 56(84) bytes of data.
64 bytes from 192.168.1.232: icmp_seq=1 ttl=64 time=273 ms

--- 192.168.1.232 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 273.347/273.347/273.347/0.000 ms
- (0:i:/tmp)  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -

Please note that the module was just loaded without any tunnel
configuration. I am not sure

I am using StrongSwan for IPSec configuration and noticed the same
behaviour with libreswan too.

Please let me know if I can provide more details.

Thanks
Joe


* Re: loading ip_vti breaks IPSec connection
  2014-09-13  3:39 loading ip_vti breaks IPSec connection Joe M
@ 2014-09-15 15:31 ` Christophe Gouault
  2014-09-15 16:47   ` Joe M
  0 siblings, 1 reply; 3+ messages in thread
From: Christophe Gouault @ 2014-09-15 15:31 UTC (permalink / raw)
  To: Joe M; +Cc: netdev

2014-09-13 5:39 GMT+02:00 Joe M <joe9mail@gmail.com>:
> Hello,
>
> I am not sure what I am missing. When I load ip_vti and ip_tunnel
> modules, my IPSec connection stops working.
>
> uname -a
> Linux master 3.16.2 #86 SMP PREEMPT Fri Sep 12 22:09:11 CDT 2014
> x86_64 Intel(R) Pentium(R) CPU G620 @ 2.60GHz GenuineIntel GNU/Linux
>
> - (0:c:/tmp)  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
> sudo modprobe ip_vti ip_tunnel
> - (0:c:/tmp)  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
> ping -c 1 -I 192.168.0.11 192.168.1.232
> PING 192.168.1.232 (192.168.1.232) from 192.168.0.11 : 56(84) bytes of data.
>
> --- 192.168.1.232 ping statistics ---
> 1 packets transmitted, 0 received, 100% packet loss, time 0ms
>
> - (0:c:/tmp)  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
> sudo modprobe --force --remove ip_vti ip_tunnel
> - (0:c:/tmp)  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
> ping -c 1 -I 192.168.0.11 192.168.1.232
> PING 192.168.1.232 (192.168.1.232) from 192.168.0.11 : 56(84) bytes of data.
> 64 bytes from 192.168.1.232: icmp_seq=1 ttl=64 time=273 ms
>
> --- 192.168.1.232 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> rtt min/avg/max/mdev = 273.347/273.347/273.347/0.000 ms
> - (0:i:/tmp)  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
>
> Please note that the module was just loaded without any tunnel
> configuration. I am not sure
>
> I am using StrongSwan for IPSec configuration and noticed the same
> behaviour with libreswan too.

Hi Joe,

I never experienced such a problem.

To be sure, I did a test in tunnel mode with strongswan 5.1.2 on an
Ubuntu 14.04 + vanilla Linux 3.17.0-rc5, and could not reproduce your
problem.

> Please let me know if I can provide more details.

Are you using the unchanged kernel image of your distribution, or a
kernel you compiled?

By the way, was your IPsec tunnel already established when you
executed your first ping? The first packet that triggers an IKE
negotiation is always lost.

Regards,
Christophe

> Thanks
> Joe


* Re: loading ip_vti breaks IPSec connection
  2014-09-15 15:31 ` Christophe Gouault
@ 2014-09-15 16:47   ` Joe M
  0 siblings, 0 replies; 3+ messages in thread
From: Joe M @ 2014-09-15 16:47 UTC (permalink / raw)
  To: Christophe Gouault; +Cc: netdev


[-- Attachment #1.1: Type: text/plain, Size: 7092 bytes --]

Hello Christophe,

Thank you for responding.

> I never experienced such problem.

Can you please share your configuration?

Do you have "mark=" in ipsec.conf? Do you use iptables rules to set
the mark? What are your vti tunnel's ikey and okey values? How do the
vti tunnel's remote and local correspond to the values in ipsec.conf
(when the clients have different public IPs and subnets)?

I use a custom kernel (Gentoo distro), and got the seed from
kernel-seeds.org. I am also attaching my kernel config (config.gz) if
you want to check it out.

uname -a
Linux master 3.16.2-dirty #89 SMP PREEMPT Sun Sep 14 14:30:59 CDT 2014
x86_64 Intel(R) Pentium(R) CPU G620 @ 2.60GHz GenuineIntel GNU/Linux

It is dirty as I have been trying to add printk's to figure out ip_vti
behaviour. I can also try the latest rc kernel if that is what you
are using.

> By the way, was your IPsec tunnel already established when you
> executed your first ping? the first packet that triggers an IKE
> negotiation is always lost.

Without loading ip_vti (and mark= in ipsec.conf), I can get the pings
to work through the IPSec tunnel. I think I am doing something wrong
with the vti setup. Not setting the mark, okey, ikey or iptables rules
properly.

I am also attaching the note I sent to Mr. Steffen looking for
help. It has my configuration and xfrm policy and state.

I am using strongswan 5.2.0. Below is the Gentoo configuration of
strongswan, if it helps.

eix --exact strongswan
[I] net-misc/strongswan
     Available versions:  5.1.3 (~)5.2.0-r1{tbz2} {+caps +constraints
     curl debug dhcp eap farp gcrypt ldap mysql networkmanager
     +non-root +openssl pam pkcs11 sqlite strongswan_plugins_blowfish
     strongswan_plugins_ccm strongswan_plugins_ctr
     strongswan_plugins_gcm strongswan_plugins_ha
     strongswan_plugins_ipseckey +strongswan_plugins_led
     +strongswan_plugins_lookip strongswan_plugins_ntru
     strongswan_plugins_padlock strongswan_plugins_rdrand
     +strongswan_plugins_systime-fix strongswan_plugins_unbound
     +strongswan_plugins_unity +strongswan_plugins_vici
     strongswan_plugins_whitelist}
     Installed versions:  5.2.0-r1{tbz2}(09:08:20 AM 09/15/2014)(caps
     constraints ldap non-root openssl pam strongswan_plugins_led
     strongswan_plugins_lookip strongswan_plugins_systime-fix
     strongswan_plugins_unity strongswan_plugins_vici -curl -debug
     -dhcp -eap -farp -gcrypt -mysql -networkmanager -pkcs11 -sqlite
     -strongswan_plugins_blowfish -strongswan_plugins_ccm
     -strongswan_plugins_ctr -strongswan_plugins_gcm
     -strongswan_plugins_ha -strongswan_plugins_ipseckey
     -strongswan_plugins_ntru -strongswan_plugins_padlock
     -strongswan_plugins_rdrand -strongswan_plugins_unbound
     -strongswan_plugins_whitelist)
     Homepage:            http://www.strongswan.org/
     Description:         IPsec-based VPN solution focused on security
     and ease of use, supporting IKEv1/IKEv2 and MOBIKE

equery uses strongswan
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for net-misc/strongswan-5.2.0-r1:
 U I
 + + caps                           : Use Linux capabilities library
 to control privilege 
 + + constraints                    : Enable advanced X.509 constraint
 checking plugin. 
 - - curl                           : Add support for client-side URL
 transfer library 
 - - debug                          : Enable extra debug codepaths,
 like asserts and extra output. If you want to get meaningful
 backtraces see 
                                      http://www.gentoo.org/proj/en/qa/backtraces.xml 
 - - dhcp                           : Enable server support for
 querying virtual IP addresses for clients from a DHCP server. (IKEv2
 only) 
 - - eap                            : Enable support for the different
 EAP modules that is supported. 
 - - farp                           : Enable faking of ARP responses
 for virtual IP addresses assigned to clients. (IKEv2 only) 
 - - gcrypt                         : Enable dev-libs/libgcrypt plugin
 which provides 3DES, AES, Blowfish, Camellia, CAST, DES, Serpent and
 Twofish ciphers along with MD4, MD5 and 
                                      SHA1/2 hash algorithms, RSA and
                                      DH groups 1,2,5,14-18 and
                                      22-24(4.4+). Also includes a
                                      software random number
                                      generator. 
 + + ldap                           : Add LDAP support (Lightweight
 Directory Access Protocol) 
 - - mysql                          : Add mySQL Database support
 - - networkmanager                 : Enable net-misc/networkmanager support
 + + non-root                       : Force IKEv1/IKEv2 daemons to
 normal user privileges. This might impose some restrictions mainly to
 the IKEv1 daemon. Disable only if you really require superuser privileges.
 + + openssl                        : Enable dev-libs/openssl plugin
 which is required for Elliptic Curve Cryptography (DH groups
 19-21,25,26) and ECDSA. Also provides 3DES, AES, Blowfish, Camellia,
 CAST, DES, IDEA and RC5 ciphers along with MD2, MD4, MD5 and SHA1/2
 hash algorithms, RSA and DH groups 1,2,5,14-18 and 22-24(4.4+)
 dev-libs/openssl has to be compiled with USE="-bindist". 
 + + pam                            : Add support for PAM (Pluggable
 Authentication Modules) - DANGEROUS to arbitrarily flip 
 - - pkcs11                         : Enable pkcs11 support.
 - - sqlite                         : Add support for sqlite - embedded sql database
 - - strongswan_plugins_blowfish    : Enable support for the blowfish plugin.
 - - strongswan_plugins_ccm         : Enable support for the ccm plugin.
 - - strongswan_plugins_ctr         : Enable support for the ctr plugin.
 - - strongswan_plugins_gcm         : Enable support for the gcm plugin.
 - - strongswan_plugins_ha          : Enable support for the ha plugin.
 - - strongswan_plugins_ipseckey    : Enable support for the ipseckey plugin.
 + + strongswan_plugins_led         : Enable support for the led plugin.
 + + strongswan_plugins_lookip      : Enable support for the lookip plugin.
 - - strongswan_plugins_ntru        : Enable support for the ntru plugin.
 - - strongswan_plugins_padlock     : Enable support for the padlock plugin.
 - - strongswan_plugins_rdrand      : Enable support for the rdrand plugin.
 + + strongswan_plugins_systime-fix : Enable support for the systime-fix plugin.
 - - strongswan_plugins_unbound     : Enable support for the unbound plugin.
 + + strongswan_plugins_unity       : Enable support for the unity plugin.
 + + strongswan_plugins_vici        : Enable support for the vici plugin.
 - - strongswan_plugins_whitelist   : Enable support for the whitelist plugin.


Thanks again and sorry for the bother,
Joe


[-- Attachment #1.2: config.gz --]
[-- Type: application/octet-stream, Size: 18895 bytes --]

[-- Attachment #1.3: note-for-vti-help.org --]
[-- Type: application/vnd.lotus-organizer, Size: 3649 bytes --]

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
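Joe's questions about how a vti's ikey/okey must line up with strongSwan's mark= can be checked mechanically. The script below is an added example, not code from this thread or from strongSwan: a POSIX sh checker that parses constructed `ip -d link show type vti` and `ip xfrm state` output and reports any vti key that no SA carries as its mark (the vti uses ikey as the mark for inbound lookups and okey for outbound). It assumes the SA mark mask is all-ones and that iproute2 prints keys either as dotted quads or as plain integers; the sample addresses and SPIs are made up.

```shell
#!/bin/sh
# Constructed sample of `ip -d link show type vti` output (addresses are made up).
VTI_LINKS='5: vti0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1332 qdisc noqueue state UNKNOWN
    link/ipip 192.168.0.11 peer 203.0.113.5 promiscuity 0
    vti remote 203.0.113.5 local 192.168.0.11 ikey 0.0.0.42 okey 0.0.0.42'

# Constructed sample of `ip xfrm state`: an inbound and an outbound SA, both marked
# 0x2a (42), which is what strongSwan installs for mark=42.
XFRM_STATES='src 203.0.113.5 dst 192.168.0.11
	proto esp spi 0x0bad5eed reqid 1 mode tunnel
	mark 0x2a/0xffffffff
src 192.168.0.11 dst 203.0.113.5
	proto esp spi 0x0bad5eee reqid 1 mode tunnel
	mark 0x2a/0xffffffff'

# Normalise a VTI key to a decimal integer; iproute2 has printed keys both as
# dotted quads (0.0.0.42) and as plain integers (42).
key_to_int() {
  case "$1" in
    *.*.*.*) printf '%s\n' "$1" | { IFS=. read -r a b c d
               echo $(( ($a << 24) | ($b << 16) | ($c << 8) | $d )); } ;;
    *)       echo $(( $1 )) ;;
  esac
}

# Decimal marks carried by the SAs in the given `ip xfrm state` text, one per line.
# Assumes the mask is all-ones (0xffffffff); a partial mask would need masking here.
state_marks() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*mark[[:space:]]\{1,\}\([0-9a-fA-Fx]\{1,\}\).*/\1/p' \
    | while read -r m; do echo $(( $m )); done
}

# $1: `ip -d link show` text, $2: `ip xfrm state` text. Reports every ikey/okey that no
# SA carries as its mark and returns 0 only if all match; an unmatched key means traffic
# entering or leaving that vti finds no SA, which shows up as silent packet loss.
check_vti_marks() {
  rc=0
  marks=$(state_marks "$2")
  keys=$(printf '%s\n' "$1" | sed -n \
    's/.*[[:space:]]ikey[[:space:]]\{1,\}\([^[:space:]]*\)[[:space:]]\{1,\}okey[[:space:]]\{1,\}\([^[:space:]]*\).*/\1 \2/p')
  for k in $keys; do
    v=$(key_to_int "$k")
    if ! printf '%s\n' "$marks" | grep -qx "$v"; then
      echo "vti key $k (mark $v) has no matching xfrm state"
      rc=1
    fi
  done
  return $rc
}
check_vti_marks "$VTI_LINKS" "$XFRM_STATES" && echo "vti keys and xfrm marks agree"
```

On a live host, replace the two constructed strings with `"$(ip -d link show type vti)"` and `"$(ip xfrm state)"`.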

