after a reboot I no longer have the route to ipsec VTI
-
Hi,
after a reboot I no longer have the route to the IPsec VTI. As a workaround I have to revalidate the gateway: System -> Routing -> Gateways -> Edit VTI Gateway -> Save -> Apply.
netstat -rn | egrep '(ipsec2|10.8.222)'
10.8.222.1                         link#12  UH   ipsec200
10.8.222.2                         link#12  UHS  lo0
fe80::%ipsec2000/64                link#12  U    ipsec200
fe80::20c:29ff:fe2c:fe96%ipsec2000 link#12  UHS  lo0

After applying the workaround:

netstat -rn | egrep '(ipsec2|10.8.222)'
10.8.222.1                         link#12     UH   ipsec200
10.8.222.2                         link#12     UHS  lo0
10.60.0.0/16                       10.8.222.1  UGS  ipsec200
fe80::%ipsec2000/64                link#12     U    ipsec200
fe80::20c:29ff:fe2c:fe96%ipsec2000 link#12     UHS  lo0
My config HOST1:
<phase2>
  <ikeid>2</ikeid>
  <uniqid>5ba8fe2dee739</uniqid>
  <mode>vti</mode>
  <reqid>1</reqid>
  <localid>
    <type>network</type>
    <address>10.8.222.2</address>
    <netbits>30</netbits>
  </localid>
  <remoteid>
    <type>address</type>
    <address>10.8.222.1</address>
  </remoteid>
  <protocol>esp</protocol>
  <encryption-algorithm-option>
    <name>aes128gcm</name>
    <keylen>128</keylen>
  </encryption-algorithm-option>
  <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
  <pfsgroup>14</pfsgroup>
  <lifetime>7200</lifetime>
  <pinghost></pinghost>
  <descr></descr>
</phase2>

<opt5>
  <descr><![CDATA[IPsecVTI]]></descr>
  <if>ipsec2000</if>
  <enable></enable>
  <spoofmac></spoofmac>
</opt5>

<staticroutes>
  <route>
    <network>10.60.0.0/16</network>
    <gateway>IPSECVTI_VTIV4</gateway>
    <descr><![CDATA[Route VTI]]></descr>
  </route>
</staticroutes>

<gateway_item>
  <interface>opt5</interface>
  <gateway>dynamic</gateway>
  <name>IPSECVTI_VTIV4</name>
  <weight>1</weight>
  <ipprotocol>inet</ipprotocol>
  <interval>10000</interval>
  <alert_interval>11000</alert_interval>
  <descr><![CDATA[Interface IPSECVTI_VTIV4 Gateway]]></descr>
</gateway_item>

conn con2000
  reqid = 2000
  fragmentation = yes
  keyexchange = ikev2
  reauth = yes
  forceencaps = yes
  mobike = no
  rekey = yes
  installpolicy = no
  dpdaction = restart
  dpddelay = 10s
  dpdtimeout = 110s
  auto = start
  left = 172.31.255.12
  right = 212.xxx.xxx.xxx
  leftid = t9KxdF87
  ikelifetime = 28800s
  lifetime = 7200s
  ike = aes128gcm128-sha256-modp2048!
  esp = aes128gcm128-sha256-modp2048!
  leftauth = psk
  rightauth = psk
  rightid = H87gcP9n
  rightsubnet = 10.8.222.1
  leftsubnet = 10.8.222.2/30

Status of IKE charon daemon (strongSwan 5.6.3, FreeBSD 11.2-RELEASE-p3, amd64):
  uptime: 76 minutes, since Sep 26 14:28:44 2018
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock counters
Listening IP addresses:
  172.31... ....
  10.8.222.2
Connections:
     con2000:  172.31.255.12...212.xxx.xxx.xxx  IKEv2, dpddelay=10s
     con2000:   local:  [t9KxdF87] uses pre-shared key authentication
     con2000:   remote: [H87gcP9n] uses pre-shared key authentication
     con2000:   child:  10.8.222.0/30|/0 === 10.8.222.1/32|/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
     con2000[1]: ESTABLISHED 76 minutes ago, 172.31.255.12[t9KxdF87]...212.129.54.15[H87gcP9n]
     con2000[1]: IKEv2 SPIs: e31d60fa6eb764fa_i* 01e6388a49940b8b_r, pre-shared key reauthentication in 6 hours
     con2000[1]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
     con2000{1}:  INSTALLED, TUNNEL, reqid 2000, ESP in UDP SPIs: c694082c_i cd9fea01_o
     con2000{1}:  AES_GCM_16_128, 5754109 bytes_i, 2030276 bytes_o, rekeying in 30 minutes
     con2000{1}:   10.8.222.2/32|/0 === 10.8.222.1/32|/0
My config HOST2:
<phase2>
  <ikeid>3</ikeid>
  <uniqid>5ba8fc6c97355</uniqid>
  <mode>vti</mode>
  <reqid>5</reqid>
  <localid>
    <type>network</type>
    <address>10.8.222.1</address>
    <netbits>30</netbits>
  </localid>
  <remoteid>
    <type>address</type>
    <address>10.8.222.2</address>
  </remoteid>
  <protocol>esp</protocol>
  <encryption-algorithm-option>
    <name>aes128gcm</name>
    <keylen>128</keylen>
  </encryption-algorithm-option>
  <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
  <pfsgroup>14</pfsgroup>
  <lifetime>7200</lifetime>
  <pinghost></pinghost>
  <descr></descr>
</phase2>

conn con3000
  reqid = 3000
  fragmentation = yes
  keyexchange = ikev2
  reauth = yes
  forceencaps = yes
  mobike = no
  rekey = yes
  installpolicy = no
  dpdaction = restart
  dpddelay = 10s
  dpdtimeout = 110s
  auto = start
  left = 212.xxx.xxx.xxx
  right = 90.xxx.xxx.xxx
  leftid = H87gcP9n
  ikelifetime = 28800s
  lifetime = 7200s
  ike = aes128gcm128-sha256-modp2048!
  esp = aes128gcm128-sha256-modp2048!
  leftauth = psk
  rightauth = psk
  rightid = t9KxdF87
  rightsubnet = 10.8.222.2
  leftsubnet = 10.8.222.1/30

Status of IKE charon daemon (strongSwan 5.6.3, FreeBSD 11.2-RELEASE-p3, amd64):
  uptime: 6 hours, since Sep 26 09:24:15 2018
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 130
  loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity counters
Listening IP addresses:
  172.... ....
  10.8.222.1
Connections:
     con3000:  212.xxx.xxx.xxx...90.xxx.xxx.xxx  IKEv2, dpddelay=10s
     con3000:   local:  [H87gcP9n] uses pre-shared key authentication
     con3000:   remote: [t9KxdF87] uses pre-shared key authentication
     con3000:   child:  10.8.222.0/30|/0 === 10.8.222.2/32|/0 TUNNEL, dpdaction=restart
Security Associations (4 up, 0 connecting):
     con3000[51]: ESTABLISHED 74 minutes ago, 212.129.54.15[H87gcP9n]...90.65.71.187[t9KxdF87]
     con3000[51]: IKEv2 SPIs: e31d60fa6eb764fa_i 01e6388a49940b8b_r*, pre-shared key reauthentication in 6 hours
     con3000[51]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
     con3000{53}:  INSTALLED, TUNNEL, reqid 3000, ESP in UDP SPIs: cd9fea01_i c694082c_o
     con3000{53}:  AES_GCM_16_128, 1163251 bytes_i, 7292564 bytes_o, rekeying in 27 minutes
     con3000{53}:   10.8.222.1/32|/0 === 10.8.222.2/32|/0
The logs:

Sep 26 16:17:41 jr charon: 11[NET] <con2000|1> received packet: from 212.129.54.15[4500] to 172.31.255.12[4500] (57 bytes)
Sep 26 16:17:41 jr charon: 11[ENC] <con2000|1> parsed INFORMATIONAL request 7 [ ]
Sep 26 16:17:41 jr charon: 11[ENC] <con2000|1> generating INFORMATIONAL response 7 [ ]
Sep 26 16:17:41 jr charon: 11[NET] <con2000|1> sending packet: from 172.31.255.12[4500] to 212.129.54.15[4500] (57 bytes)
Sep 26 16:17:41 jr charon: 04[NET] sending packet: from 172.31.255.12[4500] to 212.129.54.15[4500]
Sep 26 16:17:41 jr charon: 11[KNL] <con2000|1> querying policy 10.8.222.1/32|/0 === 10.8.222.2/32|/0 in failed, not found
Sep 26 16:17:51 jr charon: 11[KNL] <con2000|1> querying policy 10.8.222.1/32|/0 === 10.8.222.2/32|/0 in failed, not found
Sep 26 16:17:51 jr charon: 11[IKE] <con2000|1> sending DPD request

Thanks for the help
fred
-
Where do you have the route set for 10.60.0.0/16? Is it a static route, handled by a routing protocol (OSPF or BGP) or what?
-
@jimp said in after a reboot I no longer have the route to ipsec VTI:
Where do you have the route set for 10.60.0.0/16
Hi Jimp,
Yes, I added a static route:

<staticroutes>
  <route>
    <network>10.60.0.0/16</network>
    <gateway>IPSECVTI_VTIV4</gateway>
    <descr><![CDATA[Route VTI]]></descr>
  </route>
</staticroutes>

<gateway_item>
  <interface>opt5</interface>
  <gateway>dynamic</gateway>
  <name>IPSECVTI_VTIV4</name>
  <weight>1</weight>
  <ipprotocol>inet</ipprotocol>
  <interval>10000</interval>
  <alert_interval>11000</alert_interval>
  <descr><![CDATA[Interface IPSECVTI_VTIV4 Gateway]]></descr>
</gateway_item>
-
Hmm, I just checked the setups I have here with VTI and static routes and they all apply at boot time.
Did you make manual changes to the VTI gateway? Try removing the VTI gateway settings (click the trash can) -- that will not actually delete the gateway since it is dynamic, only its custom settings. Then reboot and see if it works.
-
Jimp,
Yes, the problem is resolved after deleting the static route, removing the VTI gateway settings and rebooting.
Thanks for the help
fred
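A small post-boot check for the situation discussed in this thread, added here as an example; it is not code from the thread, from pfSense or from strongSwan. It parses netstat -rn output (the two listings posted above are embedded as constructed samples) and reports whether the 10.60.0.0/16 route really points at the VTI gateway 10.8.222.1 over ipsec2000, printing the route(8) command that would restore it. The interface name, /30 and remote prefix are the poster's; the function names and the APPLY variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread, pfSense or strongSwan): verify after a
# reboot that the static route to the far side of an IPsec VTI is installed.
# Interface, /30 and remote prefix come from the thread; helper names are ours.

VTI_IF="ipsec2000"          # pfSense VTI interface
VTI_GW="10.8.222.1"         # remote address of the VTI /30 (the gateway)
REMOTE_NET="10.60.0.0/16"   # prefix that must be routed through the VTI

# Constructed samples: the two netstat -rn listings from the thread, taken
# right after the reboot and after the poster's workaround.
NETSTAT_BEFORE='10.8.222.1                        link#12   UH    ipsec200
10.8.222.2                        link#12   UHS   lo0
fe80::%ipsec2000/64               link#12   U     ipsec200
fe80::20c:29ff:fe2c:fe96%ipsec2000 link#12  UHS   lo0'

NETSTAT_AFTER="$NETSTAT_BEFORE
10.60.0.0/16                      10.8.222.1 UGS  ipsec200"

# route_gateway OUTPUT PREFIX IFACE
# Prints the gateway of PREFIX when that route leaves via IFACE, else nothing.
# netstat truncates the interface column ("ipsec200" for ipsec2000), so the
# interface is matched as a prefix of IFACE rather than for equality.
route_gateway() {
    printf '%s\n' "$1" | awk -v net="$2" -v ifc="$3" '
        $1 == net && index(ifc, $NF) == 1 { print $2; exit }'
}

# vti_route_ok OUTPUT
# 0 when REMOTE_NET is routed to VTI_GW over VTI_IF, 1 when the route is
# missing or points elsewhere (the post-reboot state reported in the thread).
vti_route_ok() {
    gw=$(route_gateway "$1" "$REMOTE_NET" "$VTI_IF")
    [ "$gw" = "$VTI_GW" ]
}

# fix_command
# The FreeBSD route(8) invocation that reinstalls the missing route.
# Printed only; set APPLY=1 to run it (needs root on the firewall).
fix_command() {
    printf 'route add -net %s %s\n' "$REMOTE_NET" "$VTI_GW"
}

# check_and_report OUTPUT
# Human-readable verdict plus the restore command; returns 0 if the route is fine.
check_and_report() {
    if vti_route_ok "$1"; then
        echo "ok: $REMOTE_NET via $VTI_GW on $VTI_IF"
        return 0
    fi
    echo "missing: $REMOTE_NET is not routed via $VTI_GW on $VTI_IF"
    echo "to restore: $(fix_command)"
    if [ "${APPLY:-0}" = "1" ]; then
        eval "$(fix_command)"
    fi
    return 1
}

# On the firewall itself, feed the live table: check_and_report "$(netstat -rn)"
check_and_report "$NETSTAT_BEFORE" || true
check_and_report "$NETSTAT_AFTER"  || true
```

Run it from a cron job or a shellcmd after boot and alert on the "missing" line; the route(8) call is deliberately not executed unless APPLY=1, because a route added outside the GUI is not reflected in config.xml and will be overwritten the next time the gateway is re-applied.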