Adam Tauno Williams
2018-04-20 18:06:17 UTC
I am attempting to configure a VPN tunnel between a Libreswan host
(3.20-5, CentOS7) and a Cisco 881 router. I want to create a VTI
interface on the CentOS7 host corresponding to a Tunnel interface on
the Cisco router [we have some relatively complicated routing].
I have been able to peer the Cisco router and the Libreswan host in a
straight-up association but when I attempt to change this over to a
vrf-VTI configuration I am getting stuck.
-- from the Cisco router, which is the branch office side --
*Apr 20 17:56:20.730: ISAKMP:(0): beginning Main Mode exchange
*Apr 20 17:56:20.730: ISAKMP:(0): sending packet to A.B.C.D my_port 500
peer_port 500 (I) MM_NO_STATE
*Apr 20 17:56:20.730: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 20 17:56:20.730: ISAKMP:(0):purging SA., sa=85431158,
delme=85431158
*Apr 20 17:56:30.730: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Apr 20 17:56:30.730: ISAKMP (0:0): incrementing error counter on sa,
attempt 1 of 5: retransmit phase 1
*Apr 20 17:56:30.730: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Apr 20 17:56:30.730: ISAKMP:(0): sending packet to A.B.C.D my_port 500
peer_port 500 (I) MM_NO_STATE
*Apr 20 17:56:30.730: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 20 17:56:40.730: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Apr 20 17:56:40.730: ISAKMP (0:0): incrementing error counter on sa,
attempt 2 of 5: retransmit phase 1
*Apr 20 17:56:40.730: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Apr 20 17:56:40.730: ISAKMP:(0): sending packet to A.B.C.D my_port 500
peer_port 500 (I) MM_NO_STATE
*Apr 20 17:56:40.730: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 20 17:56:50.726: IPSEC(key_engine): request timer fired: count =
1,
(identity) local= X.Y.W.X, remote= A.B.C.D,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Apr 20 17:56:50.726: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= X.Y.W.X, remote= A.B.C.D,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Apr 20 17:56:50.726: ISAKMP: set new node 0 to QM_IDLE
*Apr 20 17:56:50.726: ISAKMP:(0):SA is still budding. Attached new
ipsec request to it. (local X.Y.W.X, remote A.B.C.D)
*Apr 20 17:56:50.726: ISAKMP: Error while processing SA request: Failed
to initialize SA
-- Libreswan
conn mhhs-vti
mark=10/0xffffff
ikelifetime=1440m
keylife=60m
rekeymargin=3m
keyingtries=1
authby=secret
left=A.B.C.D #strongswan outside address
leftid=A.B.C.D #IKEID sent by strongswan
right=X.Y.W.Z #IOS outside address
rightid=X.Y.W.Z #IKEID sent by IOS
auto=add
vti-interface=vti01
vti-routing=no
#type=tunnel
#leftvti=172.16.4.5/24
-- Cisco Router
crypto keyring branchoffice-keyring
pre-shared-key address A.B.C.D key CiscoCiscoCiscoCiscoCisco
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp profile branchoffice-ike
keyring branchoffice-keyring
match identity address A.B.C.D 255.255.255.255 RED
isakmp authorization list default
local-address FastEthernet4
!
crypto ipsec transform-set branchoffice-set esp-aes esp-sha-hmac
!
crypto ipsec profile branchoffice-profile
set transform-set branchoffice-set
set isakmp-profile branchoffice-ike
!
interface Tunnel0
ip vrf forwarding GREEN
ip address 172.16.4.4 255.255.255.0
tunnel source FastEthernet4
tunnel destination A.B.C.D
tunnel mode ipsec ipv4
tunnel protection ipsec profile branchoffice-profile
!
interface FastEthernet4
description internet WAN link
ip address X.Y.W.Z 255.255.255.224
duplex auto
speed auto
!
interface Vlan1
description cust1 private VRF
ip vrf forwarding GREEN
ip address 192.168.42.19 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 X.Y.W.V
ip route vrf GREEN 0.0.0.0 0.0.0.0 172.16.4.5
--
Meetings Coordinator, Michigan Association of Railroad Passengers
537 Shirley St NE Grand Rapids, MI 49503-1754 Phone: 616.581.8010
E-mail: ***@whitemice.org GPG#D95ED383 Web: http://www.marp.org
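In the ISAKMP debug above the router sends the first Main Mode packet, retransmits it twice, and never logs a reply, so the Libreswan host is not answering at all rather than rejecting a proposal. The script below, added here as an example and not part of the original post, recognises that pattern in a "debug crypto isakmp" capture; the log sample is constructed from the lines in the post, and the "received packet from" message it looks for on the healthy path is assumed, since none appears in the post.

```python
# Added example, not from the original post: triage a Cisco IOS "debug crypto isakmp"
# capture for an IKEv1 initiator stuck in MM_NO_STATE, i.e. the responder (here the
# Libreswan host) never answered the first Main Mode packet.
import re
from dataclasses import dataclass, field

# Constructed from the lines quoted in the post (wrapped lines rejoined).
SAMPLE_LOG = """\
*Apr 20 17:56:20.730: ISAKMP:(0): sending packet to A.B.C.D my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 20 17:56:30.730: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 20 17:56:30.730: ISAKMP:(0): sending packet to A.B.C.D my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 20 17:56:40.730: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Apr 20 17:56:40.730: ISAKMP:(0): sending packet to A.B.C.D my_port 500 peer_port 500 (I) MM_NO_STATE
"""

SEND_RE = re.compile(r"sending packet to (\S+) my_port \d+ peer_port \d+ \((?:I|R)\) (\w+)")
RETRY_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
# IOS logs "received packet from <peer> ..." when a reply arrives (assumed; none appears in the post).
RECV_RE = re.compile(r"received packet from (\S+)")

@dataclass
class IkeTriage:
    peer: str = ""
    sent_states: list = field(default_factory=list)  # IKE state at each packet we sent
    retries: int = 0
    max_retries: int = 0
    replies: int = 0

    @property
    def peer_silent(self) -> bool:
        # Only MM1 was ever sent, it had to be retransmitted, and nothing came back.
        return self.replies == 0 and self.retries > 0 and set(self.sent_states) == {"MM_NO_STATE"}

    def diagnosis(self) -> str:
        if self.peer_silent:
            return (f"no IKE reply from {self.peer} after {self.retries} retransmit(s): the responder is "
                    "not answering UDP/500 (conn not loaded, a mismatch logged only on its side, or IKE blocked in transit)")
        return "phase 1 moved past MM_NO_STATE; inspect the later ISAKMP state messages"

def triage(log: str) -> IkeTriage:
    t = IkeTriage()
    for line in log.splitlines():
        if m := SEND_RE.search(line):
            t.peer = m.group(1)
            t.sent_states.append(m.group(2))
        elif m := RETRY_RE.search(line):
            t.retries, t.max_retries = int(m.group(1)), int(m.group(2))
        elif RECV_RE.search(line):
            t.replies += 1
    return t
```

When the script reports a silent responder, the next place to look is the Libreswan side (whether the conn is actually loaded and what pluto logs when the packet arrives), not the router's proposals.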