I am trying for a few days to create a VPN tunnel between 2 sites, but with no success.
Scenario
I have the following scenario:
Site A with the 192.168.1.0/24 IP addresses and a gateway GWA with the addresses 192.168.1.254 and a.b.c.d (Internet facing).
Site B with the 192.168.2.0/24 IP addresses and a gateway GWB with the addresses 192.168.2.254 and e.f.g.h(Internet facing).
XFRM Policies and States
I managed to add the states and policies for each gateway correctly (I think).
For GWA I used the following commands:
# policies in, out, fwd
ip xfrm policy add src 192.168.1.0/24 dst 192.168.2.0/24 dir out tmpl src a.b.c.d dst e.f.g.h proto esp reqid 0x99 mode tunnel
ip xfrm policy add src 192.168.2.0/24 dst 192.168.1.0/24 dir in tmpl src e.f.g.h dst a.b.c.d proto esp reqid 0x99 mode tunnel
ip xfrm policy add src 192.168.2.0/24 dst 192.168.1.0/24 dir fwd tmpl src e.f.g.h dst a.b.c.d proto esp reqid 0x99 mode tunnel<br>
# states
ip xfrm state add src a.b.c.d dst e.f.g.h proto esp spi 0x81 reqid 0x99 mode tunnel auth "hmac(sha256)" 0x01 enc "rfc3686(ctr(aes))" 0x02
ip xfrm state add src e.f.g.h dst a.b.c.d proto esp spi 0x82 reqid 0x99 mode tunnel auth "hmac(sha256)" 0x03 enc "rfc3686(ctr(aes))" 0x04
For GWB I used the following commands:
# policies in, out, fwd
ip xfrm policy add src 192.168.2.0/24 dst 192.168.1.0/24 dir out tmpl src e.f.g.h dst a.b.c.d proto esp reqid 0x99 mode tunnel
ip xfrm policy add src 192.168.1.0/24 dst 192.168.2.0/24 dir in tmpl src a.b.c.d dst e.f.g.h proto esp reqid 0x99 mode tunnel
ip xfrm policy add src 192.168.1.0/24 dst 192.168.2.0/24 dir fwd tmpl src a.b.c.d dst e.f.g.h proto esp reqid 0x99 mode tunnel<br>
# states
ip xfrm state add src a.b.c.d dst e.f.g.h proto esp spi 0x81 reqid 0x99 mode tunnel auth "hmac(sha256)" 0x01 enc "rfc3686(ctr(aes))" 0x02
ip xfrm state add src e.f.g.h dst a.b.c.d proto esp spi 0x82 reqid 0x99 mode tunnel auth "hmac(sha256)" 0x03 enc "rfc3686(ctr(aes))" 0x04
Routes
Each host from Site A knows to route packets destined for Site B via GWA.
Each host from Site B know to route packets destined for Site A via GWB.
Results
A packet sent from a host in Site A to a host in Site B arrives at GWA and is encrpyted (as a ESP packet). The ESP packet arrives at GWB and it's successfully decrypted, but it get's dropped.
What did I miss?
Do I need virtual/tunnel interfaces? (vti, tun, tap)
Do I need to add entries in iptables?
Are my xfrm commands correct?
I found the problem. My approach was correct, but because of a kernel bug (in many 5.2.x versions and also some 4.x versions) the ip xfrm tool didn't work properly.
A workaround was using strongswan/swanctl with their own IPSec implementation. For more see this: kernel-libsec plugin.
You will need to build and compile it yourself.
Related
my openwrt-x86 has been running for a while inside exsi virtual environment(it's a VM,eth0 eth1 is virtual NIC of exsi),and one day I tried to add a pass through port(eth2 physical) into this openwrt as a lan port so I can access the lan managed by this openwrt by physically connect a wire into eth2, but I found that I can got ip address and dhcp normally,but cannnot connect other ipaddress in the same lan except the openwrt itself and wan network.
my config file of openwrt was
root#OpenWrt:/etc/config# cat network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdc8:982a:611a::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
list ports 'eth2'
option ipv6 '0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ip6assign '60'
option ipaddr '10.0.0.1'
option netmask '255.255.0.0'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option metric '5'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
for example I got 10.0.0.10 dhcp ipaddr by physically connected to eth2,then my wan network still fine I can go google,but when I tried ping 10.0.0.151(a vm that in openwrt's lan) and got icmp not reachable
[root#master1 ~]# ping 10.0.0.151
PING 10.0.0.151 (10.0.0.151) 56(84) bytes of data.
From 10.0.0.10 icmp_seq=1 Destination Host Unreachable
From 10.0.0.10 icmp_seq=2 Destination Host Unreachable
From 10.0.0.10 icmp_seq=3 Destination Host Unreachable
From 10.0.0.10 icmp_seq=4 Destination Host Unreachable
From 10.0.0.10 icmp_seq=5 Destination Host Unreachable
From 10.0.0.10 icmp_seq=6 Destination Host Unreachable
and the route table on 10.0.0.10 seems fine
[root#master1 ~]# ip route
default via 10.0.0.1 dev ens192 proto dhcp src 10.0.0.10 metric 100
10.0.0.0/16 dev ens192 proto kernel scope link src 10.0.0.10 metric 100
solved,due to Exsi set internal switch NIC
Promiscuous Mode =false
Forged Transmits =false
by default,so vm in virtual lan cannot receive ARP response delivered,enable them to make it works
Hi I'm working on a project and I had a question involving ping commands and how they interface over network TUN ports.
Basically I'm sending out ping requests which are routed to my TUN port and the reply's are sent to the TUN port over the VPN. There are no other internet interfaces (i.e. no wifi/ethernet). Using wireshark and tcpdump I can see that the correct reply messages are seen on the TUN0 port but terminal does not see the replys and instead shows 100% drop rate. The issue seems to be that the TUN0 port is not properly linking back to the kernal? (total guess I'm quite new to IP routing).
The IP address of the TUN is 10.0.0.73 and I am pinging a computer with IP address 10.0.0.28
Bellow is a snippet from the tcpdump on TUN0 this is a request and reply that to my untrained eye should work:
23:08:52.257566 IP (tos 0x0, ttl 64, id 11185, offset 0, flags [DF], proto ICMP (1), length 84)
10.0.0.73 > 10.0.0.28: ICMP echo request, id 24667, seq 2, length 64
23:09:11.508002 IP (tos 0x0, ttl 64, id 13315, offset 0, flags [none], proto ICMP (1), length 84)
10.0.0.28 > 10.0.0.73: ICMP echo reply, id 24667, seq 2, length 64
Based on other posts I checked my ip route list and the output is as such
pi#raspberrypi:~$ sudo ip route list
10.0.0.0/24 dev tun0 proto kernel scope link src 10.0.0.73
and the ifconfig is this:
pi#raspberrypi:~$ ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.0.0.73 P-t-P 10.0.0.73 Mask:255.255.255.0
...
Turns out the issue was that the replies were showing up in incorrect orders and greatly delayed, when I fixed the network connections this issue went away without changing any configurations in the iptables
My device is running on Debian OS strech version (not desktop).
I am not an IT personal, but a programmer. I need to know how to configure the network on the debian so both PPP cellular modem & the ethernet interface can access the internet.
There are 3 network interfaces:
1. Ethernet interface enp1s0: dhcp client. (gets ip from the dhcp server and access to the internet)
2. Ethernet interface snp2s0: static ip
3. Modem PPP: wvdial gets access to the internet using the modem
/etc/network/interface file:
auto lo
iface lo inet loopback
allow-hotplug enp1s0
iface enp1s0 inet dhcp
auto enp2s0
iface enp2s0 inet static
address 10.0.13.1
netmask 255.0.0.0
manual ppp0
iface ppp0 inet wvdial
ip route
default via 10.0.0.100 dev enp1s0
10.0.0.0/24 dev enp1s0 proto kernel scope link src 10.0.0.11
10.0.0.0/8 dev enp2s0 proto kernel scope link src 10.0.13.1
/etc/resolv.conf file:
domain mydomain.local
search mydomain.local
nameserver 10.0.0.3
/etc/wvdial.conf file:
[Dialer Defaults]
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0
Init3 = AT+CGDCONT=1,"IP","internetg"
Init4 = AT+CGATT=1
Phone = *99***1#
Modem Type = USB Modem
Baud = 460800
New PPPD = yes
Modem = /dev/ttyACM2
ISDN = 0
Password = ''
Username = ''
Auto DNS = Off
/etc/ppp/peers/wvdial file:
noauth
name wvdial
usepeerdns
Problem:
1. My device is running and enp1s0 is connected to the internet. (modem is down)
2. I then run command to perform dialup of the ppp: ifup ppp0
3. As a result the device ppp0 appears in the 'ip a' command, but the ethernet interface enp1s0 is not connected to the internet anymore and also the modem is not connected, but has ip which means there is some problem with routing table and/or dns.
After dialup the ip route table does not have any default/rule for the PPP.
ip route:
default via 10.0.0.100 dev enp1s0
10.0.0.0/24 dev enp1s0 proto kernel scope link src 10.0.0.11
10.0.0.0/8 dev enp2s0 proto kernel scope link src 10.0.13.1
After dialup I noticed that the /etc/resolv.conf file changed and the dns of the ethernet interface is deleted and now appears the PPP dns entries:
/etc/resolv.conf
nameserver 194.90.0.11
nameserver 212.143.0.11
domain mydomain.local
search mydomain.local
The network should behave as follows:
1. If both PPP and ethernet interface are up, then both should have access to the internet at the same time
2. If only 1 of the devices are up (PPP or ethernet interface) then it should work
3. Dialup/Dialdown should not affect the ethernet connection to the internet
What are the exact commands needed and file configuration in order to be able to have PPP and ethernet interface enp1s0 work at the same time?
- ip routing table
- dns
- wvdial
for default route, add defaultroute and replacedefaultroute option to /etc/ppp/peers/wvdial file.
I need to reach an external IPv6 address from a network namespace.
In my host I have setup a SIT tunnel (IPv6-in-IPv4) that does tunnelling of IPv6 packets and sends it through the default interface (eth0). The SIT tunnel relies on the Hurricane Electric tunnel broker service. I can ping an external IPv6 address from the host.
$ ping6 ipv6.google.com
PING ipv6.google.com(lis01s13-in-x0e.1e100.net) 56 data bytes
64 bytes from lis01s13-in-x0e.1e100.net: icmp_seq=1 ttl=57 time=98.1 ms
64 bytes from lis01s13-in-x0e.1e100.net: icmp_seq=2 ttl=57 time=98.7 ms
Here are some details about the tunnel:
$ ip -6 route sh
2001:470:1f14:10be::/64 dev he-ipv6 proto kernel metric 256
default dev he-ipv6 metric 1024
Here comes the interesting part. For reasons that are beyond the scope of this question, I need to do the same thing (ping ipv6.google.com) from within a network namespace.
Here is how I create and setup my network namespace:
ns1.sh
#!/bin/bash
set -x
if [[ $EUID -ne 0 ]]; then
echo "You must run this script as root."
exit 1
fi
# Create network namespace 'ns1'.
ip netns del ns1 &>/dev/null
ip netns add ns1
# Create veth pair.
ip li add name veth1 type veth peer name vpeer1
# Setup veth1 (host).
ip -6 addr add fc00::1/64 dev veth1
ip li set dev veth1 up
# Setup vpeer1 (network namespace).
ip li set dev vpeer1 netns ns1
ip netns exec ns1 ip li set dev lo up
ip netns exec ns1 ip -6 addr add fc00::2/64 dev vpeer1
ip netns exec ns1 ip li set vpeer1 up
# Make vpeer1 default gw.
ip netns exec ns1 ip -6 route add default dev vpeer1
# Get into ns1.
ip netns exec ns1 /bin/bash --rcfile <(echo "PS1=\"ns1> \"")
Then I run ns1.sh and ping veth1 (fc00::1) vpeer1 (fc00::2) from 'ns1'.
ns1> ping6 fc00::1
PING fc00::1(fc00::1) 56 data bytes
64 bytes from fc00::1: icmp_seq=1 ttl=64 time=0.075 ms
^C
ns1> ping6 fc00::2
PING fc00::2(fc00::2) 56 data bytes
64 bytes from fc00::2: icmp_seq=1 ttl=64 time=0.056 ms
However, if I try to ping an external IPv6 address:
ns1> ping6 2a00:1450:4004:801::200e
PING 2a00:1450:4004:801::200e(2a00:1450:4004:801::200e) 56 data bytes
^C
--- 2a00:1450:4004:801::200e ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1008ms
All packets are loss.
I opened veth1 with tcpdump and checked what's going on. What I'm seeing is that Neighbor Solicitation packets are reaching the interface. These packets are trying to resolve the MAC address of the the IPv6 destination address:
$ sudo tcpdump -qns 0 -e -i veth1
IPv6, length 86: fc00::2 > ff02::1:ff00:200e: ICMP6, neighbor solicitation,
who has 2a00:1450:4004:801::200e, length 32
IPv6, length 86: fc00::2 > ff02::1:ff00:200e: ICMP6, neighbor solicitation,
who has 2a00:1450:4004:801::200e, length 32
I don't really understand why this is happening. I have enabled IPv6 forwarding in the host too but it had no effect:
$ sudo sysctl -w net.ipv6.conf.default.forwarding=1
Thanks for reading this question. Suggestions welcome :)
EDIT:
Routing table in the host:
2001:470:1f14:10be::/64 dev he-ipv6 proto kernel metric 256
fc00::/64 dev veth1 proto kernel metric 256
default dev he-ipv6 metric 1024
I added a NDP proxy in the host, that solves the NDP solicitations. Still the address is not reachable from the nsnet (looking into this):
sudo sysctl -w net.ipv6.conf.all.proxy_ndp=1
sudo ip -6 neigh add proxy 2a00:1450:4004:801::200e dev veth1
ULAs are not routable
You have given an Unique Local Address (fc00::2) to the network namespace: this IP address is not routable in the global internet but only in your local network.
When your ISP receives the ICMP packet coming from this address it will drop it. Even if this packet was successfully reaching ipv6.google.com, it could not possibly send the answer back to you because there is no announced route for this IP address.
Routing table problem (NDP notications)
You get NDP notifications because of this line:
ip netns exec ns1 ip -6 route add default dev vpeer1
which tells the kernel that (in the netns) all IP address are directly connected on the vpeer1 interface. The kernel thinks that this IP address is present on the Ethernet link: that's why it's trying to resolve its MAC address with NDP.
Instead, you want to say that they are reachable through a given router (in your case, the router is your host):
ip netns exec ns1 ip -6 route add default dev vpeer1 via $myipv6
Solutions
You can either:
associate an public IPv6 address (of your public IPv6 prefix) to your netns and setup a NDP proxy on the host for this address;
subnet your IPv6 prefix and route a subnet to your host (if you can);
use NAT (bad, ugly, don't do that).
You should be able to achieve the first one using something like this:
#!/bin/bash
set -x
myipv6=2001:470:1f14:10be::42
peeripv6=2001:470:1f14:10be::43
#Create the netns:
ip netns add ns1
# Create and configure the local veth:
ip link add name veth1 type veth peer name vpeer1
ip -6 address add $myipv6/128 dev veth1
ip -6 route add $peeripv6/128 dev veth1
ip li set dev veth1 up
# Setup vpeer1 in the netns:
ip link set dev vpeer1 netns ns1
ip netns exec ns1 ip link set dev lo up
ip netns exec ns1 ip -6 address add $peeripv6/128 dev vpeer1
ip netns exec ns1 ip -6 route add $myipv6/128 dev vpeer1
ip netns exec ns1 ip link set vpeer1 up
ip netns exec ns1 ip -6 route add default dev vpeer1 via $peeripv6
# IP forwarding
sysctl -w net.ipv6.conf.default.forwarding=1
# NDP proxy for the netns
ip -6 neigh add proxy $myipv6 dev veth1
I have two PC in same subnet and connected via switch. When I do arp -a the other IP address is shown but I cant ping the other PC.
It is shown in arp, but maybe it is cached, and currently not reachable. Try the following command, which outputs its current cache state:
ip neigh
For example, on my personal laptop, I have a wireless adapter (wlan0) and a wired one (eth0), both connected to the same network (my home router). With arp -a it displays
? (192.168.1.1) en xx:xx:xx:xx:xx:xx [ether] en wlan0
? (192.168.1.1) en xx:xx:xx:xx:xx:xx [ether] en eth0
and with ip neigh it shows
192.168.1.1 dev wlan0 lladdr xx:xx:xx:xx:xx:xx STALE
192.168.1.1 dev eth0 lladdr xx:xx:xx:xx:xx:xx REACHABLE
As seen with ip neigh, the wireless one is in the STALE state, cause it is not being used, but arp -a does not displays it.