No RX packets on VTI interface for Strongswan IPSec in OpenWrt

Installing and Using OpenWrt
1 
I am having trouble in configuring route based strongswan IPSec tunnel.
Where I have configured VTI interface as follow: -


1.	VTI Tunnel:
ip tunnel add vti1 mode vti local 10.0.2.5 remote 50.237.99.99 key 42
ifconfig vti1 172.18.21.110 netmask 255.255.255.255 pointopoint 172.18.21.110
ip link set vti1 up


2.	Route Defined:
ip route add 192.168.51.0/24 dev vti1


3.	Sysctl Setting:
sysctl -w "net.ipv4.conf.vti1.disable_policy=1"
sysctl -w "net.ipv4.conf.vti1.rp_filter=0"
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0


4.	IPsec Status:
root@OpenWrt:~# ipsec status
Security Associations (1 up, 0 connecting):
gateway[1]: ESTABLISHED 13 seconds ago, 10.0.2.5[owrt]...50.237.99.99[fortinet]
gateway{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c449279c_i d08fbc3b_o
gateway{1}: 10.0.2.5/32 === 0.0.0.0/0
mgmt{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: ca76375f_i d08fbc3c_o
mgmt{2}: 172.18.21.110/32 === 0.0.0.0/0
root@OpenWrt:~#


5.	ping tcpdump on vti1:
root@OpenWrt:~# tcpdump -i vti1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vti1, link-type RAW (Raw IP), capture size 262144 bytes
11:20:42.236925 IP 172.18.21.110 > 192.168.51.230: ICMP echo request, id 20763, seq 22, length 64
11:20:43.237188 IP 172.18.21.110 > 192.168.51.230: ICMP echo request, id 20763, seq 23, length 64
11:20:44.237369 IP 172.18.21.110 > 192.168.51.230: ICMP echo request, id 20763, seq 24, length 64



6.	ping tcpdump on eth1 (packets are recived on eth1 -WAN interface):

root@OpenWrt:~# tcpdump -i eth1 'port 4500'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
11:22:49.263922 IP 10.0.2.5.4500 > 50-237-99-99.4500: UDP-encap: ESP(spi=0xd08fbc3c,seq=0x96), length 116
11:22:49.264803 IP 50-237-99-99.4500 > 10.0.2.5.4500: UDP-encap: ESP(spi=0xca76375f,seq=0x97), length 116
11:22:50.264121 IP 10.0.2.5.4500 > 50-237-99-99.4500: UDP-encap: ESP(spi=0xd08fbc3c,seq=0x97), length 116
11:22:50.264877 IP 50-237-99-99.4500 > 10.0.2.5.4500: UDP-encap: ESP(spi=0xca76375f,seq=0x98), length 116
11:22:51.264321 IP 10.0.2.5.4500 > 50-237-99-99.4500: UDP-encap: ESP(spi=0xd08fbc3c,seq=0x98), length 116
11:22:51.265118 IP 50-237-99-99.4500 > 10.0.2.5.4500: UDP-encap: ESP(spi=0xca76375f,seq=0x99), length 116


7.	NO RX packet
root@OpenWrt:~# ip -s tunnel
vti1: ip/ip remote 50.237.99.99 local 10.0.2.5 ttl inherit key 42
RX: Packets Bytes Errors CsumErrs OutOfSeq Mcasts
0 0 0 0 0 0
TX: Packets Bytes Errors DeadLoop NoRoute NoBufs
322 27048 0 0 0 0
root@OpenWrt:~#

I have followed the posts of @VincentR (Expert) to debug but not able to debug the issue further. Is this firewall issue as I can see the packets are being replied back (seen tcpdump on eth1).

Please help!!!!!!!!!!

2

Welcome to the OpenWRT forum,
I don't have a setup currently to look at things in details. There are two things that caught my eye.

1- I'm not too sure if this ifconfig is equivalent to the "ip addr add 172.18.21.110 dev vti1" which is in the other docs/threads:

2- and also why these two settings are not left alone:

3- If you think it's the firewall that is blocking your traffic, you could carefully and temporarily (at your own risk), stop it for a couple of seconds and see if the packets flow. Otherwise, you could add some debugging rules to your firewall to see where packets are stopped:

3

Thank you @VincentR . firewall service restart solves the problem. Thanks !!!!.

1 Like
4

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.