I want to run OSPF over VTI interfaces using two x86 routers, but I am facing some problems with connection-marking mangle rules in PREROUTING. The topology is as follows:
Site-1 Configuration:
IPsec Conf:
/etc/ipsec.conf
conn Site1
left=192.168.50.1
right=192.168.50.2
auto=start
leftsubnet=0.0.0.0/0
type=tunnel
rightsubnet=0.0.0.0/0
keyingtries=%forever
leftauth=psk
rightauth=psk
ikelifetime=8h
ike=aes256-sha1-modp1536
esp=aes256-sha1
mark=100
ipsec.secrets:
%any %any : PSK "admin123"
VTI Conf:
ip tunnel add vti1 mode vti local 192.168.50.1 remote 192.168.50.2 key 100
ip link set vti1 up
ip addr add 10.100.100.1/30 dev vti1
I have also changed the sysctl.conf value for the VTI interface:
net.ipv4.conf.vti1.disable_policy=1
OSPF Conf:
interface vti1
ip ospf mtu-ignore
!
router ospf
network 10.100.100.1/32 area 0.0.0.0
network 192.168.10.0/24 area 0.0.0.0
By doing this I have found that my tunnel is successfully established, but I don't get any point-to-point ping between my VTI interfaces and the OSPF neighbor is not coming up.
Then I found that there are some PREROUTING rules being appended in the mangle PREROUTING chain, like this:
After flushing the rules from PREROUTING, ping on the VTI interfaces runs smoothly and the OSPF neighbor comes up immediately. But the PREROUTING rules are appended again every time IPsec is initiated. Is there any clue on how to stop strongSwan from inserting the PREROUTING rules into iptables?
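A mark-based VTI only carries traffic when the `mark=` on the IPsec SA equals the `key` of the `ip tunnel ... mode vti` device, the endpoints match, and the traffic selectors are 0.0.0.0/0; the following checker is an added example, not code from the question, that verifies those bindings on constructed copies of the fragments above (it does not touch the PREROUTING-rule problem itself).

```python
import re

# Constructed copies of the fragments in the question, not read from real files.
IPSEC_CONF = """conn Site1
left=192.168.50.1
right=192.168.50.2
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
type=tunnel
mark=100
"""
VTI_CMD = "ip tunnel add vti1 mode vti local 192.168.50.1 remote 192.168.50.2 key 100"
SYSCTL = ["net.ipv4.conf.vti1.disable_policy=1"]


def parse_conn(text):
    """Return {conn_name: {option: value}} for a minimal ipsec.conf-style text."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur is not None and "=" in line:
            k, v = line.split("=", 1)
            conns[cur][k.strip()] = v.strip()
    return conns


def parse_vti(cmd):
    """Extract name, endpoints and key from an 'ip tunnel add ... mode vti' command."""
    m = re.search(r"ip tunnel add (\S+) mode vti local (\S+) remote (\S+)(?: key (\d+))?", cmd)
    if not m:
        raise ValueError("not an 'ip tunnel add ... mode vti' command")
    return {"name": m[1], "local": m[2], "remote": m[3], "key": int(m[4]) if m[4] else None}


def check_vti_binding(conn, vti, sysctl_lines):
    """Return findings; an empty list means SA mark, VTI key, endpoints and policy bypass agree."""
    findings = []
    mark = conn.get("mark")
    # strongSwan accepts mark=value[/mask]; only the value must equal the VTI key.
    mark_value = int(mark.split("/")[0], 0) if mark else None
    if mark_value is None or mark_value != vti["key"]:
        findings.append(f"mark={mark!r} does not match VTI key {vti['key']!r}")
    if (conn.get("left"), conn.get("right")) != (vti["local"], vti["remote"]):
        findings.append("tunnel endpoints differ between ipsec.conf and the VTI")
    for side in ("leftsubnet", "rightsubnet"):
        if conn.get(side) != "0.0.0.0/0":
            findings.append(f"{side} should be 0.0.0.0/0 for a route-based VTI")
    if f"net.ipv4.conf.{vti['name']}.disable_policy=1" not in sysctl_lines:
        findings.append(f"disable_policy is not set on {vti['name']}")
    return findings
```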