
#1 2017-07-22 03:50:15

jayendra
Member
Registered: 2016-06-10
Posts: 39

IPSec tunnel established but no ip-address assigned to vpn interface?

I am using an l2tp-ipsec VPN with a pre-shared key to connect to my work environment. The IPsec implementation I am using is from libreswan.
I have followed IPsec_VPN_client_setup to set up the connection.

[jay@alienware ~]$ sudo systemctl start ipsec
[sudo] password for jay: 
[jay@alienware ~]$ sudo systemctl start xl2tpd.service 
[jay@alienware ~]$ sudo ipsec auto --add work
002 "work": deleting non-instance connection
002 added connection description "work"
[jay@alienware ~]$ sudo ipsec auto --up work
002 "work" #1: initiating Main Mode
104 "work" #1: STATE_MAIN_I1: initiate
002 "work" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "work" #1: STATE_MAIN_I2: sent MI2, expecting MR2
010 "work" #1: STATE_MAIN_I2: retransmission; will wait 500ms for response
002 "work" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "work" #1: STATE_MAIN_I3: sent MI3, expecting MR3
010 "work" #1: STATE_MAIN_I3: retransmission; will wait 500ms for response
002 "work" #1: Main mode peer ID is ID_IPV4_ADDR: '180.211.105.234'
002 "work" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "work" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1024}
002 "work" #2: initiating Quick Mode PSK+ENCRYPT+DONT_REKEY+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:880c0dee proposal=defaults pfsgroup=no-pfs}
117 "work" #2: STATE_QUICK_I1: initiate
002 "work" #2: byte 7 of ISAKMP NAT-OA Payload should have been zero, but was not (ignored)
002 "work" #2: byte 8 of ISAKMP NAT-OA Payload should have been zero, but was not (ignored)
002 "work" #2: byte 7 of ISAKMP NAT-OA Payload should have been zero, but was not (ignored)
002 "work" #2: byte 8 of ISAKMP NAT-OA Payload should have been zero, but was not (ignored)
003 "work" #2: NAT-Traversal: received 2 NAT-OA. Ignored because peer is not NATed
002 "work" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "work" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0x025a9f5d <0xb9efc96d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=180.211.105.234:4500 DPD=active}

Looking at "IPsec SA established transport mode", I am assuming that the IPsec tunnel is established.

Should it be transport mode or tunnel mode?

Later, listing the network interfaces, I can find the interface there:

[jay@alienware ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp59s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 84:7b:eb:3a:38:26 brd ff:ff:ff:ff:ff:ff
3: wlp60s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 9c:b6:d0:0d:75:53 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.101/24 brd 192.168.0.255 scope global dynamic wlp60s0
       valid_lft 6793sec preferred_lft 6793sec
    inet6 fe80::59f5:4465:15a7:c01c/64 scope link 
       valid_lft forever preferred_lft forever
4: ip_vti0@NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0

Here ip_vti0 is the new interface created by the tunnel, but why is no IP address assigned to it?
Shouldn't it get a valid address from the VPN's subnet?

Last edited by jayendra (2017-07-22 03:52:07)
