Ubuntu Pastebin

Paste from Ruben at Tue, 25 Aug 2015 19:11:41 +0000

Download as text 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
On east: 

ip link add vti1 type vti local 192.168.241.1 remote 192.168.241.2 okey 1

ip xfrm policy add dir out mark 1 tmpl src 192.168.241.1 dst 192.168.241.2 proto esp mode tunnel
ip xfrm policy add dir in  mark 1 tmpl src 192.168.241.2 dst 192.168.241.1 proto esp mode tunnel

ip xfrm state add src 192.168.241.1 dst 192.168.241.2 proto esp spi 1000 mode tunnel enc "cbc(aes)" "azertyuiopqsdfgh"
ip xfrm state add src 192.168.241.2 dst 192.168.241.1 proto esp spi 2000 mode tunnel enc "cbc(aes)" "sqbdhgqsdjqjsdfh"

echo 1 > /proc/sys/net/ipv4/conf/vti1/disable_policy
echo 1 > /proc/sys/net/ipv4/conf/vti1/disable_xfrm

ip a a 192.168.242.1/24 dev vti1
ip link set vti1 up




On west:

ip link add vti1 type vti local 192.168.241.2 remote 192.168.241.1 okey 1 

ip xfrm policy add dir out mark 1 tmpl src 192.168.241.2 dst 192.168.241.1 proto esp mode tunnel
ip xfrm policy add dir in  mark 1 tmpl src 192.168.241.1 dst 192.168.241.2 proto esp mode tunnel

ip xfrm state add src 192.168.241.1 dst 192.168.241.2 proto esp spi 1000 mode tunnel enc "cbc(aes)" "azertyuiopqsdfgh"
ip xfrm state add src 192.168.241.2 dst 192.168.241.1 proto esp spi 2000 mode tunnel enc "cbc(aes)" "sqbdhgqsdjqjsdfh"

echo 1 > /proc/sys/net/ipv4/conf/vti1/disable_policy
echo 1 > /proc/sys/net/ipv4/conf/vti1/disable_xfrm

ip a a 192.168.242.2/24 dev vti1
ip link set vti1 up



When pinging from 192.168.242.1 to 192.168.242.2 there's 2 possible scenarios:

1) ping returns destination unreachable immediately (icmp generated locally)
2) ping times out; ESP traffic reaches other node, but doesn't get decrypted and the vti1 device's error count goes up.
Download as text