Author Topic: no tun0 interface  (Read 2294 times)

wgoffman

  • Member
  • ***
  • Posts: 9
    • View Profile
no tun0 interface
« on: February 09, 2018, 05:28:14 PM »
hello

during my playground with tunnels on v4.2 (multiple networks routed via same tunnel) i made several resets (service, stats, datastore and app).

after that i found on both nodes interface tun0 disappeared. so i've wan0, eth1 and dummy0 interfaces only and a lot of error on tty7 (attached).

it's not a problem to rollback from snapshot or reinstall from image, just curious what could happened (kernel module fault?) and if somebody interested to dig it up.

thx
« Last Edit: February 09, 2018, 05:58:48 PM by wgoffman »

ahenning

  • Team Wanos
  • Administrator
  • Full Member
  • *****
  • Posts: 625
    • View Profile
Re: no tun0 interface
« Reply #1 on: February 09, 2018, 06:00:41 PM »
Any hostname changes?

The full output of: "sudo click /etc/wanos/wanos.click" would be useful in order to pinpoint the reason.
CCIE RS, CCIE SP, Mnet&sys

Note: Forum posts may be outdated. Please see the latest documentation at wanos.co/docs

wgoffman

  • Member
  • ***
  • Posts: 9
    • View Profile
Re: no tun0 interface
« Reply #2 on: February 09, 2018, 06:24:36 PM »
no, hostname was not changed since initial setup

tc@lob-wanos:~$ sudo click /etc/wanos/wanos.click
Info : <unknown> RSP header len: 8
SPI: invalid number
/etc/wanos/wanos.click:65: While configuring ‘encap_tunnel_rtable :: RadixIPsecLookup’:
  argument 2 should be 'ADDR/MASK [GATEWAY] OUTPUT'
SPI: invalid number
  argument 3 should be 'ADDR/MASK [GATEWAY] OUTPUT'
SPI: invalid number
  argument 4 should be 'ADDR/MASK [GATEWAY] OUTPUT'
/etc/wanos/wanos.click:140: While configuring ‘wanrx_tcpx_policymap :: IPClassifier’:
  warning: output 1 matches no packets
/etc/wanos/wanos.click:234: While configuring ‘StaticThreadSched@172 :: StaticThreadSched’:
  warning: thread preference 1 out of range
  warning: thread preference 1 out of range
Info : policymap Pattern:
  • src 0.0.0.0/0 and dst 0.0.0.0/0 and udp port 53

Info : policymap Pattern: [1] src 0.0.0.0/0 and dst 0.0.0.0/0 and icmp
Info : policymap Pattern: [2] src 0.0.0.0/0 and dst 0.0.0.0/0 and dst udp port > 16384
Info : policymap Pattern: [3] src 0.0.0.0/0 and dst 0.0.0.0/0 and tcp port 22 or 49 or 88 or 261 or 322 or 443 or 448 or 465 or 563 or 585 or 614 or 636 or 684 or 695 or 989 or 990 or 992 or 993 or 994 or 995 or 1701 or 1723 or 2252 or 2478 or 2479 or 2482 or 2484 or 2492 or 2679 or 2762 or 2998 or 3077 or 3078 or 3183 or 3191 or 3220 or 3269 or 3410 or 3424 or 3471 or 3496 or 3509 or 3529 or 3539 or 3660 or 3661 or 3713 or 3747 or 3864 or 3885 or 3896 or 3897 or 3995 or 4031 or 5007 or 5061 or 5723 or 7674 or 9802 or 11751 or 12109
Info : policymap Pattern: [4] src 0.0.0.0/0 and dst 0.0.0.0/0 and tcp port 7 or 23 or 37 or 107 or 179 or 513 or 514 or 1494 or 1718 or 1719 or 1720 or 2000 or 2001 or 2002 or 2003 or 2427 or 2598 or 2727 or 3389 or 5060 or 5631 or 5900 or 5901 or 5902 or 5903 or 6000
Info : policymap Pattern: [5] src 0.0.0.0/0 and dst 0.0.0.0/0 and tcp
/etc/wanos/wanos.click:304: While configuring ‘lanrx_tcpx_policymap :: IPClassifier’:
  warning: output 1 matches no packets
  warning: output 2 matches no packets
/etc/wanos/wanos.click:339: While configuring ‘StaticThreadSched@272 :: StaticThreadSched’:
  warning: thread preference 1 out of range
  warning: thread preference 1 out of range
  warning: thread preference 1 out of range
/etc/wanos/wanos.click:340: While configuring ‘StaticThreadSched@273 :: StaticThreadSched’:
  warning: thread preference 1 out of range
  warning: thread preference 1 out of range
  warning: thread preference 1 out of range
/etc/wanos/wanos.click:350: While configuring ‘StaticThreadSched@277 :: StaticThreadSched’:
  warning: thread preference 1 out of range
  warning: thread preference 1 out of range
/etc/wanos/wanos.click:50: While configuring ‘if_lan_traffic_is_to_tunnel_rtable/tunnel_rt :: RadixIPLookup’:
  warning: 2 routes replaced by later versions
Info : ft Peer added from config file: 172.20.101.11 1 ext-wanos xx-xx-xx-xx-xx-xx
Router could not be initialized!
« Last Edit: February 09, 2018, 07:02:42 PM by wgoffman »

ahenning

  • Team Wanos
  • Administrator
  • Full Member
  • *****
  • Posts: 625
    • View Profile
Re: no tun0 interface
« Reply #3 on: February 09, 2018, 09:04:33 PM »
Ok thank you very much for the useful info:

It appears to be an invalid SPI number in the IPSec configuration, which is part of the pre-shared key. Not sure how that is possible.

You can edit /etc/wanos/wanos.conf and change encapsulation to udp and it should be ok, then try to fix the IPsec rules.

Alternatively reset to defaults with:
/etc/wanos/clean.sh
CCIE RS, CCIE SP, Mnet&sys

Note: Forum posts may be outdated. Please see the latest documentation at wanos.co/docs

wgoffman

  • Member
  • ***
  • Posts: 9
    • View Profile
Re: no tun0 interface
« Reply #4 on: February 09, 2018, 09:26:44 PM »
thx, changing ipsec-udp to udp helps. but it 'lost' tun0 as soon as i switched back udp to ipsec-udp in web interface.

so problem is in 3-in-1 ipsec-tunnel(s) with pre-shared key (3 networks via same tunnel) i've tried to set (see image attached).

thx

ahenning

  • Team Wanos
  • Administrator
  • Full Member
  • *****
  • Posts: 625
    • View Profile
Re: no tun0 interface
« Reply #5 on: February 10, 2018, 08:29:34 AM »
Ok, it looks like there is some check that should prevent switching from udp to ipsec when the pre-shared key is not configured. What is happening is there aren't any pre-shared keys configured, so the UI should not allow ipsec to be enabled, but because the exact steps used it managed to enable ipsec without the keys, hence the error that the SPI is invalid.

I think the following steps would be required:
1) switch to udp
2) delete all tunnel subnets
3) switch to udp-ipsec
4) add tunnels with a valid pre-shared key

We'll take a look at how it was possible to enable ipsec without valid pre-shared keys, as this should be prevented.
CCIE RS, CCIE SP, Mnet&sys

Note: Forum posts may be outdated. Please see the latest documentation at wanos.co/docs

wgoffman

  • Member
  • ***
  • Posts: 9
    • View Profile
Re: no tun0 interface
« Reply #6 on: February 11, 2018, 01:26:09 PM »
4) added tunnel with psk (35 random chars). rebooted one instance. both lost tun0.

wgoffman

  • Member
  • ***
  • Posts: 9
    • View Profile
Re: no tun0 interface
« Reply #7 on: February 15, 2018, 11:08:31 AM »
The problem was in 'pre-shared-key'. Exactly "the first 3 digits". No one reads the manual ;-)

I suppose javascript "check" be added for PSK field (35 chars, first 3 - digits).

ahenning

  • Team Wanos
  • Administrator
  • Full Member
  • *****
  • Posts: 625
    • View Profile
Re: no tun0 interface
« Reply #8 on: February 15, 2018, 12:11:02 PM »
Ok thank you very much for pointing this out. There are some javascript verification already, but it needs some extra checks to ensure 3 characters are digits
CCIE RS, CCIE SP, Mnet&sys

Note: Forum posts may be outdated. Please see the latest documentation at wanos.co/docs

wgoffman

  • Member
  • ***
  • Posts: 9
    • View Profile
Re: no tun0 interface
« Reply #9 on: February 18, 2018, 10:41:31 AM »
Assuming "pre-shared key must be 35 characters long" and "first 3 digits of the pre-shared key signify the SPI and must be unique for each Tunnel Interface ID" why it's required to set 35-chars PSK key?

I'd ask for 32-chars key and concat tunnel's id (like '001') at the beginning of 'real' PSK.

Moreover - PSK already exists for 'second' tunnel (rule that use existing tunnel). So it's not required.

ahenning

  • Team Wanos
  • Administrator
  • Full Member
  • *****
  • Posts: 625
    • View Profile
Re: no tun0 interface
« Reply #10 on: February 18, 2018, 11:22:29 AM »
Thanks for the suggestion.

The reason tunnel id is not part of the SPI is because the SPI must match on both sides. Say for example a hub and spoke, the hub would have 5 tunnels, but the spoke would have 1. In order to make the suggestion work, which we considered initially, it would be required to teach the user to make the tunnel id match on both ends. We would like the learning curve to be as low as possible for the user.

The issue that it is possible to configure the SPI with chars and not digits, is an oversight.

What are your end goals in testing IPSec?
CCIE RS, CCIE SP, Mnet&sys

Note: Forum posts may be outdated. Please see the latest documentation at wanos.co/docs

wgoffman

  • Member
  • ***
  • Posts: 9
    • View Profile
Re: no tun0 interface
« Reply #11 on: February 18, 2018, 12:10:37 PM »
Yep, i missed the point of different numbers (and IDs) of tunnels on each end.

I'm trying to test idea of "my own internet with blackjack and hookers". To connect several regional offices via regional hubs. We've sessions lost (for example - SAP sessions) on current platform with hardware-based VPNs.