[Swan-dev] libreswan-3.18dr2 with ipsec0 VTI interface and NAT OE support

Paul Wouters paul at nohats.ca
Fri May 13 19:52:45 UTC 2016


A lot of people have been asking us about VTI support for route-based
VPN. We have an initial developer release ready to test that
feature. Additionally, this VTI feature allows you to have an ipsec0
interface like KLIPS would give you, where you can run tcpdump and
iptables on the "clear" interface.

I wrote up a wiki page explaining the feature and how to configure it:


You can test this feature with libreswan-3.18dr2 or later:


We are really interested in feedback, especially for current KLIPS
users. Is this feature good enough for you to replace KLIPS' ipsec0
with a VTI based ipsec0 or not? If not, what support is missing?

Another exciting new feature is NAT support for Opportunistic Encryption
that can handle IP address conflicts. We will be updating our OE test
infrastructure and documentation soon.

Below follows the current changelog compared against 3.17.


v3.18 (unreleased)
* XFRM: Support for NAT OE Client Address Translation (leftcat=) [Antony]
* XFRM: Support for VTI using vti-interface= and vti-routing= [Paul/Tuomo]
* KLIPS: Fix for /proc/net/pf_key oops on < 4.4 [Erik Andersson]
* pluto: Fix use of ikev2_cert_req_fields [Lubomir Rintel]
* pluto: Extend mark= support for mark-in= and mark-out= [Paul]
* pluto: Add systemd watchdog support via USE_SYSTEMD_WATCHDOG [Matt/Paul]
* addconn: Find peer IP address when resolving default route [Daniel M. Weeks]
* building: the make variable NSSLIBS was renamed to NSS_LDFLAGS

More information about the Swan-dev mailing list