[Swan] virtual tunnel interface (VTI) support
Ruben Laban
r.laban+lists at ism.nl
Thu Oct 29 11:14:21 UTC 2015
On 29-10-2015 10:51, Paul Wouters wrote:
> On Thu, 29 Oct 2015, Tom Harbert wrote:
>
>> I am looking at migrating from Strongswan to libreswan on an Ubuntu
>> 14.04 system.
>>
>> # dpkg -l | grep libreswan
>> ii libreswan 1:3.14-1
>> amd64 Internet Key
>> Exchange daemon
>>
>> Is it possible to implement IPSec over a virtual tunnel interfaces
>> (VTI) ? In strongswan, to do this a
>> mark is set under the connection profile (mark=x) and this corresponds
>> to the tunnel interface key:
>>
>> $ ip link add $INTERFACE type vti local $LOCAL_IP remote $REMOTE_IP
>> key $KEY
>
> What is $INTERFACE filled in with? vtixx where xx is the mark?
> What is $KEY?
Based on my not-so-fruitful VTI research:
$INTERFACE would be an "arbitrary" name for the tunnel interface to be
created.
$KEY would be an "arbitrary" number which is to match with the key
configured in the libreswan/Strongswan configuration (a bit like how
fwmarks can be used to glue iptables and tc together).
>> AWS require VTI as opposed to GRE tunnels.
>
> I'm happy to write a patch to support this, but I'm not sure yet I fully
> understand the setup.
If only there'd be some decent documentation on VTI support in linux
indeed :-(
Regards,
Ruben
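The thread's point is that the number given as `key` on the `ip link add ... type vti` line has to be the same number as the connection's `mark=`. The script below is an added example (it is not from this thread, and it is not libreswan or strongSwan code): it reads the `mark=`, `left=` and `right=` options of one `conn` block from an ipsec.conf-style text and emits the matching `ip(8)` commands, so the key is derived from the configuration instead of being typed in twice. The configuration text, the conn names and the interface name are constructed for the example; stripping a `/mask` suffix from the mark value is an assumption made so that a `value/mask` form is also accepted. The commands are only printed, so the script runs without root and without touching the network stack.

```sh
#!/bin/sh
# Added example: derive the VTI creation commands from a conn block's mark=
# so the interface key and the connection mark cannot drift apart.

# Constructed sample configuration (ipsec.conf syntax). "aws-vpn" carries a
# mark=, "nomark" deliberately does not, to show the failure path.
SAMPLE_CONF='conn aws-vpn
    left=192.0.2.1
    right=203.0.113.2
    mark=42
conn nomark
    left=192.0.2.1
    right=203.0.113.3
'

# conn_option CONF CONN KEY -> prints the value of KEY inside conn CONN
# (nothing if the conn or the option does not exist).
conn_option() {
    printf '%s\n' "$1" | awk -v conn="$2" -v key="$3" '
        /^conn[ \t]+/ { inconn = ($2 == conn); next }
        inconn && $0 ~ ("^[ \t]*" key "=") { sub(/^[ \t]*[^=]*=/, ""); print; exit }
    '
}

# valid_vti_key N -> 0 if N is a decimal integer that fits the 32-bit VTI key.
valid_vti_key() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 4294967295 ]
}

# vti_commands CONF CONN IFNAME -> prints the ip(8) commands that create a VTI
# whose key equals the conn's mark=. Returns 1 if the conn has no usable mark.
vti_commands() {
    conf=$1; conn=$2; ifname=$3
    mark=$(conn_option "$conf" "$conn" mark)
    mark=${mark%%/*}   # assumption: accept a value/mask form and keep the value
    valid_vti_key "$mark" || return 1
    local_ip=$(conn_option "$conf" "$conn" left)
    remote_ip=$(conn_option "$conf" "$conn" right)
    printf 'ip link add %s type vti local %s remote %s key %s\n' \
        "$ifname" "$local_ip" "$remote_ip" "$mark"
    printf 'ip link set %s up\n' "$ifname"
}

# Stand-alone usage: print the commands for the constructed "aws-vpn" conn.
vti_commands "$SAMPLE_CONF" aws-vpn vti42
```

Because the key is pulled from the same `mark=` the IKE daemon will apply, a mismatch can only come from editing the config, not from a stale shell variable; a conn without a numeric mark makes the function return non-zero rather than emit an interface with no key at all.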