[Swan] virtual tunnel interface (VTI) support

Ruben Laban r.laban+lists at ism.nl
Thu Oct 29 11:14:21 UTC 2015


On 29-10-2015 10:51, Paul Wouters wrote:
> On Thu, 29 Oct 2015, Tom Harbert wrote:
>
>> I am looking at migrating from Strongswan to libreswan on an Ubuntu
>> 14.04 system.
>>
>> # dpkg -l | grep libreswan
>> ii  libreswan                           1:3.14-1
>>   amd64        Internet Key
>> Exchange daemon
>>
>> Is it possible to implement IPSec over a virtual tunnel interfaces
>> (VTI) ?  In strongswan, to do this a
>> mark is set under the connection profile (mark=x) and this corresponds
>> to the tunnel interface key:
>>
>> $ ip link add $INTERFACE type vti local $LOCAL_IP remote $REMOTE_IP
>> key $KEY
>
> What is $INTERFACE filled in with? vtixx where xx is the mark?
> What is $KEY?

Based on my not-so-fruitful VTI research:

$INTERFACE would be an "arbitrary" name for the tunnel interface to be 
created.
$KEY would an "aribitrary" number which is to match with the key 
configured in the libreswan/Strongswan configuration (a bit like how 
fwmarks can be used to glue iptables and tc together).

>> AWS require VTI as opposed to GRE tunnels.
>
> I'm happy to write a patch to support this, but I'm not sure yet I fully
> understand the setup.

If only there'd be some decent documentation on VTI support in linux 
indeed :-(

Regards,
Ruben



More information about the Swan mailing list