[Swan] libreswan-3.18dr2 with ipsec0 VTI interface and NAT OE support
Muenz, Michael
m.muenz at spam-fetish.org
Fri May 20 09:20:22 UTC 2016
On 13.05.2016 at 21:52, Paul Wouters wrote:
>
> Hi,
>
> A lot of people have been asking us about VTI support for route-based
> VPN. We have an initial developer release ready to test that
> feature. Additionally, this VTI feature allows you to have an ipsec0
> interface like KLIPS would give you, where you can run tcpdump and
> iptables on the "clear" interface.
>
> I wrote up a wiki page explaining the feature and how to configure it:
>
> https://libreswan.org/wiki/Route-based_VPN_using_VTI
Hi,
what are the exact requirements?
I've installed dr2 successfully on a Debian Jessie / OpenStack
environment (make deb), but there's no vti01 interface:
May 20 09:14:58 debian pluto[1484]: NSS DB directory: sql:/etc/ipsec.d
May 20 09:14:58 debian pluto[1484]: NSS initialized
May 20 09:14:58 debian pluto[1484]: libcap-ng support [disabled]
May 20 09:14:58 debian pluto[1484]: FIPS HMAC integrity support [disabled]
May 20 09:14:58 debian pluto[1484]: Linux audit support [disabled]
May 20 09:14:58 debian pluto[1484]: Starting Pluto (Libreswan Version
3.18dr2 XFRM(netkey) KLIPS USE_FORK USE_PTHREAD_SETSCHEDPRIO NSS DNSSEC
USE_SYSTEMD_WATCHDOG XAUTH_PAM NETWORKMANAGER CURL(non-NSS)
LDAP(non-NSS)) pid:1484
May 20 09:14:58 debian pluto[1484]: core dump dir: /var/run/pluto/
May 20 09:14:58 debian pluto[1484]: secrets file: /etc/ipsec.secrets
May 20 09:14:58 debian pluto[1484]: leak-detective disabled
May 20 09:14:58 debian pluto[1484]: NSS crypto [enabled]
May 20 09:14:58 debian pluto[1484]: XAUTH PAM support [enabled]
May 20 09:14:58 debian pluto[1484]: NAT-Traversal support [enabled]
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC_SSH: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating
OAKLEY_SERPENT_CBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating
OAKLEY_AES_CTR: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating
OAKLEY_AES_GCM_A: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating
OAKLEY_AES_GCM_B: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating
OAKLEY_AES_GCM_C: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_hash(): Activating
DISABLED-OAKLEY_AES_XCBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating
OAKLEY_CAMELLIA_CBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating
OAKLEY_CAMELLIA_CTR: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_512: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_384: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_256: Ok
May 20 09:14:58 debian pluto[1484]: starting up 1 crypto helpers
May 20 09:14:58 debian pluto[1484]: started thread for crypto helper 0
(master fd 10)
May 20 09:14:58 debian pluto[1484]: Using Linux XFRM/NETKEY IPsec
interface code on 3.16.0-4-amd64
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating
aes_ccm_8: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating
aes_ccm_12: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating
aes_ccm_16: Ok
May 20 09:14:59 debian pluto[1484]: added connection description
"v6neighbor-hole-in"
May 20 09:14:59 debian pluto[1484]: added connection description
"v6neighbor-hole-out"
May 20 09:14:59 debian pluto[1484]: added connection description
"routed-vpn"
May 20 09:14:59 debian pluto[1484]: listening for IKE messages
May 20 09:14:59 debian pluto[1484]: adding interface eth0/eth0 X:500
May 20 09:14:59 debian pluto[1484]: adding interface eth0/eth0 X:4500
May 20 09:14:59 debian pluto[1484]: adding interface lo/lo 127.0.0.1:500
May 20 09:14:59 debian pluto[1484]: adding interface lo/lo 127.0.0.1:4500
May 20 09:14:59 debian pluto[1484]: adding interface lo/lo ::1:500
May 20 09:14:59 debian pluto[1484]: | setup callback for interface
lo:500 fd 20
May 20 09:14:59 debian pluto[1484]: | setup callback for interface
lo:4500 fd 19
May 20 09:14:59 debian pluto[1484]: | setup callback for interface
lo:500 fd 18
May 20 09:14:59 debian pluto[1484]: | setup callback for interface
eth0:4500 fd 17
May 20 09:14:59 debian pluto[1484]: | setup callback for interface
eth0:500 fd 16
May 20 09:14:59 debian pluto[1484]: loading secrets from
"/etc/ipsec.secrets"
May 20 09:14:59 debian pluto[1484]: reapchild failed with errno=10 No
child processes
conn routed-vpn
    left=x
    right=y
    authby=secret
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    auto=add
    # route-based VPN requires marking and an interface
    mark=5/0xffffffff
    vti-interface=vti01
    # do not set up routing because we don't want to send 0.0.0.0/0
    # over the tunnel
    vti-routing=no
x y : PSK "G4654DFGdfgjhhgsdDEdfghBNjuz"
Best regards
Michael
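An added example, not from this thread and not libreswan's own code, for checking the two things the question above turns on: whether the kernel can create a VTI device at all, and what libreswan's mark= and vti-interface= values translate into at tunnel-up. It assumes (from the configuration posted above) mark=5/0xffffffff and vti-interface=vti01, that the device is created by libreswan's _updown.netkey script only when the tunnel is brought up (so with auto=add and no `ipsec auto --up`, no vti01 existing yet is expected), that the ip_vti kernel module is the prerequisite, and that the sysctl settings mirror the wiki's recommendations; the sample ipsec.conf text is constructed from the posted conn, with x/y standing in for addresses.

```shell
#!/bin/sh
# Added example (not libreswan code, not from the mailing-list thread).
# Assumptions: conn uses mark=5/0xffffffff and vti-interface=vti01; the VTI
# device is created by _updown.netkey at tunnel-up, not at "ipsec auto --add";
# ip_vti is the kernel prerequisite; the sysctls below follow the wiki.

# Extract the VTI key from a libreswan mark= value: "5/0xffffffff" -> "5".
vti_key_from_mark() {
    printf '%s\n' "${1%%/*}"
}

# The kernel's vti "key" is compared against the full 32-bit xfrm mark, so
# anything other than a 0xffffffff mask risks selecting the wrong SA (or none).
# Returns 0 when the mask is acceptable.
vti_mask_ok() {
    case "$1" in
        */0xffffffff|*/0xFFFFFFFF) return 0 ;;
        *) return 1 ;;
    esac
}

# Read ipsec.conf text on stdin and print "IFACE KEY" for the named conn,
# or nothing if either vti-interface= or mark= is missing from it.
conn_vti_params() {
    awk -v want="$1" '
        /^conn[ \t]/ { cur = $2; next }
        cur == want && $0 ~ /^[ \t]*(mark|vti-interface)[ \t]*=/ {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
            v[kv[1]] = kv[2]
        }
        END {
            if (("vti-interface" in v) && ("mark" in v)) {
                sub(/\/.*/, "", v["mark"])
                print v["vti-interface"], v["mark"]
            }
        }'
}

# Print the ip(8)/sysctl commands equivalent to what the updown script is
# assumed to run at tunnel-up (compare against _updown.netkey on your host).
vti_up_cmds() {
    left=$1; right=$2; iface=$3; key=$4
    printf 'ip link add %s type vti local %s remote %s key %s\n' "$iface" "$left" "$right" "$key"
    printf 'ip link set %s up\n' "$iface"
    # Plain-text packets leave via the VTI, so xfrm policy checks and rp_filter
    # on that device must be off; otherwise decrypted packets get dropped.
    printf 'sysctl -w net.ipv4.conf.%s.disable_policy=1\n' "$iface"
    printf 'sysctl -w net.ipv4.conf.%s.rp_filter=0\n' "$iface"
}

# Kernel prerequisite: ip_vti (CONFIG_NET_IPVTI). Returns 0 if available.
check_vti_support() {
    [ -d /sys/module/ip_vti ] || modinfo ip_vti >/dev/null 2>&1
}

# Constructed sample mirroring the conn from the mail (x/y stand in for IPs).
SAMPLE_CONF='conn routed-vpn
    left=x
    right=y
    authby=secret
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    auto=add
    mark=5/0xffffffff
    vti-interface=vti01
    vti-routing=no
'

if [ "${1:-}" = "show" ]; then
    set -- $(printf '%s' "$SAMPLE_CONF" | conn_vti_params routed-vpn)
    if check_vti_support; then
        echo "ip_vti: present"
    else
        echo "ip_vti: missing - no vti device can be created on this kernel"
    fi
    echo "tunnel-up would run:"
    vti_up_cmds x y "$1" "$2"
fi
```

Run it as `sh vti-check.sh show`; if ip_vti is reported missing, no configuration change in ipsec.conf will produce vti01, and if it is present, the device should only be expected after `ipsec auto --up routed-vpn`.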