[Swan] libreswan-3.18dr2 with ipsec0 VTI interface and NAT OE support

Muenz, Michael m.muenz at spam-fetish.org
Fri May 20 09:20:22 UTC 2016


On 13.05.2016 at 21:52, Paul Wouters wrote:
>
> Hi,
>
> A lot of people have been asking us about VTI support for route-based
> VPN. We have an initial developer release ready to test that
> feature. Additionally, this VTI feature allows you to have an ipsec0
> interface like KLIPS would give you, where you can run tcpdump and
> iptables on the "clear" interface.
>
> I wrote up a wiki page explaining the feature and how to configure it:
>
> https://libreswan.org/wiki/Route-based_VPN_using_VTI 

Hi,

What are the exact requirements?
I've installed dr2 successfully on a Debian Jessie / OpenStack
environment (make deb), but there's no vti01 interface:

May 20 09:14:58 debian pluto[1484]: NSS DB directory: sql:/etc/ipsec.d
May 20 09:14:58 debian pluto[1484]: NSS initialized
May 20 09:14:58 debian pluto[1484]: libcap-ng support [disabled]
May 20 09:14:58 debian pluto[1484]: FIPS HMAC integrity support [disabled]
May 20 09:14:58 debian pluto[1484]: Linux audit support [disabled]
May 20 09:14:58 debian pluto[1484]: Starting Pluto (Libreswan Version 3.18dr2 XFRM(netkey) KLIPS USE_FORK USE_PTHREAD_SETSCHEDPRIO NSS DNSSEC USE_SYSTEMD_WATCHDOG XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:1484
May 20 09:14:58 debian pluto[1484]: core dump dir: /var/run/pluto/
May 20 09:14:58 debian pluto[1484]: secrets file: /etc/ipsec.secrets
May 20 09:14:58 debian pluto[1484]: leak-detective disabled
May 20 09:14:58 debian pluto[1484]: NSS crypto [enabled]
May 20 09:14:58 debian pluto[1484]: XAUTH PAM support [enabled]
May 20 09:14:58 debian pluto[1484]: NAT-Traversal support  [enabled]
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_AES_CTR: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_A: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_B: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_C: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
May 20 09:14:58 debian pluto[1484]: starting up 1 crypto helpers
May 20 09:14:58 debian pluto[1484]: started thread for crypto helper 0 (master fd 10)
May 20 09:14:58 debian pluto[1484]: Using Linux XFRM/NETKEY IPsec interface code on 3.16.0-4-amd64
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating aes_ccm_12: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating aes_ccm_16: Ok
May 20 09:14:59 debian pluto[1484]: added connection description "v6neighbor-hole-in"
May 20 09:14:59 debian pluto[1484]: added connection description "v6neighbor-hole-out"
May 20 09:14:59 debian pluto[1484]: added connection description "routed-vpn"
May 20 09:14:59 debian pluto[1484]: listening for IKE messages
May 20 09:14:59 debian pluto[1484]: adding interface eth0/eth0 X:500
May 20 09:14:59 debian pluto[1484]: adding interface eth0/eth0 X:4500
May 20 09:14:59 debian pluto[1484]: adding interface lo/lo 127.0.0.1:500
May 20 09:14:59 debian pluto[1484]: adding interface lo/lo 127.0.0.1:4500
May 20 09:14:59 debian pluto[1484]: adding interface lo/lo ::1:500
May 20 09:14:59 debian pluto[1484]: | setup callback for interface lo:500 fd 20
May 20 09:14:59 debian pluto[1484]: | setup callback for interface lo:4500 fd 19
May 20 09:14:59 debian pluto[1484]: | setup callback for interface lo:500 fd 18
May 20 09:14:59 debian pluto[1484]: | setup callback for interface eth0:4500 fd 17
May 20 09:14:59 debian pluto[1484]: | setup callback for interface eth0:500 fd 16
May 20 09:14:59 debian pluto[1484]: loading secrets from "/etc/ipsec.secrets"
May 20 09:14:59 debian pluto[1484]: reapchild failed with errno=10 No child processes

conn routed-vpn
     left=x
     right=y
     authby=secret
     leftsubnet=0.0.0.0/0
     rightsubnet=0.0.0.0/0
     auto=add
     # route-based VPN requires marking and an interface
     mark=5/0xffffffff
     vti-interface=vti01
     # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
     vti-routing=no


x y : PSK "G4654DFGdfgjhhgsdDEdfghBNjuz"


Best regards
Michael
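The following is an added example, not libreswan's own updown script nor anything taken from the wiki page above. It reads a conn block of the shape posted here, pulls out the mark and vti-interface values, and prints the iproute2 commands that create the matching VTI device by hand. On Linux a vti device is tied to the XFRM policies by its key, so the key must equal the mark value from mark=VALUE/MASK; printing the commands makes that mapping visible and gives something to compare against when the interface does not show up. The addresses 192.0.2.1 and 198.51.100.1 are assumed stand-ins for the "x" and "y" in the post, and the disable_policy sysctl is the commonly recommended setting for the clear-side vti device, not something this thread states.

```shell
#!/bin/sh
# Added example (not libreswan's updown script): derive the VTI device
# parameters from a route-based conn block and print the iproute2 commands
# that would create the matching interface.
#
# Constructed input: the conn from this post, with 192.0.2.1/198.51.100.1
# assumed as stand-ins for the "x" and "y" placeholders.
CONN_BLOCK='conn routed-vpn
     left=192.0.2.1
     right=198.51.100.1
     authby=secret
     leftsubnet=0.0.0.0/0
     rightsubnet=0.0.0.0/0
     auto=add
     mark=5/0xffffffff
     vti-interface=vti01
     vti-routing=no'

# conn_get KEY: print the value of "KEY=" from CONN_BLOCK (first match only).
# The "=" anchors the key, so "left" does not match "leftsubnet".
conn_get() {
    printf '%s\n' "$CONN_BLOCK" |
        sed -n "s/^[[:space:]]*$1=\(.*\)$/\1/p" | head -n 1
}

# vti_key: the kernel matches packets routed into a vti device to XFRM
# policies by mark, so the device key must equal the mark value, i.e. the
# part of mark=VALUE/MASK before the slash.
vti_key() {
    conn_get mark | cut -d/ -f1
}

# vti_mask: the mark mask; `ip xfrm policy` shows it as mark 0x5/0xffffffff.
vti_mask() {
    conn_get mark | cut -d/ -f2
}

# vti_commands: print the commands that create the device. They are printed
# rather than executed so the logic can be inspected and tested without root;
# pipe them into sh on the gateway once the conn is loaded.
vti_commands() {
    dev=$(conn_get vti-interface)
    key=$(vti_key)
    left=$(conn_get left)
    right=$(conn_get right)
    printf 'ip link add %s type vti key %s local %s remote %s\n' \
        "$dev" "$key" "$left" "$right"
    # Commonly recommended for vti devices (assumption, not from this thread):
    # the policy match already happened via the mark, so skip the per-interface
    # policy check on the clear side to avoid dropping decapsulated packets.
    printf 'sysctl -w net.ipv4.conf.%s.disable_policy=1\n' "$dev"
    printf 'ip link set %s up\n' "$dev"
}

# vti_present DEV: succeed if the kernel already has the device.
vti_present() {
    [ -d "/sys/class/net/$1" ]
}

# Usage: show the commands, then report whether the device exists yet.
vti_commands
dev=$(conn_get vti-interface)
if vti_present "$dev"; then
    echo "$dev exists"
else
    echo "$dev missing: is the ip_vti module loaded and has the conn been brought up?"
fi
```

Because the posted conn sets vti-routing=no, nothing installs routes into the device; after the interface exists you still add the prefixes you want encrypted yourself, for example `ip route add 10.0.0.0/8 dev vti01`, rather than the 0.0.0.0/0 that the leftsubnet/rightsubnet lines would otherwise imply. Running `tcpdump -i vti01` then shows the clear-text side that Paul's note describes.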

