[Swan] libreswan-3.18dr2 with ipsec0 VTI interface and NAT OE support

Paul Wouters paul at nohats.ca
Fri May 20 13:22:53 UTC 2016


It is created on the first tunnel establishment. It is not yet always deleted because we are still pondering how to deal with all use cases, e.g. multiple tunnels sharing a device.

Sent from my iPhone

> On May 20, 2016, at 07:19, Muenz, Michael <m.muenz at spam-fetish.org> wrote:
> 
>> Am 20.05.2016 um 11:20 schrieb Muenz, Michael:
>>> Am 13.05.2016 um 21:52 schrieb Paul Wouters:
>>> 
>>> Hi,
>>> 
>>> A lot of people have been asking us about VTI support for route-based
>>> VPN. We have an initial developer release ready to test that
>>> feature. Additionally, this VTI feature allows you to have an ipsec0
>>> interface like KLIPS would give you, where you can run tcpdump and
>>> iptables on the "clear" interface.
>>> 
>>> I wrote up a wiki page explaining the feature and how to configure it:
>>> 
>>> https://libreswan.org/wiki/Route-based_VPN_using_VTI
>> 
>> Hi,
>> 
>> what are the exact requirements?
> 
> Sorry, didn't realize it only comes up after successful SA :D
> 
> 
> May 20 11:16:48 debian pluto[1484]: "routed-vpn" #114: initiating Main Mode
> May 20 11:17:20 debian pluto[1484]: "routed-vpn" #114: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> May 20 11:17:20 debian pluto[1484]: "routed-vpn" #114: STATE_MAIN_I2: sent MI2, expecting MR2
> May 20 11:17:20 debian pluto[1484]: "routed-vpn" #114: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> May 20 11:17:20 debian pluto[1484]: "routed-vpn" #114: STATE_MAIN_I3: sent MI3, expecting MR3
> May 20 11:17:20 debian pluto[1484]: "routed-vpn" #114: Main mode peer ID is ID_IPV4_ADDR: 'x'
> May 20 11:17:20 debian pluto[1484]: "routed-vpn" #114: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> May 20 11:17:20 debian pluto[1484]: "routed-vpn" #114: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
> May 20 11:17:20 debian pluto[1484]: "routed-vpn" #115: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#114 msgid:b39edce3 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
> May 20 11:17:20 debian pluto[1484]: "routed-vpn" #115: prepare-client output: creating vti interface
> May 20 11:17:20 debian pluto[1484]: "routed-vpn" #115: prepare-client output: net.ipv4.conf.vti01.disable_policy = 1
> May 20 11:17:20 debian pluto[1484]: "routed-vpn" #115: prepare-client output: net.ipv4.conf.vti01.rp_filter = 0
> May 20 11:17:20 debian pluto[1484]: "routed-vpn" #115: prepare-client output: net.ipv4.conf.vti01.forwarding = 1
> May 20 11:17:20 debian pluto[1484]: "routed-vpn" #115: route-client output: addvti called
> May 20 11:17:20 debian pluto[1484]: "routed-vpn" #115: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> May 20 11:17:20 debian pluto[1484]: "routed-vpn" #115: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xb7e67480 <0x552f8c27 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
> 
> 
> Will play around a bit!
> 
> 
> Michael
> 
> 
> -- 
> www.muenz-it.de
> - Cisco, Linux, Networks
> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
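The log Michael posted answers his own question: pluto runs the updown script's prepare-client and route-client phases inside the Quick Mode state (#115), so the vti device and its sysctls only appear once phase 1 is done and the IPsec SA is being installed. The parser below is an added example (not code from this thread or from libreswan) that walks pluto lines of that shape and reports when the vti was created, which sysctls the updown output set, and the ESP SPIs. The sample lines are a condensed copy of the ones quoted above; the set of expected sysctl values and the finding messages are this example's own choices, not anything libreswan checks for you.

```python
"""Trace a libreswan VTI tunnel coming up from pluto log lines (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a condensed copy of the pluto lines quoted in the thread.
SAMPLE_LOG = """\
May 20 11:16:48 debian pluto[1484]: "routed-vpn" #114: initiating Main Mode
May 20 11:17:20 debian pluto[1484]: "routed-vpn" #114: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
May 20 11:17:20 debian pluto[1484]: "routed-vpn" #115: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#114 msgid:b39edce3 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
May 20 11:17:20 debian pluto[1484]: "routed-vpn" #115: prepare-client output: creating vti interface
May 20 11:17:20 debian pluto[1484]: "routed-vpn" #115: prepare-client output: net.ipv4.conf.vti01.disable_policy = 1
May 20 11:17:20 debian pluto[1484]: "routed-vpn" #115: prepare-client output: net.ipv4.conf.vti01.rp_filter = 0
May 20 11:17:20 debian pluto[1484]: "routed-vpn" #115: prepare-client output: net.ipv4.conf.vti01.forwarding = 1
May 20 11:17:20 debian pluto[1484]: "routed-vpn" #115: route-client output: addvti called
May 20 11:17:20 debian pluto[1484]: "routed-vpn" #115: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xb7e67480 <0x552f8c27 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
"""

# syslog prefix, then pluto's  "conn" #state: message  layout
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
# sysctl lines echoed by the updown script, e.g. net.ipv4.conf.vti01.rp_filter = 0
SYSCTL_RE = re.compile(
    r'(?:prepare|route)-client output: '
    r'net\.ipv4\.conf\.(?P<dev>[^.]+)\.(?P<key>\w+) = (?P<val>\S+)')
ESP_RE = re.compile(r'ESP=>(?P<out>0x[0-9a-f]+) <(?P<in>0x[0-9a-f]+)')


@dataclass
class VtiEvents:
    conn: str = ""
    isakmp_sa: Optional[int] = None       # state number of the ISAKMP (phase 1) SA
    ipsec_sa: Optional[int] = None        # state number of the IPsec (phase 2) SA
    vti_created_in: Optional[int] = None  # state whose updown run created the vti
    sysctls: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (dev, key) -> value
    spi_out: str = ""
    spi_in: str = ""


def parse_pluto_log(text: str) -> VtiEvents:
    """Extract the tunnel-establishment timeline from pluto log lines."""
    ev = VtiEvents()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev.conn = m["conn"]
        sa, msg = int(m["sa"]), m["msg"]
        if "ISAKMP SA established" in msg:
            ev.isakmp_sa = sa
        elif "creating vti interface" in msg:
            ev.vti_created_in = sa
        s = SYSCTL_RE.search(msg)
        if s:
            ev.sysctls[(s["dev"], s["key"])] = s["val"]
        if "IPsec SA established" in msg:
            ev.ipsec_sa = sa
            e = ESP_RE.search(msg)
            if e:
                ev.spi_out, ev.spi_in = e["out"], e["in"]
    return ev


# The values the updown output in the thread sets (this example's expectation):
EXPECTED_SYSCTLS = {
    "disable_policy": "1",  # kernel skips the IPsec SPD check on the vti device,
    "rp_filter": "0",       # so routing and iptables on the "clear" vti interface
    "forwarding": "1",      # are what decides which traffic enters the tunnel.
}


def check_vti_setup(ev: VtiEvents, dev: str) -> List[str]:
    """Return findings about the vti bring-up; an empty list means all as expected."""
    findings = []
    if ev.isakmp_sa is None or ev.ipsec_sa is None:
        findings.append("tunnel never fully established")
    if ev.vti_created_in is None:
        findings.append("no 'creating vti interface' updown output seen")
    elif ev.vti_created_in != ev.ipsec_sa:
        findings.append("vti created outside the IPsec SA negotiation")
    for key, want in EXPECTED_SYSCTLS.items():
        got = ev.sysctls.get((dev, key))
        if got != want:
            findings.append(f"net.ipv4.conf.{dev}.{key} = {got!r}, expected {want}")
    return findings


if __name__ == "__main__":
    events = parse_pluto_log(SAMPLE_LOG)
    print(events)
    print(check_vti_setup(events, "vti01") or "vti01 came up as expected")
```

The practical point the sysctl lines make: with disable_policy=1 the kernel no longer enforces IPsec policy on packets leaving or arriving on the vti device, so whatever tcpdump shows and iptables filters on that interface is the only place traffic selection happens for a route-based tunnel. Feed this parser `journalctl -u ipsec` or the pluto syslog output from a host where the vti never appears, and the first finding tells you whether you never reached the IPsec SA at all (phase 1 failure) or reached it without the updown script doing its vti work.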