[Swan] vti support

Paul Wouters paul at nohats.ca
Wed Jun 1 02:36:52 UTC 2016

On Wed, 1 Jun 2016, Charles Wyble wrote:

> Anyway I'm having a terrible time with VTI. I can't get packets to transit the tunnel. I'm hoping it's something incredibly stupid, and I'll get called out in 2 seconds...

Maybe :)

> So here's the Cisco side:

I cannot help you there, but:

> interface Tunnel0
> ip address
> tunnel source
> tunnel destination
> tunnel mode ipsec ipv4
> tunnel protection ipsec profile VTI

> # Connection to rack at JUAF-SAT01
> conn    satx
>        left=        #ovh outside ip
>        leftsubnet=  #ovh network
>        #leftsubnet=
>        leftid=    #ikeid of ovh side
>        right=                 #IOS outside address
>        rightsubnet=        #network behind IOS
>        #rightsubnet=
>        rightid=             #IKEID sent by IOS
>        ike=aes128-sha1;modp4096
>        esp=aes128-sha1
>        type=tunnel
>        authby=secret
>        auth=esp
>        keyexchange=ike
>        keyingtries=2
>        disablearrivalcheck=no
>        ikev2=no
>        auto=start
>        mark=5/0xffffffff
>        vti-interface=vti01

You need to set vti-routing=yes, but I do believe that is the default.

But when you set the leftsubnet and rightsubnet, you limit the tunnel
to those IP ranges. Your ping:

> satx-rtr01#ping
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:

is coming from, which doesn't fall within

If you type "ip route list" you will see that only got
routed into the vti01 device, and only those packets will end up getting

> 24: vti01 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1332 qdisc noqueue state UNKNOWN group default
>    link/ipip peer

That only shows you the gateway IPs to which the VTI tunnel is bound.
You need to use "ip xfrm pol" (or actually ip -s xfrm pol) to see
which packets will match the policy to get encrypted for the IPsec SA.
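
The selector check Paul describes, as an added example that is not part of the original thread or of libreswan: it parses constructed `ip xfrm policy` output (placeholder subnets and gateway addresses, not the poster's) and reports whether a given source/destination pair falls inside any policy selector for the mark-bound tunnel.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output (not from the original thread);
# the selectors are placeholder documentation/private ranges, not real addresses.
SAMPLE_XFRM_POLICY = """\
src 10.10.0.0/24 dst 192.168.50.0/24
    dir out priority 1040351 ptype main
    mark 0x5/0xffffffff
    tmpl src 198.51.100.10 dst 203.0.113.20
        proto esp reqid 16389 mode tunnel
src 192.168.50.0/24 dst 10.10.0.0/24
    dir in priority 1040351 ptype main
    mark 0x5/0xffffffff
    tmpl src 203.0.113.20 dst 198.51.100.10
        proto esp reqid 16389 mode tunnel
"""

def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` output into dicts with src, dst, dir and mark."""
    policies, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^src (\S+) dst (\S+)", line)
        if m:  # a new policy entry starts with its selector line
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2)),
                   "dir": None, "mark": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"^\s*dir (\w+)", line)  # socket policies have no 'dir' line
        if m:
            cur["dir"] = m.group(1)
        m = re.match(r"^\s*mark (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)", line)
        if m:
            cur["mark"] = (int(m.group(1), 16), int(m.group(2), 16))
    return policies

def matching_policy(policies, src_ip, dst_ip, direction="out"):
    """Return the first policy whose selectors cover src_ip -> dst_ip, else None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p
    return None
```

A packet sourced from the peer's outside address rather than from its configured subnet matches no policy, which is exactly the symptom of a ping sent from the router's own interface instead of from the protected network.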


