[Swan] vti support

Paul Wouters paul at nohats.ca
Wed Jun 1 15:41:04 UTC 2016


On Wed, 1 Jun 2016, Roberto Suárez Soto wrote:

> Sorry to be late to the party, but I've just noticed this thread. Does VTI support mean that we don't have to use GRE+IPSec anymore? Do
> these tunnels support dynamic routing protocols, like RIP, BGP and OSPF? (especially considering that OSPF uses multicast)

If you use a routing based VPN from 0.0.0.0/0 to 0.0.0.0/0 then
you can dynamically route into the vti device to send traffic
over the tunnel:

conn vti
	[...]
	leftsubnet=0.0.0.0/0
	rightsubnet=0.0.0.0/0
	vti-interface=vti0
	vti-routing=no
	mark=5/0xffffffff

When the connection comes up, you have a vti0 device. You can use
ip rule and ip route to do source and/or destination based routing
into the device to get those ranges encrypted and sent over the
tunnel.

Use vti-routing=yes if you just want to let libreswan do the routing
for you, which obviously cannot be done for 0/0 to 0/0 tunnels, but
can be done for simpler tunnels, like:

conn vti
	[...]
	leftsubnet=0.0.0.0/0
	rightsubnet=10.0.0.0/8
	vti-interface=vti0
	vti-routing=yes
	mark=5/0xffffffff

This will cause all packets destined for 10/8 to get encrypted without
any additional manual routing changes.

If people use this in a neat setup, please let us know because we would
like to add some example uses to our wiki.

See: https://libreswan.org/wiki/Route-based_VPN_using_VTI

Note: you need to use libreswan-3.18dr2 or git master for this feature.
       We are planning to do the full 3.18 release later this week.

Paul
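As an added example (not from the mail above and not libreswan's own code), the script below generates the ip route / ip rule commands for the vti-routing=no, 0/0-to-0/0 case described in the reply: a destination-based route into vti0 and a source-based rule via a separate routing table. All addresses, the table number, the peer and the eth0 underlay are assumed placeholders; it also pins a host route for the IKE peer to the underlay, because with a 0/0 policy a default route into vti0 would otherwise capture the ESP/IKE packets themselves.

```shell
#!/bin/sh
# Added example: build the routing commands that steer traffic into a
# libreswan-created vti0 (vti-interface=vti0, vti-routing=no, 0/0 <-> 0/0).
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.
: "${DRY_RUN:=1}"

VTI_DEV=vti0
PEER_IP=203.0.113.1        # remote IKE/ESP endpoint (constructed placeholder)
UNDERLAY_GW=192.0.2.1      # next hop toward the peer on the physical NIC (placeholder)
UNDERLAY_DEV=eth0          # physical interface (placeholder)
LOCAL_SRC=10.1.0.0/24      # local range to tunnel, selected by source address
REMOTE_DST=10.2.0.0/16     # remote range to tunnel, selected by destination
VTI_TABLE=100              # policy-routing table used by the source-based rule

# Print or execute a command depending on DRY_RUN.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Keep the peer reachable over the underlay: a default route into vti0
# must never apply to the encrypted packets going to the peer itself.
pin_peer_route() {
    run ip route replace "$PEER_IP/32" via "$UNDERLAY_GW" dev "$UNDERLAY_DEV"
}

# Destination-based routing: everything for REMOTE_DST enters vti0 and is
# encrypted by the 0/0 policy bound to the interface's mark.
dst_route() {
    run ip route replace "$REMOTE_DST" dev "$VTI_DEV"
}

# Source-based routing: packets from LOCAL_SRC consult VTI_TABLE, whose
# default route is vti0, regardless of destination.
src_rule() {
    run ip rule add from "$LOCAL_SRC" lookup "$VTI_TABLE" priority 1000
    run ip route replace default dev "$VTI_DEV" table "$VTI_TABLE"
}

# Emit (or apply) the full set in a safe order: peer pin first.
vti_route_cmds() {
    pin_peer_route
    dst_route
    src_rule
}

vti_route_cmds
```

The source-based part is the piece libreswan cannot do for you with vti-routing=yes; the destination-based route is what vti-routing=yes would install automatically for a narrower rightsubnet.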

