[Swan] vti support
paul at nohats.ca
Wed Jun 1 15:41:04 UTC 2016
On Wed, 1 Jun 2016, Roberto Suárez Soto wrote:
> Sorry to be late to the party, but I've just noticed this thread. Does VTI support mean that we don't have to use GRE+IPSec anymore? Do
> these tunnels support dynamic routing protocols, like RIP, BGP and OSPF? (especially considering that OSPF uses multicast)
If you use a routing based VPN from 0.0.0.0/0 to 0.0.0.0/0 then
you can dynamically route into the vti device to send traffic
over the tunnel:
When the connection comes up, you have a vti0 device. You can use
ip rule and ip route to do source and/or destination based routing
into the device to get those ranges encrypted and sent over the
Use vti-routing=yes if you just want to let libreswan do the routing
for you, which obviously cannot be done for 0/0 to 0/0 tunnels, but
can be done for simpler tunnels, like:
This will cause all packets destined for 10/8 to get encrypted without
any additional manual routing changes.
If people use this in a neat setup, please let us know because we would
like to add some example uses to our wiki.
Note: you need to use libreswan-3.18dr2 or git master for this feature.
We are planning to do the full 3.18 release later this week.
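As an added example (not from Paul's post or from libreswan itself), a small POSIX sh helper that emits the ip rule / ip route commands steering chosen source or destination ranges into the vti device for a 0/0-to-0/0 tunnel, where libreswan cannot do the routing for you. The device name vti0, table id 220, the peer address 203.0.113.5 and the ranges are constructed placeholders; it also adds the one rule a practitioner usually needs here, keeping the peer's own address in the main table so the encapsulated packets are not routed back into the tunnel.

```shell
#!/bin/sh
# Added example: generate (or, with DRY_RUN=0 as root, apply) policy
# routing into a vti device for a routing-based 0/0-to-0/0 tunnel.
# vti0, table 220, the peer and the ranges below are constructed values.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# vti_steer DEV TABLE PEER SELECTOR...
# SELECTOR is dst:<cidr> (destination-based) or src:<cidr> (source-based).
vti_steer() {
    dev=$1; table=$2; peer=$3; shift 3
    # Anything that is looked up in TABLE is sent into the vti device.
    run ip route replace default dev "$dev" table "$table"
    # The peer's public address must stay in the main table: the ESP/IKE
    # packets leaving the vti are addressed to it and would otherwise be
    # matched by a 0/0 selector and looped back into the tunnel.
    run ip rule add to "$peer" lookup main priority 100
    for sel in "$@"; do
        case $sel in
            dst:*) run ip rule add to "${sel#dst:}" lookup "$table" priority 200 ;;
            src:*) run ip rule add from "${sel#src:}" lookup "$table" priority 200 ;;
            *) echo "vti_steer: bad selector '$sel' (use dst:CIDR or src:CIDR)" >&2
               return 1 ;;
        esac
    done
}

# Sample invocation with constructed values; prints the commands when DRY_RUN=1.
vti_steer vti0 220 203.0.113.5 dst:10.0.0.0/8 src:192.168.1.0/24
```

Run with DRY_RUN=0 only on the gateway itself, after the connection has brought vti0 up.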