[Swan] VTI support

Xinwei Hong xhong at skytap.com
Wed Jul 6 20:48:09 UTC 2016


Hi,

I'm trying to play around with VTI support. I have the following conf in
/etc/ipsec.conf:

conn routed-vpn
    left=10.2.128.241
    right=10.2.128.240
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    ike=aes128-sha1;modp4096
    esp=aes128-sha1
    type=tunnel
    authby=secret
    auth=esp
    keyexchange=ike
    keyingtries=2
    disablearrivalcheck=no
    ikev2=no
    auto=add
    # route-based VPN requires marking and an interface
    mark=5/0xffffffff
    vti-interface=vti01
    # do not set up routing because we don't want to send 0.0.0.0/0 over the tunnel
    vti-routing=no

Do we need anything else in the ipsec.conf file, such as:

config setup
    protostack=netkey
    interfaces="vti01=eth1"
    plutodebug=all

Note that I want to have a route-based VPN via netkey/pluto. I have set up
/etc/ipsec.secrets with a PSK on both ends.

If I run "ipsec start" I get:

Redirecting to: start ipsec
start: Job failed to start

So I should not start ipsec that way?


If I run:

ipsec pluto --stderrlog --config /etc/ipsec.conf

both ends look fine.

"ipsec status" shows the following:

000 Connection list:
000
000 "routed-vpn": 0.0.0.0/0===10.2.128.240<10.2.128.240>...10.2.128.241<10.2.128.241>===0.0.0.0/0; unrouted; eroute owner: #0
000 "routed-vpn":     unoriented; my_ip=unset; their_ip=unset
000 "routed-vpn":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "routed-vpn":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "routed-vpn":   labeled_ipsec:no;
000 "routed-vpn":   policy_label:unset;
000 "routed-vpn":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2;
000 "routed-vpn":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "routed-vpn":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 "routed-vpn":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "routed-vpn":   conn_prio: 0,0; interface: ; metric: 0; mtu: unset; sa_prio:auto;
000 "routed-vpn":   nflog-group: unset; mark: 5/0xffffffff, 5/0xffffffff; vti-iface: vti01; vti-routing: no
000 "routed-vpn":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "routed-vpn":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP4096(16)
000 "routed-vpn":   IKE algorithms found: AES_CBC(7)_128-SHA1(2)-MODP4096(16)
000 "routed-vpn":   ESP algorithms wanted: AES(12)_128-SHA1(2)
000 "routed-vpn":   ESP algorithms loaded: AES(12)_128-SHA1(2)
000
000 Total IPsec connections: loaded 1, active 0

"ip link" does not show interface vti01, but it has the following:

19: ip_vti0@NONE: <NOARP,UP,LOWER_UP> mtu 1332 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/ipip 0.0.0.0 brd 0.0.0.0

What is ip_vti0 here?

No connection can be made between two ends.

Can anybody tell me what I'm doing wrong here and how to fix it?


Thanks,

Xinwei
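Added troubleshooting helper, not code from the post or from libreswan: it scans the text of "ipsec status" and "ip link" (the constructed samples below are copied from the output quoted above) and reports what keeps a route-based VTI conn from passing traffic. It assumes libreswan's documented behaviour that auto=add only loads a conn and that the updown script creates the vtiNN device once the IPsec SA is established.

```shell
#!/bin/sh
# Added troubleshooting helper, not from the post or libreswan: scan the text
# of "ipsec status" and "ip link" for a route-based (VTI) conn and report why
# no traffic can flow. PROBLEM = must be fixed, NOTE = expected/harmless.

# Constructed sample: the relevant status lines quoted in the post above.
STATUS_SAMPLE='000 "routed-vpn": 0.0.0.0/0===10.2.128.240<10.2.128.240>...10.2.128.241<10.2.128.241>===0.0.0.0/0; unrouted; eroute owner: #0
000 "routed-vpn":     unoriented; my_ip=unset; their_ip=unset
000 "routed-vpn":   conn_prio: 0,0; interface: ; metric: 0; mtu: unset; sa_prio:auto;
000 "routed-vpn":   nflog-group: unset; mark: 5/0xffffffff, 5/0xffffffff; vti-iface: vti01; vti-routing: no
000 "routed-vpn":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 Total IPsec connections: loaded 1, active 0'

# Constructed sample of "ip link": only the ip_vti module's fallback device.
LINK_SAMPLE='19: ip_vti0@NONE: <NOARP,UP,LOWER_UP> mtu 1332 qdisc noqueue state UNKNOWN
    link/ipip 0.0.0.0 brd 0.0.0.0'

# vti_check CONN STATUS_TEXT LINK_TEXT: prints one finding per line
vti_check() {
  conn=$1; status=$2; links=$3
  c=$(printf '%s\n' "$status" | grep "^000 \"$conn\":" || true)
  if [ -z "$c" ]; then
    echo "PROBLEM: conn $conn is not loaded in pluto"; return 0
  fi
  # unoriented: pluto has no listening interface that owns left= or right=
  if echo "$c" | grep -q 'unoriented'; then
    echo "PROBLEM: $conn is unoriented: pluto is not listening on an interface with the left/right address (check 'ipsec whack --listen' / 'ipsec start')"
  fi
  # auto=add only loads the conn; somebody must initiate it
  if echo "$c" | grep -q 'newest IPsec SA: #0'; then
    echo "PROBLEM: no IPsec SA; with auto=add the conn must be started ('ipsec auto --up $conn') or set to auto=start"
  fi
  iface=$(echo "$c" | sed -n 's/.*vti-iface: \([^;]*\);.*/\1/p')
  marks=$(echo "$c" | sed -n 's/.*mark: \([^;]*\);.*/\1/p')
  if [ -n "$iface" ] && [ -z "$marks" ]; then
    echo "PROBLEM: vti-iface=$iface without mark=; the VTI device needs the mark to match the SA"
  fi
  # the vtiNN device is created by libreswan's updown script when the SA is up
  if [ -n "$iface" ] && ! printf '%s\n' "$links" | grep -q "^[0-9]*: $iface[@: ]"; then
    echo "NOTE: $iface absent: expected until the IPsec SA is established, the updown script creates it then"
  fi
  if printf '%s\n' "$links" | grep -q ': ip_vti0[@: ]'; then
    echo "NOTE: ip_vti0 is the kernel's fallback device from loading the ip_vti module, not a libreswan tunnel"
  fi
}

# vti_problems CONN STATUS_TEXT LINK_TEXT: number of PROBLEM findings
vti_problems() { vti_check "$@" | grep -c '^PROBLEM' || true; }
```

On a live host, feed it `"$(ipsec status)"` and `"$(ip link)"` instead of the samples; the two PROBLEM lines it prints for the quoted output are the unoriented conn and the missing SA.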