[Swan] VTI support
Xinwei Hong
xhong at skytap.com
Wed Jul 6 20:48:09 UTC 2016
Hi,
I'm trying to play around with VTI support. I have the following conf in
/etc/ipsec.conf:
conn routed-vpn
left=10.2.128.241
right=10.2.128.240
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
ike=aes128-sha1;modp4096
esp=aes128-sha1
type=tunnel
authby=secret
auth=esp
keyexchange=ike
keyingtries=2
disablearrivalcheck=no
ikev2=no
auto=add
# route-based VPN requires marking and an interface
mark=5/0xffffffff
vti-interface=vti01
# do not set up routing because we don't want to send 0.0.0.0/0 over the tunnel
vti-routing=no
Do we need anything else in the ipsec.conf file such as:
config setup
protostack=netkey
interfaces="vti01=eth1"
plutodebug=all
Note that I want to have a route-based VPN via netkey/pluto. I have set up
/etc/ipsec.secrets to have a PSK on both ends.
If I run "ipsec start" I get:
Redirecting to: start ipsec
start: Job failed to start
So, I should not start ipsec that way?
If I run:
ipsec pluto --stderrlog --config /etc/ipsec.conf
I get:
both ends look fine.
"ipsec status" gives the following:
000 Connection list:
000
000 "routed-vpn": 0.0.0.0/0===10.2.128.240<10.2.128.240>...10.2.128.241<10.2.128.241>===0.0.0.0/0; unrouted; eroute owner: #0
000 "routed-vpn": unoriented; my_ip=unset; their_ip=unset
000 "routed-vpn": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "routed-vpn": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "routed-vpn": labeled_ipsec:no;
000 "routed-vpn": policy_label:unset;
000 "routed-vpn": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2;
000 "routed-vpn": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "routed-vpn": sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 "routed-vpn": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "routed-vpn": conn_prio: 0,0; interface: ; metric: 0; mtu: unset; sa_prio:auto;
000 "routed-vpn": nflog-group: unset; mark: 5/0xffffffff, 5/0xffffffff; vti-iface: vti01; vti-routing: no
000 "routed-vpn": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "routed-vpn": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP4096(16)
000 "routed-vpn": IKE algorithms found: AES_CBC(7)_128-SHA1(2)-MODP4096(16)
000 "routed-vpn": ESP algorithms wanted: AES(12)_128-SHA1(2)
000 "routed-vpn": ESP algorithms loaded: AES(12)_128-SHA1(2)
000
000 Total IPsec connections: loaded 1, active 0
"ip link" does not show interface vti01, but it has the following:
19: ip_vti0@NONE: <NOARP,UP,LOWER_UP> mtu 1332 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/ipip 0.0.0.0 brd 0.0.0.0
What is the ip_vti0 here?
No connection can be made between two ends.
Can anybody tell me what I'm doing wrong here and how to fix it?
Thanks,
Xinwei
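The status output quoted in the post carries the fields that decide whether a route-based (VTI) conn can come up at all: whether pluto could orient it, which interface it bound to, the mark, and the vti-iface. The script below is an added example, not part of the original post and not libreswan's own code: it parses that output for one connection and prints its findings. The sample status text is constructed from the lines quoted above; the `ip link add ... type vti ... key` command it derives is assumed to be the manual equivalent of the device libreswan's updown script creates (VTI key equal to the mark value), and the local/remote addresses are passed in explicitly because an unoriented conn cannot tell you which end is yours.

```shell
#!/bin/sh
# Added example (not from the original post or from libreswan): a small
# diagnostic over the text that `ipsec status` prints for one connection.

# Constructed sample, reassembled from the status lines quoted in the post.
STATUS_SAMPLE='000 "routed-vpn": 0.0.0.0/0===10.2.128.240<10.2.128.240>...10.2.128.241<10.2.128.241>===0.0.0.0/0; unrouted; eroute owner: #0
000 "routed-vpn": unoriented; my_ip=unset; their_ip=unset
000 "routed-vpn": conn_prio: 0,0; interface: ; metric: 0; mtu: unset; sa_prio:auto;
000 "routed-vpn": nflog-group: unset; mark: 5/0xffffffff, 5/0xffffffff; vti-iface: vti01; vti-routing: no
000 "routed-vpn": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 Total IPsec connections: loaded 1, active 0'

# conn_lines CONN STATUS: only the status lines belonging to connection CONN.
conn_lines() {
    printf '%s\n' "$2" | grep -F "\"$1\":"
}

# conn_field CONN FIELD STATUS: value of "FIELD: value", up to the next ';'
# or end of line, trailing blanks removed (so "interface: ;" yields "").
conn_field() {
    conn_lines "$1" "$3" \
        | sed -n "s/.*$2: *\([^;]*\).*/\1/p" \
        | head -n 1 \
        | sed 's/[[:space:]]*$//'
}

# conn_orientation CONN STATUS: oriented | unoriented | unknown.
conn_orientation() {
    if conn_lines "$1" "$2" | grep -q '": unoriented;'; then
        echo unoriented
    elif conn_lines "$1" "$2" | grep -q '": oriented;'; then
        echo oriented
    else
        echo unknown
    fi
}

# active_count STATUS: the "active N" figure from the totals line.
active_count() {
    printf '%s\n' "$1" \
        | sed -n 's/^000 Total IPsec connections: loaded [0-9]*, active \([0-9]*\).*/\1/p'
}

# mark_key MARK: the integer in "5/0xffffffff, 5/0xffffffff" (first value).
mark_key() {
    printf '%s\n' "$1" | sed 's#/.*##'
}

# vti_add_cmd CONN STATUS LOCAL REMOTE: manual iproute2 equivalent (assumed)
# of the VTI device the updown script creates, keyed with the mark value.
vti_add_cmd() {
    vti=$(conn_field "$1" vti-iface "$2")
    key=$(mark_key "$(conn_field "$1" mark "$2")")
    [ -n "$vti" ] && [ -n "$key" ] || return 1
    echo "ip link add $vti type vti local $3 remote $4 key $key"
}

# vti_diagnose CONN STATUS: one finding per line; no output means nothing obvious.
vti_diagnose() {
    orient=$(conn_orientation "$1" "$2")
    iface=$(conn_field "$1" interface "$2")
    vti=$(conn_field "$1" vti-iface "$2")
    mark=$(conn_field "$1" mark "$2")
    if [ "$orient" != oriented ]; then
        echo "$1: $orient; pluto found no local interface holding left= or right=, so nothing will be negotiated"
    fi
    if [ -z "$iface" ]; then
        echo "$1: interface is empty; expected while the conn is unoriented"
    fi
    if [ -n "$vti" ]; then
        case "$mark" in
            ""|unset*) echo "$1: vti-iface=$vti but mark is not set; a VTI conn needs mark=" ;;
        esac
        echo "$1: $vti is created by the updown script when the conn is routed or brought up, so it is absent from 'ip link' until then (ip_vti0 is the ip_vti kernel module's own fallback device, not this conn's)"
    fi
    if [ "$(active_count "$2")" = 0 ]; then
        echo "no active IPsec SAs"
    fi
    return 0
}

# Stand-alone run over the constructed sample.
vti_diagnose routed-vpn "$STATUS_SAMPLE"
```

Run it against real output with `vti_diagnose routed-vpn "$(ipsec status)"`; the first finding to clear is the orientation, since a conn that pluto cannot orient never reaches the point where the VTI device matters.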