[Swan] VTI support
paul at nohats.ca
Wed Jul 6 20:56:11 UTC 2016
On Wed, 6 Jul 2016, Xinwei Hong wrote:
> I'm trying to play around with VTI support. I have the following conf in /etc/ipsec.conf
> # route-based VPN requires marking and an interface
> # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
You can also use vti-shared=no so the device is also deleted
automatically when the tunnel goes down.
> Do we need anything else in the ipsec.conf file such as:
> config setup
No. The interfaces= line is used for KLIPS only and should not be used
> Note that I want to have a route-based VPN via netkey/pluto. I have set up /etc/ipsec.secrets to have PSK on both ends.
> If I run "ipsec start"
> I got:
> Redirecting to: start ipsec
> start: Job failed to start
> So, I should not start ipsec that way?
That should work.
> If I run:
> ipsec pluto --stderrlog --config /etc/ipsec.conf
> I got:
> Both ends look fine.
> "Ipsec status" gets the following:
> 000 Total IPsec connections: loaded 1, active 0
It is loaded but not initiated. Try ipsec auto --up routed-vpn and see
if you get an error?
> what is the ip_vti0 here?
It's a kernel module thingy which you can ignore.