[Swan] VTI support
Paul Wouters
paul at nohats.ca
Wed Jul 6 20:56:11 UTC 2016
On Wed, 6 Jul 2016, Xinwei Hong wrote:
> I'm trying to play around with VTI support. I have the following conf in /etc/ipsec.conf
> # route-based VPN requires marking and an interface
> mark=5/0xffffffff
> vti-interface=vti01
> # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
> vti-routing=no
You can also use vti-shared=no so the device is also deleted
automatically when the tunnel goes down.
> Do we need anything else in the ipsec.conf file such as:
>
> config setup
>
> protostack=netkey
>
> interfaces="vti01=eth1"
>
> plutodebug=all
No. The interfaces= line is used for KLIPS only and should not be used
for NETKEY/XFRM.
> Note that I want to have a route-based VPN via netkey/pluto. I have setup /etc/ipsec.secrets to have PSK on both ends.
>
> If I run "ipsec start"
>
> I got:
>
> Redirecting to: start ipsec
>
> start: Job failed to start
>
> So, I should not start ipsec that way?
That should work.
> If I run:
>
> ipsec pluto --stderrlog --config /etc/ipsec.conf
>
> I got:
>
> Both ends look fine.
>
> "Ipsec status" gets the following:
> 000 Total IPsec connections: loaded 1, active 0
It is loaded but not initiated. Try ipsec auto --up routed-vpn and see
if you get an error?
> what is the ip_vti0 here?
It's a kernel module thingy which you can ignore.
Paul
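For reference, a complete route-based conn block that puts the options discussed in this thread together (mark, vti-interface, vti-routing=no, vti-shared=no, no interfaces= line). This is an added example, not config from the original thread or from the libreswan project; the peer addresses, the VTI address and the remote subnet are placeholders.

```conf
config setup
    protostack=netkey
    # no interfaces= line: that option is for KLIPS only

conn routed-vpn
    # placeholder public addresses of the two gateways
    left=192.0.2.1
    right=198.51.100.1
    # route-based VPN: the policy covers everything, routing decides what goes in
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    # PSK from /etc/ipsec.secrets
    authby=secret
    auto=start
    # mark packets so the kernel steers them through the vti device
    mark=5/0xffffffff
    vti-interface=vti01
    # placeholder address assigned to vti01 on this side
    leftvti=10.255.0.1/30
    # do not add 0.0.0.0/0 over the tunnel; routes are added by hand
    vti-routing=no
    # delete vti01 automatically when the tunnel goes down
    vti-shared=no

# With vti-routing=no, add only the remote networks you want tunnelled, e.g.:
#   ip route add 203.0.113.0/24 dev vti01      (placeholder remote subnet)
# then bring the tunnel up with: ipsec auto --up routed-vpn
```

The route command is needed on both gateways for their respective remote subnets.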