[Swan] VTI support

Paul Wouters paul at nohats.ca
Wed Jul 6 20:56:11 UTC 2016

On Wed, 6 Jul 2016, Xinwei Hong wrote:

> I'm trying to play around VTI support. I have the following conf in /etc/ipsec.conf

>     # route-based VPN requires marking and an interface
>     mark=5/0xffffffff
>     vti-interface=vti01
>     # do not setup routing because we don't want to send over the tunnel
>     vti-routing=no

You can also use vti-shared=no so the device is also deleted
automatically when the tunnel goes down.

> Do we need anything else in the ipsec.conf file such as:
> config setup
>     protostack=netkey
>     interfaces="vti01=eth1"
>     plutodebug=all

No. the interfaces= line is used for KLIPS only and should not be used

> Note that I want to have a route-based VPN via netkey/pluto. I have setup /etc/ipsec.secrets to have PSK on both ends.
> If I run "ipsec start"
> I got:
> Redirecting to: start ipsec
> start: Job failed to start
> So, I should not start ipsec that way?

That should work.

> If I run:
> ipsec pluto --stderrlog --config /etc/ipsec.conf 
> I got:
> both ends looks fine. 
> "Ipsec status" gets the following:

> 000 Total IPsec connections: loaded 1, active 0

It is loaded but not initiated. Try ipsec auto --up routed-vpn and see
if you get an error?

> what is the ip_vti0 here?

It's a kernel module thingy which you can ignore.


More information about the Swan mailing list