[Swan] Various problems with VTI on Gentoo (with Cisco IOS as a client)

Paul Wouters paul at nohats.ca
Fri Sep 23 00:09:21 UTC 2016


On Tue, 20 Sep 2016, Reuben Farrelly wrote:

> Here's after a clean reboot:
>
> lightning ~ # ip route
> default via 139.162.51.1 dev eth0  metric 3
> 127.0.0.0/8 dev lo  scope host
> 127.0.0.0/8 via 127.0.0.1 dev lo
> 139.162.51.0/24 dev eth0  proto kernel  scope link  src 139.162.51.249
> lightning ~ #
>
> The VTI won't come up though.  It fails, as towards the end of the 
> negotiation the box loses connectivity with the peer and from the Cisco's 
> perspective never completes negotiation - so I had to add a route to cover 
> the peer's public subnet:
>
> 1.0.0.0/8 via 139.162.51.1 dev eth0

My guess is this would resolve your issue:

diff --git a/programs/_updown.netkey/_updown.netkey.in
b/programs/_updown.netkey/_updown.netkey.in
index 3031ac5..2fd1a83 100644
--- a/programs/_updown.netkey/_updown.netkey.in
+++ b/programs/_updown.netkey/_updown.netkey.in
@@ -481,9 +481,6 @@ doroute() {

      case "${PLUTO_PEER_CLIENT}" in
         "0.0.0.0/0")
-           # need to provide route that eclipses default, without
-           # replacing it.
-           it="ip route $1 0.0.0.0/1 ${parms2} && ip route $1
             128.0.0.0/1 ${parms2}"
             ;;
         *)
             it="ip route $1 ${parms} ${parms2}"
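Review bot: the continuation of the removed assignment, `128.0.0.0/1 ${parms2}"`, carries no `-` marker, so as shown the hunk leaves a dangling string fragment in the `"0.0.0.0/0")` branch; the `@@ -481,9 +481,6 @@` header counts exactly three removed lines, so this looks like a line wrap in the mail rather than the intended patch, but it should be confirmed against the actual file before anyone applies it. A second point: once the two half-default routes are gone, that branch no longer assigns `it` at all, so whatever later runs `$it` sees an empty command for every conn with a `0.0.0.0/0` peer client, not just VTI ones. Either set `it` to a no-op (e.g. `it=":"`) in that branch, or, as the accompanying text suggests, keep the `0.0.0.0/1`/`128.0.0.0/1` eclipsing routes and skip them only when the conn is a VTI conn, so that full-tunnel non-VTI conns keep their current routing behaviour.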


We should probably check for the conn doing VTI and skip it in that
case.

Can you test this and let me know?

Paul
