[Swan] Various problems with VTI on Gentoo (with Cisco IOS as a client)
Tuomo Soini
tis at foobar.fi
Sun Sep 25 17:13:01 UTC 2016
On Mon, 19 Sep 2016 21:50:55 +1000
Reuben Farrelly <reuben-libreswan at reub.net> wrote:
> Hi,
>
> I've been experimenting today with Vti based configuration and run
> into a few problems.
>
> The libreswan config looks like this:
>
> conn router-2.reub.net
> left=139.162.51.249
> leftid=@lightning.reub.net
> leftsubnet=0.0.0.0/0
> leftsourceip=192.168.6.1
^^^^^^^^^^^^^^^^^^^^^^^^
Here is your config error. That always causes routing. So
vti-routing=no below is ignored because sourceip functionality doesn't
work at all without routing which forces routing.
> right=%any
> rightid=router-2 at reub.net
> rightsubnet=0.0.0.0/0
> authby=secret
> ikev2=insist
> ikelifetime=86400s
> salifetime=3600s
> ike=aes256-sha1;modp1536
> phase2alg=aes128-sha1;modp1536
> mtu=1438
> dpddelay=15
> dpdtimeout=45
> dpdaction=clear
> auto=add
> mark=12/0xffffff
> vti-interface=vti01
> vti-routing=no
> vti-shared=yes
So vti-routing=no doesn't disable routing because setting leftsourceip
already forced routing.
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
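The point made above, that setting leftsourceip forces routing and so silently overrides vti-routing=no, is easy to miss in a large ipsec.conf. The following checker is an added example for this thread, not libreswan code and not from either poster: it parses conn blocks (indented or flattened, as in the quoted mail) and flags any conn that sets vti-routing=no together with a sourceip option. It treats rightsourceip the same way as leftsourceip, which is an assumption based on the "sourceip functionality" wording rather than something the mail states; the sample config is constructed with documentation addresses.

```python
"""Flag ipsec.conf conn blocks where vti-routing=no is overridden by a sourceip
setting. Added example for the mailing-list discussion; not libreswan code."""
import re
from typing import Dict, List

# leftsourceip is the case from the thread; rightsourceip is assumed to behave
# the same because both enable the "sourceip" routing behaviour.
SOURCEIP_KEYS = ("leftsourceip", "rightsourceip")


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {option: value}} for every 'conn' section.

    Works on properly indented files and on flattened text (e.g. a config
    quoted in a mail): every key=value line after 'conn NAME' belongs to that
    conn until the next 'conn' or 'config' header.
    """
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        header = re.match(r"^conn\s+(\S+)$", line)
        if header:
            current = header.group(1)
            conns[current] = {}
            continue
        if line.startswith("config "):
            current = None  # 'config setup' options are not conn options
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            conns[current][key.strip().lower()] = value.strip()
    return conns


def check_vti_routing(conns: Dict[str, Dict[str, str]]) -> List[str]:
    """One finding per conn where vti-routing=no is ignored because a
    sourceip option forces routing anyway."""
    findings = []
    for name, opts in conns.items():
        if opts.get("vti-routing", "").lower() != "no":
            continue
        forcing = [k for k in SOURCEIP_KEYS if k in opts]
        if forcing:
            findings.append(
                f"{name}: vti-routing=no is ignored because "
                f"{', '.join(forcing)} forces routing"
            )
    return findings


# Constructed sample (documentation addresses), not the poster's real config.
SAMPLE_CONF = """\
conn vti-with-sourceip
    left=192.0.2.1
    leftsourceip=10.0.6.1
    leftsubnet=0.0.0.0/0
    right=%any
    rightsubnet=0.0.0.0/0
    mark=12/0xffffff
    vti-interface=vti01
    vti-routing=no
    vti-shared=yes

conn vti-plain
    left=192.0.2.1
    leftsubnet=0.0.0.0/0
    right=%any
    rightsubnet=0.0.0.0/0
    mark=13/0xffffff
    vti-interface=vti02
    vti-routing=no
"""


def run_check(text: str = SAMPLE_CONF) -> List[str]:
    """Parse and check a config text; returns the list of findings."""
    return check_vti_routing(parse_conns(text))


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```

Run it against your own file with `run_check(open("/etc/ipsec.conf").read())`; the first sample conn reproduces the situation from the thread and is reported, the second, which sets no sourceip option, passes.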