[Swan] Various problems with VTI on Gentoo (with Cisco IOS as a client)

Tuomo Soini tis at foobar.fi
Sun Sep 25 17:13:01 UTC 2016


On Mon, 19 Sep 2016 21:50:55 +1000
Reuben Farrelly <reuben-libreswan at reub.net> wrote:

> Hi,
> 
> I've been experimenting today with Vti based configuration and run
> into a few problems.
> 
> The libreswan config looks like this:
> 
> conn router-2.reub.net
>          left=139.162.51.249
>          leftid=@lightning.reub.net
>          leftsubnet=0.0.0.0/0
>          leftsourceip=192.168.6.1
           ^^^^^^^^^^^^^^^^^^^^^^^^
Here is your config error. That always causes routing. So
vti-routing=no below is ignored because sourceip functionality doesn't
work at all without routing, which forces routing.

>          right=%any
>          rightid=router-2@reub.net
>          rightsubnet=0.0.0.0/0
>          authby=secret
>          ikev2=insist
>          ikelifetime=86400s
>          salifetime=3600s
>          ike=aes256-sha1;modp1536
>          phase2alg=aes128-sha1;modp1536
>          mtu=1438
>          dpddelay=15
>          dpdtimeout=45
>          dpdaction=clear
>          auto=add
>          mark=12/0xffffff
>          vti-interface=vti01
>          vti-routing=no
>          vti-shared=yes

So vti-routing=no doesn't disable routing because setting leftsourceip
already forced routing.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
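An added check, not part of the thread or of libreswan itself: it parses ipsec.conf conn sections and flags any conn that sets vti-routing=no together with leftsourceip or rightsourceip, the combination the reply above says makes vti-routing=no ineffective. The sample config is a constructed fragment mirroring the quoted one.

```python
import re

# Constructed sample ipsec.conf fragment mirroring the quoted config,
# plus a second conn without a sourceip setting for comparison.
SAMPLE_CONF = """\
conn router-2.reub.net
         left=139.162.51.249
         leftsourceip=192.168.6.1
         right=%any
         vti-interface=vti01
         vti-routing=no
         vti-shared=yes

conn clean
         vti-interface=vti02
         vti-routing=no
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' block in ipsec.conf text."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue                            # outside a conn (e.g. config setup)
        key, _, value = line.strip().partition("=")
        conns[current][key.strip()] = value.strip()
    return conns

def find_ignored_vti_routing(text):
    """(conn, [keys]) for each conn whose vti-routing=no is overridden by a sourceip."""
    hits = []
    for name, opts in parse_conns(text).items():
        if opts.get("vti-routing", "").lower() != "no":
            continue
        forcing = [k for k in ("leftsourceip", "rightsourceip") if k in opts]
        if forcing:
            hits.append((name, forcing))
    return hits

if __name__ == "__main__":
    for name, keys in find_ignored_vti_routing(SAMPLE_CONF):
        print(f"{name}: vti-routing=no is ignored, {', '.join(keys)} forces routing")
```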
