[Swan] Various problems with VTI on Gentoo (with Cisco IOS as a client)

Reuben Farrelly reuben-libreswan at reub.net
Tue Sep 27 10:45:14 UTC 2016


On 27/09/2016 10:40 PM, Tuomo Soini wrote:

> On Tue, 27 Sep 2016 21:58:08 +1300
> Reuben Farrelly <reuben-libreswan at reub.net> wrote:
>
>> mtu=1438
> That one forces routing too.

Thanks Tuomo.  That looks much better now.  Is the MTU automatically 
calculated if it is not specified?

Paul - perhaps it could be noted on the wiki page that these options are 
not compatible with vti-routing=no.  It doesn't seem to be obvious that 
this is the case.

The one outstanding problem though is if we were to use (the default) 
vti-routing=yes, would we not want to insert a host route for the remote 
host/endpoint so that the data towards it leaves via the unencrypted 
interface?  Without it, it appears we end up with a recursive routing 
situation where the traffic to reach the remote public device is via the 
tunnel itself.  Currently that route is not added, and my observations a 
few days ago are that this behaviour breaks the tunnel once it has almost 
come up.  I was observing IKEv2 almost, but not quite, going to completion on 
the client side and a loss of connectivity to the remote the moment 
after these routes were installed.

Reuben
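The recursive-routing symptom described in the post (the route to the peer's public address itself pointing into the VTI) can be checked from the host's routing table. The following is an added example, not code from the thread or from Libreswan: it parses `ip route get <peer>` style output and, when the peer is reached via the VTI, emits the host route that pins it back to the underlay. The interface names (vti01, eth0), the peer and gateway addresses, and the sample routing lines are all constructed for illustration.

```sh
#!/bin/sh
# Check whether the IPsec peer's route recurses into its own VTI and,
# if so, build the host route that pins the peer to the underlay.
# All addresses, device names and sample `ip route get` lines below
# are constructed for this example.

# Outgoing device from one `ip route get` line, e.g.
#   "203.0.113.10 dev vti01 src 10.0.0.1 uid 0"      -> vti01
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Next hop from one `ip route get` line (empty if directly connected).
route_via() {
    printf '%s\n' "$1" | sed -n 's/.* via \([^ ]*\).*/\1/p'
}

# True (exit 0) when the peer route leaves via the VTI device itself,
# i.e. traffic to the peer's public address would enter the tunnel.
peer_route_recursive() {
    # $1: `ip route get <peer>` line, $2: VTI device name
    [ "$(route_dev "$1")" = "$2" ]
}

# Emit the `ip route replace` command that pins the peer to the underlay,
# or nothing when the current route is already fine.
fix_cmd() {
    # $1: peer route line, $2: default route line, $3: VTI dev, $4: peer IP
    if peer_route_recursive "$1" "$3"; then
        printf 'ip route replace %s/32 via %s dev %s\n' \
            "$4" "$(route_via "$2")" "$(route_dev "$2")"
    fi
}

# Constructed samples: what `ip route get 203.0.113.10` and
# `ip route show default` might print with vti-routing=yes.
PEER='203.0.113.10'
VTI='vti01'
PEER_ROUTE_BAD='203.0.113.10 dev vti01 src 10.0.0.1 uid 0'
PEER_ROUTE_OK='203.0.113.10 via 198.51.100.1 dev eth0 src 198.51.100.2 uid 0'
DEFAULT_ROUTE='default via 198.51.100.1 dev eth0'

# On a live host replace the sample lines with:
#   PEER_ROUTE_BAD="$(ip route get "$PEER" | head -n1)"
#   DEFAULT_ROUTE="$(ip route show default | head -n1)"
fix_cmd "$PEER_ROUTE_BAD" "$DEFAULT_ROUTE" "$VTI" "$PEER"
```

The script only prints the corrective command so it can be reviewed before being run as root; the route it proposes is the host route the post asks for, installed before the tunnel's own routes.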
