[Swan] leftvti - how to use it?
Paul Wouters
paul at nohats.ca
Tue Sep 12 19:43:48 UTC 2017
On Tue, 12 Sep 2017, Xinwei Hong wrote:
> conn conn_vpn
> authby=secret
> left=199.x.y.166
> right=199.x.y.159
> ike=aes256-sha1;modp1024
> phase2alg=aes256-sha1;modp1024
> ikelifetime=28800s
> salifetime=3600s
> leftsubnet=0.0.0.0/0
> rightsubnet=0.0.0.0/0
> type=tunnel
> mark=5/0xffffffff
> vti-interface=vti01
> vti-routing=no
> vti-shared=yes
> auto=start
> leftvti=10.100.0.1/16
>
> the other end is similar with leftvti=10.200.0.1/16.
>
> The VPN can be established successfully. However, I don't see the leftvti take effect. I was expecting to be able to ping 10.100.0.1 from the other end. Is this what we should
> expect? How do I correctly configure leftvti?
When you are using 0.0.0.0/0 tunnels, it is basically a routing based
tunnel. But since we cannot route 0.0.0.0/0 without imploding the
tunnel, we ask you to do vti-routing=no. But that means you still
need to provide a way for the packets you want to be tunneled to
route into the VTI device.
If you just want a tunnel that covers 10.200.0.0/16 <-> 10.100.0.0/16
then you should use those values as left/rightsubnet and
vti-routing=yes. And if your gateways already have the .1 IP
address, you don't need to add it using leftvti= either.
Paul
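As an added illustration (not part of Paul's reply or of the original post), the two setups he describes written out as ipsec.conf conns; the addresses are the ones from the question, and the manual route lines assume the kernel side is managed with iproute2 as root:

```ini
# Option A: subnet-based tunnel. With concrete left/rightsubnet values
# Libreswan's updown script can install the route for 10.200.0.0/16
# into vti01 itself, which is what vti-routing=yes asks for.
conn conn_vpn_subnets
    authby=secret
    left=199.x.y.166
    right=199.x.y.159
    ike=aes256-sha1;modp1024
    phase2alg=aes256-sha1;modp1024
    leftsubnet=10.100.0.0/16
    rightsubnet=10.200.0.0/16
    type=tunnel
    mark=5/0xffffffff
    vti-interface=vti01
    vti-routing=yes
    # Only needed if this gateway does not already own 10.100.0.1;
    # leftvti= just adds that address to vti01.
    leftvti=10.100.0.1/16
    auto=start

# Option B: 0.0.0.0/0 traffic selectors (a route-based tunnel).
# vti-routing=no must stay, otherwise Libreswan would try to route the
# default route into the tunnel and the tunnel's own IKE/ESP packets
# would be swallowed by it. The routes therefore have to be added by
# hand once vti01 exists, for example on this gateway:
#   ip route add 10.200.0.0/16 dev vti01
# and the mirror route on the other gateway:
#   ip route add 10.100.0.0/16 dev vti01
conn conn_vpn_any
    authby=secret
    left=199.x.y.166
    right=199.x.y.159
    ike=aes256-sha1;modp1024
    phase2alg=aes256-sha1;modp1024
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    type=tunnel
    mark=5/0xffffffff
    vti-interface=vti01
    vti-routing=no
    vti-shared=yes
    leftvti=10.100.0.1/16
    auto=start
```

Both conns use the same mark and vti01 so that traffic sent into the interface is matched by the XFRM policy Libreswan installs; without a route pointing at vti01 nothing ever enters the tunnel, which is why the ping in the question did not work.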