[Swan] What ways're possible for bringing a VTI up?

Paul Wouters paul at nohats.ca
Fri Jan 19 02:11:46 UTC 2018


On Thu, 18 Jan 2018, Alex K. wrote:

> What are the possible ways to bring a Libreswan VTI up?
> 
> Let me elaborate the situation a little bit - I have a Libreswan 3.21 compiled from sources on Debian Stretch as. Anyhow, I have a
> basic VTI setup according to the example on Libreswan website.

Using the vti options in the connection is the best way. Then,
the VTI interfaces are created/deleted when the tunnels go up
or down. You can do things manually too using the "ip tun"
command, but I wouldn't recommend it.

> On system startup, everything works just fine. The question is, how can I bring the tunnel up (after say, a restart to the opposite
> end), *without* manual intervention?
> 
> Sure, I can always get to the box, get the terminal up and run "sudo ipsec auto --add vti1", following "--up". But say I'm not on
> site right now or wish to plan for better VPN recovery setup, what are my possibilities? Can some traffic bring the VTI up? Is there
> a keep alive/always up setting?

If you have auto=start, whenever the tunnel goes down, it will
automatically try to restart. Even if the other end sends you
a delete request.

When using auto=ondemand, if the tunnel goes down, it will only
be brought back up when there is traffic to trigger the tunnel.

Paul
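
The connection-level VTI options and the two auto= modes described in the reply, as an added example that is not part of the original message. The addresses, the mark value and the interface name are placeholders chosen for illustration; only the connection name vti1 comes from the thread.

```ini
# /etc/ipsec.conf fragment (illustrative; addresses and mark are placeholders)
conn vti1
    left=192.0.2.1
    right=198.51.100.1
    authby=secret
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    # Packets carrying this mark are the ones the VTI device handles.
    mark=5/0xffffffff
    # pluto creates this device when the tunnel comes up and removes it
    # when the tunnel goes down, so no manual "ip tun" step is needed.
    vti-interface=vti01
    # With 0.0.0.0/0 on both sides, keep pluto from installing routes
    # into the device; add the routes you actually want yourself.
    vti-routing=no
    vti-shared=no
    # auto=start: initiated at startup and retried whenever the tunnel
    # goes down, including after a delete request from the peer.
    auto=start
    # Alternative: auto=ondemand brings the tunnel back up only when
    # matching traffic triggers it.
```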

