[Swan] What ways're possible for bringing a VTI up?

Alex K. nsp.lists at gmail.com
Fri Jan 19 08:01:54 UTC 2018


Hello Paul, pleased to meet you.

I do have "auto=start" configured, but unfortunately, it behaves
differently.

The opposite end is also a VTI on a Cisco router, and the VTI on my side does
not come up, no matter what happens.

I tried to delete SAs on both sides (till there's no SA shown on my side,
using "ip xfrm state"), playing with right/left subnets and then generating
traffic accordingly (now the subnets are 0.0.0.0/0), issuing "ipsec whack
--listen", since sometimes I bring the tunnel down by unplugging the cable
and then Pluto does not resume listening automatically. All to no avail,
unfortunately. As far as I remember, debugs on the Cisco side do not indicate
incoming re-establishment tries. At least, not full IKE negotiations (maybe
there's something, but very limited at most). What I discovered, is that
re-adding the connection and then using "--up" will bring it up, restarting
the IPSEC service will also bring it up automatically and (surprisingly, to
some extent) shutting Pluto down ("ipsec whack --shutdown").

Maybe I'm doing something wrong, that's why I'm seeking help here. Thank
you.

On Jan 19, 2018 at 4:11 AM, "Paul Wouters" <paul at nohats.ca> wrote:

> On Thu, 18 Jan 2018, Alex K. wrote:
>
>> What are the possible ways to bring a Libreswan VTI up?
>>
>> Let me elaborate the situation a little bit - I have a Libreswan 3.21
>> compiled from sources on Debian Stretch as. Anyhow, I have a
>> basic VTI setup according to the example on Libreswan website.
>>
>
> Using the vti options in the connection is the best way. Then,
> the VTI interfaces are created/deleted when the tunnels go up
> or down. You can do things manually too using the "ip tun"
> command, but I wouldn't recommend it.
>
>> On system startup, everything works just fine. The question is, how can I
>> bring the tunnel up (after say, a restart to the opposite
>> end), *without* manual intervention?
>>
>> Sure, I can always get to the box, get the terminal up and run "sudo
>> ipsec auto --add vti1", following "--up". But say I'm not on
>> site right now or wish to plan for better VPN recovery setup, what are my
>> possibilities? Can some traffic bring the VTI up? Is there
>> a keep alive/always up setting?
>>
>
> If you have auto=start, whenever the tunnel goes down, it will
> automatically try to restart. Even if the other end sends you
> a delete request.
>
> When using auto=ondemand, if the tunnel goes down, it will only
> be brought back up when there is traffic to trigger the tunnel.
>
> Paul
>
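As an added illustration of the options discussed in this thread (this is an example written for this page, not a configuration posted by either participant), below is a minimal Libreswan route-based VTI connection that uses the in-connection vti options together with auto=start. The practitioner caveat it also covers: auto=start re-initiates when Libreswan notices the tunnel is down, but a peer that reboots without sending an IKE delete leaves the local SA looking healthy until liveness checking notices, so the example enables DPD with dpdaction=restart as well. The interface name, addresses, mark value, authentication method and DPD timers are assumptions chosen for the example, not values taken from the messages above.

```ini
# Added example for this page; not part of the original thread.
# Every concrete value below is an assumption for illustration.

conn vti1
    # Assumed endpoints: local Libreswan host and the Cisco peer.
    left=203.0.113.10
    right=198.51.100.20

    # Route-based VPN: the SA carries any traffic; the kernel routing
    # table, not the traffic selectors, decides what enters the VTI.
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0

    # Assumed: pre-shared key kept in ipsec.secrets.
    authby=secret

    # Bind the IPsec SA to a packet mark and let Libreswan create/remove
    # the VTI interface as the tunnel comes up and goes down.
    mark=5/0xffffffff
    vti-interface=vti1
    # Routes are managed outside Libreswan (ip route add ... dev vti1),
    # so Libreswan must not install its own.
    vti-routing=no

    # Re-initiate whenever the tunnel is torn down (delete request,
    # failed rekey, or a liveness failure detected below).
    auto=start

    # Assumed timers: probe peer liveness every 30 s, declare it dead
    # after 120 s of silence, then re-initiate instead of waiting.
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
```

With this in place, a reboot of the peer is detected by DPD rather than by waiting for an IKE delete that a crashed router never sends, and the restart brings the VTI back without a manual --add/--up on the box.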