[Swan] VTI with IPv6 supposed to be working ?
Toerless Eckert
tte at cs.fau.de
Thu Sep 20 00:30:45 UTC 2018
Is VTI with IPv6 supposed to be working?
My experience was that it's not.
- I could not find any documentation saying whether it is or not.
- I could not find any examples with IPv6 and VTI either
- In some early tests I think I ended up with libreswan
creating an IP/IP VTI tunnel interface as opposed to an IPv6/IPv6
VTI tunnel interface.
- After upgrading everything (debian-sid/4.18.0 kernel, libreswan 3.25-1_b1),
libreswan does not generate a VTI interface at all when the connection
has an IPv6 config. I could also not see any errors/notes being generated
for the VTI when starting the connection (ipsec auto --up debianAB),
so no idea how to further troubleshoot.
- ipsec config:
    conn debianAB
        auto=add
        authby=rsasig
        leftsubnet=::/0
        rightsubnet=::/0
        mark=5/0xffffffff
        vti-interface=vtiAB
        vti-routing=no
        leftid=@debianA
        rightid=@debianB
        left=2001:1::1
        right=2001:1::2
        leftrsasigkey=...
        rightrsasigkey=...
- Commenting out all vti-* lines and setting up the IPv6 VTI interface
manually upfront works fine. Except that I picked libreswan over strongswan
because it looked as if it integrated/simplified use of VTI...
e.g. (on debianA):
    ip -6 tunnel add vtiAB local 2001:1::1 remote 2001:1::2 mode vti6 key 5
- If it's not meant to work, it would be lovely to mention that in e.g.:
https://libreswan.org/wiki/Route-based_VPN_using_VTI
or better yet, have pluto throw an unsupported error when a connection
includes VTI with IPv6 config.
- If it's meant to work, I welcome suggestions as to what additional
troubleshooting info I could provide on why it doesn't seem to work in my
(most simple) setup.
Thanks!
toerless