[Swan] VTI with IPv6 supposed to be working ?

Toerless Eckert tte at cs.fau.de
Thu Sep 20 00:30:45 UTC 2018


Is VTI with IPv6 supposed to be working ?

My experience was that it's not.

- I could not find any documentation saying whether it is or not.

- I could not find any examples with IPv6 and VTI either

- In some early tests I think I ended up with libreswan
  creating an IP/IP VTI tunnel interface as opposed to an IPv6/IPv6
  VTI tunnel interface.

- After upgrading everything (debian-sid/4.18.0 kernel, libreswan 3.25-1_b1),
  libreswan does not at all generate a VTI interface when the connection
  has an IPv6 config. Could also not see any errors/notes being generated
  for the VTI when starting the connection (ipsec auto --up debianAB),
  so no idea how to further troubleshoot.

- ipsec config:
   conn debianAB
        auto=add
        authby=rsasig
        leftsubnet=::/0
        rightsubnet=::/0
        mark=5/0xffffffff
        vti-interface=vtiAB
        vti-routing=no
        leftid=@debianA
        rightid=@debianB
        left=2001:1::1
        right=2001:1::2
        leftrsasigkey=...
        rightrsasigkey=...

- Commenting out all vti-* lines and setting up the IPv6 VTI interface
  manually upfront works fine. Except that I picked libreswan over strongswan
  because it looked as if it integrated/simplified use of VTI...

  e.g.: (on debianA):
  ip -6 tunnel add vtiAB local 2001:1::1 remote 2001:1::2 mode vti6 key 5

- If it's not meant to work, it would be lovely to mention that in e.g.:
  https://libreswan.org/wiki/Route-based_VPN_using_VTI
  or better yet, have pluto throw an unsupported error when a connection
  includes VTI with IPv6 config.

- If it's meant to work, I welcome suggestions on what additional
  troubleshooting info I could provide on why it doesn't seem to work in my
  (most simple) setup.

Thanks!
    toerless
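
Added example (not part of the original post and not libreswan code): a small helper that reads a conn section like the one above and prints the manual tunnel command for either end, so the workaround stays in sync with the config. The function names and the simplified ipsec.conf parsing are hypothetical, and it assumes the tunnel key equals the mark value without its mask, as in the post's own config and command.

```python
import ipaddress

# Constructed sample: the conn from the post, without the elided key material.
SAMPLE_CONF = """\
conn debianAB
        auto=add
        leftsubnet=::/0
        rightsubnet=::/0
        mark=5/0xffffffff
        vti-interface=vtiAB
        vti-routing=no
        left=2001:1::1
        right=2001:1::2
"""

def parse_conn(text, name):
    """Return the key=value options of one 'conn <name>' section as a dict."""
    opts, active = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace():           # unindented line starts a new section
            active = stripped.split() == ["conn", name]
        elif active and "=" in stripped:
            key, value = stripped.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def manual_vti_command(opts, side):
    """Build the 'ip tunnel add' command to run on the 'left' or 'right' host."""
    other = "right" if side == "left" else "left"
    local = ipaddress.ip_address(opts[side])
    remote = ipaddress.ip_address(opts[other])
    if local.version != remote.version:
        raise ValueError("left and right must be in the same address family")
    # Assumption: tunnel key = mark value, mask dropped (5/0xffffffff -> 5).
    key = int(opts["mark"].split("/")[0], 0)
    name = opts["vti-interface"]
    if local.version == 6:                  # IPv6 endpoints need mode vti6
        return f"ip -6 tunnel add {name} local {local} remote {remote} mode vti6 key {key}"
    return f"ip tunnel add {name} local {local} remote {remote} mode vti key {key}"

if __name__ == "__main__":
    conn = parse_conn(SAMPLE_CONF, "debianAB")
    for side in ("left", "right"):
        print(side, "->", manual_vti_command(conn, side))
```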

