[Swan] IPv6 and VTI

Paul Overton Paul at trustedcyber.co.uk
Tue Jul 16 14:53:59 UTC 2019


Hi Paul,

Many thanks for your reply. 

My wish to move from KLIPS (which has to date supported all the functionality needed), has been brought about because libreswan is dropping KLIPS. VTI was documented for libreswan, so I tried it. It works fine for IPv4, but some of my networks are 6 native, and I do have 6in6 ipsec tunnels. I like the ability to have defined interfaces from a firewalling perspective, so I ruled out native netkey many years ago. 

There seems to be very little documentation about XFRMi, and it appears to be very new, and not a production product as yet. I get the impression that some distro's don't support XFRMi as yet. Correct me if I am, wrong but it looks like you need a kernel version 5x to support XFRMi natively? Unless you patch and re-compile a version 4?

Which versions of libreswan support the new XFRMi directives. 3.6.27 did not recognise the following when tested. 

leftiface-id
leftiface-ip
leftiface-mark

Many thanks



-----Original Message-----
From: Paul Wouters [mailto:paul at nohats.ca] 
Sent: 15 July 2019 16:02
To: Paul Overton <Paul at trustedcyber.co.uk>
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] IPv6 and VTI

On Mon, 15 Jul 2019, Paul Overton wrote:

> Does the current version of Libreswan support VTI for IPv6 tunnels ?

I don't think so?

> I am moving a number of servers to the latest version and switching 
> from KLIPS to Netkey+VTI, and found that one of my IPv6 machines did not create the VTI interface, it is possible also to do a 6 in 4 tunnel using VTI as well.

You should be moving to XFRMi interfaces. libreswan is working on adding support for that (we have an internal partial branch at the moment)

Information about XFRMi:

https://lwn.net/Articles/757391/
https://libreswan.org/wiki/XFRM_Interface_Development_Notes
https://workshop.linux-ipsec.org/2018/slides/IPSec_workshop_presentation_lrk.pdf

VTI has several structural limitations, and it will be fully replaced by XFRMi.

Paul


More information about the Swan mailing list