[Swan] IPv6 and VTI
paul at nohats.ca
Wed Jul 17 18:10:07 UTC 2019
On Tue, 16 Jul 2019, Paul Overton wrote:
> My wish to move from KLIPS (which has to date supported all the functionality needed), has been brought about because libreswan is dropping KLIPS. VTI was documented for libreswan, so I tried it. It works fine for IPv4, but some of my networks are 6 native, and I do have 6in6 ipsec tunnels. I like the ability to have defined interfaces from a firewalling perspective, so I ruled out native netkey many years ago.
As did many, which lead to VTI and then XFRMi.
> There seems to be very little documentation about XFRMi, and it appears to be very new, and not a production product as yet. I get the impression that some distro's don't support XFRMi as yet. Correct me if I am, wrong but it looks like you need a kernel version 5x to support XFRMi natively? Unless you patch and re-compile a version 4?
It is pretty new, but since the code is based on VTI, it is considered
stable in the upstream linux kernel.
> Which versions of libreswan support the new XFRMi directives. 3.6.27 did not recognise the following when tested.
We have not yet released a libreswan version with XFRMi support. We plan
to do this soon.
More information about the Swan