<div dir="ltr">Hi,<div><br></div><div>I'm trying to play around with VTI support. I have the following conf in /etc/ipsec.conf:</div><div>
<pre>
conn routed-vpn
    left=10.2.128.241
    right=10.2.128.240
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    # IKE proposal: AES-128, SHA-1, 4096-bit MODP group
    ike=aes128-sha1;modp4096
    # ESP proposal: AES-128 with SHA-1 integrity
    esp=aes128-sha1
    type=tunnel
    # pre-shared key, taken from /etc/ipsec.secrets
    authby=secret
    auth=esp
    keyexchange=ike
    keyingtries=2
    disablearrivalcheck=no
    # IKEv1 only
    ikev2=no
    # load the conn, do not initiate it
    auto=add
    # route-based VPN requires marking and an interface
    mark=5/0xffffffff
    vti-interface=vti01
    # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
    vti-routing=no
</pre>
<p>Do we need anything else in the ipsec.conf file, such as:</p>
<pre>
config setup
    protostack=netkey
    interfaces="vti01=eth1"
    plutodebug=all
</pre>
<p>Note that I want to have a route-based VPN via netkey/pluto. I have set up /etc/ipsec.secrets to have the PSK on both ends.</p>
<p>If I run "ipsec start" I get:</p>








<pre>
Redirecting to: start ipsec
start: Job failed to start
</pre>
<p>So, I should not start ipsec that way?</p>
<p>If I run:</p>
<pre>ipsec pluto --stderrlog --config /etc/ipsec.conf</pre>
<p>I get:</p>
<p>Both ends look fine.</p>
<p>"ipsec status" gives the following:</p>
<pre>
000 Connection list:
000  
000 "routed-vpn": 0.0.0.0/0===10.2.128.240&lt;10.2.128.240&gt;...10.2.128.241&lt;10.2.128.241&gt;===0.0.0.0/0; unrouted; eroute owner: #0
000 "routed-vpn":     unoriented; my_ip=unset; their_ip=unset
000 "routed-vpn":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "routed-vpn":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "routed-vpn":   labeled_ipsec:no;
000 "routed-vpn":   policy_label:unset;
000 "routed-vpn":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2;
000 "routed-vpn":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "routed-vpn":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 "routed-vpn":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "routed-vpn":   conn_prio: 0,0; interface: ; metric: 0; mtu: unset; sa_prio:auto;
000 "routed-vpn":   nflog-group: unset; mark: 5/0xffffffff, 5/0xffffffff; vti-iface: vti01; vti-routing: no
000 "routed-vpn":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "routed-vpn":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP4096(16)
000 "routed-vpn":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)-MODP4096(16)
000 "routed-vpn":   ESP algorithms wanted: AES(12)_128-SHA1(2)
000 "routed-vpn":   ESP algorithms loaded: AES(12)_128-SHA1(2)
000  
000 Total IPsec connections: loaded 1, active 0
</pre>
<p>"ip link" does not show interface vti01, but it has the following:</p>
<pre>
19: ip_vti0@NONE: &lt;NOARP,UP,LOWER_UP&gt; mtu 1332 qdisc noqueue state UNKNOWN mode DEFAULT group default 
    link/ipip 0.0.0.0 brd 0.0.0.0
</pre>
<p>What is the ip_vti0 here?</p>
<p>No connection can be made between the two ends.</p>
<p>Can anybody tell me what I'm doing wrong here and how to fix it?</p>
<p><br></p>
<p>Thanks,</p>
<p>Xinwei</p></div></div>
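<p>As an added example, not part of the original message and not libreswan's own code: a small Python parser for the <code>config setup</code> and <code>conn</code> sections of an ipsec.conf like the one above. It pulls out the <code>mark</code> and <code>vti-interface</code> settings of a route-based conn, validates them, and derives the <code>ip link add ... type vti ... key N</code> commands that would create the equivalent device by hand. The embedded configuration is constructed from the question. Two assumptions are mine: that the VTI device's <code>key</code> must equal the conn's mark value (Linux ip_vti uses the device key as the fwmark for its xfrm policy/state lookups), and that a missing <code>vti-routing</code> is treated as <code>no</code>.</p>

```python
"""Parse a libreswan-style ipsec.conf and derive the VTI device settings a
route-based conn implies.  Added example; not libreswan's own code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, mirroring the conn from the question (comments kept so
# the parser has to skip them).
SAMPLE_CONF = """\
config setup
    protostack=netkey
    plutodebug=all

conn routed-vpn
    left=10.2.128.241
    right=10.2.128.240
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    ike=aes128-sha1;modp4096
    esp=aes128-sha1
    type=tunnel
    authby=secret
    ikev2=no
    auto=add
    # route-based VPN requires marking and an interface
    mark=5/0xffffffff
    vti-interface=vti01
    # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
    vti-routing=no
"""

Section = Dict[str, str]


def parse_ipsec_conf(text: str) -> Dict[str, Section]:
    """Return {name: {key: value}}.  'config setup' is stored under 'setup',
    each 'conn NAME' under NAME.  '#' starts a comment; settings are indented."""
    sections: Dict[str, Section] = {}
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                      # section header at column 0
            kind, _, name = line.partition(" ")
            name = name.strip()
            if kind == "config" and name == "setup":
                name = "setup"
            elif kind != "conn" or not name:
                raise ValueError(f"unsupported section header: {line!r}")
            current = sections.setdefault(name, {})
            continue
        if current is None:
            raise ValueError(f"setting outside any section: {line.strip()!r}")
        key, sep, value = line.strip().partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed setting: {line.strip()!r}")
        current[key.strip()] = value.strip().strip('"')
    return sections


def _num(s: str) -> int:
    return int(s, 16) if s.lower().startswith("0x") else int(s, 10)


def parse_mark(spec: str) -> Tuple[int, int]:
    """'5/0xffffffff' -> (5, 0xffffffff).  A bare value gets an all-ones mask."""
    m = re.fullmatch(r"(0x[0-9a-fA-F]+|[0-9]+)(?:/(0x[0-9a-fA-F]+|[0-9]+))?", spec)
    if not m:
        raise ValueError(f"bad mark spec: {spec!r}")
    value = _num(m.group(1))
    mask = _num(m.group(2)) if m.group(2) else 0xFFFFFFFF
    if value > 0xFFFFFFFF or mask > 0xFFFFFFFF:
        raise ValueError(f"mark does not fit in 32 bits: {spec!r}")
    if value & ~mask:
        raise ValueError(f"mark value {value:#x} has bits outside mask {mask:#x}")
    return value, mask


def vti_plan(conn: Section) -> List[str]:
    """Validate the settings a VTI conn needs and return the `ip` commands that
    would create the matching device by hand.
    ASSUMPTION (Linux ip_vti): the device's `key` is the fwmark used to select
    the tunnel's xfrm policies/states, so it must equal the conn's mark value."""
    missing = [k for k in ("left", "right", "mark", "vti-interface") if k not in conn]
    if missing:
        raise ValueError("route-based conn is missing: " + ", ".join(missing))
    value, _mask = parse_mark(conn["mark"])
    iface = conn["vti-interface"]
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,15}", iface):       # IFNAMSIZ limit
        raise ValueError(f"invalid interface name: {iface!r}")
    routing = conn.get("vti-routing", "no")                     # assumed default: no
    if routing != "no":
        for side in ("leftsubnet", "rightsubnet"):
            if conn.get(side) == "0.0.0.0/0":
                raise ValueError(
                    f"vti-routing={routing} with {side}=0.0.0.0/0 would route all "
                    "traffic into the tunnel; keep vti-routing=no and add routes by hand")
    return [
        f"ip link add {iface} type vti local {conn['left']} remote {conn['right']} key {value}",
        f"ip link set {iface} up",
    ]


if __name__ == "__main__":
    cfg = parse_ipsec_conf(SAMPLE_CONF)
    print("protostack:", cfg["setup"].get("protostack"))
    for cmd in vti_plan(cfg["routed-vpn"]):
        print(cmd)
```

<p>Running it against the sample prints the two <code>ip link</code> commands for <code>vti01</code> with <code>key 5</code>; a conn whose mark is dropped, or whose <code>vti-routing</code> is switched on while a subnet is <code>0.0.0.0/0</code>, is rejected with a <code>ValueError</code> before any command is produced. Separately from the script: <code>ip_vti0</code> in the <code>ip link</code> output is the fallback device the <code>ip_vti</code> kernel module creates when it is loaded, not a per-tunnel device, so seeing it only shows that the module is available.</p>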