<div dir="ltr">Hi,<div><br></div><div>I'm trying to play around with VTI support. I have the following conf in /etc/ipsec.conf</div><div>
<p><span>conn routed-vpn</span></p>
<p><span> left=10.2.128.241</span></p>
<p><span> right=10.2.128.240</span></p>
<p> leftsubnet=0.0.0.0/0<br></p>
<p><span> rightsubnet=0.0.0.0/0</span></p>
<p><span> ike=aes128-sha1;modp4096</span></p>
<p><span> esp=aes128-sha1</span></p>
<p><span> type=tunnel</span></p>
<p><span> authby=secret</span></p>
<p><span> auth=esp</span></p>
<p><span> keyexchange=ike</span></p>
<p><span> keyingtries=2</span></p>
<p><span> disablearrivalcheck=no</span></p>
<p><span> ikev2=no</span></p>
<p><span> auto=add</span></p>
<p><span> # route-based VPN requires marking and an interface</span></p>
<p><span> mark=5/0xffffffff</span></p>
<p><span> vti-interface=vti01</span></p>
<p><span> # do not set up routing because we don't want to send 0.0.0.0/0 over the tunnel</span></p>
<p><span> vti-routing=no</span></p><p>Do we need anything else in the ipsec.conf file such as:</p><p><span>config setup</span></p><p><span> protostack=netkey</span></p><p><span> interfaces="vti01=eth1"</span></p><p>
</p><p><span> plutodebug=all</span></p><p><span>Note that I want to have a route-based VPN via netkey/pluto. I have set up /etc/ipsec.secrets to have a PSK on both ends.</span></p><p><span>If I run "</span>ipsec start"</p><p>I get:</p>
<p><span>Redirecting to: start ipsec</span></p>
<p><span>start: Job failed to start</span></p><p><span>So, I should not start ipsec that way?</span></p><p><span><br></span></p><p><span>If I run:</span></p><p><span>ipsec pluto --stderrlog --config /etc/ipsec.conf </span></p><p><span>I get:</span></p><p>Both ends look fine. </p><p>"ipsec status" gives the following:</p><p class=""><span class="">000 Connection list:</span></p><p class=""><span class="">000 </span></p><p class=""><span class="">000 "routed-vpn": 0.0.0.0/0===10.2.128.240<10.2.128.240>...10.2.128.241<10.2.128.241>===0.0.0.0/0; unrouted; eroute owner: #0</span></p><p class=""><span class="">000 "routed-vpn": unoriented; my_ip=unset; their_ip=unset</span></p><p class=""><span class="">000 "routed-vpn": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]</span></p><p class=""><span class="">000 "routed-vpn": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;</span></p><p class=""><span class="">000 "routed-vpn": labeled_ipsec:no;</span></p><p class=""><span class="">000 "routed-vpn": policy_label:unset;</span></p><p class=""><span class="">000 "routed-vpn": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2;</span></p><p class=""><span class="">000 "routed-vpn": retransmit-interval: 500ms; retransmit-timeout: 60s;</span></p><p class=""><span class="">000 "routed-vpn": sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;</span></p><p class=""><span class="">000 "routed-vpn": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;</span></p><p class=""><span class="">000 "routed-vpn": conn_prio: 0,0; interface: ; metric: 0; mtu: unset; sa_prio:auto;</span></p><p class=""><span class="">000 "routed-vpn": nflog-group: unset; mark: 5/0xffffffff, 5/0xffffffff; vti-iface: vti01; vti-routing: no</span></p><p class=""><span class="">000 "routed-vpn": newest ISAKMP SA: #0; newest IPsec SA: #0;</span></p><p class=""><span class="">000 "routed-vpn": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP4096(16)</span></p><p class=""><span class="">000 "routed-vpn": IKE algorithms found: AES_CBC(7)_128-SHA1(2)-MODP4096(16)</span></p><p class=""><span class="">000 "routed-vpn": ESP algorithms wanted: AES(12)_128-SHA1(2)</span></p><p class=""><span class="">000 "routed-vpn": ESP algorithms loaded: AES(12)_128-SHA1(2)</span></p><p class=""><span class="">000 </span></p><p>
</p><p class=""><span class="">000 Total IPsec connections: loaded 1, active 0</span></p><p><span>Ip link does not show interface vti01. but it has the following:</span></p><p class=""><span class="">19: ip_vti0@NONE: <NOARP,UP,LOWER_UP> mtu 1332 qdisc noqueue state UNKNOWN mode DEFAULT group default </span></p><p>
</p><p class=""><span class=""> link/ipip 0.0.0.0 brd 0.0.0.0</span></p><p class=""><span class="">what is the ip_vti0 here?</span></p><p class=""><span class="">No connection can be made between two ends.</span></p><p class=""><span class="">Can anybody tell me what I'm doing wrong here and how to fix it?</span></p><p class=""><br></p><p class="">Thanks,</p><p class="">Xinwei</p><p class=""><span class=""><br></span></p><p><span><br></span></p></div></div>