<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
OK, so nobody knows about this. So how about more general help? How
do I configure strongSwan to connect with a Cisco VTI VPN?<br>
<br>
Regards,<br>
Brad<br>
<br>
<div class="moz-cite-prefix">On 04/25/2014 10:33 AM, Brad Johnson
wrote:<br>
</div>
<blockquote cite="mid:535A8054.7000201@ecessa.com" type="cite">
I am trying to get strongSwan working together with VTI type links
or tunnels for more flexibility with marking and routing VPN
traffic. We are running a Gentoo distro with strongSwan version
5.1.2 and kernel 3.10.26. I need to figure out how to properly
associate a VTI type link with an ipsec SA and policy. I have
successfully connected a SA with 'mark_in=32' and 'mark_out=32' in
the conn section of ipsec.conf, and added the proper iptables
mangle prerouting rules to mark inbound and outbound packets (' -j
MARK --set-mark 32'). With that I can successfully ping end-to-end
over the VPN (from host behind one router to host behind the
remote router).<br>
Now I have created a VTI link like this:<br>
# ip link add vti0 type vti local x.x.x.x remote y.y.y.y ikey 32
okey 32<br>
<br>
And I have tried many ways to associate this link with my ipsec SA
without success. And after much searching the Internet I have
found very little help. According to this Linux kernel patch: <a
href="http://www.spinics.net/lists/netdev/msg253134.html">http://www.spinics.net/lists/netdev/msg253134.html</a>
it seems there should be no need for additional iptables marking
rules, but after following the instructions there I still could
not get it to work.<br>
<br>
Any help with this would be greatly appreciated.<br>
<br>
</blockquote>
<br>
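The setup the thread is asking about, as an added example that is not part of the original post or of strongSwan's own documentation: a script that emits the two pieces which must agree for a route-based strongSwan/VTI link, the ipsec.conf conn section (mark_in/mark_out) and the VTI link commands (ikey/okey), using the mark value 32 from the post. The endpoint addresses, remote subnet, conn name and PSK authentication are placeholders assumed here, and the inbound ESP marking rule reflects the post's observation that the 3.10 kernel still needed mangle MARK rules.<br>

```shell
#!/bin/sh
# Added example (not from the thread): generate an ipsec.conf conn section
# and the matching VTI link commands for a route-based strongSwan tunnel.
# Assumptions (placeholders, not from the post): endpoint addresses, the
# remote subnet, the conn name and PSK authentication.
LOCAL_IP="${LOCAL_IP:-192.0.2.1}"          # x.x.x.x in the post
REMOTE_IP="${REMOTE_IP:-198.51.100.1}"     # y.y.y.y in the post
REMOTE_NET="${REMOTE_NET:-10.20.0.0/16}"   # network behind the remote router
MARK=32                                    # must equal ikey/okey on the VTI
VTI=vti0

# ipsec.conf conn section: 0.0.0.0/0 selectors on both sides, so routing (not
# the policy) decides what enters the tunnel; the mark ties the SA to the VTI.
# The PSK for authby=secret goes into ipsec.secrets.
ipsec_conn() {
  cat <<EOF
conn cisco-vti
    left=$LOCAL_IP
    right=$REMOTE_IP
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    authby=secret
    mark_in=$MARK
    mark_out=$MARK
    auto=start
EOF
}

# Link setup. The mangle rule marks inbound ESP so the SA with mark 32 matches
# on a kernel (like the poster's 3.10) that does not apply ikey itself; packets
# routed out through vti0 pick up okey from the device (if that does not hold
# on your kernel, add the mangle OUTPUT MARK rule the post mentions).
vti_cmds() {
  cat <<EOF
ip link add $VTI type vti local $LOCAL_IP remote $REMOTE_IP ikey $MARK okey $MARK
sysctl -w net.ipv4.conf.$VTI.disable_policy=1
ip link set $VTI up
ip route add $REMOTE_NET dev $VTI
iptables -t mangle -A PREROUTING -p esp -s $REMOTE_IP -d $LOCAL_IP -j MARK --set-mark $MARK
EOF
}

# Consistency check: the conn marks and the VTI keys carry the same value.
marks_match() {
  ipsec_conn | grep -q "mark_in=$MARK" && vti_cmds | grep -q "ikey $MARK okey $MARK"
}

if [ "${1:-show}" = "apply" ]; then
  vti_cmds | sh -e          # run as root to actually create the link
else
  ipsec_conn; echo; vti_cmds
fi
```

Run without arguments to review the generated configuration, or with `apply` (as root) to execute the link commands; the conn section still has to be pasted into ipsec.conf by hand.<br>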
</body>
</html>