[strongSwan] Using StrongSwan with VTI devices
Brad Johnson
bjohnson at ecessa.com
Fri Apr 25 17:38:23 CEST 2014
I am trying to get strongSwan working together with VTI-type links or
tunnels for more flexibility with marking and routing VPN traffic. We
are running a Gentoo distro with strongSwan version 5.1.2 and kernel
3.10.26. I need to figure out how to properly associate a VTI-type link
with an IPsec SA and policy. I have successfully connected an SA with
'mark_in=32' and 'mark_out=32' in the conn section of ipsec.conf, and
added the proper iptables mangle PREROUTING rules to mark inbound and
outbound packets ('-j MARK --set-mark 32'). With that I can
successfully ping end-to-end over the VPN (from a host behind one router
to a host behind the remote router).

Now I have created a VTI link like this:

# ip link add vti0 type vti local x.x.x.x remote y.y.y.y ikey 32 okey 32

I have tried many ways to associate this link with my IPsec SA
without success, and after much searching of the Internet I have found
very little help. I found this:
http://www.spinics.net/lists/netdev/msg202714.html - but following that
did not work.

And according to this Linux kernel patch:
http://www.spinics.net/lists/netdev/msg253134.html - it seems there
should be no need for additional iptables marking rules, but after
following the instructions there I still could not get it to work.

Any help with this would be greatly appreciated.

Regards,
Brad
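The pieces the message above describes, put together on one router as an added example (this is not part of the original message and not strongSwan's own code). The mark 32 is the one used in the post; the addresses, the remote subnet, the conn name and the pre-shared-key authentication (ipsec.secrets is assumed to hold the PSK) are hypothetical placeholders. The `charon.install_routes = no` setting and the `disable_policy` sysctl are the usual route-based strongSwan setup and are assumed to apply to this kernel and strongSwan combination; the iptables rule is one rendering of the `-j MARK --set-mark 32` workaround the post mentions, restricted to the peer's ESP, and is only for kernels whose VTI driver does not set the mark itself.

```shell
#!/bin/sh
# Added example (not from the original post or the strongSwan project):
# one router's side of a route-based VPN in which a VTI device and a
# strongSwan conn share the same mark. All values are placeholders except
# the mark, which is the 32 used in the post.
MARK=32
LOCAL=192.0.2.1          # this router's public address (placeholder)
REMOTE=198.51.100.1      # the peer's public address (placeholder)
REMOTE_NET=10.2.0.0/16   # subnet behind the peer (placeholder)
VTI=vti0

# ipsec.conf conn. mark_in/mark_out must equal the VTI's ikey/okey:
# a mismatch means packets routed into the VTI never match the SA/policy
# and are silently dropped or sent in the clear by another route.
# Subnets are 0.0.0.0/0 because the routing table, not the IPsec policy,
# decides what enters the tunnel (that is the point of using a VTI).
ipsec_conn() {
    cat <<EOF
conn vti-peer
    left=$LOCAL
    right=$REMOTE
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark_in=$MARK
    mark_out=$MARK
    authby=secret
    auto=start
EOF
}

# strongswan.conf fragment: charon must not install its own routes for the
# 0.0.0.0/0 traffic selectors (table 220), or they shadow the route via vti0.
strongswan_conf() {
    cat <<EOF
charon {
    install_routes = no
}
EOF
}

# Create the VTI with ikey/okey equal to the mark, turn off XFRM policy
# checks on the device (the marked SA protects the traffic, not a policy
# bound to vti0), and route the remote subnet into it. Requires root.
setup_vti() {
    ip link add "$VTI" type vti local "$LOCAL" remote "$REMOTE" \
        ikey "$MARK" okey "$MARK"
    ip link set "$VTI" up
    sysctl -w "net.ipv4.conf.$VTI.disable_policy=1"
    ip route add "$REMOTE_NET" dev "$VTI"
}

# Workaround from the post for kernels whose VTI driver does not set the
# mark itself: mark the peer's inbound ESP so it matches mark_in. Omit on a
# kernel that carries the VTI change the post links to.
legacy_mark_rules() {
    iptables -t mangle -A PREROUTING -s "$REMOTE" -d "$LOCAL" -p esp \
        -j MARK --set-mark "$MARK"
}

# Check once the tunnel is up: both SAs (in and out) should carry the mark,
# shown by iproute2 as "mark 0x20/0xffffffff". Returns the count (expect 2).
marked_sa_count() {
    ip xfrm state | grep -c "mark $(printf '0x%x' "$MARK")/0xffffffff"
}

# Apply only when explicitly asked and running as root, so this file is
# safe to source just for the generator functions.
if [ "${APPLY_VTI:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    setup_vti
    echo "# add to ipsec.conf:";      ipsec_conn
    echo "# add to strongswan.conf:"; strongswan_conf
fi
```

Run it as root with `APPLY_VTI=1` to create the device and route, paste the two printed fragments into place, restart charon, and then call `marked_sa_count` after `ipsec up vti-peer`: a result of 0 with the SAs otherwise established means the mark on the SA and the key on the VTI disagree.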