[strongSwan] Using StrongSwan with VTI devices

Brad Johnson bjohnson at ecessa.com
Tue Apr 29 15:29:12 CEST 2014

OK, so nobody knows about this. So how about more general help. How do I 
configure strongSwan to connect with a Cisco VTI VPN?


On 04/25/2014 10:33 AM, Brad Johnson wrote:
> I am trying to get StrongSwan working together with VTI type links or 
> tunnels for more flexibility with marking and routing VPN traffic. We 
> are running a Gentoo distro with StrongSwan version 5.1.2 and kernel 
> 3.10.26. I need to figure out how to properly associate a VTI type 
> link with an ipsec SA and policy. I have successfully connected a SA 
> with 'mark_in=32' and 'mark_out=32' in the conn section of ipsec.conf, 
> and added the proper iptables mangle prerouting rules to mark inbound 
> and outbound packets (' -j MARK --set-mark 32'). With that I can 
> successfully ping end-to-end over the VPN (from host behind one router 
> to host behind the remote router).
> Now I have created a VTI link like this:
> # ip link add vti0 type vti local x.x.x.x remote y.y.y.y ikey 32 okey 32
> And I have tried many ways to associate this link with my ipsec SA 
> without success. And after much searching the Internet I have found 
> very little help. According to this linux kernel patch: 
> http://www.spinics.net/lists/netdev/msg253134.html it seems there 
> should be no need for additional iptables marking rules, but after 
> following the instructions there I still could not get it to work.
> Any help with this would be greatly appreciated.

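For anyone landing on this thread with the same question, here is a worked example of the route-based setup the post above is trying to build. It is an added example, not code from Brad's post or from the strongSwan project, and the names in it are assumptions: device vti0, mark 32, gateway addresses 192.0.2.1 and 198.51.100.1, and 10.2.0.0/16 behind the peer. It assumes a kernel whose VTI driver matches ikey/okey against the SA and policy mark directly (the behaviour described in the netdev patch linked above); on kernels that predate that change the iptables MARK rules from the original post are still needed. The check at the end runs over a constructed sample of `ip xfrm policy` output so it can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original post or strongSwan): route-based IPsec
# with a Linux VTI device. The only coupling between the VTI and the IPsec SA
# is the mark: the VTI's okey is set as the fwmark on packets routed into the
# device and must equal mark_out on the outbound policy/SA; ikey must equal
# mark_in on the inbound SA. All names and addresses below are assumptions.

LOCAL_IP=192.0.2.1
PEER_IP=198.51.100.1
PEER_NET=10.2.0.0/16
MARK=32
DEV=vti0

# Decimal mark in the form the kernel prints it in `ip xfrm policy/state`.
mark_hex() { printf '0x%x' "$1"; }

# ipsec.conf conn: 0.0.0.0/0 selectors on both sides so the policies match
# anything routed into the VTI; mark=<n> sets mark_in and mark_out to <n>.
conn_stanza() {
    cat <<EOF
conn vti
    left=$LOCAL_IP
    right=$PEER_IP
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=$MARK
    auto=start
EOF
}

# strongswan.conf: with 0.0.0.0/0 selectors charon would otherwise install a
# catch-all route in table 220; routing is done through the VTI instead.
strongswan_conf_fragment() {
    cat <<EOF
charon {
    install_routes = no
}
EOF
}

# Privileged commands, printed rather than executed so the script can be
# reviewed first. 'key N' is shorthand for 'ikey N okey N'. disable_policy on
# the VTI skips the extra policy lookup on packets the device already
# decapsulated (assumed setting, as commonly used for route-based VPNs).
setup_cmds() {
    cat <<EOF
ip link add $DEV type vti local $LOCAL_IP remote $PEER_IP key $MARK
sysctl -w net.ipv4.conf.$DEV.disable_policy=1
ip link set $DEV up
ip route add $PEER_NET dev $DEV
EOF
}

# Check that the policies strongSwan installed carry the VTI key as their
# mark. $1 is the text of `ip xfrm policy`, $2 the decimal mark. Returns 0
# when both an "in" and an "out" policy with that mark exist, 1 otherwise.
policies_have_mark() {
    want="mark $(mark_hex "$2")/0xffffffff"
    printf '%s\n' "$1" | awk -v want="$want" '
        function flush() {
            if (dir == "in"  && m) in_ok = 1
            if (dir == "out" && m) out_ok = 1
            dir = ""; m = 0
        }
        /^src /          { flush() }
        $1 == "dir"      { dir = $2 }
        index($0, want)  { m = 1 }
        END { flush(); if (in_ok && out_ok) exit 0; exit 1 }'
}

# Constructed sample of `ip xfrm policy` output for a conn with mark=32.
SAMPLE_XFRM_POLICY='src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 2816 ptype main
    mark 0x20/0xffffffff
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir fwd priority 2816 ptype main
    mark 0x20/0xffffffff
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir in priority 2816 ptype main
    mark 0x20/0xffffffff
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 1 mode tunnel'

# Usage: sh vti-example.sh print   (show the config fragments and commands)
#        sh vti-example.sh check   (on the gateway, after 'ipsec up vti')
case "${1:-}" in
    print) conn_stanza; echo; strongswan_conf_fragment; echo; setup_cmds ;;
    check) policies_have_mark "$(ip xfrm policy)" "$MARK" \
               && echo "policies carry mark $MARK (matches $DEV key)" ;;
esac
```

If `check` fails after `ipsec up vti`, the usual cause is a mismatch between the VTI key and the conn's mark (or a kernel that still needs the mangle rules); `ip -d link show vti0` shows the keys actually set on the device, and `ip xfrm state` shows whether the SAs carry the same mark as the policies.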