[strongSwan] Using StrongSwan with VTI devices
Brad Johnson
bjohnson at ecessa.com
Tue Apr 29 15:29:12 CEST 2014
OK, so nobody knows about this. So how about more general help? How do I
configure strongSwan to connect with a Cisco VTI VPN?

Regards,
Brad

On 04/25/2014 10:33 AM, Brad Johnson wrote:
> I am trying to get StrongSwan working together with VTI type links or
> tunnels for more flexibility with marking and routing VPN traffic. We
> are running a Gentoo distro with StrongSwan version 5.1.2 and kernel
> 3.10.26. I need to figure out how to properly associate a VTI type
> link with an ipsec SA and policy. I have successfully connected an SA
> with 'mark_in=32' and 'mark_out=32' in the conn section of ipsec.conf,
> and added the proper iptables mangle prerouting rules to mark inbound
> and outbound packets (' -j MARK --set-mark 32'). With that I can
> successfully ping end-to-end over the VPN (from host behind one router
> to host behind the remote router).
> Now I have created a VTI link like this:
> # ip link add vti0 type vti local x.x.x.x remote y.y.y.y ikey 32 okey 32
>
> And I have tried many ways to associate this link with my ipsec SA
> without success. And after much searching the Internet I have found
> very little help. According to this Linux kernel patch:
> http://www.spinics.net/lists/netdev/msg253134.html it seems there
> should be no need for additional iptables marking rules, but after
> following the instructions there I still could not get it to work.
>
> Any help with this would be greatly appreciated.
>