[strongSwan] Strongswan using VTI

Olivier PELERIN olivier_pelerin at hotmail.com
Wed Dec 17 12:08:22 CET 2014

Dear Strongswan alias,

I'm trying a VTI config between a Linux box and a Cisco router.

I've created a VTI interface on my Linux

ip tunnel add vti0 mode vti local remote okey 32 ikey 32
ip link set vti0 up
ip addr add remote dev vti0

conn VTI

manowar python # ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2rc1, Linux 3.18.1-gentoo, x86_64):
  uptime: 114 seconds, since Dec 17 11:53:47 2014
  malloc: sbrk 2416640, mmap 0, used 373840, free 2042800
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon ldap aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
         VTI:  %any...  IKEv2
         VTI:   local:  [] uses pre-shared key authentication
         VTI:   remote: [] uses pre-shared key authentication
         VTI:   child: === TUNNEL
Routed Connections:
         VTI{1}:  ROUTED, TUNNEL
         VTI{1}: === 
Security Associations (1 up, 0 connecting):
         VTI[1]: ESTABLISHED 109 seconds ago,[]...[]
         VTI[1]: IKEv2 SPIs: e1e9a005055323ab_i* 78c7cc9d34a5886f_r, pre-shared key reauthentication in 2 hours
         VTI[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
         VTI{1}:  INSTALLED, TUNNEL, ESP SPIs: c8031e20_i 37b2a5a2_o
         VTI{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 1848 bytes_o (22 pkts, 8s ago), rekeying in 44 minutes
         VTI{1}: === 

I do have ESP in 

manowar python #  tcpdump -nNi netio0
error : ret -1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on netio0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:07:57.840726 IP > ESP(spi=0x37b2a5a2,seq=0x2bf), length 132
12:07:57.841405 IP > ESP(spi=0xc8031e20,seq=0x2bf), length 132
12:07:58.840971 IP > ESP(spi=0x37b2a5a2,seq=0x2c0), length 132
12:07:58.841336 IP > ESP(spi=0xc8031e20,seq=0x2c0), length 132

But it seems not to be decapsulated by the kernel.

Any ideas why?
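In strongSwan's documented route-based (VTI) setup the conn's mark_in/mark_out are set equal to the ikey/okey given to `ip tunnel add`, so the installed SAs are tied to vti0 by mark; a quick sanity check is to compare what `ip xfrm state` reports against the interface keys. The following is an added example, not the poster's code or strongSwan's: a POSIX shell check that parses `ip xfrm state` output and flags SAs whose mark does not match the VTI keys. The addresses and the abbreviated state listing are constructed; only the SPIs and the key value 32 come from the post.

```shell
#!/bin/sh
# Added example (not the poster's code): compare the marks on installed xfrm SAs
# with the ikey/okey of a VTI interface. strongSwan ties SAs to vti0 through
# mark_in/mark_out, which have to equal the keys given to "ip tunnel add".
# vti_mark_check LOCAL_IP IKEY OKEY  < output of "ip xfrm state"
# Prints one line per SA; returns 0 only if every inbound SA (dst == LOCAL_IP)
# carries IKEY and every outbound SA (src == LOCAL_IP) carries OKEY.
vti_mark_check() {
    awk -v local="$1" -v ikey="$2" -v okey="$3" '
        # Portable hex to decimal (strtonum is gawk-only).
        function hex2dec(h,    i, v) {
            sub(/^0x/, "", h); v = 0
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
            return v
        }
        function flush(    dir, want, state) {
            if (spi == "") return
            if (dst == local) { dir = "in"; want = ikey } else { dir = "out"; want = okey }
            state = (mark == want) ? "OK" : "MISMATCH"
            if (state != "OK") bad = 1
            printf "%s spi=%s mark=%d expected=%d %s\n", dir, spi, mark, want, state
        }
        BEGIN { bad = 0 }
        $1 == "src" && $3 == "dst" { flush(); src = $2; dst = $4; spi = ""; mark = 0 }
        $1 == "proto" { for (i = 1; i < NF; i++) if ($i == "spi") spi = $(i + 1) }
        $1 == "mark"  { split($2, m, "/"); mark = hex2dec(m[1]) }
        END { flush(); exit bad }
    '
}

# Constructed, abbreviated "ip xfrm state" listing with the SPIs from the post
# and documentation addresses (192.0.2.1 plays the Linux box). Without the
# "marked" argument the inbound SA lacks the mark vti0 (ikey 32 = 0x20) expects.
sample_states() {
    cat <<EOF
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0xc8031e20 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
$(if [ "$1" = marked ]; then echo "    mark 0x20/0xffffffff"; fi)
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0x37b2a5a2 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    mark 0x20/0xffffffff
EOF
}

# On a live box: ip xfrm state | vti_mark_check <local-ip> 32 32
sample_states | vti_mark_check 192.0.2.1 32 32 || echo "some SAs lack the vti0 marks"
```

The interface's own ikey/okey can be read back with `ip -d link show vti0` to feed the check.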