[strongSwan] Using StrongSwan with VTI devices
Brad Johnson
bjohnson at ecessa.com
Tue Sep 2 22:18:03 CEST 2014
No, I get traffic in both directions over the vti interface. Did you
create the vti link with the 'key' parameter, or okey/ikey? Look at the
xfrm SA and policies ('ip x s' and 'ip x p') and you should see the
proper mark value in all directions.
...Brad
On 09/02/2014 03:05 PM, Andre Valentin wrote:
> Hi Brad,
>
> I can now acknowledge it's working. But the funny thing is that I
> have no RX traffic on vti1 ???
>
> 5: vti1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state
> UNKNOWN mode DEFAULT group default
> link/ipip 192.168.4.58 peer 192.168.4.59
> RX: bytes packets errors dropped overrun mcast
> 0 0 0 0 0 0
> TX: bytes packets errors dropped carrier collsns
> 153048 1822 28 0 28 0
>
> Please ignore the errors...
> If I run tcpdump the packets do not arrive on the vti1 interface. It
> is just working for TX packets. Is it in your case too? The decrypted
> packets still come in over the WAN if.
>
> Kind regards,
>
> André
>
>
> On 02.09.2014 21:38, Brad Johnson wrote:
>> Hello,
>> We set a mark for the SA in ipsec.conf (e.g. 'mark=100') and create a
>> vti link with the same key (e.g. 'key=100'). Then we just add routes
>> to remote subnets over the vti device.
>>
>> Regards,
>> Brad
>>
>> On 09/02/2014 01:37 PM, Andre Valentin wrote:
>>> Hello!
>>>
>>> I read your mails about VTI devices. I'm currently experimenting
>>> with it, but without success.
>>> Here is the documentation I followed:
>>> https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/net/ipv4/ip_vti.c?h=linux-3.16.y&id=7263a5187f9e9de45fcb51349cf0e031142c19a1
>>>
>>>
>>> But it does not work. Do you have a hint for me how you have
>>> implemented it? I also added the mailing list
>>> to document it for others.
>>>
>>> Kind regards,
>>>
>>> André
>>>
>>
>
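
Added example, not part of the thread or of strongSwan: a small Python check for the advice above to look at 'ip x p' and confirm the mark appears in all directions. It parses `ip xfrm policy` output and lists the directions with no policy matching the vti key; the sample text, subnets and function names are constructed for illustration.

```python
import re

# Constructed sample in the layout `ip xfrm policy` prints; the subnets are
# made up, and the "in" policy deliberately has no mark line.
SAMPLE = """\
src 10.1.0.0/16 dst 10.2.0.0/16
    dir out priority 2883
    mark 0x64/0xffffffff
    tmpl src 192.168.4.58 dst 192.168.4.59
        proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
    dir fwd priority 2883
    mark 0x64/0xffffffff
    tmpl src 192.168.4.59 dst 192.168.4.58
        proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
    dir in priority 2883
    tmpl src 192.168.4.59 dst 192.168.4.58
        proto esp reqid 1 mode tunnel
"""

def parse_policies(text):
    """Return one dict per policy: selector line, direction, (mark, mask)."""
    policies = []
    for line in text.splitlines():
        if line.startswith("src "):  # unindented selector line opens a policy
            policies.append({"selector": line.strip(), "dir": None, "mark": None})
            continue
        if not policies:
            continue
        cur = policies[-1]
        m = re.search(r"\bdir (in|out|fwd)\b", line)
        if m:
            cur["dir"] = m.group(1)
        m = re.search(r"\bmark (\w+)/(\w+)", line)  # decimal or 0x-prefixed
        if m:
            cur["mark"] = (int(m.group(1), 0), int(m.group(2), 0))
    return policies

def directions_without_mark(text, key):
    """Directions with no policy whose mark/mask matches the vti key."""
    policies = parse_policies(text)
    def matches(p, wanted):
        return (p["dir"] == wanted and p["mark"] is not None
                and (key & p["mark"][1]) == p["mark"][0])
    return [d for d in ("in", "out", "fwd")
            if not any(matches(p, d) for p in policies)]

if __name__ == "__main__":
    print(directions_without_mark(SAMPLE, 100))
```

On a live host, pass it the captured output of `ip xfrm policy` and the decimal key given to the vti link (100 in the thread's example).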