[strongSwan] Using StrongSwan with VTI devices
bjohnson at ecessa.com
Tue Sep 2 22:18:03 CEST 2014
No, I get traffic in both directions over the vti interface. Did you
create the vti link with the 'key' parameter, or okey/ikey? Look at the
xfrm SA and policies ('ip x s' and 'ip x p') and you should see the
proper mark value in all directions.
On 09/02/2014 03:05 PM, Andre Valentin wrote:
> Hi Brad,
> I now can acknowledge it's working. But the funny thing is that I
> have no RX traffic on vti1???
> 5: vti1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default
>     link/ipip 192.168.4.58 peer 192.168.4.59
>     RX: bytes  packets  errors  dropped overrun mcast
>     0          0        0       0       0       0
>     TX: bytes  packets  errors  dropped carrier collsns
>     153048     1822     28      0       28      0
> Please ignore the errors...
> If I run tcpdump the packets do not arrive on the vti1 interface. It
> is just working for TX packets. Is it in your case too? The decrypted
> packets still come in over the WAN if.
> Kind regards,
> On 02.09.2014 21:38, Brad Johnson wrote:
>> We set a mark for the SA in ipsec.conf (e.g. 'mark=100') and create a
>> vti link with the same key (e.g. 'key=100'). Then we just add routes
>> to remote subnets over the vti device.
>> On 09/02/2014 01:37 PM, Andre Valentin wrote:
>>> I read your mails about VTI devices. I'm currently experimenting
>>> with it, but without success.
>>> Here is the documentation I followed:
>>> But it does not work. Do you have a hint for me how you have
>>> implemented it? I also added the mailing list
>>> to document it for others.
>>> Kind regards,
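
Added example, not part of the thread: a shell check for the advice above to inspect 'ip x p' for the mark in all directions. It reads `ip xfrm policy` text and verifies that a policy carrying the VTI key exists for both `in` and `out`. The function name, the 10.x subnets and the sample text are constructed, and limiting the check to `in` and `out` is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ip xfrm policy` text on stdin and
# checks that a policy marked with the VTI key exists for dir "in" and dir "out".
# Usage on a live host:  ip xfrm policy | check_vti_marks 100

check_vti_marks() {
    # Accept only a decimal or 0x-prefixed mark before doing arithmetic on it.
    case $1 in ''|*[!0-9a-fA-Fx]*|[!0-9]*) echo "usage: check_vti_marks MARK" >&2; return 2 ;; esac
    vti_want=$(( $1 )); vti_in=0; vti_out=0
    # awk prints one "<dir> <mark>" pair per policy block; unmarked blocks get "none".
    vti_pairs=$(awk '
        function emit() { if (dir != "") print dir, mark }
        /^src /      { emit(); dir = ""; mark = "none" }
        $1 == "dir"  { dir = $2 }
        $1 == "mark" { split($2, a, "/")   # value/mask, hex or decimal
                       if (a[1] ~ /^(0x[0-9a-fA-F]+|[0-9]+)$/) mark = a[1] }
        END          { emit() }')
    while read -r vti_dir vti_mark; do
        [ -n "$vti_mark" ] || continue
        [ "$vti_mark" = none ] && continue
        [ $(( $vti_mark )) -eq "$vti_want" ] || continue
        case $vti_dir in in) vti_in=1 ;; out) vti_out=1 ;; esac
    done <<EOF
$vti_pairs
EOF
    [ "$vti_in" -eq 1 ]  || echo "no 'in' policy carries mark $vti_want"
    [ "$vti_out" -eq 1 ] || echo "no 'out' policy carries mark $vti_want"
    [ "$vti_in" -eq 1 ] && [ "$vti_out" -eq 1 ]
}

# Constructed sample: the "out" policy is marked 0x64 (100), the "in" policy is not.
sample_policy() {
    cat <<'EOF'
src 10.1.0.0/16 dst 10.2.0.0/16
    dir out priority 2883
    mark 0x64/0xffffffff
    tmpl src 192.168.4.58 dst 192.168.4.59
        proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
    dir in priority 2883
    tmpl src 192.168.4.59 dst 192.168.4.58
        proto esp reqid 1 mode tunnel
EOF
}
```

`sample_policy | check_vti_marks 100` reports the missing `in` mark and returns non-zero.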