[strongSwan] VTI Interface without virtual IPs

Noel Kuntze noel at familie-kuntze.de
Wed Mar 29 20:57:54 CEST 2017


On 29.03.2017 20:39, Berlakovich Felix (OeRK-W) wrote:
> Hi!
> 
>>> There are no tunnel ip addresses in use and configuring one with
>>> leftsourceip breaks the connection. I would like to have a VTI interface
>>> representing the tunnel. This would simplify packet capture and iptables
>>> configuration. However, all the examples I could find configured the VTI
>>> interface with local and remote IP address. Is my intended configuration
>>> even possible?
>>
>> Yes, you don't need to use any virtual IPs with tunnel interfaces. In fact, you
>> shouldn't manage the interfaces using the IKE daemon at all. Just create the
>> device (and maybe assign addresses and routes for it) when the network is
>> initialized, then start charon and use auto=route.
> Could you give me an example of how to create such an address-less tunnel interface? When I try to create one without addresses the following happens:

I was talking about "virtual" IPs. What's this use case? The kernel uses the local and remote IP addresses
of the VTI to figure out the SAs and SPs. You need to set the local address in any case.
You were using "leftsourceip", which is used for requesting virtual IP addresses from the remote peer.

Just set the local and remote address of the VTI to your local and the peer's IP. That's it.
If the remote peer's IP is dynamic, use 0.0.0.0. For more information, read the wiki article about route based VPNs[1].

>>>  This would simplify packet capture and iptables configuration.
>> This is a moot point, because it's not really difficult.
> You are right, it is not really difficult. However, for some having a tunnel interface to work with seems to be easier ;).

Take the 10 minutes to understand how to dump traffic in the different iptables chains and tables and how to firewall
and you save yourself the headache of VTIs, restrictions of route based tunneling and the inflexibility of this.

AFAIK, the only valid use case for VTIs is to build dynamic routing on top.

PS: Please make sure you always send the email to the list, too.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN

-- 

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
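The route-based setup described in the reply (create the VTI at network init with the real local/peer addresses and a mark, let charon install policies with auto=route), as an added example that is not part of the original thread or of strongSwan's own documentation. Interface name, mark value, conn name and addresses are assumptions; the script only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread or the strongSwan project): emit the commands
# for an address-less, mark-keyed VTI as the reply describes. The VTI endpoints are
# the real outer IPs (not virtual IPs); a dynamic peer becomes 0.0.0.0. Assumed
# names: vti0, mark 42, 203.0.113.10 / 198.51.100.20 (documentation ranges).

# vti_cmds DEV LOCAL REMOTE MARK [SUBNET]  -> prints the ip/sysctl commands
vti_cmds() {
    dev=$1; local_ip=$2; remote_ip=${3:-0.0.0.0}; mark=$4; subnet=$5
    # The key must be a non-zero integer so the kernel can match it to the
    # XFRM mark charon sets on the SAs and policies.
    case $mark in
        ''|*[!0-9]*|0) echo "mark must be a positive integer" >&2; return 1 ;;
    esac
    printf 'ip link add %s type vti local %s remote %s key %s\n' \
        "$dev" "$local_ip" "$remote_ip" "$mark"
    # Policies live on the XFRM side, so skip policy lookups on the VTI itself.
    printf 'sysctl -w net.ipv4.conf.%s.disable_policy=1\n' "$dev"
    printf 'ip link set %s up\n' "$dev"
    # Selection is by routing into the device, not by a virtual IP on it.
    [ -n "$subnet" ] && printf 'ip route add %s dev %s\n' "$subnet" "$dev"
    return 0
}

# vti_conn_conf MARK LOCAL REMOTE -> ipsec.conf conn fragment (assumed conn name).
# Traffic selectors are wide open because routing does the selection; the mark
# ties this conn to the VTI key, and auto=route installs trap policies at start.
vti_conn_conf() {
    cat <<EOF
conn vti-route-based
    left=$2
    right=$3
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=$1
    auto=route
EOF
}

# Usage with the assumed values (only prints; run the output as root to apply).
vti_cmds vti0 203.0.113.10 198.51.100.20 42 10.0.0.0/24
vti_conn_conf 42 203.0.113.10 198.51.100.20
```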



