[strongSwan] VTI Interface without virtual IPs

Berlakovich Felix (OeRK-W) Felix.Berlakovich at w.roteskreuz.at
Thu Mar 30 09:05:48 CEST 2017


> > Hi!
> >
> >>> There are no tunnel IP addresses in use and configuring one with
> >>> leftsourceip breaks the connection. I would like to have a VTI
> >>> interface representing the tunnel. This would simplify packet capture
> >>> and iptables configuration. However, all the examples I could find
> >>> configured the VTI interface with local and remote IP address. Is my
> >>> intended configuration even possible?
> >>
> >> Yes, you don't need to use any virtual IPs with tunnel interfaces. In
> >> fact, you shouldn't manage the interfaces using the IKE daemon at
> >> all. Just create the device (and maybe assign addresses and routes
> >> for it) when the network is initialized, then start charon and use
> >> auto=route.
> > Could you give me an example of how to create such an address-less
> > tunnel interface? When I try to create one without addresses the following
> > happens:
> 
> I was talking about "virtual" IPs. What's this use case? The kernel uses the
> local and remote IP addresses of the VTI to figure out the SAs and SPs. You
> need to set the local address in any case.
> You were using "leftsourceip", which is used for requesting virtual IP
> addresses from the remote peer.
> 
> Just set the local and remote address of the VTI to your local and the peer's
> IP. That's it.
> If the remote peer's IP is dynamic, use 0.0.0.0. For more information, read
> the wiki article about route based VPNs[1].

Thanks for the clarification! I already read the article, but with your explanation I seem to finally understand it :).

> >>> This would simplify packet capture and iptables configuration.
> >> This is a moot point, because it's not really difficult.
> > You are right, it is not really difficult. However, for some having a tunnel
> > interface to work with seems to be easier ;).
> 
> Take the 10 minutes to understand how to dump traffic in the different
> iptables chains and tables and how to firewall and you save yourself the
> headache of VTIs, restrictions of route based tunneling and the inflexibility of
> this.
> 
> AFAIK, the only valid use case for VTIs is to build dynamic routing on top.

It was meant as a convenience for not so network-aware colleagues, but the more I think about it the less intuitive it is anyway. Thanks for the hint!

> PS: Please make sure you always send the email to the list, too.

Sorry for the inconvenience!

Best regards

Felix
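The setup described in the reply above (a VTI whose local and remote addresses are the real tunnel endpoints, no virtual IPs, 0.0.0.0 for a dynamic peer, auto=route) and the interface-free iptables alternative it recommends, as an added example that is not code from this thread or from the strongSwan project. The addresses 192.0.2.1 and 198.51.100.1, the interface name vti0, the mark/key 42 and the remote network 10.2.0.0/16 are made-up values; the disable_policy sysctl follows the strongSwan route-based VPN wiki rather than anything said in this thread. The script only prints the commands unless APPLY=1 is set, so it can be reviewed before anything touches the kernel.

```shell
#!/bin/sh
# Added example (not from this thread or the strongSwan project): print the
# commands for an address-less VTI whose endpoints are the real tunnel
# endpoints, the matching ipsec.conf stanza, and the iptables-only alternative.
# Hypothetical values: local 192.0.2.1, peer 198.51.100.1, mark/key 42,
# remote network 10.2.0.0/16. Set APPLY=1 to actually run the ip(8) commands.

# is_ipv4 ADDR: dotted-quad check so a typo fails here, not in the kernel
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# vti_commands IFACE LOCAL PEER MARK [NET...]: print the ip(8) commands. PEER
# may be 0.0.0.0 for a dynamic peer. No address is put on the VTI itself; the
# routes for the remote networks simply point into it.
vti_commands() {
    iface=$1; local_ip=$2; peer=$3; mark=$4
    shift 4
    is_ipv4 "$local_ip" || { echo "bad local address: $local_ip" >&2; return 1; }
    is_ipv4 "$peer"     || { echo "bad peer address: $peer" >&2; return 1; }
    printf 'ip link add %s type vti local %s remote %s key %s\n' \
        "$iface" "$local_ip" "$peer" "$mark"
    # Decrypted packets reappear on the VTI and would be policy-checked a second
    # time; the strongSwan wiki turns that per-interface check off for VTIs.
    printf 'sysctl -w net.ipv4.conf.%s.disable_policy=1\n' "$iface"
    printf 'ip link set %s up\n' "$iface"
    for net in "$@"; do
        printf 'ip route add %s dev %s\n' "$net" "$iface"
    done
}

# conn_stanza NAME LOCAL PEER MARK: ipsec.conf conn for a route-based tunnel.
# mark= binds the SAs and policies to the VTI key; the 0.0.0.0/0 selectors let
# the route, not the policy, decide what goes into the tunnel.
conn_stanza() {
    if [ "$3" = 0.0.0.0 ]; then
        right=%any; auto=add      # dynamic peer: this side can only respond
    else
        right=$3; auto=route      # static peer: trap policy brings it up on demand
    fi
    printf 'conn %s\n    left=%s\n    right=%s\n' "$1" "$2" "$right"
    printf '    leftsubnet=0.0.0.0/0\n    rightsubnet=0.0.0.0/0\n'
    printf '    mark=%s\n    auto=%s\n' "$4" "$auto"
}

# policy_rules NET: the VTI-free alternative from the reply: match traffic by
# the IPsec policy it was (or will be) processed under, not by a device.
policy_rules() {
    printf 'iptables -A INPUT  -m policy --dir in  --pol ipsec -s %s -j ACCEPT\n' "$1"
    printf 'iptables -A OUTPUT -m policy --dir out --pol ipsec -d %s -j ACCEPT\n' "$1"
}

if [ "${APPLY:-0}" = 1 ]; then
    vti_commands vti0 192.0.2.1 198.51.100.1 42 10.2.0.0/16 | sh -e
else
    vti_commands vti0 192.0.2.1 198.51.100.1 42 10.2.0.0/16
    conn_stanza vti-peer 192.0.2.1 198.51.100.1 42
    policy_rules 10.2.0.0/16
fi
```

When the VTI approach is used, charon should not also install its own routes for the tunnel (it would otherwise add them to its routing table 220 alongside the route via vti0); `charon.install_routes = no` in strongswan.conf turns that off. On a gateway that forwards for other hosts, the policy match goes into the FORWARD chain instead of INPUT/OUTPUT, and `tcpdump -i vti0` is replaced by capturing on the physical interface and filtering on the inner addresses, which is the "dump traffic in the different chains" approach the reply refers to.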