On 13.05.2016 at 21:52, Paul Wouters wrote:

Hi,

A lot of people have been asking us about VTI support for route-based
VPN. We have an initial developer release ready to test that
feature. Additionally, this VTI feature allows you to have an ipsec0
interface like KLIPS would give you, where you can run tcpdump and
iptables on the "clear" interface.

I wrote up a wiki page explaining the feature and how to configure it:

https://libreswan.org/wiki/Route-based_VPN_using_VTI

Hi,

what are the exact requirements?
I've installed dr2 successfully on a Debian Jessie, OpenStack environment (make deb), but there's no vti01 interface:

May 20 09:14:58 debian pluto[1484]: NSS DB directory: sql:/etc/ipsec.d
May 20 09:14:58 debian pluto[1484]: NSS initialized
May 20 09:14:58 debian pluto[1484]: libcap-ng support [disabled]
May 20 09:14:58 debian pluto[1484]: FIPS HMAC integrity support [disabled]
May 20 09:14:58 debian pluto[1484]: Linux audit support [disabled]
May 20 09:14:58 debian pluto[1484]: Starting Pluto (Libreswan Version 3.18dr2 XFRM(netkey) KLIPS USE_FORK USE_PTHREAD_SETSCHEDPRIO NSS DNSSEC USE_SYSTEMD_WATCHDOG XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:1484
May 20 09:14:58 debian pluto[1484]: core dump dir: /var/run/pluto/
May 20 09:14:58 debian pluto[1484]: secrets file: /etc/ipsec.secrets
May 20 09:14:58 debian pluto[1484]: leak-detective disabled
May 20 09:14:58 debian pluto[1484]: NSS crypto [enabled]
May 20 09:14:58 debian pluto[1484]: XAUTH PAM support [enabled]
May 20 09:14:58 debian pluto[1484]: NAT-Traversal support  [enabled]
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_AES_CTR: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_A: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_B: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_C: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
May 20 09:14:58 debian pluto[1484]: starting up 1 crypto helpers
May 20 09:14:58 debian pluto[1484]: started thread for crypto helper 0 (master fd 10)
May 20 09:14:58 debian pluto[1484]: Using Linux XFRM/NETKEY IPsec interface code on 3.16.0-4-amd64
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating aes_ccm_12: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating aes_ccm_16: Ok
May 20 09:14:59 debian pluto[1484]: added connection description "v6neighbor-hole-in"
May 20 09:14:59 debian pluto[1484]: added connection description "v6neighbor-hole-out"
May 20 09:14:59 debian pluto[1484]: added connection description "routed-vpn"
May 20 09:14:59 debian pluto[1484]: listening for IKE messages
May 20 09:14:59 debian pluto[1484]: adding interface eth0/eth0 X:500
May 20 09:14:59 debian pluto[1484]: adding interface eth0/eth0 X:4500
May 20 09:14:59 debian pluto[1484]: adding interface lo/lo 127.0.0.1:500
May 20 09:14:59 debian pluto[1484]: adding interface lo/lo 127.0.0.1:4500
May 20 09:14:59 debian pluto[1484]: adding interface lo/lo ::1:500
May 20 09:14:59 debian pluto[1484]: | setup callback for interface lo:500 fd 20
May 20 09:14:59 debian pluto[1484]: | setup callback for interface lo:4500 fd 19
May 20 09:14:59 debian pluto[1484]: | setup callback for interface lo:500 fd 18
May 20 09:14:59 debian pluto[1484]: | setup callback for interface eth0:4500 fd 17
May 20 09:14:59 debian pluto[1484]: | setup callback for interface eth0:500 fd 16
May 20 09:14:59 debian pluto[1484]: loading secrets from "/etc/ipsec.secrets"
May 20 09:14:59 debian pluto[1484]: reapchild failed with errno=10 No child processes

conn routed-vpn
    left=x
    right=y
    authby=secret
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    auto=add
    # route-based VPN requires marking and an interface
    mark=5/0xffffffff
    vti-interface=vti01
    # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
    vti-routing=no


x y : PSK "G4654DFGdfgjhhgsdDEdfghBNjuz"


Best regards
Michael
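As an added example (not part of this thread and not libreswan's own code): a small Python linter for the conn above that checks the constraints the config comments describe, namely that a vti-interface conn carries a usable mark= (the VTI key), that the interface name is a valid Linux ifname, and that vti-routing=no is set when both subnets are 0.0.0.0/0. The sample text and the parser are constructed here; parse_conns and check_vti_conn are not libreswan functions.

```python
import re
# Constructed sample input: the conn posted in this thread, x/y placeholders kept.
SAMPLE_CONF = """\
conn routed-vpn
    left=x
    right=y
    authby=secret
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    auto=add
    mark=5/0xffffffff
    vti-interface=vti01
# do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
    vti-routing=no
"""

def parse_conns(text):
    """Parse ipsec.conf 'conn NAME' sections into {name: {key: value}}; '#' comments dropped."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # blank lines fall through both branches
        if line.startswith("conn "):
            cur = line.split(None, 1)[1].strip()
            conns[cur] = {}
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            conns[cur][key.strip()] = val.strip()
    return conns

def check_vti_conn(opts):
    """Return a list of problems that would break a route-based VTI conn (empty = OK)."""
    problems = []
    iface = opts.get("vti-interface")
    if iface is None:
        return problems                           # not a VTI conn: nothing to check
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,15}", iface):
        problems.append("vti-interface is not a valid Linux interface name (max 15 chars)")
    mark = opts.get("mark")
    if mark is None:
        problems.append("vti-interface needs mark=; the mark value is used as the VTI key")
    else:
        m = re.fullmatch(r"(\d+)(?:/(?:0x[0-9a-fA-F]+|\d+))?", mark)
        if m is None:
            problems.append(f"mark={mark!r} is not of the form VALUE[/MASK]")
        elif int(m.group(1)) == 0:
            problems.append("mark value 0 cannot select packets for the VTI device")
    all_traffic = opts.get("leftsubnet") == "0.0.0.0/0" and opts.get("rightsubnet") == "0.0.0.0/0"
    if all_traffic and opts.get("vti-routing") != "no":
        problems.append("0.0.0.0/0 on both sides needs vti-routing=no, or all traffic is routed into the tunnel")
    return problems
```

A clean result only means the conn text is consistent; it does not check the running host, and with auto=add the conn is merely loaded, so (on my assumption that the updown script creates the device when the tunnel comes up) vti01 is not expected to exist until the tunnel is actually brought up.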
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
