On 13.05.2016 at 21:52, Paul Wouters wrote:
> Hi,
> A lot of people have been asking us about VTI support for route-based
> VPN. We have an initial developer release ready to test that
> feature. Additionally, this VTI feature allows you to have an ipsec0
> interface like KLIPS would give you, where you can run tcpdump and
> iptables on the "clear" interface.
> I wrote up a wiki page explaining the feature and how to configure it:
> https://libreswan.org/wiki/Route-based_VPN_using_VTI
Hi,
what are the exact requirements?
I've installed dr2 successfully on a Debian Jessie OpenStack
environment (make deb), but there's no vti01 interface:
May 20 09:14:58 debian pluto[1484]: NSS DB directory: sql:/etc/ipsec.d
May 20 09:14:58 debian pluto[1484]: NSS initialized
May 20 09:14:58 debian pluto[1484]: libcap-ng support [disabled]
May 20 09:14:58 debian pluto[1484]: FIPS HMAC integrity support [disabled]
May 20 09:14:58 debian pluto[1484]: Linux audit support [disabled]
May 20 09:14:58 debian pluto[1484]: Starting Pluto (Libreswan Version 3.18dr2 XFRM(netkey) KLIPS USE_FORK USE_PTHREAD_SETSCHEDPRIO NSS DNSSEC USE_SYSTEMD_WATCHDOG XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:1484
May 20 09:14:58 debian pluto[1484]: core dump dir: /var/run/pluto/
May 20 09:14:58 debian pluto[1484]: secrets file: /etc/ipsec.secrets
May 20 09:14:58 debian pluto[1484]: leak-detective disabled
May 20 09:14:58 debian pluto[1484]: NSS crypto [enabled]
May 20 09:14:58 debian pluto[1484]: XAUTH PAM support [enabled]
May 20 09:14:58 debian pluto[1484]: NAT-Traversal support [enabled]
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_AES_CTR: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_A: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_B: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_C: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CBC: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
May 20 09:14:58 debian pluto[1484]: starting up 1 crypto helpers
May 20 09:14:58 debian pluto[1484]: started thread for crypto helper 0 (master fd 10)
May 20 09:14:58 debian pluto[1484]: Using Linux XFRM/NETKEY IPsec interface code on 3.16.0-4-amd64
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating aes_ccm_12: Ok
May 20 09:14:58 debian pluto[1484]: ike_alg_register_enc(): Activating aes_ccm_16: Ok
May 20 09:14:59 debian pluto[1484]: added connection description "v6neighbor-hole-in"
May 20 09:14:59 debian pluto[1484]: added connection description "v6neighbor-hole-out"
May 20 09:14:59 debian pluto[1484]: added connection description "routed-vpn"
May 20 09:14:59 debian pluto[1484]: listening for IKE messages
May 20 09:14:59 debian pluto[1484]: adding interface eth0/eth0 X:500
May 20 09:14:59 debian pluto[1484]: adding interface eth0/eth0 X:4500
May 20 09:14:59 debian pluto[1484]: adding interface lo/lo 127.0.0.1:500
May 20 09:14:59 debian pluto[1484]: adding interface lo/lo 127.0.0.1:4500
May 20 09:14:59 debian pluto[1484]: adding interface lo/lo ::1:500
May 20 09:14:59 debian pluto[1484]: | setup callback for interface lo:500 fd 20
May 20 09:14:59 debian pluto[1484]: | setup callback for interface lo:4500 fd 19
May 20 09:14:59 debian pluto[1484]: | setup callback for interface lo:500 fd 18
May 20 09:14:59 debian pluto[1484]: | setup callback for interface eth0:4500 fd 17
May 20 09:14:59 debian pluto[1484]: | setup callback for interface eth0:500 fd 16
May 20 09:14:59 debian pluto[1484]: loading secrets from "/etc/ipsec.secrets"
May 20 09:14:59 debian pluto[1484]: reapchild failed with errno=10 No child processes
# /etc/ipsec.conf
conn routed-vpn
        left=x
        right=y
        authby=secret
        leftsubnet=0.0.0.0/0
        rightsubnet=0.0.0.0/0
        auto=add
        # route-based VPN requires marking and an interface
        mark=5/0xffffffff
        vti-interface=vti01
        # do not set up routing because we don't want to send 0.0.0.0/0 over the tunnel
        vti-routing=no

# /etc/ipsec.secrets
x y : PSK "G4654DFGdfgjhhgsdDEdfghBNjuz"
Best regards
Michael
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
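The post above shows a 0.0.0.0/0 conn with mark=5 and vti-interface=vti01 on a 3.16 kernel, but no vti01 interface. Two things are worth checking before suspecting the build: whether the kernel actually ships the ip_vti module (IPsec VTI has been in mainline since 3.6), and whether the connection has been brought up at all, since with auto=add the tunnel is only loaded and, as far as I know, libreswan creates the VTI interface from its updown script when the SA comes up (ipsec auto --up routed-vpn), not at add time. The script below is an added example, not libreswan's own code or its _updown script: it checks for the module and prints the ip(8)/sysctl commands that correspond to the posted conn, so the interface can be created and inspected by hand to confirm the kernel side works. The interface name, mark and conn name are taken from the post; the endpoint addresses 192.0.2.1 and 198.51.100.1 are placeholders standing in for the redacted x and y.

```shell
#!/bin/sh
# Added example (not from libreswan). Check VTI prerequisites and show the
# manual equivalent of what the posted conn asks libreswan to set up.

# Is IPsec VTI available on this kernel? ip_vti is the IPv4 VTI module.
# Returns 0 if loaded or loadable, 1 otherwise (the caller may then modprobe).
vti_kernel_support() {
    if [ -d /sys/module/ip_vti ]; then
        echo "ip_vti already loaded"
        return 0
    fi
    if command -v modinfo >/dev/null 2>&1 && modinfo ip_vti >/dev/null 2>&1; then
        echo "ip_vti available as a module: run 'modprobe ip_vti'"
        return 0
    fi
    echo "no ip_vti module found for kernel $(uname -r 2>/dev/null)"
    return 1
}

# Print the commands that create a VTI interface bound to an xfrm mark.
# Args: ifname mark local_ip remote_ip
# 'key' on a vti link is the fwmark the kernel matches against the xfrm
# policy/state mark, so it must equal the conn's mark= value (5 here).
vti_commands() {
    ifname=$1; mark=$2; local_ip=$3; remote_ip=$4
    printf 'ip link add %s type vti key %s local %s remote %s\n' \
        "$ifname" "$mark" "$local_ip" "$remote_ip"
    printf 'ip link set %s up\n' "$ifname"
    # Without these two sysctls, packets leaving the tunnel are dropped:
    # rp_filter treats them as martians and disable_policy=0 re-applies
    # the 0.0.0.0/0 xfrm policy to already-decrypted traffic.
    printf 'sysctl -w net.ipv4.conf.%s.rp_filter=0\n' "$ifname"
    printf 'sysctl -w net.ipv4.conf.%s.disable_policy=1\n' "$ifname"
}

# With vti-routing=no nothing is routed into the tunnel automatically; each
# remote prefix has to be routed over the interface by hand (assumed prefix).
vti_route_command() {
    ifname=$1; prefix=$2
    printf 'ip route add %s dev %s\n' "$prefix" "$ifname"
}

# Commands to confirm the tunnel end to end once the SA is up: the xfrm
# policy/state must carry the same mark, and tcpdump on the VTI shows
# cleartext (the "clear" interface Paul mentions).
vti_verify_commands() {
    ifname=$1
    printf 'ip -d link show %s\n' "$ifname"
    printf 'ip xfrm policy\n'
    printf 'ip xfrm state\n'
    printf 'tcpdump -ni %s\n' "$ifname"
}

# Stand-alone run: report module status and print the manual setup for the
# posted conn (endpoints are placeholders for the redacted x and y).
vti_kernel_support || true
vti_commands vti01 5 192.0.2.1 198.51.100.1
vti_route_command vti01 10.0.0.0/8
vti_verify_commands vti01
```

The printed commands are meant to be run as root after `ipsec auto --up routed-vpn` has established the SA; if `ip link add ... type vti` fails with "Operation not supported", the kernel lacks VTI and no libreswan setting will produce the interface.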