Re: [Swan] Host-to-host tunnel and VTI

2018-03-14 Thread Paul Wouters

On Tue, 13 Mar 2018, Erik Andersson wrote:

> Ok thanks! Trying to replace klips with netkey. I experience some weird klips
> kernel crashes on kernel 4.14 (haven't looked into it in detail). Also, klips
> seems not to be able to "fully" hook up to the kernel crypto API in kernel
> version 4.14.


Yes, KLIPS really only supports 3des/aes and sha1/sha2/md5. It is best
to switch to XFRM. We are planning to obsolete KLIPS as soon as VTI or
XFRMI interfaces are fully supported (including host-to-host IPsec SAs,
one interface for all roadwarriors, and proper automatic
adding/removing of interfaces).

Paul
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan


Re: [Swan] Host-to-host tunnel and VTI

2018-03-13 Thread Erik Andersson



On 03/07/2018 10:26 AM, Paul Wouters wrote:

> On Mon, 5 Mar 2018, Tuomo Soini wrote:
>
> > > I'm running Fedora 26 with libreswan 3.23 and trying to set up a
> > > host-to-host tunnel using the VTI functionality.
> > >
> > > Is this setup/configuration even possible? Maybe I'm missing some
> > > fundamentals here :)
> >
> > Host-host is not possible with VTI.
> >
> > > I've successfully got VTI to work with a subnet-to-subnet
> > > configuration (left/rightsubnet).
> >
> > Yes, that's what VTI is designed for.
>
> Indeed. I'm hoping the new xfrmi interface type being considered won't
> have this problem.
>
> Paul

Ok thanks! Trying to replace klips with netkey. I experience some weird
klips kernel crashes on kernel 4.14 (haven't looked into it in detail).
Also, klips seems not to be able to "fully" hook up to the kernel crypto
API in kernel version 4.14.


Regards,

Erik



Re: [Swan] Host-to-host tunnel and VTI

2018-03-07 Thread Paul Wouters

On Mon, 5 Mar 2018, Tuomo Soini wrote:

> > I'm running Fedora 26 with libreswan 3.23 and trying to set up a
> > host-to-host tunnel using the VTI functionality.
> >
> > Is this setup/configuration even possible? Maybe I'm missing some
> > fundamentals here :)
>
> Host-host is not possible with VTI.
>
> > I've successfully got VTI to work with a subnet-to-subnet
> > configuration (left/rightsubnet).
>
> Yes, that's what VTI is designed for.

Indeed. I'm hoping the new xfrmi interface type being considered won't
have this problem.

Paul


Re: [Swan] Host-to-host tunnel and VTI

2018-03-06 Thread Erik Andersson



On 03/05/2018 10:06 PM, Tuomo Soini wrote:

> On Mon, 5 Mar 2018 18:34:17 +0100
> Erik Andersson wrote:
>
> > Hi,
> >
> > I'm running Fedora 26 with libreswan 3.23 and trying to set up a
> > host-to-host tunnel using the VTI functionality.
> >
> > Is this setup/configuration even possible? Maybe I'm missing some
> > fundamentals here :)
>
> Host-host is not possible with VTI.

Ah ok. Thanks for the help Tuomo!

Regards,

Erik

> > I've successfully got VTI to work with a subnet-to-subnet
> > configuration (left/rightsubnet).
>
> Yes, that's what VTI is designed for.




Re: [Swan] Host-to-host tunnel and VTI

2018-03-05 Thread Tuomo Soini

On Mon, 5 Mar 2018 18:34:17 +0100
Erik Andersson wrote:

> Hi,
>
> I'm running Fedora 26 with libreswan 3.23 and trying to set up a
> host-to-host tunnel using the VTI functionality.
>
> Is this setup/configuration even possible? Maybe I'm missing some
> fundamentals here :)

Host-host is not possible with VTI.

> I've successfully got VTI to work with a subnet-to-subnet
> configuration (left/rightsubnet).

Yes, that's what VTI is designed for.

-- 
Tuomo Soini 
Foobar Linux services
+358 40 5240030
Foobar Oy 