Hi,

A lot of people have been asking us about VTI support for route-based VPN. We have an initial developer release ready to test that feature. Additionally, this VTI feature allows you to have an ipsec0 interface like KLIPS would give you, where you can run tcpdump and iptables on the "clear" interface.

I wrote up a wiki page explaining the feature and how to configure it:

https://libreswan.org/wiki/Route-based_VPN_using_VTI

You can test this feature with libreswan-3.18dr2 or later:

https://download.libreswan.org/development/

We are really interested in feedback, especially for current KLIPS users. Is this feature good enough for you to replace KLIPS' ipsec0 with a VTI-based ipsec0 or not? If not, what support is missing?

Another exciting new feature is NAT support for Opportunistic Encryption that can handle IP address conflicts. We will be updating our OE test infrastructure and documentation soon.

Below follows the current changelog compared against 3.17.

Paul

v3.18 (unreleased)
* XFRM: Support for NAT OE Client Address Translation (leftcat=) [Antony]
* XFRM: Support for VTI using vti-interface= and vti-routing= [Paul/Tuomo]
* KLIPS: Fix for /proc/net/pf_key oops on < 4.4 [Erik Andersson]
* pluto: Fix use of ikev2_cert_req_fields [Lubomir Rintel]
* pluto: Extend mark= support for mark-in= and mark-out= [Paul]
* pluto: Add systemd watchdog support via USE_SYSTEMD_WATCHDOG [Matt/Paul]
* addconn: Find peer IP address when resolving default route [Daniel M. Weeks]
* building: the make variable NSSLIBS was renamed to NSS_LDFLAGS

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
