On 29-10-2015 10:51, Paul Wouters wrote:
On Thu, 29 Oct 2015, Tom Harbert wrote:

I am looking at migrating from Strongswan to libreswan on an Ubuntu
14.04 system.

# dpkg -l | grep libreswan
ii  libreswan    1:3.14-1    amd64    Internet Key Exchange daemon

Is it possible to implement IPSec over a virtual tunnel interface
(VTI)? In strongswan, to do this a
mark is set under the connection profile (mark=x) and this corresponds
to the tunnel interface key:

$ ip link add $INTERFACE type vti local $LOCAL_IP remote $REMOTE_IP key $KEY

What is $INTERFACE filled in with? vtixx where xx is the mark?
What is $KEY?

Based on my not-so-fruitful VTI research:

$INTERFACE would be an "arbitrary" name for the tunnel interface to be created. $KEY would be an "arbitrary" number which is to match with the key configured in the libreswan/Strongswan configuration (a bit like how fwmarks can be used to glue iptables and tc together).

AWS require VTI as opposed to GRE tunnels.

I'm happy to write a patch to support this, but I'm not sure yet I fully
understand the setup.

If only there'd be some decent documentation on VTI support in linux indeed :-(

Regards,
Ruben
