On Wed, 6 Jul 2016, Xinwei Hong wrote:
I'm trying to play around with VTI support. I have the following conf in /etc/ipsec.conf:
    # route-based VPN requires marking and an interface
    mark=5/0xffffffff
    vti-interface=vti01
    # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
    vti-routing=no
You can also use vti-shared=no so the device is also deleted automatically when the tunnel goes down.
Do we need anything else in the ipsec.conf file, such as:
    config setup
        protostack=netkey
        interfaces="vti01=eth1"
        plutodebug=all
No. the interfaces= line is used for KLIPS only and should not be used for NETKEY/XFRM.
Note that I want to have a route-based VPN via netkey/pluto. I have set up /etc/ipsec.secrets to have a PSK on both ends. If I run "ipsec start" I got:
    Redirecting to: start
    ipsec start: Job failed to start
So, I should not start ipsec that way?
That should work.
If I run:
    ipsec pluto --stderrlog --config /etc/ipsec.conf
I got: both ends look fine. "ipsec status" gets the following:
000 Total IPsec connections: loaded 1, active 0
It is loaded but not initiated. Try ipsec auto --up routed-vpn and see if you get an error?
What is the ip_vti0 here?
It's a kernel module thingy which you can ignore.

Paul
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan
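Pulling the thread's advice together, here is an added example (not from the thread or from the Libreswan project): a complete route-based VTI conn for NETKEY using the options discussed above, plus a small awk lint that flags the two mistakes raised in the exchange (a KLIPS-only interfaces= line under protostack=netkey, and a vti-interface= without the mark= it depends on) and the case where 0.0.0.0/0 selectors are combined with anything other than vti-routing=no. The conn name routed-vpn, the TEST-NET addresses, and the lint rules are constructed for illustration; the keyword names are the ones the thread uses.

```shell
#!/bin/sh
# Added example, not the thread's own configuration.
# make_vti_conf prints a route-based VTI conn for Libreswan on NETKEY/XFRM.
# Addresses (192.0.2.1 / 198.51.100.1) and the conn name are constructed.
make_vti_conf() {
  cat <<'EOF'
config setup
    protostack=netkey
    # no interfaces= line here: that keyword is for KLIPS only

conn routed-vpn
    authby=secret
    left=192.0.2.1
    right=198.51.100.1
    # route-based: the selectors carry everything, routing decides what enters
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    # marking and the interface are required for a VTI tunnel
    mark=5/0xffffffff
    vti-interface=vti01
    # we add routes to vti01 ourselves, so 0.0.0.0/0 is never sent blindly
    vti-routing=no
    # delete vti01 automatically when the tunnel goes down
    vti-shared=no
    auto=add
EOF
}

# lint_vti_conf reads an ipsec.conf on stdin, prints one finding per line,
# and exits 0 when clean or 1 when something was flagged (constructed rules).
lint_vti_conf() {
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    {
      line = $0; sub(/#.*/, "", line); line = trim(line)   # drop comments
      if (line == "") next
      if (line ~ /^config[ \t]+setup/) { section = "setup"; next }
      if (line ~ /^conn[ \t]+/) { section = "conn"; conn = line; sub(/^conn[ \t]+/, "", conn); next }
      eq = index(line, "="); if (eq == 0) next
      key = trim(substr(line, 1, eq - 1)); val = trim(substr(line, eq + 1))
      if (section == "setup") { setup[key] = val; next }
      if (section == "conn") { cfg[conn, key] = val; conns[conn] = 1 }
    }
    END {
      rc = 0
      if (setup["protostack"] == "netkey" && ("interfaces" in setup)) {
        print "setup: interfaces= is KLIPS-only, remove it for protostack=netkey"; rc = 1
      }
      for (c in conns) {
        if (((c, "vti-interface") in cfg) && !((c, "mark") in cfg)) {
          print "conn " c ": vti-interface= requires mark="; rc = 1
        }
        if (cfg[c, "leftsubnet"] == "0.0.0.0/0" && cfg[c, "rightsubnet"] == "0.0.0.0/0" \
            && cfg[c, "vti-routing"] != "no") {
          print "conn " c ": 0.0.0.0/0 selectors need vti-routing=no or all traffic is routed into the tunnel"; rc = 1
        }
      }
      exit rc
    }'
}

# Usage: make_vti_conf | lint_vti_conf   (silent, exit 0 for the conn above)
```

With vti-routing=no the tunnel carries nothing until you add routes for the device yourself (for example an ip route entry for the remote prefix via vti01), which is why the selectors can be 0.0.0.0/0 without replacing the default route. Once the conn is loaded, bring it up with ipsec auto --up routed-vpn as Paul suggests; a loaded-but-inactive count in ipsec status means the conn was only added, not initiated.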
