On Tue, 12 Sep 2017, Xinwei Hong wrote:
conn conn_vpn
authby=secret
left=199.x.y.166
right=199.x.y.159
ike=aes256-sha1;modp1024
phase2alg=aes256-sha1;modp1024
ikelifetime=28800s
salifetime=3600s
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
type=tunnel
mark=5/0xffffffff
vti-interface=vti01
vti-routing=no
vti-shared=yes
auto=start
leftvti=10.100.0.1/16
the other end is similar with leftvti=10.200.0.1/16.
The VPN can be established successfully. However, I don't see the leftvti take
effect. I was expecting to be able to ping 10.100.0.1 from the other end. Is this
what we should expect? How do I correctly configure leftvti?
When you are using 0.0.0.0/0 tunnels, it is basically a routing based
tunnel. But since we cannot route 0.0.0.0/0 without imploding the
tunnel, we ask you to do vti-routing=no. But that means you still
need to provide a way for the packets you want to be tunneled to
route into the VTI device.
If you just want a tunnel that covers 10.200.0.0/16 <-> 10.100.0.0/16
then you should use those values as left/rightsubnet and
vti-routing=yes. And if your gateways already have the .1 IP
address, you don't need to add it using leftvti= either.
Paul
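An added example, not from the thread, of the two options Paul describes, written as a POSIX shell script: option A as the ipsec.conf lines to change, option B as the manual routing you must do yourself when keeping 0.0.0.0/0 with vti-routing=no. The interface name and subnets are the ones from the question; the use of iproute2 (`ip route replace`, `ip route get`) on the gateway is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes iproute2 on the gateway and
# the values from the question: vti01, leftvti=10.100.0.1/16 on this side,
# leftvti=10.200.0.1/16 on the peer. Nothing touches the kernel unless you
# call apply_routes explicitly.

VTI_IF="vti01"
REMOTE_NET="10.200.0.0/16"   # the peer's VTI network

# Option A: let libreswan install the routes for you. Replace the 0.0.0.0/0
# selectors with the real networks and let vti-routing do the work:
#   leftsubnet=10.100.0.0/16
#   rightsubnet=10.200.0.0/16
#   vti-routing=yes
# (drop leftvti= if the gateway already owns the .1 address)

# Option B: keep leftsubnet=rightsubnet=0.0.0.0/0 with vti-routing=no and
# steer only the traffic you want tunneled into the VTI device yourself.
# manual_route_cmds prints the commands; apply_routes runs them (root).
manual_route_cmds() {
    vti="$1"; remote="$2"
    # libreswan creates the interface and assigns leftvti=; bring it up.
    printf 'ip link set dev %s up\n' "$vti"
    # Only the peer's VTI network goes into the tunnel. The default route
    # stays untouched, so IKE/ESP to the peer's public address does not
    # get pulled into the tunnel it carries (the "imploding" case).
    printf 'ip route replace %s dev %s\n' "$remote" "$vti"
}

apply_routes() {
    manual_route_cmds "$VTI_IF" "$REMOTE_NET" | sh -e
}

# Check: does the kernel send a given peer address (e.g. 10.200.0.1) through
# the VTI? Returns 0 when the route lookup lands on VTI_IF. If this fails,
# a ping to the peer's leftvti address leaves via the default route instead.
route_via_vti() {
    ip route get "$1" 2>/dev/null | grep -q "dev $VTI_IF"
}
```

After `apply_routes` on both gateways, `route_via_vti 10.200.0.1` should succeed here and the ping from the question should work.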
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan