Hi Paul,

Many thanks for your reply. 

My wish to move from KLIPS (which has to date supported all the functionality 
needed) has been brought about because libreswan is dropping KLIPS. VTI was 
documented for libreswan, so I tried it. It works fine for IPv4, but some of my 
networks are 6 native, and I do have 6in6 ipsec tunnels. I like the ability to 
have defined interfaces from a firewalling perspective, so I ruled out native 
netkey many years ago. 

There seems to be very little documentation about XFRMi, and it appears to be 
very new, and not a production product as yet. I get the impression that some 
distros don't support XFRMi as yet. Correct me if I am wrong, but it looks 
like you need a kernel version 5x to support XFRMi natively? Unless you patch 
and re-compile a version 4?

Which versions of libreswan support the new XFRMi directives? 3.6.27 did not 
recognise the following when tested. 

leftiface-id
leftiface-ip
leftiface-mark

Many thanks



-----Original Message-----
From: Paul Wouters [mailto:[email protected]] 
Sent: 15 July 2019 16:02
To: Paul Overton <[email protected]>
Cc: [email protected]
Subject: Re: [Swan] IPv6 and VTI

On Mon, 15 Jul 2019, Paul Overton wrote:

> Does the current version of Libreswan support VTI for IPv6 tunnels?

I don't think so?

> I am moving a number of servers to the latest version and switching 
> from KLIPS to Netkey+VTI, and found that one of my IPv6 machines did not 
> create the VTI interface, it is possible also to do a 6 in 4 tunnel using VTI 
> as well.

You should be moving to XFRMi interfaces. libreswan is working on adding 
support for that (we have an internal partial branch at the moment).

Information about XFRMi:

https://lwn.net/Articles/757391/
https://libreswan.org/wiki/XFRM_Interface_Development_Notes
https://workshop.linux-ipsec.org/2018/slides/IPSec_workshop_presentation_lrk.pdf

VTI has several structural limitations, and it will be fully replaced by XFRMi.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
