> > Hi!
> >
> >>> There are no tunnel ip addresses in use and configuring one with
> >>> leftsourceip breaks the connection. I would like to have a VTI
> >>> interface representing the tunnel. This would simplify packet capture
> >>> and iptables configuration. However, all the examples I could find
> >>> configured the VTI interface with local and remote IP address. Is my
> >>> intended configuration even possible?
> >>
> >> Yes, you don't need to use any virtual IPs with tunnel interfaces. In
> >> fact, you shouldn't manage the interfaces using the IKE daemon at
> >> all. Just create the device (and maybe assign addresses and routes
> >> for it) when the network is initialized, then start charon and use
> >> auto=route.
> >
> > Could you give me an example of how to create such an address-less
> > tunnel interface? When I try to create one without addresses the following
> > happens:
>
> I was talking about "virtual" IPs. What's this use case? The kernel uses the
> local and remote IP addresses of the VTI to figure out the SAs and SPs. You
> need to set the local address in any case.
> You were using "leftsourceip", which is used for requesting virtual IP
> addresses from the remote peer.
>
> Just set the local and remote address of the VTI to your local and the peer's
> IP. That's it.
> If the remote peer's IP is dynamic, use 0.0.0.0. For more information, read
> the wiki article about route based VPNs[1].
Thanks for the clarification! I already read the article, but with your explanation I seem to finally understand it :).

> >>> This would simplify packet capture and iptables configuration.
> >>
> >> This is a moot point, because it's not really difficult.
> >
> > You are right, it is not really difficult. However, for some having a tunnel
> > interface to work with seems to be easier ;).
>
> Take the 10 minutes to understand how to dump traffic in the different
> iptables chains and tables and how to firewall and you save yourself the
> headache of VTIs, restrictions of route based tunneling and the inflexibility
> of this.
>
> AFAIK, the only valid use case for VTIs is to build dynamic routing on top.

It was meant as a convenience for not so network-aware colleagues, but the more I think about it the less intuitive it is anyway. Thanks for the hint!

> PS: Please make sure you always send the email to the list, too.

Sorry for the inconvenience!

Best regards
Felix
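The VTI setup the replies above describe (local and peer endpoint addresses on the device, 0.0.0.0 for a dynamic peer, charon left out of interface management, auto=route), as an added example that is not part of the thread. Assumed values: device name ipsec0, key/mark 42, and the documentation addresses 192.0.2.1, 198.51.100.7 and 10.0.1.0/24.

```shell
#!/bin/sh
# Added example, not from the thread: bring up an address-less VTI for a
# strongSwan route-based tunnel. The VTI's local/remote addresses are the IKE
# endpoints, which the kernel uses to match SAs/SPs; they are not virtual IPs,
# so no leftsourceip is needed. Assumed values: device ipsec0, key/mark 42.
# The reply above says charon must not manage the device; per the strongSwan
# wiki on route-based VPNs, also set charon.install_routes = no.

# Run a command, or only print it when DRY_RUN=1 (the default), so the
# resulting commands can be reviewed without root.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# vti_up LOCAL_IP PEER_IP KEY REMOTE_SUBNET
#   PEER_IP may be 0.0.0.0 when the peer address is dynamic; LOCAL_IP may not.
vti_up() {
  local_ip=$1; peer_ip=$2; key=$3; subnet=$4
  if [ -z "$local_ip" ] || [ "$local_ip" = "0.0.0.0" ]; then
    echo "vti_up: the local endpoint address is required" >&2
    return 1
  fi
  run ip tunnel add ipsec0 mode vti local "$local_ip" remote "$peer_ip" key "$key"
  # Decrypted packets arriving via the VTI must not be policy-checked again.
  run sysctl -q -w net.ipv4.conf.ipsec0.disable_policy=1
  run ip link set ipsec0 up
  # The route, not the IPsec policy, decides what enters the tunnel.
  run ip route add "$subnet" dev ipsec0
}

# vti_conn LOCAL_IP PEER_IP KEY: matching ipsec.conf section. Traffic selectors
# are 0.0.0.0/0 because routing selects the traffic; mark=KEY ties the SAs to
# the VTI key; auto=route installs trap policies so the tunnel comes up on the
# first packet. A dynamic peer (0.0.0.0) can only be responded to, so use
# right=%any with auto=add instead.
vti_conn() {
  local_ip=$1; peer=$2; key=$3; mode=route
  if [ "$peer" = "0.0.0.0" ]; then peer=%any; mode=add; fi
  cat <<EOF
conn vti
    left=$local_ip
    right=$peer
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=$key
    auto=$mode
EOF
}
```

Dry run with `vti_up 192.0.2.1 198.51.100.7 42 10.0.1.0/24` to review the ip commands, then `DRY_RUN=0` as root to apply them, and paste the output of `vti_conn 192.0.2.1 198.51.100.7 42` into ipsec.conf.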
