ip tunnel add vti mode vti
https://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=1&tn=baidu&wd=ip%20tunnel%20add%20vti%20mode%20vti&oq=ip%2520tunnel%2520add%2520vti28%2520mode%2520vti&rsv_pq=bfd6e7bd0000a4da&rsv_t=2df0N0ARqAdvSNi6f3e1JSuWKlSZy4RIAoaHk44HmFcIuKUfxQqHK6YuOJM&rqlang=cn&rsv_enter=0&inputT=7791&rsv_sug3=21&rsv_sug4=9431&rsv_sug=1
https://end.re/tutorial/etp001-vti-tunnel-interface-with-strongswan/
I successfully managed to get Linux VTI (Virtual Tunnel Interface) working with strongSwan. By using VTI it is no longer needed to rely on the routing policy database, making understanding and maintaining routes easier. Also with VTI you can see the cleartext traffic on the VTI interface itself. It was confusing to see actual tunnel traffic before using tcpdump
using the standard policy database setup. (There are ulog
/nflog
hacks to see cleartext traffic in both direction though, similar to BSD pflog
.)
With policy database strongSwan installs its learned policy routes to a separate routing table having preference over the main routing table. strongSwan does not support native VTI setup so a <left|right>updown
script is needed to setup the tunnel this way.
So far the /usr/local/sbin/ipsec-notify.sh
file looks like this:
#!/bin/bash set -o nounset set -o errexit VTI_IF="vti${PLUTO_UNIQUEID}" case "${PLUTO_VERB}" in up-client) ip tunnel add "${VTI_IF}" mode vti \ local "${PLUTO_ME}" remote "${PLUTO_PEER}" \ okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}" ip link set "${VTI_IF}" up ip addr add ${PLUTO_MY_SOURCEIP} dev "${VTI_IF}" ip route add <tunneled-network> dev "${VTI_IF}" sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1" ;; down-client) ip tunnel del "${VTI_IF}" ;; esac
and the relevant part of /etc/ipsec.conf
looks like this (without authentication method details):
conn <vpngw> leftupdown=/usr/local/sbin/ipsec-notify.sh left=%defaultroute leftsourceip=%config4,%config6 rightsubnet=0.0.0.0/0,::/0 right=<vpngw_ip> rightid=<vpngw_id> auto=route mark=2
In /etc/strongswan.d/charon.conf
uncomment install_routes
and install_virtual_ip
properties and change their value to no
:
# Install routes into a separate routing table for established IPSec tunnels. install_routes = no # Install virtual IP addresses. install_virtual_ip = no
Update
Thermi has turned this blog post and other related informations into a strongSwan wiki entry. Please be sure to check that out too.
推荐本站淘宝优惠价购买喜欢的宝贝:
本文链接:https://hqyman.cn/post/646.html 非本站原创文章欢迎转载,原创文章需保留本站地址!
休息一下~~