ip tunnel add vti mode vti
https://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=1&tn=baidu&wd=ip%20tunnel%20add%20vti%20mode%20vti&oq=ip%2520tunnel%2520add%2520vti28%2520mode%2520vti&rsv_pq=bfd6e7bd0000a4da&rsv_t=2df0N0ARqAdvSNi6f3e1JSuWKlSZy4RIAoaHk44HmFcIuKUfxQqHK6YuOJM&rqlang=cn&rsv_enter=0&inputT=7791&rsv_sug3=21&rsv_sug4=9431&rsv_sug=1
https://end.re/tutorial/etp001-vti-tunnel-interface-with-strongswan/
I successfully managed to get Linux VTI (Virtual Tunnel Interface) working with strongSwan. By using VTI it is no longer needed to rely on the routing policy database, making understanding and maintaining routes easier. Also with VTI you can see the cleartext traffic on the VTI interface itself. It was confusing to see actual tunnel traffic before using tcpdump using the standard policy database setup. (There are ulog/nflog hacks to see cleartext traffic in both direction though, similar to BSD pflog.)
With policy database strongSwan installs its learned policy routes to a separate routing table having preference over the main routing table. strongSwan does not support native VTI setup so a <left|right>updown script is needed to setup the tunnel this way.
So far the /usr/local/sbin/ipsec-notify.sh file looks like this:
#!/bin/bash set -o nounset set -o errexit VTI_IF="vti${PLUTO_UNIQUEID}" case "${PLUTO_VERB}" in up-client) ip tunnel add "${VTI_IF}" mode vti \ local "${PLUTO_ME}" remote "${PLUTO_PEER}" \ okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}" ip link set "${VTI_IF}" up ip addr add ${PLUTO_MY_SOURCEIP} dev "${VTI_IF}" ip route add <tunneled-network> dev "${VTI_IF}" sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1" ;; down-client) ip tunnel del "${VTI_IF}" ;; esacand the relevant part of /etc/ipsec.conf looks like this (without authentication method details):
conn <vpngw> leftupdown=/usr/local/sbin/ipsec-notify.sh left=%defaultroute leftsourceip=%config4,%config6 rightsubnet=0.0.0.0/0,::/0 right=<vpngw_ip> rightid=<vpngw_id> auto=route mark=2
In /etc/strongswan.d/charon.conf uncomment install_routes and install_virtual_ipproperties and change their value to no:
# Install routes into a separate routing table for established IPSec tunnels. install_routes = no # Install virtual IP addresses. install_virtual_ip = no
Update
Thermi has turned this blog post and other related informations into a strongSwan wiki entry. Please be sure to check that out too.
推荐本站淘宝优惠价购买喜欢的宝贝:
本文链接:https://hqyman.cn/post/646.html 非本站原创文章欢迎转载,原创文章需保留本站地址!
微信支付宝扫一扫,打赏作者吧~休息一下~~
官码2024000195号
萌ICP备20248119号
