# IPsec VTI tunnel

## Dorian

Hi all,

I have a problem with setting up an IPsec tunnel between a Gentoo host and a Cisco device.

I always used ipsec-tools (racoon daemon) for this purpose. The configuration was pretty simple and worked fine with Cisco devices.

Unfortunately for some devices Cisco 'improved' their protocol to VTI IPsec (aka IPsec with Virtual Tunnel Interface).

And currently I am stuck.

I need to connect to the new Cisco device with VTI IPsec but I do not know how to configure VTI IPsec on Gentoo.

I've found information here that VTI is supported for kernels 3.6 and later.

I prepared a new machine with the most recent Gentoo (kernel v3.6.11) and ... don't know what next.

Is there anybody who can help me? Which tools should I use?

Maybe some config samples?

----------

## Veovis

Hi,

you need a very recent version of iproute2 which will allow you to create vti tunnels.

See here for an example of use (I didn't test it myself): http://www.spinics.net/lists/netdev/msg200673.html

iproute 3.3 is too old, but it is the latest stable version in my portage.

You may try to keyword the package and test a more recent version.

----------

## Dorian

Thanks a lot for reply.

I have iproute2-3.3.0 installed. It looks like 'mode vti' is supported by the ip command.

I have the vti kernel module compiled also.

I've read a lot of web content posted mainly by Saurabh Mohan. He seems to be the author of the iproute2 patch and of the vti kernel module as well.

The doubt I have is the 'ikey' option shown in many examples, which is very poorly documented.

From this post it looks like 'ikey' is related to 'xmark 0xf/0xffffffff', but I do not understand why (according to the mentioned post) I "need the iptables rule for ingress esp and udp-4500 packets".

Is it really required? What for? Maybe it is required for strongswan only? (I am using racoon.)

Or maybe it is required only if two ipsec-vti tunnels between the same hosts are created? (On the other hand, what could be the aim of having two ipsec tunnels between the same hosts?)

I assume that ipsec-vti works in the same way as GRE inside IPsec, so no iptables marking is required at all. Am I right? If not, why?

And finally:

I learned the ip command at the time Rusty's LARTC documentation was created, so my information is really outdated.

Where could I get detailed description of iproute2 parameters?

I cannot find a 'modern-day' source of information concerning the ip command.

The `ip ... help` output is very poor. It is quite enough as a syntax reminder, but not as a description of the options' meaning.

Any advice?

----------

## Veovis

Hi Dorian,

With iproute2-3.3.0 I get an error when I try to create a vti mode tunnel like this: `ip tunnel add test mode vti`

With iproute2-3.7.0, the same command outputs nothing.

In both cases the man pages are not updated... and I'm stuck.

If your reference is right, it seems vti mode is a hacky thing to show a tunnel for marked packets.

I don't understand the need for the PREROUTING rule either, but I noticed that 15 = 0xf, and the ipsec conf mentions two lines, mark_in and mark_out, which may be the ikey needed for the tunnel to work.

----------

## Veovis

http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

mark = <value>[/<mask>]

sets an XFRM mark in the inbound and outbound IPsec SAs and policies. If the mask is missing then a default mask of 0xffffffff is assumed.

----------

## OPelerin

Did you ever fix this one? I'm trying with strongswan. I have encryption and decryption and I do see the traffic on my vti0 [tcpdump]. When I strace a process I get

```
sendmsg(3, {msg_name(16)={sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("10.0.0.2")}, msg_iov(1)=[{"\10\0V\rZ\17\0\1W\232\222T\0\0\0\0\236 \1\0\0\0\0\0\20\21\22\23\24\25\26\27"..., 64}], msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_IP, cmsg_type=, ...}, msg_flags=0}, 0) = 64
recvmsg(3, 0x7fff569f1870, 0)           = -1 EAGAIN (Resource temporarily unavailable)
```

----------

## salahx

It works for me. I don't have a Cisco router, so I had to use a Linux server. The current version of iproute2 (as of this posting, 3.8.0) does not work properly, but the unstable version (as of this posting, 3.17.0) works just fine. Let our endpoints be 192.168.122.70 (the server) and 192.168.122.1 (the client):

Client side: 

```
conn vti-client
        type=tunnel
        left=192.168.122.1
        leftsubnet=10.48.58.0/30
        leftauth=secret
        right=192.168.122.70
        rightsubnet=10.48.58.0/24
        rightauth=secret
        auto=add
        mark=15
```

```
ip tunnel add vti1 mode vti remote 192.168.122.70 local 192.168.122.1 key 15
ip addr add 10.48.58.1/30 dev vti1
```

Server side:

```
conn vti-server
        type=tunnel
        left=192.168.122.70
        leftsubnet=10.48.58.0/30
        leftauth=secret
        right=192.168.122.1
        rightsubnet=10.48.58.0/30
        rightauth=secret
        auto=add
        mark=15
```

```
ip tunnel add vti1 mode vti remote 192.168.122.1 local 192.168.122.70 key 15
ip addr add 10.48.58.2/30 dev vti1
```

And it works: I can ping, and ssh can cross the vti1 link.

Last edited by salahx on Wed Jan 14, 2015 4:33 am; edited 1 time in total

----------

## OPelerin

Yeah, in the end it has been working for me too. I had to disable the route lookup in route table 220 and disable RPF checks for the vti interface to make it fully working.

----------
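The following script is an added example, not code posted by anyone in the thread. It pulls together salahx's working configuration (strongswan `mark=` equal to the vti `key`) and OPelerin's two follow-up fixes (no strongswan routes in table 220, reverse-path filtering off on the vti device) into a single dry-run helper. The function names (`vti_up`, `vti_conn`, `check_mark_key`, `legacy_ingress_mark`, `charon_no_routes`) and the device/address values in the demo are my own; the `ip`, `sysctl`, `iptables` and strongswan syntax is real. Two facts it relies on that the thread only hints at: the vti `key` and the XFRM `mark` select the same SA, so they must be the same number (15 = 0xf), and strongswan's routes in table 220 are turned off with `charon.install_routes = no` in strongswan.conf. The iptables PREROUTING marking rules that Dorian asked about are included only as an optional function: they were needed on kernels whose vti receive path relied on a pre-set skb mark, and are not needed once the kernel derives that mark from the tunnel's ikey (the 3.15 vti rework).

```shell
#!/bin/sh
# Added example: one side of a strongswan + Linux VTI tunnel as a dry run.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).
# Helper names are hypothetical; the ip/sysctl/iptables/strongswan syntax is real.

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The strongswan mark (conn ... mark=N) and the vti key must select the same
# SA, so they must be equal. Both are taken as decimal here (15 == 0xf).
check_mark_key() {
    _mark="$1"; _key="$2"
    [ "$_mark" -eq "$_key" ] 2>/dev/null
}

# Print the ipsec.conf conn block in the shape used in the thread.
vti_conn() {
    _name="$1"; _left="$2"; _right="$3"; _lsub="$4"; _rsub="$5"; _mark="$6"
    printf 'conn %s\n' "$_name"
    printf '        type=tunnel\n'
    printf '        left=%s\n' "$_left"
    printf '        leftsubnet=%s\n' "$_lsub"
    printf '        leftauth=secret\n'
    printf '        right=%s\n' "$_right"
    printf '        rightsubnet=%s\n' "$_rsub"
    printf '        rightauth=secret\n'
    printf '        auto=add\n'
    printf '        mark=%s\n' "$_mark"
}

# strongswan.conf fragment: stop charon from installing routes in table 220,
# so forwarding follows the vti device's own routes instead.
charon_no_routes() {
    printf 'charon {\n    install_routes = no\n}\n'
}

# Create the vti device, address it, and apply the per-interface sysctls:
# rp_filter=0 because decrypted packets appear on vtiN while the route back
# to the peer is on the underlay; disable_policy=1 so the plaintext on vtiN is
# not run through the xfrm policy check a second time (documented VTI usage,
# not something the thread itself mentions).
vti_up() {
    _dev="$1"; _local="$2"; _remote="$3"; _key="$4"; _addr="$5"
    run ip tunnel add "$_dev" mode vti local "$_local" remote "$_remote" key "$_key"
    run ip addr add "$_addr" dev "$_dev"
    run ip link set "$_dev" up
    run sysctl -w "net.ipv4.conf.$_dev.rp_filter=0"
    run sysctl -w "net.ipv4.conf.$_dev.disable_policy=1"
}

# Only for old kernels whose vti receive path required the ESP/NAT-T packets
# to carry the mark already; mark value must equal the vti key.
legacy_ingress_mark() {
    _local="$1"; _remote="$2"; _mark="$3"
    run iptables -t mangle -A PREROUTING -p esp -s "$_remote" -d "$_local" \
        -j MARK --set-xmark "$_mark/0xffffffff"
    run iptables -t mangle -A PREROUTING -p udp --dport 4500 -s "$_remote" -d "$_local" \
        -j MARK --set-xmark "$_mark/0xffffffff"
}

# Demo with the client-side values from the thread (constructed, dry run).
demo() {
    check_mark_key 15 15 || { echo "mark and key differ" >&2; return 1; }
    vti_conn vti-client 192.168.122.1 192.168.122.70 10.48.58.0/30 10.48.58.0/30 15
    charon_no_routes
    vti_up vti1 192.168.122.1 192.168.122.70 15 10.48.58.1/30
}

[ "${1:-}" = "demo" ] && demo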

