[Openswan Users] Cisco IOS VTI (Virtual Tunnel Interface)
Johannes.Herlitz at satlynx.com
Fri Jun 6 05:18:12 EDT 2008
I have spent two days looking for a working example of this in forums and
mailing lists without success. Maybe one of you has already done this.
Is it possible to terminate a Cisco IOS VTI (Virtual Tunnel Interface)
with openswan? If yes, what would the openswan configuration look like?

crypto isakmp policy 10
crypto isakmp key linux address x.x.x.x
crypto ipsec transform-set MySet esp-3des esp-md5-hmac
crypto ipsec profile VTI
 set security-association lifetime seconds 28800
 set transform-set MySet
 set pfs group5

ip address 192.168.10.1 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination x.x.x.x
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI

Openswan configuration on Linux with kernel 2.6.22:
(The "leftsubnet" and "rightsubnet" settings do not make sense.)
Phase 1 completes, and even the ESP packets sent by the Cisco are
decrypted correctly. So this means phase 2 also works, somehow.
However, I have no clue about how to create an interface in the Linux
box that I can assign the IP 192.168.10.2/30.
I read something about "KLIPS" being able to create an "ipsec0"
interface, but I also read that one shall not use KLIPS with kernel 2.6
any more. How am I supposed to do this?