[Openswan Users] Cisco IOS VTI (Virtual Tunnel Interface)

Johannes Herlitz Johannes.Herlitz at satlynx.com
Fri Jun 6 05:18:12 EDT 2008



I have spent two days finding a working example for this in forums and
mailing lists without success. Maybe one of you has already done this.


Is it possible to terminate a Cisco IOS VTI (Virtual Tunnel Interface)
with openswan? If yes, what would the openswan configuration look like?



Cisco configuration:


crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 28800

crypto isakmp key linux address x.x.x.x

crypto ipsec transform-set MySet esp-3des esp-md5-hmac

crypto ipsec profile VTI
 set security-association lifetime seconds 28800
 set transform-set MySet
 set pfs group5

interface Tunnel0
 ip address
 tunnel source FastEthernet0/0
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI




Openswan configuration on Linux with kernel 2.6.22:


version 2.0

config setup

conn tunnelipsec
        type=           tunnel
        authby=         secret
        left=           x.x.x.x
        leftnexthop=    %defaultroute

        right=          y.y.y.y
        rightnexthop=   %defaultroute

        ike=            3des-md5-modp1536
        esp=            3des-md5
        keyexchange=    ike
        pfs=            yes
        pfsgroup=       modp1536
        auto=           start
        ikelifetime=    8h
        keylife=        8h

include /etc/ipsec.d/examples/no_oe.conf



(The "leftsubnet" and "rightsubnet" settings do not make sense.)


Phase 1 completes, and even the ESP packets sent by the Cisco are
decrypted correctly. So this means phase 2 also works, somehow.


However, I have no clue about how to create an interface in the Linux
box that I can assign the IP


I read something about "KLIPS" being able to create an "ipsec0"
interface, but I also read that one shall not use KLIPS with kernel 2.6
any more. How am I supposed to do this?







