# IpSec Virtual Tunneling Interface



## Phishfry (Dec 11, 2016)

This recent addition sounds like a nice feature.

https://svnweb.freebsd.org/base?view=revision&revision=309115

Some background:
https://supportforums.cisco.com/blog/149426/advantages-vti-configuration-ipsec-tunnels


----------



## Crest (Dec 12, 2016)

Nice. Which IKE daemons can set up the VTI SAs?


----------



## Phishfry (Dec 12, 2016)

I would think racoon2 // charon.


----------



## deadElk (Dec 13, 2016)

1) Thanks! It is great!
2) Is it available for 11.0-RELEASE?
3) Is it available as a ready-to-compile kernel interface module?
4) Is this a correct strongSwan setup:

```
config setup
 charondebug=0

conn %default
 ikelifetime=1d
 lifetime=1h
 margintime=1m
 keyingtries=%forever
 authby=psk
 type=tunnel
 keyexchange=ikev2
 mobike=no
 dpdaction=restart
 auto=start
 dpddelay=10s
 esp=aes128-sha256-modp1024!
 ike=aes128-sha256-modp1024!
 forceencaps=no
 fragmentation=yes
 leftsubnet=0.0.0.0/0
 rightsubnet=0.0.0.0/0

conn TEST
 left=local.example.org
 leftid=fqdn:TEST
 right=remote.example.org
 rightid=fqdn:TEST
 reqid=XXX
```


----------



## Phishfry (Dec 13, 2016)

deadElk said:


> 2) Is it available for 11.0-RELEASE?


I don't think so. Usually new features go to -CURRENT first and are then merged from there.
Backporting does occur sometimes.

Here is the mailing list post with some more details.
https://lists.freebsd.org/pipermail/freebsd-current/2016-December/064050.html


----------



## Phishfry (Dec 13, 2016)

Looks like racoon.
https://reviews.freebsd.org/P112

Did you notice the patched racoon he linked to in the mailing list?


----------



## deadElk (Dec 14, 2016)

strongSwan can do REQID/MARK-in/out stuff too, and it's working on penguins (ip tunnel mode vti).

Compiling with 11.0-RELEASE failed.


----------



## Phishfry (Dec 14, 2016)

The mailing list post is in freebsd-current. I would not expect it to work on stable unless backported. It looks experimental and the poster has been incrementally bringing the capability online.


----------



## deadElk (Dec 14, 2016)

Yes, I understand, thanks anyway!

This module is very necessary.


----------



## Crest (Dec 15, 2016)

If both endpoints support it you can already combine IPsec in transport mode with GRE to get a tunnel interface suitable for dynamic routing, at the cost of a 4-byte GRE header. The performance improvements alone are very useful, and getting rid of the GRE header is the icing on the cake.


----------



## deadElk (Dec 15, 2016)

GRE on FreeBSD, and also in JunOS, is a very buggy thing.
First of all, the MTU cannot be set to 1500.
Strangely, 1414 bytes is the maximum even if 'ifconfig' says 1500.


----------
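The two encapsulation choices discussed above (GRE over transport-mode ESP, as Crest describes, versus a tunnel-mode ESP interface such as the new VTI) differ in header overhead, which is what decides how large an inner packet can be before it fragments. The following is an added example, not code from any poster in this thread or from FreeBSD or strongSwan: it computes the largest inner packet that fits a given path MTU for plain GRE, GRE over transport-mode ESP, and tunnel-mode ESP. It assumes IPv4 without options, a minimal 4-byte GRE header, and the RFC 4303 padding rule (payload plus the 2-byte trailer aligned to the cipher block size, or to 4 bytes for a combined-mode cipher); the `aes128-sha256` suite mirrors the proposal in deadElk's posted config, the GCM suite is a constructed comparison point. Fixed-size TFC padding, dummy packets and IP options are ignored. It does not try to reproduce the 1414-byte figure reported for gre(4); that is a separate driver observation.

```python
"""Inner-packet MTU budget for GRE and ESP encapsulations (added example)."""
from dataclasses import dataclass

IPV4_HDR = 20     # outer IPv4 header, no options (assumption)
GRE_HDR = 4       # minimal GRE header: no key, no sequence number
UDP_HDR = 8       # NAT-T UDP encapsulation (RFC 3948), when enabled
ESP_HDR = 8       # ESP header: SPI + sequence number
ESP_TRAILER = 2   # ESP trailer: pad length + next header


@dataclass(frozen=True)
class EspSuite:
    """Per-suite sizes that affect the packet layout (constructed values)."""
    name: str
    iv_len: int   # explicit IV transmitted in the packet
    icv_len: int  # integrity check value appended after the trailer
    align: int    # alignment of (payload + padding + trailer)


# aes128-sha256 matches the esp= proposal in the config posted earlier:
# AES-CBC carries a 16-byte IV and pads to the 16-byte block; HMAC-SHA-256
# in ESP is truncated to 128 bits. aes128gcm16 is a constructed comparison:
# 8-byte IV, 16-byte ICV, and only the generic 4-byte ESP alignment.
AES128_SHA256 = EspSuite("aes128-sha256", iv_len=16, icv_len=16, align=16)
AES128_GCM16 = EspSuite("aes128gcm16", iv_len=8, icv_len=16, align=4)


def esp_inner_mtu(path_mtu, suite, *, encap_hdr=0, nat_t=False):
    """Largest payload that ESP can carry inside one path-MTU-sized packet.

    encap_hdr is any header that sits inside the encrypted region in front
    of the payload (the GRE header in transport-mode GRE-over-ESP, nothing
    in tunnel mode). The encrypted region (encap_hdr + payload + padding +
    trailer) must be a multiple of suite.align, so the usable size is the
    budget rounded down to that alignment.
    """
    fixed = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + suite.iv_len + suite.icv_len
    budget = path_mtu - fixed
    if budget <= 0:
        raise ValueError(f"path MTU {path_mtu} too small for {suite.name} overhead")
    encrypted = budget - budget % suite.align   # largest aligned region that fits
    inner = encrypted - ESP_TRAILER - encap_hdr
    if inner <= 0:
        raise ValueError(f"no room for payload inside {suite.name} at MTU {path_mtu}")
    return inner


def gre_inner_mtu(path_mtu):
    """Plain GRE over IPv4: outer IP header plus the 4-byte GRE header."""
    return path_mtu - IPV4_HDR - GRE_HDR


def gre_over_transport_esp_inner_mtu(path_mtu, suite, nat_t=False):
    """GRE delivery packet protected by transport-mode ESP: the GRE header is
    inside the encrypted region, the delivery IP header stays outside."""
    return esp_inner_mtu(path_mtu, suite, encap_hdr=GRE_HDR, nat_t=nat_t)


def vti_inner_mtu(path_mtu, suite, nat_t=False):
    """Tunnel-mode ESP (what a VTI interface carries): the whole inner IP
    packet is the ESP payload, a new outer IP header is prepended."""
    return esp_inner_mtu(path_mtu, suite, nat_t=nat_t)


def compare(path_mtu=1500, suite=AES128_SHA256, nat_t=False):
    """Side-by-side budget for the three encapsulations."""
    return {
        "gre": gre_inner_mtu(path_mtu),
        "gre_over_transport_esp": gre_over_transport_esp_inner_mtu(path_mtu, suite, nat_t),
        "tunnel_mode_esp": vti_inner_mtu(path_mtu, suite, nat_t),
    }


if __name__ == "__main__":
    for suite in (AES128_SHA256, AES128_GCM16):
        for nat_t in (False, True):
            print(suite.name, "nat_t" if nat_t else "no-nat-t", compare(1500, suite, nat_t))
```

For a 1500-byte path and the aes128-sha256 suite, tunnel-mode ESP leaves room for a 1438-byte inner packet while GRE over transport-mode ESP leaves 1434 bytes: exactly the 4-byte GRE header mentioned above, since the GRE header lives inside the padded region and never changes the alignment. Whichever variant is used, the tunnel interface MTU should be set to the computed inner size so that fragmentation happens before encryption rather than on the ESP packet.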

