[Solved] How to create VTI interface for IPsec Site-To-Site in OpenWrt?

I have successfully established IPsec Site-To-Site VPN. Now I am unable to create a VTI interface for the same.
Here is my ipsec statusall output :

Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.14.171, x86_64):
  uptime: 13 minutes, since Jun 28 11:03:35 2020
  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Listening IP addresses:
to-secondary:  IKEv2
to-secondary:   local:  uses pre-shared key authentication
to-secondary:   remote: [TestSST] uses pre-shared key authentication
to-secondary:   child: === TUNNEL
Security Associations (1 up, 0 connecting):
to-secondary[1]: ESTABLISHED 13 minutes ago,[]...[TestSST]
to-secondary[1]: IKEv2 SPIs: 4a8a064ad505b70c_i* aaa24c3b1e1a061a_r, pre-shared key reauthentication in 23 hours
to-secondary[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
to-secondary{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c72edcb1_i c2721932_o
to-secondary{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 11 hours
to-secondary{1}: ===

What commands do you run to create your VTI interface and what fails for you?

1 Like

i followed this link : https://jeffchiu.wordpress.com/2017/06/20/kb-connecting-openwrtlede-router-to-azure-virtual-network-gateway-ikev2/

My understanding is that after everything in the link you followed has been set up, they have a working VTI interface for their IPSec IKEv2 setup.

You don't seem to have an identical setup to them since at least the rightside in your case is

So, what doesn't work for you?

Is there a command that fails?
Is the interface not coming up?
Is the routing not working? -> how can you see it isn't?

1 Like

I have successfully established VTI with IPsec IKEv2 but packets are only received but not transmitting
here are the related snaps

Do you see these packets on your wan interface? then on the server you're pinging and the same for the reply leg? then on the wan interface on the way back?

You can track your packets and identify which leg is failing and therefore which part of your configuration is incorrect.

Otherwise, I can't tell you much more unless you share your configuration and the commands you ran to get to where you are. (The same set as what is in the article you referred to - hide passwords if needed)

1 Like

Here are the config files and commands you need to refer @VincentR

ipsec.conf file

# ipsec.conf - strongSwan IPsec configuration file
config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

conn to-secondary

        leftikeport = 4500
        rightikeport = 4500
strongswan.conf file

charon {
        load_modular = yes
        install_routes = no
        install_virtual_ip = no

        plugins {
                include strongswan.d/charon/*.conf

Commands used to create vti and do routing

ip tunnel add vti1 local XX.XX.XX.XX remote mode vti key 42

sysctl -w net.ipv4.conf.vti1.disable_policy=1

ip link set vti1 up
ip route add dev vti1
1 Like

@Karan is my partner @VincentR please reply

In the ip tunnel command, I think the remote is incorrect, it should be the gateway IP from you right config (rather than
Also make sure that your right network is in fact as per the ip route add (most likely the case, it's just been XX-ed). The previous could mean that the remote would be something like (if your gateway if on .1 ).

After that, you'll need to track the packets on the wan interface and then on the machine that you are pinging (and back) and let us know where it breaks down as it may be related to something else like a firewall preventing packets from coming back.

I hope that helps.

1 Like

I also disable RP filter on that VTI interface:

sysctl -w net.ipv4.conf.vti1.rp_filter=0

Check your own sysctl values and where they differ from the article you used, correct them if needed (ip_forward, accept_redirects, send_redirects)

1 Like

All parameters have been checked, everything is working perfectly, except the vti . If you have any documentation or reference links for vti which work 100%, then let us know, it would be of great help! thank you in advance

1 Like

The thing is that the article you are referencing works "100%" and so does vti with IPSec on my own routers.

I believe something in your setup is incorrect (marking, routing, firewall...) and you will need to troubleshoot it further to find it.
You have not answered my questions about tracing the ping packets and you are not providing me with feedback on the changes I suggested (like the remote setting), so there is not much I can work with here.

On a side note regarding documentation, If I remember correctly, I got most of my information from the strongswan documentation and mailing list:

1 Like

Thank you so much for your guidance, your rp filter command did help us and we added it to our sysctl configuration as well.We referred to the same links you have mentioned and they were really helpful.

As of now we could establish VTI and bind it with our IPSec tunnel and everything looks fine.
If we face any issues in future, shall seek your help

Thank you once again, your inputs were really helpful!

1 Like

Great! glad you got sorted, happy to help.

Karan can you please post your OpenWrt configuration for VTI here?

I was not able to create a VTI interface and get TX packets.

1 Like

Guys me and @Karan will upload a video....soon

A video is nice, but an instruction in the forum to copy would be nicer.


We will share instructions also in a few days time, thanks for your patience!

1 Like

Guys here is the solutioning video.

Do share your comments. Guys you can download the document from the video description

Giving back to the Open Source community by creating solutioning video of IPsec.
special thanks to @VincentR


I do not believe that your VTI interface works.

  1. In Network->Firewall->General Settings-> Forward is set to accept

  2. I only believe you when everything goes through the VTI interface. Can you activate Kill Switch?

  3. I can't see TX packets in LuCI (Network-> Interfaces)