[Swan] VTI interface ip tunnel missing endpoint ip

Rav Ya ravin.ya90 at gmail.com
Sat Apr 25 17:17:40 UTC 2020


Hello All,

Can someone please advise me on the below.


*Overview of my configuration:*

The rightsubnet and leftsubnet on the Libreswan VPN server are set to
0.0.0.0/0. The plan is to run iBGP over IPsec. On my server side, I have
set right=%any (for my use case this is unknown). I have enabled the
vti-interface with routing turned off so that I can run iBGP across IPsec.



On my test setup, I have client tunnel endpoint: 10.11.0.1 and server
endpoint 10.11.0.254.



*Observation:* On the Libreswan Server

The tunnel is established as desired:

0.0.0.0/0===10.11.0.254<10.11.0.254>[@libswan]...10.11.0.1[@dummy01]===0.0.0.0/0; erouted;



But the VTI (IP-IP Interface) configured by Libreswan does not define the
client tunnel endpoint.


ipsec01@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ipip 10.11.0.254 brd 0.0.0.0



*Questions:*

To my knowledge, we should read the endpoint IP (10.11.0.1) and use it for
configuring the IP tunnel. Is my understanding correct, or am I missing
something?



This works just fine for a single tunnel, but when I have multiple tunnels
with individual VTI interfaces all set to link/ipip 10.11.0.254 brd 0.0.0.0,
the ESP packets get dropped. The ESP packets are seen on the outer
interface, but they don't get routed to the respective VTI interface and are
dropped.



Will switching to route based XFRMi (ipsec-interface) help in this case?



Regards,

-Rav ya
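An added example to go with the question above; it is not part of the original post and not Libreswan code. It audits the output of `ip -d link show` for tunnel devices whose identity is ambiguous on the inbound path. The sample output is constructed (it is not captured from the poster's host). The audit assumes that the kernel selects a VTI for an incoming ESP packet by the (local, remote, ikey) tuple, with remote "any" (shown as brd 0.0.0.0 in the short listing) acting as a wildcard, and that a route-based XFRM interface is selected by its if_id alone, independent of the endpoint addresses.

```python
import re

# Constructed sample of `ip -d link show` output (not captured from the
# poster's host).  ipsec01/ipsec02 mimic the VTIs described in the post
# (local set, remote wildcard, same key); ipsec03 has a proper remote;
# ipsec0/ipsec1 are route-based XFRM interfaces told apart by if_id.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 0
5: ipsec01@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ipip 10.11.0.254 brd 0.0.0.0 promiscuity 0
    vti remote any local 10.11.0.254 ikey 0.0.0.5 okey 0.0.0.5 addrgenmode eui64
6: ipsec02@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ipip 10.11.0.254 brd 0.0.0.0 promiscuity 0
    vti remote any local 10.11.0.254 ikey 0.0.0.5 okey 0.0.0.5 addrgenmode eui64
7: ipsec03@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ipip 10.11.0.254 brd 10.11.0.1 promiscuity 0
    vti remote 10.11.0.1 local 10.11.0.254 ikey 0.0.0.7 okey 0.0.0.7 addrgenmode eui64
8: ipsec0@eth0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none promiscuity 0
    xfrm if_id 0x1 dev eth0 addrgenmode eui64
9: ipsec1@eth0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none promiscuity 0
    xfrm if_id 0x2 dev eth0 addrgenmode eui64
"""

# "5: ipsec01@NONE: <...>" -> interface name without the "@lower" suffix
_HEADER = re.compile(r"^\d+:\s+(\S+?)(?:@\S+)?:")


def parse_ip_link_detail(text):
    """Return a list of dicts: name, kind ('vti', 'xfrm' or None) and the
    key/value attributes iproute2 prints on the 'vti' / 'xfrm' detail line."""
    ifaces, cur = [], None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            cur = {"name": m.group(1), "kind": None}
            ifaces.append(cur)
            continue
        toks = line.split()
        if cur is None or not toks or toks[0] not in ("vti", "xfrm"):
            continue
        cur["kind"] = toks[0]
        # detail line is "kind k1 v1 k2 v2 ..."; keep it as a dict
        cur.update(dict(zip(toks[1::2], toks[2::2])))
    return ifaces


def audit(ifaces):
    """Flag tunnel devices the kernel cannot tell apart on inbound ESP.

    Assumption (see lead-in): a VTI is chosen by (local, remote, ikey) with
    remote 'any' as a wildcard; an XFRM interface is chosen by if_id only."""
    problems, vti_seen, xfrm_seen = [], {}, {}
    for i in ifaces:
        if i["kind"] == "vti":
            if i.get("remote", "any") == "any":
                problems.append((i["name"], "no-remote"))
            tup = (i.get("local"), i.get("remote"), i.get("ikey"))
            if tup in vti_seen:
                problems.append((i["name"], "duplicate-of:" + vti_seen[tup]))
            else:
                vti_seen[tup] = i["name"]
        elif i["kind"] == "xfrm":
            if_id = i.get("if_id", "0x0")
            if if_id in xfrm_seen:
                problems.append((i["name"], "duplicate-if_id:" + xfrm_seen[if_id]))
            else:
                xfrm_seen[if_id] = i["name"]
    return problems


if __name__ == "__main__":
    for name, why in audit(parse_ip_link_detail(SAMPLE)):
        print(f"{name}: {why}")
```

Run it against real output with `ip -d link show | python3 audit.py` after replacing SAMPLE with `sys.stdin.read()`. In the constructed sample, ipsec01 and ipsec02 are both flagged for the wildcard remote, and ipsec02 is additionally flagged as indistinguishable from ipsec01, which is the shape of the multi-tunnel failure described in the post; the two XFRM interfaces pass because their if_id values differ even though neither carries an endpoint address.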