[Swan] VTI interface ip tunnel missing endpoint ip

Rav Ya ravin.ya90 at gmail.com
Sat Apr 25 17:17:40 UTC 2020

Hello All,

Can someone please advise me on the below.

*Overview of my configuration:*

The rightsubnet and leftsubnet on the Libreswan VPN server are set to The plan is to run iBGP over IPSec. On my server side, I have
set right=%any (for my use case this is unknown). I have enabled the
vti-interface with routing turned off so that I can run iBGP across IPSec.

On my test setup, I have client tunnel endpoint: and server

*Observation:* On the Libreswan Server

The tunnel is established as desired:

<>; erouted;*

But the VTI (IP-IP Interface) configured by Libreswan does not define the
client tunnel endpoint.

*ipsec01@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
mode DEFAULT group default qlen 1000    link/ipip brd*


To my knowledge, we should read the endpoint IP ( and use it for
configuring the IP tunnel. Is my understanding correct? Or am I missing

This works just fine for a single tunnel, but when I have multiple tunnels
with individual VTI interfaces all set to link/ipip brd
the ESP packets get dropped. The ESP packets are seen on the outer
interface but they don't get routed to the respective VTI interface and are

Will switching to route based XFRMi (ipsec-interface) help in this case?


-Rav ya