[Swan] VTI interface ip tunnel missing endpoint ip

Paul Wouters paul at nohats.ca
Sat Apr 25 19:35:25 UTC 2020

Multiple VTI tunnels with right=%any are not possible. It is a design limitation of VTI and why XFRMi was created.


> On Apr 25, 2020, at 13:17, Rav Ya <ravin.ya90 at gmail.com> wrote:
> Hello All,
> Can someone please advise me on the below.
> Overview of my configuration:
> The rightsubnet and leftsubnet on the Libreswan VPN server are set to The plan is to run iBGP over IPSec. On my server side, I have set right=%any (for my use case this is unknown). I have enabled the vti-interface with routing turned off so that I can run iBGP across IPSec.
> On my test setup, I have client tunnel endpoint: and server endpoint
> Observation: On the Libreswan Server
> The tunnel is established as desired:
> <>[@libswan]...[@dummy01]===; erouted;
> But the VTI (IP-IP Interface) configured by Libreswan does not define the client tunnel endpoint.
> ipsec01 at NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
>     link/ipip brd
> Questions:
> In my knowledge we should read the endpoint IP ( and use it for configuring the IP tunnel. Is my understanding correct, or am I missing something?
> This works just fine for a single tunnel, but when I have multiple tunnels with individual VTI interfaces all set to  link/ipip brd the ESP packets get dropped. The ESP packets are seen on the outer interface but they don't get routed to the respective VTI interface and are dropped.
> Will switching to route based XFRMi (ipsec-interface) help in this case?
> Regards,
> -Rav ya
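An added configuration example, not from this thread or the Libreswan project, contrasting the two conn styles: the VTI form from the question, where each conn with right=%any produces a vti device whose ipip remote is unset, and the XFRMi (ipsec-interface) form Paul points to, where several conns share one interface and the kernel steers inbound ESP to it by SA rather than by outer endpoint. Conn names, ids, addresses, marks and the interface number are constructed placeholders; keys and certificates are omitted.

```ini
# /etc/ipsec.conf (constructed example; names, ids and addresses are placeholders)

# Style 1: VTI. One ipip device per conn, keyed by the outer endpoints.
# With right=%any the remote is unknown when the conn is loaded, so every
# such conn yields an identical vti device (link/ipip brd with no remote)
# and inbound ESP for a second peer cannot be steered to "its" device.
conn site-a-vti
    left=203.0.113.10          # server public address (placeholder)
    right=%any
    rightid=@site-a
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=11/0xffffffff         # XFRM mark that ties the SAs to the vti device
    vti-interface=vti-site-a
    vti-routing=no             # routes come from iBGP, not from Libreswan
    authby=rsasig
    auto=add

# Style 2: XFRMi (route-based). Both conns share ipsec1; the kernel binds
# traffic to the interface through the SA's if_id, so right=%any is fine
# and a second peer just adds another SA on the same interface.
conn site-a
    left=203.0.113.10
    right=%any
    rightid=@site-a
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    ipsec-interface=1          # creates or reuses the ipsec1 device
    authby=rsasig
    auto=add

conn site-b
    left=203.0.113.10
    right=%any
    rightid=@site-b
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    ipsec-interface=1          # same interface as site-a on purpose
    authby=rsasig
    auto=add

# Addressing and routing on ipsec1 are managed outside Libreswan, e.g.
#   ip addr add 10.255.0.1/32 dev ipsec1
#   ip route add 10.255.0.2/32 dev ipsec1   # iBGP neighbor (placeholder)
# so the routing daemon can peer over the interface as with vti-routing=no.
```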