[Swan] VTI interface ip tunnel missing endpoint ip
paul at nohats.ca
Sat Apr 25 19:35:25 UTC 2020
Multiple VTI tunnels with right=%any is not possible. It is a design limitation of VTI and why XFRMi was created.
Sent from my iPhone
> On Apr 25, 2020, at 13:17, Rav Ya <ravin.ya90 at gmail.com> wrote:
> Hello All,
> Can someone please advise me on the below.
> Overview of my configuration:
> The rightsubnet and leftsubnet on the Libreswan VPN server are set to 0.0.0.0/0. The plan is to run iBGP over IPsec. On my server side, I have set right=%any (for my use case this is unknown). I have enabled the vti-interface with routing turned off so that I can run iBGP across IPsec.
> On my test setup, I have client tunnel endpoint: 10.11.0.1 and server endpoint 10.11.0.254.
> Observation: On the Libreswan Server
> The tunnel is established as desired:
> 0.0.0.0/0===10.11.0.254<10.11.0.254>[@libswan]...10.11.0.1[@dummy01]===0.0.0.0/0; erouted;
> But the VTI (IP-IP Interface) configured by Libreswan does not define the client tunnel endpoint.
> ipsec01@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
> link/ipip 10.11.0.254 brd 0.0.0.0
> To my knowledge we should read the endpoint IP (10.11.0.1) and use it for configuring the IP tunnel. Is my understanding correct, or am I missing something?
> This works just fine for a single tunnel, but when I have multiple tunnels with individual VTI interfaces all set to link/ipip 10.11.0.254 brd 0.0.0.0, the ESP packets get dropped. The ESP packets are seen on the outer interface, but they don't get routed to the respective VTI interface and are dropped.
> Will switching to route based XFRMi (ipsec-interface) help in this case?
> -Rav ya
> Swan mailing list
> Swan at lists.libreswan.org
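The two shapes under discussion side by side, as an added example that is not part of the thread and not Libreswan project code: a server with two conns that both accept an unknown peer (right=%any) and are told apart by rightid, first built on VTI (the shape that cannot work for more than one peer, because each VTI is created with only the local endpoint 10.11.0.254 and no remote, exactly the `brd 0.0.0.0` seen above) and then on XFRM interfaces via ipsec-interface=, where the kernel demultiplexes on the interface id carried by the policy and SA rather than on the peer address. The addresses and ids 10.11.0.254, @libswan and @dummy01 come from the mail; @dummy02, the interface numbers, the PSK setup and the conn names are assumptions. The XFRMi conns need a Libreswan build that supports ipsec-interface= on a kernel with XFRM interfaces (Linux 4.19 or later).

```ini
# Added example, not from the thread or from the Libreswan project.
# Values 10.11.0.254, @libswan and @dummy01 are taken from the mail;
# @dummy02, the interface numbers, PSK auth and conn names are assumed.

# Shared settings, pulled in with also=. auto=ignore keeps this template
# from being loaded as a conn of its own.
conn srv-any
    left=10.11.0.254
    leftid=@libswan
    leftsubnet=0.0.0.0/0
    right=%any
    rightsubnet=0.0.0.0/0
    authby=secret
    auto=ignore

# --- Shape that fails with more than one %any peer -----------------------
# Each VTI is created knowing only local=10.11.0.254; the remote is still
# unknown when the interface comes up (the peer is learned from IKE), so
# all of these look the same to the kernel's VTI lookup and ESP for the
# second peer never reaches ipsec02. vti-routing=no leaves routing to BGP.
conn vti-dummy01
    also=srv-any
    rightid=@dummy01
    vti-interface=ipsec01
    vti-routing=no
    auto=add

conn vti-dummy02
    also=srv-any
    rightid=@dummy02
    vti-interface=ipsec02
    vti-routing=no
    auto=add

# --- Route-based alternative: XFRM interfaces ---------------------------
# ipsec-interface=N creates ipsecN with XFRM if_id N. The policy and SA
# installed for each conn carry that if_id, so delivery to the interface
# does not depend on the peer address and each %any peer gets its own
# interface. Routes (and the BGP session) go over ipsec1 / ipsec2.
conn xfrmi-dummy01
    also=srv-any
    rightid=@dummy01
    ipsec-interface=1
    auto=add

conn xfrmi-dummy02
    also=srv-any
    rightid=@dummy02
    ipsec-interface=2
    auto=add
```

With the XFRMi conns loaded, `ip -d link show ipsec1` reports the interface as type xfrm with its if_id, and `ip xfrm policy` shows the same if_id on the policies Libreswan installed for that conn; addresses for the iBGP session are assigned directly to ipsec1 and ipsec2 and routes for the peer prefixes point at those interfaces, so no VTI endpoint address is needed at all.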