[Swan] VTI interface ip tunnel missing endpoint ip
ravin.ya90 at gmail.com
Sat Apr 25 22:40:06 UTC 2020
Thank you for your time.
I switched to XFRMi and bumped into a different issue.
Apr 25 17:56:49.800303: | route owner of "gateway02" 10.11.0.2 unrouted:
"gateway01" 10.11.0.1 erouted; eroute owner: "gateway01" 10.11.0.1
Apr 25 17:56:49.800310: "gateway02" 10.11.0.2 #3: cannot route -- route
already in use for "gateway01" 10.11.0.1
- Is there a way to turn off routing for XFRMi interface? (Similar to
- With the older release (LibSwan 3.25) I was able to set up multiple
VTIs (routing disabled) but the IP-IP Tunnel End Points were the same
across all the VTIs IP-IP (*link/ipip 10.11.0.254 brd 0.0.0.0*) which
was causing an issue when I had more than one tunnel.
- On my VPN server, I am using right=%any because of the dynamic nature
of my client’s tunnel endpoint IP. To differentiate between the connections
I am using rightid=@dummyN (this is allocated to every client).
- For my scenario, I can’t even use modeconfig because I have to
preserve remote subnet IPs sitting behind the IPSec clients. (Plan is to
run iBGP across IPSec).
- Any suggestion/recommendation or read-up material would be highly
appreciated. Thank You
*Libreswan IPSec Config:*
On Sat, Apr 25, 2020 at 3:35 PM Paul Wouters <paul at nohats.ca> wrote:
> Multiple VTI tunnels with right=%any is not possible. It is a design
> limitation of VTI and why XFRMi was created.
> Sent from my iPhone
> On Apr 25, 2020, at 13:17, Rav Ya <ravin.ya90 at gmail.com> wrote:
> Hello All,
> Can someone please advise me on the below.
> *Overview of my configuration:*
> The rightsubnet and leftsubnet on the Libreswan VPN server are set to
> 0.0.0.0/0. The plan is to run iBGP over IPSec. On my server side, I have
> set right=%any (for my use case this is unknown). I have enabled the
> vti-interface with routing turned off so that I can run iBGP across IPSec.
> On my test setup, I have client tunnel endpoint: 10.11.0.1 and server
> endpoint 10.11.0.254.
> *Observation:* On the Libreswan Server
> The tunnel is established as desired:
> <http://0.0.0.0/0>; erouted;*
> But the VTI (IP-IP Interface) configured by Libreswan does not define the
> client tunnel endpoint.
> *ipsec01 at NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
> mode DEFAULT group default qlen 1000 link/ipip 10.11.0.254 brd 0.0.0.0*
> To my knowledge we should read the endpoint IP (10.11.0.1) and use it for
> configuring the IP tunnel. Is my understanding correct, or am I missing
> This works just fine for a single tunnel but when I have multiple tunnels
> with individual VTI interfaces all set to link/ipip 10.11.0.254 brd 0.0.0.0
> the ESP packets get dropped. The ESP packets are seen on the outer
> interface but they don't get routed to the respective VTI interface and are
> Will switching to route based XFRMi (ipsec-interface) help in this case?
> -Rav ya
> Swan mailing list
> Swan at lists.libreswan.org
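The symptom described in the thread (several ipip VTIs that share the local endpoint 10.11.0.254 but carry no remote endpoint) can be spotted from `ip link show` output. The following is an added example, not code from the thread or from Libreswan; it assumes the standard `ip link` text format and runs over a constructed sample modelled on the interface dump quoted above.

```python
import re
from collections import defaultdict

# Constructed sample of `ip link show` output (modelled on the interface shown in
# the message, with a second VTI added to show the collision); not a real capture.
SAMPLE_IP_LINK = """\
3: ipsec01@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ipip 10.11.0.254 brd 0.0.0.0
4: ipsec02@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ipip 10.11.0.254 brd 0.0.0.0
5: vti-static@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ipip 10.11.0.254 peer 192.0.2.10
"""

# "3: ipsec01@NONE: <...>" -> interface name "ipsec01"
HEADER_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:")
# "    link/ipip <local> brd|peer <remote>"; `brd 0.0.0.0` means no remote endpoint is set
IPIP_RE = re.compile(r"^\s+link/ipip\s+(\S+)\s+(?:brd|peer)\s+(\S+)")


def parse_ipip_links(text):
    """Return {ifname: (local, remote_or_None)} for every ipip link in `ip link` output."""
    links = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = IPIP_RE.match(line)
        if m and current:
            local, remote = m.groups()
            links[current] = (local, None if remote == "0.0.0.0" else remote)
    return links


def find_ambiguous_vtis(links):
    """Group endpoint-less ipip links by local address. Two or more sharing one local
    address with no remote endpoint is the configuration the thread reports as dropping ESP."""
    by_local = defaultdict(list)
    for name, (local, remote) in links.items():
        if remote is None:
            by_local[local].append(name)
    return {local: sorted(names) for local, names in by_local.items() if len(names) > 1}


if __name__ == "__main__":
    for local, names in find_ambiguous_vtis(parse_ipip_links(SAMPLE_IP_LINK)).items():
        print(f"{local}: {len(names)} VTIs without a remote endpoint: {', '.join(names)}")
```

Run it against `ip link show` output on the VPN server to confirm whether more than one VTI is left without a peer endpoint.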