[Swan] Unable to get multiple subnets to traverse a vti, can someone help?

Dave Houser davehouser1 at gmail.com
Tue Sep 28 19:23:19 UTC 2021


I need assistance configuring libreswan to allow client's vti (left) to
route to the server's vti (right) interface, as well as other subnets on
the far end via the single ipsec tunnel.

Right now I am able to route only one subnet or ALL subnets. I need the
client to be able to ping the VTI far end interface (, as well
as other various subnets (Let's start with Note: I am only
testing layer 3 right now with ICMP pings.

With the configurations below, I can only reach devices on
the far end.
If I try to ping, I get "Destination Host Unreachable", and see
no traffic traversing the tunnel with "ipsec whack --trafficstatus".

Here is my config file:

conn to-vsrx-01

Here is my updown script:


set -o nounset
set -o errexit

VTI_IF="vti01"   # VTI interface name (vti01 in the output below)

case "${PLUTO_VERB}" in
    up-client)
        # Build VTI interface. Note the "key" is important to mark your traffic
        ip tunnel add $VTI_IF local remote mode vti key 42
        # Bring up vti
        ip link set $VTI_IF up
        # Apply IP address to VTI
        ip addr add dev $VTI_IF
        # Add routing
        ip route add dev $VTI_IF
        ip route add dev $VTI_IF
        sysctl -w "net.ipv4.conf.$VTI_IF.disable_policy=1"
        sysctl -w "net.ipv4.conf.$VTI_IF.rp_filter=0"
        sysctl -w "net.ipv4.conf.$VTI_IF.forwarding=1"
        ;;
    down-client)
        # Tear the VTI down again when the Child SA goes away
        ip tunnel del $VTI_IF
        ;;
esac

Before I start the tunnel, I first check my routes and interfaces to make
sure there are no residual configurations (no vti01, or routes) still
configured. If there are, I remove them. Then I perform the following:

# ipsec auto --delete to-vsrx-01
# ipsec auto --add to-vsrx-01
# ipsec auto --up to-vsrx-01

When checking my routes and interfaces after the tunnel comes up I see
the following  (Only including what was added), note there is no
default gateway on the host:

# ip -br a

vti01@NONE       UNKNOWN fe80::200:5efe:202:2/64

# route -n   U     0      0        0 vti01 U     0      0        0 vti01

I then try to ping (A host that is routable on the far
end), and (The remote SA's interface).

I can reach and get a reply. I get "Destination Host
Unreachable" when trying to ping

I believe my issue is that since the "rightsubnet" only has the subnet,
libreswan will only allow that subnet to traverse the ipsec tunnel. I
tried changing "rightsubnet" to, and restarting the tunnel. The results
aligned with my theory as I could only ping but not

I tried using the "rightsubnets" parameter like this


But it seems libreswan thinks these are separate SAs, and as such tries
to re-run my updown script twice to connect to separate subnets. This
builds the tunnel but then errors out:

# ipsec auto --delete to-vsrx-01
002 "to-vsrx-01": terminating SAs using this connection
005 "to-vsrx-01" #6: ESP traffic information: in=84B out=84B
002 "to-vsrx-01" #5: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged
83.87356s and sending notification
[root@gst-01 ipsec.d]# ipsec auto --add to-vsrx-01
002 "to-vsrx-01/1x0": added IKEv2 connection
002 "to-vsrx-01/2x0": added IKEv2 connection
[root@gst-01 ipsec.d]# ipsec auto --up to-vsrx-01
000 initiating all conns with alias='to-vsrx-01'
181 "to-vsrx-01/2x0" #7: initiating IKEv2 connection
000 "to-vsrx-01/1x0": queue Child SA; waiting on IKE SA
"to-vsrx-01/2x0" #7 negotiating with
181 "to-vsrx-01/2x0" #7: sent IKE_SA_INIT request
002 "to-vsrx-01/2x0" #7: switching CHILD #8 to pending connection
182 "to-vsrx-01/2x0" #7: sent IKE_AUTH request {cipher=AES_CBC_256
integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=DH20}
003 "to-vsrx-01/2x0" #7: established IKE SA; authenticated using
authby=secret and peer ID_IPV4_ADDR ''
002 "to-vsrx-01/1x0" #8: up-client output:
net.ipv4.conf.vti01.disable_policy = 1
002 "to-vsrx-01/1x0" #8: up-client output:
net.ipv4.conf.vti01.rp_filter = 0
002 "to-vsrx-01/1x0" #8: up-client output:
net.ipv4.conf.vti01.forwarding = 1
004 "to-vsrx-01/1x0" #8: established Child SA; IPsec tunnel
[ 0] -> [
0] {ESP=>0xfa47cb52 <0xa35c401a xfrm=AES_CBC_256-HMAC_SHA2_256_128
NATOA=none NATD=none DPD=passive}

*002 "to-vsrx-01/2x0" #9: initiating Child SA using IKE SA #7
"to-vsrx-01/2x0" #9: sent CREATE_CHILD_SA request for new IPsec SA
"to-vsrx-01/2x0" #9: CREATE_CHILD_SA failed with error notification
NO_PROPOSAL_CHOSEN                                        200
"to-vsrx-01/2x0" #9: state transition 'process create Child SA failure
response (CREATE_CHILD_SA)' failed  *

Is this expected?

How can I get libreswan to allow multiple subnets to route via the vti
without trying to set up new connections to the new subnets?
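As an added example (not the poster's script and not libreswan's own _updown), here is a complete updown script for a route-based layout: the conn is assumed to keep catch-all traffic selectors (leftsubnet=0.0.0.0/0, rightsubnet=0.0.0.0/0, vti-routing=no, mark=42/0xffffffff), so a single Child SA carries everything and the script installs one kernel route per far-end subnet over the VTI; the routes, not extra SAs, decide what enters the tunnel. PLUTO_VERB, PLUTO_ME and PLUTO_PEER are the environment variables pluto exports to updown scripts; the VTI address, the subnet list and the 203.0.113.x/198.51.100.x endpoints are constructed values, and DRY_RUN is an added switch so the command sequence can be inspected without root.

```shell
#!/bin/sh
# Added example updown script for a libreswan VTI (route-based) connection.
# Assumes: mark=42/0xffffffff, vti-routing=no, leftsubnet/rightsubnet=0.0.0.0/0.
set -eu

VTI_IF="${VTI_IF:-vti01}"
VTI_KEY="${VTI_KEY:-42}"                     # must match the conn's mark= value
VTI_ADDR="${VTI_ADDR:-10.255.0.1/30}"        # constructed address for the VTI
# Constructed list of far-end subnets reachable through the one tunnel:
# the VTI point-to-point net plus two LANs behind the peer.
REMOTE_SUBNETS="${REMOTE_SUBNETS:-10.255.0.0/30 192.168.10.0/24 192.168.20.0/24}"
DRY_RUN="${DRY_RUN:-0}"                      # 1 = print commands instead of running

# run: execute a command, or print it when DRY_RUN=1 so the script can be
# checked without root and without touching the kernel.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# up-client: create the VTI from the SA endpoints pluto hands us, then route
# every far-end subnet into it. disable_policy=1 lets the catch-all selectors
# pass on the VTI; rp_filter=0 avoids drops on the asymmetric return path.
vti_up() {
    run ip tunnel add "$VTI_IF" local "${PLUTO_ME:?}" remote "${PLUTO_PEER:?}" mode vti key "$VTI_KEY"
    run ip link set "$VTI_IF" up
    run ip addr add "$VTI_ADDR" dev "$VTI_IF"
    run sysctl -q -w "net.ipv4.conf.$VTI_IF.disable_policy=1"
    run sysctl -q -w "net.ipv4.conf.$VTI_IF.rp_filter=0"
    for net in $REMOTE_SUBNETS; do
        run ip route replace "$net" dev "$VTI_IF"
    done
}

# down-client: remove the routes and the VTI so nothing residual is left
# behind for the next --up (the manual cleanup step in the post).
vti_down() {
    for net in $REMOTE_SUBNETS; do
        run ip route del "$net" dev "$VTI_IF" 2>/dev/null || true
    done
    run ip tunnel del "$VTI_IF"
}

# count_route_cmds: number of route commands a dry run of vti_up emits,
# i.e. one per entry in REMOTE_SUBNETS.
count_route_cmds() {
    (DRY_RUN=1; vti_up) | grep -c '^ip route replace '
}

case "${PLUTO_VERB:-}" in
    up-client)   vti_up ;;
    down-client) vti_down ;;
    *) ;;   # prepare-*, route-*, unroute-* and interactive use: nothing to do
esac
```

To preview what pluto would execute, run it as `DRY_RUN=1 PLUTO_VERB=up-client PLUTO_ME=203.0.113.1 PLUTO_PEER=198.51.100.1 sh updown.sh`; with the real conn up, `ipsec whack --trafficstatus` should then show byte counters rising for pings to any subnet in REMOTE_SUBNETS, since they all share the single Child SA.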