[Swan] Unable to get multiple subnets to traverse a vti, can someone help?

Paul Wouters paul at nohats.ca
Tue Sep 28 22:12:27 UTC 2021

On Tue, 28 Sep 2021, Dave Houser wrote:

> I need assistance configuring libreswan to allow client's vti (left) to route to the server's vti (right)
> interface, as well as other subnets on the far end via the single ipsec tunnel. 
> Right now I am able to route only one subnet or ALL subnets. I need the client to be able to ping the VTI far
> end interface (, as well as other various subnets (Let's start with Note: I am only
> testing layer 3 right now with ICMP pings.
> With the configurations below, I can only reach devices on the far end. 
> If I try to ping, I get  "Destination Host Unreachable", and see no traffic traversing the tunnel
> with "ipsec whack --trafficstatus"

One of the design limitations of VTI is that in various scenarios, more
than one subnet does not work. That is why the kernel people ported that
code to the new XFRMi code.

> Here is my config file:
> (/etc/ipsec.d/myconfig.conf)
> conn to-vsrx-01
>     auto=start
>     keyexchange=ike
>     authby=secret
>     ike=aes256-sha2_256;dh20
>     esp=aes256-sha2_256
>     left=
>     leftid=
>     leftsubnet=
>     leftupdown=/opt/_updown_vti01
>     right=
>     rightsubnet=
>     keyingtries=0

> Here is my updown script:
> (/opt/_updown_vti01)

>         ip route add dev $VTI_IF
>         ip route add dev $VTI_IF

You cannot just route stuff into the device that is not part
of your IPsec subnet configurations. The IPsec policy will
drop those. Usually when people want to do this (often called
a routed VPN) they set up a tunnel for to
and then use ip route add to determine what to send over ipsec
to the other side.
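The mismatch Paul describes (a route pointed at the VTI device whose destination is not covered by the connection's traffic selectors, so the IPsec policy silently drops the packets) is easy to catch before bringing a tunnel up. The following checker is an added example, not code from the thread or from the Libreswan project: it parses an ipsec.conf-style conn block and a text dump of `ip route`, and reports every route bound to the VTI device whose destination falls outside `rightsubnet`. The conn block and the route lines are constructed for illustration (the poster's real addresses were elided); `vti-interface` and `vti-routing` are Libreswan's own keywords, and the checker assumes the conn names exactly one VTI device.

```python
import ipaddress

# Constructed sample conn block (not the poster's real config): a tunnel whose
# rightsubnet covers only one remote network, the situation described above.
SAMPLE_CONF = """\
conn to-vsrx-01
    auto=start
    leftsubnet=10.10.0.0/24
    rightsubnet=10.20.0.0/24
    vti-interface=vti01
    vti-routing=no
"""

# Constructed 'ip route' output: two routes point at vti01, but only one of
# them lies inside rightsubnet, so traffic for the other never enters the SA.
SAMPLE_ROUTES = """\
default via 192.0.2.1 dev eth0
10.20.0.0/24 dev vti01 scope link
10.30.0.0/24 dev vti01 scope link
10.10.0.0/24 dev eth1 proto kernel scope link src 10.10.0.5
"""


def parse_conn(conf_text):
    """Return {key: value} for the first conn block in ipsec.conf-style text."""
    conn = {}
    in_conn = False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("conn "):
            if in_conn:
                break  # only the first conn block is examined
            in_conn = True
            conn["name"] = stripped.split(None, 1)[1]
            continue
        if in_conn and "=" in stripped and not stripped.startswith("#"):
            key, _, value = stripped.partition("=")
            conn[key.strip()] = value.strip()
    return conn


def routes_via(routes_text, dev):
    """Return the destination networks of all routes bound to device dev."""
    nets = []
    for line in routes_text.splitlines():
        fields = line.split()
        if "dev" not in fields or fields[fields.index("dev") + 1] != dev:
            continue
        # 'default' is ip's spelling of 0.0.0.0/0; a bare host address becomes a /32.
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        nets.append(ipaddress.ip_network(dst, strict=False))
    return nets


def uncovered_routes(conf_text, routes_text):
    """Destinations routed into the VTI device but outside rightsubnet.

    Only the destination side is checked; rightsubnet may be a comma-separated
    list (assumption for illustration). With rightsubnet=0.0.0.0/0, the routed
    VPN layout Paul describes, this always returns an empty list.
    """
    conn = parse_conn(conf_text)
    dev = conn["vti-interface"]
    selectors = [ipaddress.ip_network(s.strip()) for s in conn["rightsubnet"].split(",")]
    bad = []
    for dst in routes_via(routes_text, dev):
        covered = any(dst.subnet_of(sel) for sel in selectors if sel.version == dst.version)
        if not covered:
            bad.append(str(dst))
    return bad


if __name__ == "__main__":
    for dst in uncovered_routes(SAMPLE_CONF, SAMPLE_ROUTES):
        print(f"route {dst} via vti01 is not covered by rightsubnet; IPsec policy will drop it")
    catch_all = SAMPLE_CONF.replace("rightsubnet=10.20.0.0/24", "rightsubnet=0.0.0.0/0")
    print("uncovered with rightsubnet=0.0.0.0/0:", uncovered_routes(catch_all, SAMPLE_ROUTES))
```

Running it against the constructed input flags 10.30.0.0/24, the route the updown script would have added without a matching selector; rewriting `rightsubnet` to the 0.0.0.0/0 catch-all makes the list empty, which is exactly why the routed-VPN pattern lets `ip route add` alone decide what crosses the tunnel. On a live host, feed it `ipsec.conf` and the output of `ip route show`.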


More information about the Swan mailing list