[Swan] Unable to get multiple subnets to traverse a vti, can someone help?

Paul Wouters paul at nohats.ca
Tue Sep 28 22:12:27 UTC 2021


On Tue, 28 Sep 2021, Dave Houser wrote:

> I need assistance configuring libreswan to allow client's vti (left) to route to the server's vti (right)
> interface, as well as other subnets on the far end via the single ipsec tunnel. 
> 
> Right now I am able to route only one subnet or ALL subnets. I need the client to be able to ping the VTI far
> end interface (172.21.0.1), as well as other various subnets (Let's start with 10.104.8.0/24). Note: I am only
> testing layer 3 right now with ICMP pings.
> 
> With the configurations below, I can only reach 10.104.8.0/24 devices on the far end. 
> If I try to ping 172.21.0.1, I get "Destination Host Unreachable", and see no traffic traversing the tunnel
> with "ipsec whack --trafficstatus"

One of the design limitations of VTI is that in various scenarios, more
than one subnet does not work. That is why the kernel people ported that
code to the new XFRMi code.

> Here is my config file:
> (/etc/ipsec.d/myconfig.conf)
> 
> conn to-vsrx-01
>     auto=start
>     keyexchange=ike
>     authby=secret
>     ike=aes256-sha2_256;dh20
>     esp=aes256-sha2_256
>     left=2.2.0.2
>     leftid=2.2.0.2
>     leftsubnet=0.0.0.0/0
>     leftupdown=/opt/_updown_vti01
>     right=3.3.0.2
>     rightsubnet=10.10.10.0/24
>     keyingtries=0


> Here is my updown script:
> (/opt/_updown_vti01)

>         ip route add 172.21.0.0/29 dev $VTI_IF
>         ip route add 10.104.8.0/24 dev $VTI_IF

You cannot just route stuff into the device that is not part
of your IPsec subnet configurations. The IPsec policy will
drop those. Usually when people want to do this (often called
a routed VPN) they setup a tunnel for 0.0.0.0/0 to 0.0.0.0/0
and then use ip route add to determine what to send over ipsec
to the other side.

Paul
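The routed-VPN layout Paul describes, written out as an added example (not the poster's config and not from libreswan's own documentation): the conn carries 0.0.0.0/0 on both sides so the IPsec policy no longer drops the extra subnets, and plain routes into the VTI decide what crosses the tunnel. Addresses and the conn name reuse the thread's values; the interface name and mark value are assumed, and `vti-interface=`, `vti-routing=` and `mark=` are libreswan's VTI options.

```ini
# Added example: routed VPN over a VTI with libreswan.
#
# Before (from the thread): the selectors cover only one subnet, so packets
# for 172.21.0.0/29 or 10.104.8.0/24 that are routed into the VTI never match
# the IPsec policy and are dropped before they reach the tunnel.
#   leftsubnet=0.0.0.0/0
#   rightsubnet=10.10.10.0/24

conn to-vsrx-01
    auto=start
    keyexchange=ike
    authby=secret
    ike=aes256-sha2_256;dh20
    esp=aes256-sha2_256
    left=2.2.0.2
    leftid=2.2.0.2
    right=3.3.0.2
    # After: a 0/0 <-> 0/0 policy, so anything routed into the VTI is allowed
    # through; the peer must present the same any-to-any traffic selectors.
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    # Interface name and mark are assumed values; the mark is what ties the
    # VTI to this conn's IPsec policy.
    mark=42/0xffffffff
    vti-interface=vti01
    # Do not let libreswan push a 0.0.0.0/0 route into the VTI, otherwise the
    # tunnel swallows all of the host's traffic. The updown script chooses the
    # subnets instead.
    vti-routing=no
    leftupdown=/opt/_updown_vti01
    keyingtries=0

# The per-subnet routes from the thread's /opt/_updown_vti01 now do the
# traffic selection, and both destinations match the 0/0 policy:
#     ip route add 172.21.0.0/29 dev $VTI_IF
#     ip route add 10.104.8.0/24 dev $VTI_IF
```

Because the policy is now any-to-any, the routes (and firewall rules) on the VTI are the only thing limiting what is sent over IPsec, so check them with `ip route show dev vti01` and confirm with `ipsec whack --trafficstatus` that a ping to 172.21.0.1 now increments the tunnel counters.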



More information about the Swan mailing list