[Swan] route based vpn with libreswan

owen s owen94012 at gmail.com
Wed Nov 3 14:16:56 EET 2021


I created an ipsec tunnel that's working but I am unable to route traffic
through the tunnel. After reading I think the solution is to create a new
vti interface via: https://libreswan.org/wiki/Route-based_VPN_using_VTI

The below is an example of my configuration:
conn testconn
        auto=start
        authby=secret
        ike=aes256-sha256;dh14
        esp=aes256-sha256
        ikelifetime=86400s
        salifetime=3600s
        pfs=no
        compress=no
        ikev2=no
        aggressive=no

        left=10.10.2.69
        leftid=[router public address]
        leftsubnet=[10.10.2.0/24]
        right=[remote server router public ip]
        rightsubnet=[10.100.10.128/25]
        # ipsec-interface=9 //no longer required

Should I change the left and right subnet to 0.0.0.0/0, or can I keep the
subnet defined as is?

Or should I just replace the left and right subnets with 0.0.0.0/0 and then
use the left and right vti to describe the subnets?

What's the difference between the left, right vti and then the ip route add
command? Why is the leftvti 10.0.1.1/24 but the ip route add 10.0.0.0/8?
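As an added illustration (an editor's example, not part of the original post and not libreswan's own code): the conn blocks below are constructed from the VTI options documented on the wiki page the post links to (vti-interface, vti-routing, leftvti, mark, together with 0.0.0.0/0 selectors); the endpoint addresses are documentation values, and parse_conn, vti_link and check_routes are assumed helper names. It exercises the two points the post asks about. First, leftvti only numbers the tunnel interface itself; it is not a traffic selector, so the 10.0.0.0/8 route pointed at the interface does not have to contain 10.0.1.1/24. Second, with a VTI the kernel routing table decides which packets enter the tunnel, but leftsubnet/rightsubnet are still the IPsec policy selectors, so keeping the narrow subnets while adding a wider route sends packets into the interface that no policy matches, and they are dropped. The checker flags exactly that mismatch.

```python
# Added example (not from the original post or from libreswan): checks whether
# the routes you plan to point at a VTI are covered by the conn's selectors.
import ipaddress

# Constructed conn blocks in ipsec.conf syntax. 203.0.113.10 is a documentation
# address (RFC 5737), not the poster's real endpoint.
POLICY_BASED = """\
conn testconn
        auto=start
        authby=secret
        left=10.10.2.69
        leftsubnet=10.10.2.0/24
        right=203.0.113.10
        rightsubnet=10.100.10.128/25
"""

# Route-based variant: 0.0.0.0/0 selectors plus the VTI options from the
# libreswan wiki (vti-interface, vti-routing, leftvti, mark); values assumed.
ROUTE_BASED = """\
conn testconn-vti
        auto=start
        authby=secret
        left=10.10.2.69
        leftsubnet=0.0.0.0/0
        right=203.0.113.10
        rightsubnet=0.0.0.0/0
        vti-interface=vti01
        vti-routing=no
        leftvti=10.0.1.1/24
        mark=5/0xffffffff
"""

# The "keep the subnets as they are" case: VTI options but narrow selectors.
MIXED = ROUTE_BASED.replace("rightsubnet=0.0.0.0/0", "rightsubnet=10.100.10.128/25")


def parse_conn(text):
    """Parse one 'conn' block: returns (name, {key: value}). '#' starts a comment."""
    name, settings = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1].strip()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        settings[key.strip()] = value.strip()
    if name is None:
        raise ValueError("no 'conn' header found")
    return name, settings


def vti_link(conn_text):
    """(interface, local address) for a route-based conn, None for a policy-based one.

    leftvti only numbers the tunnel interface; it is not a traffic selector, so a
    route such as 10.0.0.0/8 dev vti01 does not have to contain it."""
    _, s = parse_conn(conn_text)
    if "vti-interface" not in s:
        return None
    return s["vti-interface"], str(ipaddress.ip_interface(s["leftvti"]))


def check_routes(conn_text, routes):
    """Return a list of problems for routes you intend to point at the VTI.

    Routing decides what enters the interface, but leftsubnet/rightsubnet are
    still the IPsec policy selectors: a destination outside rightsubnet is sent
    to the VTI, finds no matching policy and is dropped."""
    name, s = parse_conn(conn_text)
    problems = []
    if "vti-interface" not in s:
        problems.append(f"{name}: no vti-interface, so this is a policy-based conn; "
                        "routes over a VTI do not apply")
    # libreswan's default when rightsubnet is absent is the peer address itself.
    remote = ipaddress.ip_network(s.get("rightsubnet") or s["right"] + "/32", strict=False)
    for dst in routes:
        net = ipaddress.ip_network(dst, strict=False)
        if net.version != remote.version or not net.subnet_of(remote):
            problems.append(f"{name}: route {dst} is wider than rightsubnet={remote}; "
                            "traffic outside the selector would be dropped in the tunnel")
    return problems


if __name__ == "__main__":
    print(vti_link(ROUTE_BASED))  # ('vti01', '10.0.1.1/24')
    for label, conn in (("policy", POLICY_BASED), ("vti", ROUTE_BASED), ("mixed", MIXED)):
        print(label, check_routes(conn, ["10.0.0.0/8"]) or "ok")
```

Running it reports the policy-based conn as not applicable, the 0.0.0.0/0 VTI conn as fine with a 10.0.0.0/8 route, and the mixed conn (VTI options with rightsubnet left at 10.100.10.128/25) as the case where the route is wider than the selector.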