[Swan] route based vpn with libreswan

Paul Wouters paul.wouters at aiven.io
Wed Nov 17 04:47:47 EET 2021

On Wed, 3 Nov 2021, owen s wrote:

> I created an ipsec tunnel that's working but I am unable to route traffic through the tunnel.

Note that traffic should "flow" through the tunnel automatically, even
without any interface devices. But you need to ensure the packets are
not getting NATTED by accident because then the packets are no longer
matching the left/right subnet and won't go through the IPsec layer.

> reading I think the solution is to create a new vti interface
> via: https://libreswan.org/wiki/Route-based_VPN_using_VTI

That's not needed and I would recommend not doing this. If you need
to use interfaces (which you don't need), use XFRMi (ipsec-interface=)

> conn testconn    
>         leftsubnet=[]
>         rightsubnet=[]

So on the left host, ensure you do not SNAT packets with destination
On the right host, ensure you do not SNAT packets with destination to Also ensure you have ip forwarding enabled via sysctl/proc
or via iptables.

> should I change the left and right subnet to or can I keep the subnet defined as is?

No. If you use, ALL traffic will attempt to go through (and
you need some exceptions to ensure the tunnel doesn't collapse trying
to route through itself)

> What's the difference between the left, right vti and then the ip route add command? Why is the
> leftvti but the ip route add

The VTI options are legacy and deprecated. Do not use them. You should
not need to use any manual "ip route" commands.

(left / right denotes the IP of the host on the left side or right side of
your network diagram. leftvti is used to configure the virtual interface
with an IP/netmask)


More information about the Swan mailing list