[Swan] route based vpn with libreswan

Paul Wouters paul.wouters at aiven.io
Wed Nov 17 04:47:47 EET 2021


On Wed, 3 Nov 2021, owen s wrote:

> I created an ipsec tunnel that's working but I am unable to route traffic through the tunnel.

Note that traffic should "flow" through the tunnel automatically, even
without any interface devices. But you need to ensure the packets are
not getting NATTED by accident because then the packets are no longer
matching the left/right subnet and won't go through the IPsec layer.

> reading I think the solution is to create a new vti interface
> via: https://libreswan.org/wiki/Route-based_VPN_using_VTI

That's not needed and I would recommend not doing this. If you need
to use interfaces (which you don't need), use XFRMi (ipsec-interface=)

> conn testconn
[...]
>         leftsubnet=[10.10.2.0/24]
>         rightsubnet=[10.100.10.128/25]

So on the left host, ensure you do not SNAT packets with destination 10.100.10.128/25.
On the right host, ensure you do not SNAT packets with destination to
10.10.2.0/24. Also ensure you have ip forwarding enabled via sysctl/proc
or via iptables.

> should I change the left and right subnet to 0.0.0.0/0 or can I keep the subnet defined as is?

No. If you use 0.0.0.0/0, ALL traffic will attempt to go through (and
you need some exceptions to ensure the tunnel doesn't collapse trying
to route through itself).

> What's the difference between the left, right vti and then the ip route add command? Why is the
> leftvti 10.0.1.1/24 but the ip route add 10.0.0.0/8?

The VTI options are legacy and deprecated. Do not use them. You should
not need to use any manual "ip route" commands.

(left / right denotes the IP of the host on the left side or right side of
your network diagram. leftvti is used to configure the virtual interface
with an IP/netmask)

Paul
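The two host-side checks Paul describes (no SNAT of traffic bound for the peer subnet, IP forwarding enabled), as an added example that is not part of the thread or of libreswan: it runs against constructed sample data, the subnet comes from the quoted conn, and the iptables listings and sysctl file contents are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: audit the conditions Paul
# names against constructed sample data so it runs offline. Only the
# subnet is taken from the quoted conn; the listings below are invented.

RIGHT_SUBNET="10.100.10.128/25"   # peer subnet, as seen from the left host

# Constructed `iptables -t nat -S POSTROUTING` listings. In NAT_BAD every
# packet leaving eth0 is masqueraded, so peer-bound packets get a new
# source address, no longer match leftsubnet, and skip the IPsec policy.
# NAT_GOOD exempts peer-bound traffic first (ACCEPT in the nat table ends
# traversal, so the MASQUERADE rule is never reached for those packets).
NAT_BAD='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'
NAT_GOOD='-P POSTROUTING ACCEPT
-A POSTROUTING -d 10.100.10.128/25 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# nat_exempts_remote LISTING SUBNET: succeeds only if an ACCEPT/RETURN
# rule for SUBNET comes before the first MASQUERADE/SNAT rule (order matters).
nat_exempts_remote() {
  printf '%s\n' "$1" | awk -v r="$2" '
    BEGIN { ok = 0 }
    /-j (MASQUERADE|SNAT)/ { exit }
    /-j (ACCEPT|RETURN)/ && index($0, "-d " r " ") { ok = 1; exit }
    END { exit !ok }'
}

# forwarding_enabled FILE: FILE holds the ip_forward flag; on a real host
# pass /proc/sys/net/ipv4/ip_forward (constructed temp files are used here).
forwarding_enabled() {
  [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Demonstration on the constructed data.
nat_exempts_remote "$NAT_BAD" "$RIGHT_SUBNET" \
  && echo "NAT_BAD: peer-bound traffic exempt" \
  || echo "NAT_BAD: peer-bound traffic gets SNATed before the IPsec check"
nat_exempts_remote "$NAT_GOOD" "$RIGHT_SUBNET" \
  && echo "NAT_GOOD: peer-bound traffic exempt" \
  || echo "NAT_GOOD: peer-bound traffic gets SNATed before the IPsec check"

fwd=$(mktemp); printf '0\n' > "$fwd"      # constructed: forwarding off
forwarding_enabled "$fwd" && echo "forwarding on" \
  || echo "forwarding off: set net.ipv4.ip_forward=1 via sysctl"
rm -f "$fwd"
```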

