<div dir="ltr"><div dir="ltr"><br><div><br></div><div><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Hi Paul,</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Thank
you for your time.</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">I
switched to XFRMi and bumped into a different issue.</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Apr 25 17:56:49.800303: |
route owner of "gateway02"[1] 10.11.0.2 unrouted:
"gateway01"[1] 10.11.0.1 erouted; eroute owner:
"gateway01"[1] 10.11.0.1 erouted<br>
Apr 25 17:56:49.800310: "gateway02"[1] 10.11.0.2 #3: cannot route --
route already in use for "gateway01"[1] 10.11.0.1  </p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br></p><ul style="margin-top:0in;margin-bottom:0in" type="disc"><li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Is there a way to turn off
     routing for the XFRMi interface? (Similar to vti-routing=no)</li></ul>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><i></i></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<ul style="margin-top:0in;margin-bottom:0in" type="disc">
 <li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">With the older release (Libreswan
     3.25) I was able to set up multiple VTIs (routing disabled), but the IP-IP
     tunnel end points were the same across all the VTIs (<i><span style="color:black">link/ipip
     10.11.0.254 brd 0.0.0.0</span></i><span style="color:black">), which
     was causing an issue when I had more than one tunnel.</span></li>
</ul>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><i> </i></p>

<ul style="margin-top:0in;margin-bottom:0in" type="disc">
 <li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">On my VPN server, I am
     using right=%any because of the dynamic nature of my client’s tunnel endpoint IP. To differentiate between the connections, I am using rightid=@dummyN
     (this is allocated to every client). </li>
</ul>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<ul style="margin-top:0in;margin-bottom:0in" type="disc">
 <li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt 2.8pt;font-size:11pt;font-family:Calibri,sans-serif">For my scenario, I can’t even use modeconfig because I have to preserve remote subnet IPs sitting behind the IPSec clients. (Plan is to run iBGP across IPSec).</li>
</ul>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<ul style="margin-top:0in;margin-bottom:0in" type="disc">
 <li class="gmail-MsoListParagraph" style="margin:0in 0in 0.0001pt 2.8pt;font-size:11pt;font-family:Calibri,sans-serif">Any suggestion/recommendation or read up material would be highly appreciated. Thank You</li>
</ul>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><b>Libreswan IPSec Config:</b></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">config
setup</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        uniqueids=no</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">conn
%default</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        ike=3des-sha1-modp2048</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        esp=aes256-md5-modp2048</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        dpdaction=clear</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        dpddelay=30s</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        dpdtimeout=90s</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        ikev2=insist</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        rekey=no</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        ikelifetime=24h</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        lifetime=24h</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        authby=secret</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        left=10.11.0.254</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        leftsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        leftid=@libswan</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        <span style="background:yellow">right=%any</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        <span style="background:yellow">rightsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a></span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        replay-window=0</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        nic-offload=auto</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        type=tunnel</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        auto=add</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">conn
gateway01</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        <span style="background:yellow">rightid=@dummy01</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        ipsec-interface=yes</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">conn
gateway02</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        <span style="background:yellow">rightid=@dummy02</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">        ipsec-interface=yes</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Thank You,</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Rav ya</p></div></div><div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Apr 25, 2020 at 3:35 PM Paul Wouters <<a href="mailto:paul@nohats.ca">paul@nohats.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Multiple VTI tunnels with right=%any is not possible. It is a design limitation of VTI and why XFRMi was created.<div><br></div><div>Paul<br><br><div dir="ltr">Sent from my iPhone</div><div dir="ltr"><br><blockquote type="cite">On Apr 25, 2020, at 13:17, Rav Ya <<a href="mailto:ravin.ya90@gmail.com" target="_blank">ravin.ya90@gmail.com</a>> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><div dir="ltr"><div style="padding:20px 0px 0px;font-size:0.875rem;font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif"><table cellpadding="0" style="border-collapse:collapse;margin-top:0px;width:auto;font-size:0.875rem;letter-spacing:0.2px;display:block"><tbody style="display:block"></tbody></table><span style="font-family:Calibri,sans-serif;font-size:11pt">Hello All,</span></div><div style="font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:medium"><div id="gmail-m_-8933180617247369438m_-1073050660331708893gmail-:kt" style="font-size:0.875rem;direction:ltr;margin:8px 0px 0px;padding:0px"><div id="gmail-m_-8933180617247369438m_-1073050660331708893gmail-:ks" style="overflow:hidden;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:small;line-height:1.5;font-family:Arial,Helvetica,sans-serif"><div dir="ltr"><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Can someone please advise me on the below.</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br></p><p 
class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><b>Overview of my configuration:</b></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">The rightsubnet and leftsubnet on the Libreswan VPN server are set to <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>. The plan is to run iBGP over IPSec. On my server side, <span style="font-size:11pt">I have set right=%any (for my use case this is unknown). I have enabled the vti-interface with routing turned off so that I can run iBGP across IPSec.</span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">On my test setup, the client tunnel endpoint is 10.11.0.1 and the server endpoint is 10.11.0.254.</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><b>Observation:</b> On the Libreswan Server</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">The tunnel is established as desired:</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><i>0.0.0.0/0===10.11.0.254&lt;10.11.0.254&gt;[@libswan]...10.11.0.1[@dummy01]===0.0.0.0/0; erouted;</i></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">But the VTI (IP-IP interface) configured by Libreswan does not define the client tunnel endpoint.</p><p class="MsoNormal" style="margin:0in 0in 
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><i>ipsec01@NONE: &lt;NOARP,UP,LOWER_UP&gt; mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000<br> <b>   link/ipip 10.11.0.254 <span style="color:red">brd 0.0.0.0</span></b></i></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><b>Questions:</b></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">To my knowledge, we should read the endpoint IP (10.11.0.1) and use it for configuring the IP tunnel. Is my understanding correct, or am I missing something?</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="color:black">This works just fine for a single tunnel, but when I have multiple tunnels with individual VTI interfaces all set to link/ipip 10.11.0.254 brd 0.0.0.0 the ESP packets get dropped. The ESP packets are seen on the outer interface but they don't get routed to the respective VTI interface and are dropped.</span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Will switching to route-based XFRMi (ipsec-interface) help in this case?</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:11pt">Regards,</span></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">-Rav ya</p></div></div></div></div></div>
<span>_______________________________________________</span><br><span>Swan mailing list</span><br><span><a href="mailto:Swan@lists.libreswan.org" target="_blank">Swan@lists.libreswan.org</a></span><br><span><a href="https://lists.libreswan.org/mailman/listinfo/swan" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan</a></span><br></div></blockquote></div></div></blockquote></div></div>
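<p>The "cannot route -- route already in use" message in the thread comes from two conns (gateway01, gateway02) that inherit identical <code>leftsubnet=0.0.0.0/0</code> / <code>rightsubnet=0.0.0.0/0</code> selectors from <code>conn %default</code> and both set <code>ipsec-interface=yes</code>, so only one of them can own the route. The following is an added example, not code from the thread or from the Libreswan project: it parses a constructed ipsec.conf modelled on the one posted, applies <code>conn %default</code> inheritance, groups conns by their effective selectors so that such collisions can be spotted before the tunnels come up, and extracts the losing and owning conn names from pluto log lines of the shape quoted above. The grouping is a lint heuristic for this thread's situation, not pluto's actual route-owner logic, and all sample data is constructed.</p>

```python
"""Flag Libreswan conns that will compete for the same route.

Added example, not Libreswan's own code.  Parses a constructed ipsec.conf,
applies 'conn %default' inheritance, groups conns by effective selectors
(a lint heuristic, not pluto's route-owner logic), and pulls the conn
names out of "cannot route -- route already in use" log lines.
"""
import re
from collections import defaultdict

# Constructed ipsec.conf, modelled on the configuration posted in the thread.
SAMPLE_CONF = """\
config setup
        uniqueids=no

conn %default
        ikev2=insist
        left=10.11.0.254
        leftsubnet=0.0.0.0/0
        leftid=@libswan
        right=%any
        rightsubnet=0.0.0.0/0
        auto=add

conn gateway01
        rightid=@dummy01
        ipsec-interface=yes

conn gateway02
        rightid=@dummy02
        ipsec-interface=yes
"""

# Constructed pluto log lines in the shape quoted in the thread.
SAMPLE_LOG = """\
Apr 25 17:56:49.800303: | route owner of "gateway02"[1] 10.11.0.2 unrouted: "gateway01"[1] 10.11.0.1 erouted; eroute owner: "gateway01"[1] 10.11.0.1 erouted
Apr 25 17:56:49.800310: "gateway02"[1] 10.11.0.2 #3: cannot route -- route already in use for "gateway01"[1] 10.11.0.1
"""

ROUTE_IN_USE_RE = re.compile(
    r'"(?P<loser>[^"]+)"\[\d+\] \S+ #\d+: cannot route -- '
    r'route already in use for "(?P<owner>[^"]+)"'
)


def parse_conf(text):
    """Return {'config setup' | 'conn NAME': {key: value}} from ipsec.conf text.

    Section headers start in column 0; settings are indented key=value lines.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():               # section header
            current = {}
            sections[line.strip()] = current
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections


def effective_conns(sections):
    """Apply 'conn %default' inheritance and return {conn_name: settings}."""
    defaults = sections.get("conn %default", {})
    conns = {}
    for header, settings in sections.items():
        if header.startswith("conn ") and header != "conn %default":
            merged = dict(defaults)
            merged.update(settings)
            conns[header[len("conn "):]] = merged
    return conns


def route_conflicts(conns):
    """Group conns by (leftsubnet, rightsubnet, ipsec-interface).

    Groups with more than one member are reported: with identical selectors
    on the same XFRM interface only one conn can own the route.
    """
    groups = defaultdict(list)
    for name, s in conns.items():
        key = (s.get("leftsubnet", s.get("left")),
               s.get("rightsubnet", s.get("right")),
               s.get("ipsec-interface", "no"))
        groups[key].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def route_losers(log_text):
    """Extract (conn that failed to route, conn that owns the route) pairs."""
    return [(m.group("loser"), m.group("owner"))
            for m in ROUTE_IN_USE_RE.finditer(log_text)]


if __name__ == "__main__":
    conns = effective_conns(parse_conf(SAMPLE_CONF))
    for selectors, names in route_conflicts(conns).items():
        print("route conflict on", selectors, "between", ", ".join(names))
    for loser, owner in route_losers(SAMPLE_LOG):
        print(f"{loser} could not be routed; route owned by {owner}")
```

<p>Running it against a real <code>/etc/ipsec.conf</code> only needs <code>parse_conf(open(path).read())</code> in place of the constructed sample; the <code>route_losers</code> helper is meant for the pluto log after a conn fails to come up.</p>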