<div dir="ltr">Hello,<div><br></div><div>I need assistance configuring libreswan to allow the client's vti (left) to route to the server's vti (right) interface, as well as to other subnets on the far end, via the single ipsec tunnel. <br><br>Right now I am able to route only one subnet or ALL subnets. I need the client to be able to ping the VTI far end interface (172.21.0.1), as well as other various subnets (let's start with 10.104.8.0/24). Note: I am only testing layer 3 right now with ICMP pings.</div><div><br>With the configurations below, I can only reach 10.104.8.0/24 devices on the far end. <br>If I try to ping 172.21.0.1, I get "Destination Host Unreachable", and see no traffic traversing the tunnel with "ipsec whack --trafficstatus".<br><br>Here is my config file:<br>(/etc/ipsec.d/myconfig.conf)<br><br><pre style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding:16px;overflow:auto;line-height:1.45;border-radius:6px"><code style="box-sizing:border-box;padding:0px;margin:0px;background:transparent;border-radius:6px;word-break:normal;border:0px;display:inline;overflow:visible;line-height:inherit"><font color="#24292f" face="ui-monospace, SFMono-Regular, SF Mono, Menlo, Consolas, Liberation Mono, monospace"><span style="font-size:11.9px">conn to-vsrx-01
auto=start
keyexchange=ike
authby=secret
ike=aes256-sha2_256;dh20
esp=aes256-sha2_256
left=2.2.0.2
leftid=2.2.0.2
leftsubnet=0.0.0.0/0
leftupdown=/opt/_updown_vti01
right=3.3.0.2
rightsubnet=10.10.10.0/24
keyingtries=0
</span></font><span style="color:rgb(34,34,34);font-family:Arial,Helvetica,sans-serif;font-size:small;white-space:normal">Here is my updown script:</span><br style="color:rgb(34,34,34);font-family:Arial,Helvetica,sans-serif;font-size:small;white-space:normal"><span style="color:rgb(34,34,34);font-family:Arial,Helvetica,sans-serif;font-size:small;white-space:normal">(/opt/_updown_vti01)</span><font color="#24292f" face="ui-monospace, SFMono-Regular, SF Mono, Menlo, Consolas, Liberation Mono, monospace"><span style="font-size:11.9px">
</span></font><pre style="color:rgb(36,41,47);font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,"Liberation Mono",monospace;font-size:11.9px;box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding:16px;overflow:auto;line-height:1.45;border-radius:6px"><code style="box-sizing:border-box;font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,"Liberation Mono",monospace;padding:0px;margin:0px;background:transparent;border-radius:6px;word-break:normal;border:0px;display:inline;overflow:visible;line-height:inherit">#!/bin/bash
set -o nounset
set -o errexit
VTI_IF="vti01"
case "${PLUTO_VERB}" in
up-client)
# Build VTI interface. Note the "key" is important to mark your traffic
ip tunnel add $VTI_IF local 2.2.0.2 remote 3.3.0.2 mode vti key 42
# Bring up vti
ip link set $VTI_IF up
# Apply IP address to VTI
ip addr add 172.21.0.2 dev $VTI_IF
# Add routing
ip route add 172.21.0.0/29 dev $VTI_IF
ip route add 10.104.8.0/24 dev $VTI_IF
sysctl -w "net.ipv4.conf.$VTI_IF.disable_policy=1"
sysctl -w "net.ipv4.conf.$VTI_IF.rp_filter=0"
sysctl -w "net.ipv4.conf.$VTI_IF.forwarding=1"
;;
down-client)
ip tunnel del $VTI_IF
;;
esac</code></pre><font color="#24292f" face="ui-monospace, SFMono-Regular, SF Mono, Menlo, Consolas, Liberation Mono, monospace"><span style="font-size:11.9px">
</span></font></code><code style="color:rgb(36,41,47);font-size:11.9px;box-sizing:border-box;padding:0px;margin:0px;background:transparent;border-radius:6px;word-break:normal;border:0px;display:inline;overflow:visible;line-height:inherit;white-space:normal"><font face="Arial, Helvetica, sans-serif">Before I start the tunnel, I first check my routes and interfaces to make sure there are no residual configurations (no vti01, or routes) still configured. If there are, I remove them. Then I perform the following: </font></code></pre><pre style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding:16px;overflow:auto;line-height:1.45;border-radius:6px"><code style="color:rgb(36,41,47);font-size:11.9px;box-sizing:border-box;padding:0px;margin:0px;background:transparent;border-radius:6px;word-break:normal;border:0px;display:inline;overflow:visible;line-height:inherit;white-space:normal"><pre style="font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,"Liberation Mono",monospace;box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding:16px;overflow:auto;line-height:1.45;border-radius:6px"><code style="box-sizing:border-box;font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,"Liberation Mono",monospace;padding:0px;margin:0px;background:transparent;border-radius:6px;word-break:normal;border:0px;display:inline;overflow:visible;line-height:inherit"># ipsec auto --delete to-vsrx-01
# ipsec auto --add to-vsrx-01
# ipsec auto --up to-vsrx-01
<br></code></pre></code><code style="color:rgb(36,41,47);font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,"Liberation Mono",monospace;font-size:11.9px;box-sizing:border-box;padding:0px;margin:0px;background:transparent;border-radius:6px;word-break:normal;border:0px;display:inline;overflow:visible;line-height:inherit">
<pre style="color:rgb(34,34,34);box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding:16px;overflow:auto;line-height:1.45;border-radius:6px"><code style="color:rgb(36,41,47);box-sizing:border-box;padding:0px;margin:0px;background:transparent;border-radius:6px;word-break:normal;border:0px;display:inline;overflow:visible;line-height:inherit;white-space:normal"><font face="Arial, Helvetica, sans-serif">When checking my routes and interfaces after the tunnel comes up, I see the following (only including what was added); note that there is no default gateway on the host: </font></code></pre><pre style="font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,"Liberation Mono",monospace;box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding:16px;overflow:auto;line-height:1.45;border-radius:6px"><code style="box-sizing:border-box;font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,"Liberation Mono",monospace;padding:0px;margin:0px;background:transparent;border-radius:6px;word-break:normal;border:0px;display:inline;overflow:visible;line-height:inherit"># ip -br a
vti01@NONE UNKNOWN 172.21.0.2/32 fe80::200:5efe:202:2/64<br>
# route -n
10.104.8.0 0.0.0.0 255.255.255.0 U 0 0 0 vti01
172.21.0.0 0.0.0.0 255.255.255.248 U 0 0 0 vti01<br></code></pre><pre style="color:rgb(34,34,34);box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding:16px;overflow:auto;line-height:1.45;border-radius:6px"><code style="color:rgb(36,41,47);font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,"Liberation Mono",monospace;box-sizing:border-box;padding:0px;margin:0px;background:transparent;border-radius:6px;word-break:normal;border:0px;display:inline;overflow:visible;line-height:inherit"><pre style="color:rgb(34,34,34);box-sizing:border-box;margin-top:0px;margin-bottom:16px;padding:16px;overflow:auto;line-height:1.45;border-radius:6px"><code style="color:rgb(36,41,47);box-sizing:border-box;padding:0px;margin:0px;background:transparent;border-radius:6px;word-break:normal;border:0px;display:inline;overflow:visible;line-height:inherit;white-space:normal"><font face="Arial, Helvetica, sans-serif">I then try to ping 10.104.8.123 (a host that is routable on the far end) and 172.21.0.1 (the remote SA's interface).<br><br>I can reach 10.104.8.123 and get a reply. I get "Destination Host Unreachable" when trying to ping 172.21.0.1.<br><br>I believe my issue is that since the "rightsubnet" only has the 10.104.8.0/24 subnet, libreswan will only allow that subnet to traverse the ipsec tunnel. I tried changing "rightsubnet" to 172.21.0.0/29 and restarting the tunnel. The results aligned with my theory, as I could only ping 172.21.0.1 but not 10.104.8.123. <br><br>I tried using the "rightsubnet<b>s</b>" parameter like this:<br><br>rightsubnets="172.21.0.0/29, 10.104.8.0/24"<br><br>But it seems libreswan thinks these are separate SAs, and as such will try to re-run my updown script twice to connect to separate subnets. 
This builds the tunnel but then errors out:<br><br></font># ipsec auto --delete to-vsrx-01 <br>002 "to-vsrx-01": terminating SAs using this connection <br>005 "to-vsrx-01" #6: ESP traffic information: in=84B out=84B <br>002 "to-vsrx-01" #5: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 83.87356s and sending notification <br>[root@gst-01 ipsec.d]# ipsec auto --add to-vsrx-01 <br>002 "to-vsrx-01/1x0": added IKEv2 connection <br>002 "to-vsrx-01/2x0": added IKEv2 connection <br>[root@gst-01 ipsec.d]# ipsec auto --up to-vsrx-01 <br>000 initiating all conns with alias='to-vsrx-01' <br>181 "to-vsrx-01/2x0" #7: initiating IKEv2 connection <br>000 "to-vsrx-01/1x0": queue Child SA; waiting on IKE SA "to-vsrx-01/2x0" #7 negotiating with 3.3.0.2 <br>181 "to-vsrx-01/2x0" #7: sent IKE_SA_INIT request <br>002 "to-vsrx-01/2x0" #7: switching CHILD #8 to pending connection "to-vsrx-01/1x0" <br>182 "to-vsrx-01/2x0" #7: sent IKE_AUTH request {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=DH20} <br>003 "to-vsrx-01/2x0" #7: established IKE SA; authenticated using authby=secret and peer ID_IPV4_ADDR '3.3.0.2' <br>002 "to-vsrx-01/1x0" #8: up-client output: net.ipv4.conf.vti01.disable_policy = 1 <br>002 "to-vsrx-01/1x0" #8: up-client output: net.ipv4.conf.vti01.rp_filter = 0 <br>002 "to-vsrx-01/1x0" #8: up-client output: net.ipv4.conf.vti01.forwarding = 1 <br>004 "to-vsrx-01/1x0" #8: established Child SA; IPsec tunnel [172.21.0.0-172.21.0.7:0-65535 0] -> [10.104.8.0-10.104.8.255:0-65535 <br>0] {ESP=>0xfa47cb52 <0xa35c401a xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive} <br><b>002 "to-vsrx-01/2x0" #9: initiating Child SA using IKE SA #7 <br>188 "to-vsrx-01/2x0" #9: sent CREATE_CHILD_SA request for new IPsec SA <br>003 "to-vsrx-01/2x0" #9: CREATE_CHILD_SA failed with error notification NO_PROPOSAL_CHOSEN <br>200 "to-vsrx-01/2x0" #9: state transition 'process create Child SA failure response (CREATE_CHILD_SA)' failed </b> <font face="Arial, 
Helvetica, sans-serif"><br><br>Is this expected?<br><br>How can I get libreswan to allow multiple subnets to route via the vti without trying to set up new connections to the new subnets? </font></code></pre></code></pre></code></pre></div></div>
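<p>The following is an added example and is not part of the original post or the poster's configuration. It shows the route-based way to get several far-end prefixes through one VTI with libreswan: use libreswan's own VTI options (vti-interface, leftvti, mark, vti-routing, as documented in ipsec.conf(5)) instead of a hand-written updown script, and negotiate a single 0.0.0.0/0 to 0.0.0.0/0 Child SA. Which destinations enter the tunnel is then decided by the kernel routing table, not by rightsubnet, so there is one SA, one updown run, and as many routes as you like. The addresses, interface name and key/mark value 42 are taken from the post; the assumption is that libreswan's stock updown script creates vti01 with that key when vti-interface and mark are set. The far end (here a vSRX) must accept any/any traffic selectors for this to work; if the peer narrows the selectors to one subnet, only that subnet will pass.</p>

```ini
# Added example, not the original poster's config.
# Route-based VTI: one any/any Child SA, routing table decides what is tunnelled.
conn to-vsrx-01
    auto=start
    keyexchange=ike
    authby=secret
    ike=aes256-sha2_256;dh20
    esp=aes256-sha2_256
    left=2.2.0.2
    leftid=2.2.0.2
    right=3.3.0.2
    # A single any/any Child SA; the peer must negotiate the same selectors,
    # otherwise the SA is narrowed and only one prefix gets through.
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    # The xfrm mark; libreswan uses it as the VTI key (the "key 42" in the
    # hand-written script) so that only traffic routed into vti01 matches
    # the 0/0 policy, not the host's other traffic.
    mark=42/0xffffffff
    vti-interface=vti01
    # Address libreswan's own updown script assigns to vti01; the /29
    # makes 172.21.0.1 (the far-end VTI address) a connected route.
    leftvti=172.21.0.2/29
    # Do not let libreswan add a 0/0 route into the VTI; add the far-end
    # prefixes explicitly instead (see note below).
    vti-routing=no
    vti-shared=no
    keyingtries=0
```

<p>With vti-routing=no, nothing beyond the connected 172.21.0.0/29 is routed into the tunnel until you add routes yourself, for example <code>ip route add 10.104.8.0/24 dev vti01</code> for each far-end prefix (or a default route via vti01 if the host should send everything that way). Because the policy is 0/0 on both sides, adding a new far-end subnet later is a routing change only and does not renegotiate or add a Child SA, which is what rightsubnets= would do. Verify with <code>ipsec whack --trafficstatus</code> that there is exactly one Child SA with selectors 0.0.0.0/0 on both ends, and with <code>ip -s link show vti01</code> that the counters increase for pings to both 172.21.0.1 and 10.104.8.0/24.</p>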