On Tue, 28 Sep 2021, Dave Houser wrote:

I need assistance configuring libreswan to allow the client's vti (left) to route to the server's vti (right) interface, as well as other subnets on the far end, via the single ipsec tunnel.

Right now I am able to route only one subnet or ALL subnets. I need the client to be able to ping the VTI far end interface (172.21.0.1), as well as other various subnets (let's start with 10.104.8.0/24). Note: I am only testing layer 3 right now with ICMP pings.

With the configurations below, I can only reach 10.104.8.0/24 devices on the far end. If I try to ping 172.21.0.1, I get "Destination Host Unreachable", and see no traffic traversing the tunnel with "ipsec whack --trafficstatus".

One of the design limitations of VTI is that in various scenarios, more
than one subnet does not work. That is why the kernel people ported that
code to the new XFRMi code.

Here is my config file:
(/etc/ipsec.d/myconfig.conf)

conn to-vsrx-01
    auto=start
    keyexchange=ike
    authby=secret
    ike=aes256-sha2_256;dh20
    esp=aes256-sha2_256
    left=2.2.0.2
    leftid=2.2.0.2
    leftsubnet=0.0.0.0/0
    leftupdown=/opt/_updown_vti01
    right=3.3.0.2
    rightsubnet=10.10.10.0/24
    keyingtries=0


Here is my updown script:
(/opt/_updown_vti01)

        ip route add 172.21.0.0/29 dev $VTI_IF
        ip route add 10.104.8.0/24 dev $VTI_IF

You cannot just route stuff into the device that is not part
of your IPsec subnet configurations. The IPsec policy will
drop those. Usually when people want to do this (often called
a routed VPN) they set up a tunnel for 0.0.0.0/0 to 0.0.0.0/0
and then use ip route add to determine what to send over ipsec
to the other side.

Paul
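The routed-VPN approach Paul describes, written out as an added example (this is not code from the thread or from libreswan): the conn's selectors become 0.0.0.0/0 on both sides so the IPsec policy no longer filters by subnet, and an updown script adds and removes the per-prefix routes into the VTI device. It assumes PLUTO_VERB is set by pluto (it is) and that VTI_IF is provided by the environment, as in the poster's own script.

```shell
#!/bin/sh
# Added example, not the poster's or libreswan's code. Assumed corrected conn
# fragment for the routed-VPN pattern (both selectors 0.0.0.0/0):
#
#   conn to-vsrx-01
#       leftsubnet=0.0.0.0/0
#       rightsubnet=0.0.0.0/0
#       leftupdown=/opt/_updown_vti01
#
# With a 0/0 <-> 0/0 policy, the kernel routing table alone decides which
# prefixes enter the VTI device and therefore get encrypted.
set -eu

# Far-end prefixes that should travel through the tunnel (from the thread).
VTI_ROUTES="172.21.0.0/29 10.104.8.0/24"

# Emit the "ip route" commands for a libreswan PLUTO_VERB and a VTI device.
# Routes are added on up-client and removed on down-client; any other verb
# produces nothing. One command per line so it can be reviewed or executed.
vti_route_cmds() {
    verb=$1; dev=$2; shift 2
    case "$verb" in
        up-client)   action=add ;;
        down-client) action=del ;;
        *)           return 0 ;;
    esac
    for prefix in "$@"; do
        printf 'ip route %s %s dev %s\n' "$action" "$prefix" "$dev"
    done
}

# When invoked by pluto as an updown script, both variables are set and the
# generated commands are executed; otherwise (e.g. sourced for review) nothing
# touches the routing table.
if [ -n "${PLUTO_VERB:-}" ] && [ -n "${VTI_IF:-}" ]; then
    vti_route_cmds "$PLUTO_VERB" "$VTI_IF" $VTI_ROUTES | while read -r cmd; do
        $cmd
    done
fi
```

Pluto runs the same script for each verb (up-host, up-client, down-client, ...), so matching on PLUTO_VERB keeps routes from being added or deleted twice per tunnel event.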

_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan
