Multiple VTI tunnels with right=%any are not possible. It is a design limitation of VTI and why XFRMi was created.

Paul

Sent from my iPhone

> On Apr 25, 2020, at 13:17, Rav Ya <[email protected]> wrote:
>
> Hello All,
> Can someone please advise me on the below.
>
> Overview of my configuration:
> The rightsubnet and leftsubnet on the Libreswan VPN server are set to
> 0.0.0.0/0. The plan is to run iBGP over IPSec. On my server side, I have set
> right=%any (for my use case this is unknown). I have enabled the
> vti-interface with routing turned off so that I can run iBGP across IPSec.
>
> On my test setup, I have client tunnel endpoint 10.11.0.1 and server
> endpoint 10.11.0.254.
>
> Observation: On the Libreswan Server
> The tunnel is established as desired:
> 0.0.0.0/0===10.11.0.254<10.11.0.254>[@libswan]...10.11.0.1[@dummy01]===0.0.0.0/0;
> erouted;
>
> But the VTI (IP-IP interface) configured by Libreswan does not define the
> client tunnel endpoint:
> ipsec01@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode
> DEFAULT group default qlen 1000
> link/ipip 10.11.0.254 brd 0.0.0.0
>
> Questions:
> In my knowledge we should read the endpoint IP (10.11.0.1) and use it for
> configuring the IP tunnel. Is my understanding correct? Or am I missing
> something?
>
> This works just fine for a single tunnel, but when I have multiple tunnels
> with individual VTI interfaces all set to link/ipip 10.11.0.254 brd 0.0.0.0,
> the ESP packets get dropped. The ESP packets are seen on the outer interface
> but they don't get routed to the respective VTI interface and are dropped.
>
> Will switching to route-based XFRMi (ipsec-interface) help in this case?
>
> Regards,
> -Rav ya
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
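The configuration change the reply points at, written out as an added example (it is not from the thread or from the libreswan project). The addresses and subnets are the ones quoted in the question; the connection names, the mark value and the ipsec-interface number are assumptions. The first conn is the VTI setup that runs into the limitation, the second is the XFRMi (ipsec-interface) equivalent.

```ini
# Added example, not from the thread. Connection names, the mark value and
# the ipsec-interface number are assumptions; addresses and subnets are
# those quoted in the question.

# --- Before: VTI (IP-IP interface), one device per connection -----------
# With right=%any the local end is known but the remote is not, so the ipip
# device is created with only "link/ipip 10.11.0.254". A second VTI with the
# same local/remote pair cannot be told apart, and ESP for it is dropped.
conn bgp-over-ipsec-vti
    left=10.11.0.254
    leftsubnet=0.0.0.0/0
    right=%any
    rightsubnet=0.0.0.0/0
    mark=5/0xffffffff
    vti-interface=vti5
    vti-routing=no
    auto=add

# --- After: XFRM interface (route based) --------------------------------
# A single ipsec1 device serves every peer. The kernel selects the policy by
# interface id (if_id) and the SA by SPI, so the device carries no fixed
# remote tunnel address and multiple right=%any peers can coexist.
conn bgp-over-ipsec-xfrmi
    left=10.11.0.254
    leftsubnet=0.0.0.0/0
    right=%any
    rightsubnet=0.0.0.0/0
    ipsec-interface=1
    auto=add
```

With the second conn loaded, the local BGP address is assigned to ipsec1 and iBGP sessions are peered across that one interface; routes learned from BGP are installed via ipsec1 rather than per-peer VTI devices. `ip -d link show ipsec1` is the place to confirm the device is of type xfrm and carries the expected if_id. XFRM interfaces require kernel support for them and a libreswan build that offers ipsec-interface=, so check both before switching a production server.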
