<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Felipe,<div class=""><br class=""></div>
<div class="">That use of `left|rightsubnet` was a huge help.</div>
<div class=""><br class=""></div>
<div class="">In an effort to automate the address assignment for a larger network (same theme as the OSPF), I’ve been using the `leftupdown` script in <a href="https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Connection-specific-VTI-Devices" class="">https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Connection-specific-VTI-Devices</a>.</div>
<div class=""><br class=""></div>
<div class="">So I’ve updated it as shown:</div>
<div class=""><br class=""></div>
<div class="">
<blockquote type="cite" class=""><div class="">=============================</div><div class="">Dynamic:</div><div class="">conn site-2-dynamic-ip</div></blockquote>
<div class=""><span class="" style="white-space: pre;">    </span>mark=%unique</div>
<blockquote type="cite" class=""><div class=""><span class="" style="white-space: pre;">    </span>left=%defaultroute</div></blockquote>
<div class=""><span class="" style="white-space: pre;">    </span>leftsourceip=%config4</div>
<blockquote type="cite" class=""><div class=""><span class="" style="white-space: pre;">    </span>leftsubnet=10.10.0.0/22,10.9.255.252/30</div><div class=""><span class="" style="white-space: pre;">    </span>leftfirewall=no</div></blockquote>
<div class=""><span class="" style="white-space: pre;">    </span>leftupdown=/etc/strongswan.d/ipsec-vti.sh</div>
<div class=""><span class="" style="white-space: pre;">    </span>right=st.at.ic.ip</div>
<blockquote type="cite" class=""><div class=""><span class="" style="white-space: pre;">    </span>rightsubnet=10.10.4.0/22,10.9.255.252/30</div><div class=""><span class="" style="white-space: pre;">    </span>rightid=%specific.example.com</div><div class=""><span class="" style="white-space: pre;">    </span>auto=add</div><div class=""><br class=""></div><div class="">Static:</div><div class="">conn site-1-static-ip</div></blockquote>
<div class=""><span class="" style="white-space: pre;">    </span>mark=%unique</div>
<blockquote type="cite" class=""><div class=""><span class="" style="white-space: pre;">    </span>left=st.at.ic.ip</div><div class=""><span class="" style="white-space: pre;">    </span>leftsubnet=10.10.4.0/22,10.9.255.252/30</div><div class=""><span class="" style="white-space: pre;">    </span>leftid=%specific.example.com</div><div class=""><span class="" style="white-space: pre;">    </span>leftfirewall=no</div></blockquote>
<div class=""><span class="" style="white-space: pre;">    </span>leftsourceip=10.9.255.253</div>
<div class=""><span class="" style="white-space: pre;">    </span>leftupdown=/etc/strongswan/ipsec-vti.sh</div>
<blockquote type="cite" class=""><div class=""><span class="" style="white-space: pre;">    </span>right=%any</div></blockquote>
<div class=""><span class="" style="white-space: pre;">    </span>rightsourceip=10.9.255.254</div>
<blockquote type="cite" class=""><div class=""><span class="" style="white-space: pre;">    </span>rightsubnet=10.10.0.0/22,10.9.255.252/30</div><div class=""><span class="" style="white-space: pre;">    </span>auto=add</div><div class="">===============================</div></blockquote>
</div>
<div class=""><br class=""></div>
<div class="">With this configuration, I get full SA and IKE negotiation including TS and dynamic side tunnel configuration:</div>
<div class=""><br class=""></div>
<blockquote type="cite" class=""><div class="">root@dynamic:/# ip a show vti1</div><div class="">49: vti1@NONE: &lt;POINTOPOINT,NOARP,UP,LOWER_UP&gt; mtu 1472 qdisc noqueue state UNKNOWN group default qlen 1000</div><div class=""><span class="" style="white-space: pre;">    </span>link/ipip dy.na.mi.cip peer st.at.ic.ip</div><div class=""><span class="" style="white-space: pre;">    </span>inet 10.9.255.254/32 scope global vti1</div><div class=""><span class="" style="white-space: pre;">       </span>valid_lft forever preferred_lft forever</div></blockquote>
<div class=""><br class=""></div>
<div class="">On the static side, I get an error from the script:</div>
<blockquote type="cite" class=""><div class="">04[CHD] updown: /etc/strongswan/ipsec-vti.sh: line 15: PLUTO_MY_SOURCEIP: unbound variable</div></blockquote>
<div class=""><br class=""></div>
<div class="">I initially had the same problem on the dynamic side, but the addition of `leftsourceip=%config4` and `rightsourceip` on the static side resolved that.</div>
<div class=""><br class=""></div>
<div class="">Is there something I am missing to avoid the "PLUTO_MY_SOURCEIP: unbound variable" problem?</div>
<div class=""><br class=""></div>
<div class="">Thanks so much for your insight!</div></body></html>
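The "unbound variable" message above is what a script running under `set -o nounset` reports when it expands PLUTO_MY_SOURCEIP and strongSwan has not exported it, which only happens when a virtual IP was assigned to that host. The following is an added example, not the wiki script or anything posted in the thread: a dry-run updown fragment that guards that expansion so the VTI device and route are still installed when no virtual IP exists; the vti&lt;mark&gt; device name and the host addresses are the example's own assumptions.

```shell
#!/bin/bash
# Added example (not the wiki script): an updown hook fragment that tolerates an
# unset PLUTO_MY_SOURCEIP instead of aborting under `set -o nounset`.
set -o nounset
set -o errexit

# Prints the ip(8) commands for the up-client event, one per line, instead of
# executing them, so the plan can be inspected without root.
# Assumption: the VTI device is named after the outbound mark (vti<mark>).
vti_up_plan() {
    local mark="${PLUTO_MARK_OUT%%/*}"
    local dev="vti${mark}"
    # The `:-` default is the whole fix: strongSwan exports PLUTO_MY_SOURCEIP
    # only when a virtual IP was assigned to this host, and a bare
    # "${PLUTO_MY_SOURCEIP}" kills the script under nounset when it was not.
    local vip="${PLUTO_MY_SOURCEIP:-}"

    printf 'ip tunnel add %s local %s remote %s mode vti key %s\n' \
        "$dev" "$PLUTO_ME" "$PLUTO_PEER" "$mark"
    printf 'ip link set %s up\n' "$dev"
    if [ -n "$vip" ]; then
        # Drop a prefix length if one is present; a VTI address is a /32.
        printf 'ip addr add %s dev %s\n' "${vip%/*}" "$dev"
    else
        printf '# no virtual IP assigned on this side: device and route only\n'
    fi
    printf 'ip route add %s dev %s\n' "$PLUTO_PEER_CLIENT" "$dev"
    printf 'sysctl -w net.ipv4.conf.%s.disable_policy=1\n' "$dev"
}

# Dispatches on the event strongSwan passes in PLUTO_VERB; other verbs are a no-op.
vti_updown() {
    case "${PLUTO_VERB}" in
        up-client) vti_up_plan ;;
        *) : ;;
    esac
}

# Stand-alone demo with a constructed environment that mirrors the static side
# in the thread: no virtual IP was assigned; the host addresses are placeholders.
PLUTO_VERB=up-client PLUTO_ME=192.0.2.1 PLUTO_PEER=198.51.100.2 \
PLUTO_MARK_OUT=1/0xffffffff PLUTO_PEER_CLIENT=10.10.0.0/22 vti_updown
```

Keeping `set -o nounset` in place is deliberate: the guard is scoped to the one variable that is legitimately optional, so any other missing PLUTO_* value still stops the hook before it runs half a configuration.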