<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body lang="EN-US">
<p>Hi, I’m new here.</p>
<p>I built a distributed hub-and-spoke family network using strongSwan – thank you for making that possible!</p>
<p>I assigned site-local (LAN) network addressing for the family as 192.168.[0|4|8|12|16|20|24].0/22.</p>
<p>I then set the VPN as 192.168.0.0/17 (not /16, because I found that one of the ISPs involved assigned 192.168.129.0/24 to its router…).</p>
<p>So, yes, the LAN address is then an overlapping range/overlapping subnet with the WAN VPN (e.g. 192.168.16.0/22 within 192.168.0.0/17)… but in traditional routing this is not an issue, as the host simply routes traffic based upon the most specific route that meets the need (in this case, keeping local traffic local, and WAN traffic on the WAN).</p>
<p>Ok… so the problem I faced was that “ip xfrm policy” would see traffic from src=LAN address to dst=LAN address as also matching the criteria for LAN-&gt;WAN, because the LAN address is a subset of the WAN. So, although WAN/VPN communications worked just fine, traffic between the VPN gateway and the LAN would not work at all…</p>
<p>After a lot of reading, I realized that there were several solutions, including:</p>
<ol type="1">
<li>Use multiple, individual ranges instead of 192.168.0.0/17 for the remote VPN subnet</li>
<li>Use VTI to change this into a route-based VPN</li>
<li>Set “ip xfrm policy” to NOT transform 192.168.16.0/22… i.e. exclude the local LAN address space</li>
</ol>
<p>I chose option 3, and it works great.</p>
<p>I modified the /usr/sbin/ipsec script into my own script to set ip xfrm policy (/usr/sbin/custom-ip-xfrm), and I created a /etc/systemd/system/custom-ip-xfrm.service whose [Unit] section I set to “After=strongswan.service” to run the /usr/sbin script on boot.</p>
<p>In this way, I set an “in” and an “out” ip xfrm policy rule to not xfrm the local subnet, after strongSwan has started.</p>
<p>The important lines of custom-ip-xfrm are:</p>
<pre>ip xfrm policy add src ${LOCAL_SUBNET} dst ${LOCAL_SUBNET} dir in priority 0
ip xfrm policy add src ${LOCAL_SUBNET} dst ${LOCAL_SUBNET} dir out priority 0</pre>
<p>In the script, LOCAL_SUBNET will be something like “192.168.16.0/22”.</p>
<p>I mention this because I think it is odd that:</p>
<ol type="A">
<li>These rules (perhaps with a less aggressive priority) aren’t automatically set by strongSwan by default, regardless of my specific use case, when it is setting ip xfrm policy (i.e. guarantee that local communications with the LAN work without xfrm, unless intentionally overridden, for example for IPsec with a LAN host).</li>
<li>The ipsec.conf “left/right=” term doesn’t have an exclude option… it is only “inclusive”, and can handle several ranges (for inclusion), but no ranges for exclusion (e.g. 192.168.0.0/17 minus 192.168.16.0/22).</li>
<li>I didn’t find any detailed articles about solving the ip xfrm issue created by overlapping subnets… just a vague reference to “overlapping subnets”.</li>
</ol>
<p>My goal for this note was two-fold:</p>
<ol type="I">
<li>Get details about a problem overlapping subnets can create, and how to solve this one, into the notes for future generations <span style='font-family:"Segoe UI Emoji",sans-serif'>😊</span></li>
<li>To ask whether A/B should be opened as an “issue”, or whether the fact that there are workarounds means I should focus my efforts on helping with documentation?</li>
</ol>
<p>Thank you for reading this far… feedback is appreciated.</p>
<p>Best Regards,</p>
<p>-NICK</p>
</body>
</html>
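An added example (not the poster's /usr/sbin/custom-ip-xfrm script, and not code from strongSwan): a POSIX shell script that first checks whether the local LAN really is a subset of the remote VPN selector, which is the overlap that makes charon's LAN-to-VPN policy also match LAN-to-LAN packets, and only then installs the bypass policies the message describes. The subnet values are taken from the message; the `--apply` flag, the use of `ip xfrm policy update` instead of `add` (so the unit can be re-run without an "already exists" error) and the extra `dir fwd` policy are assumptions and additions of this example.

```shell
#!/bin/sh
# Added example, not the poster's /usr/sbin/custom-ip-xfrm: install xfrm
# bypass policies for a LAN that is a subset of the remote VPN selector.
# Assumed values (from the message): LAN 192.168.16.0/22, VPN 192.168.0.0/17.
set -eu

# Dotted-quad IPv4 address -> 32-bit integer.
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> network mask as a 32-bit integer (e.g. 17 -> 0xFFFF8000).
plen_to_mask() {
    [ "$1" -gt 0 ] || { echo 0; return; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Exit 0 when CIDR $1 lies entirely inside CIDR $2.  This is the overlap
# that makes a LAN->VPN policy also match LAN->LAN packets.
cidr_within() {
    inner_plen=${1#*/}
    outer_plen=${2#*/}
    [ "$inner_plen" -ge "$outer_plen" ] || return 1
    mask=$(plen_to_mask "$outer_plen")
    inner_net=$(( $(ip4_to_int "${1%/*}") & mask ))
    outer_net=$(( $(ip4_to_int "${2%/*}") & mask ))
    [ "$inner_net" -eq "$outer_net" ]
}

# Print the commands that exempt LAN<->LAN traffic from IPsec.  A policy with
# no "tmpl" is an allow (bypass) policy; the lowest priority value wins, so
# priority 0 beats the policies charon installs for the wider VPN selector.
# "update" rather than "add" keeps the script re-runnable; "fwd" additionally
# covers packets the gateway forwards between two LAN-side interfaces.
bypass_policy_cmds() {
    for dir in "in" out fwd; do
        echo "ip xfrm policy update src $1 dst $1 dir $dir priority 0"
    done
}

main() {
    local_subnet=${LOCAL_SUBNET:-192.168.16.0/22}   # assumed LAN of this site
    vpn_subnet=${VPN_SUBNET:-192.168.0.0/17}        # assumed remote VPN selector
    if ! cidr_within "$local_subnet" "$vpn_subnet"; then
        echo "$local_subnet is not inside $vpn_subnet; no bypass policy needed" >&2
        return 0
    fi
    # Dry run by default; "--apply" executes the commands (needs root).
    bypass_policy_cmds "$local_subnet" | while read -r cmd; do
        if [ "${1:-}" = "--apply" ]; then $cmd; else echo "# $cmd"; fi
    done
}

main "$@"
```

Run it without arguments to see the commands it would issue, and with `--apply` (as root, from a unit ordered `After=strongswan.service` as in the message) to install them; `ip xfrm policy list src 192.168.16.0/22 dst 192.168.16.0/22` should then show the three policies at priority 0 with no `tmpl` line. strongSwan can also install the same bypass policies itself with a `conn` of `type=passthrough` whose `leftsubnet` and `rightsubnet` are both the local LAN and `auto=route` (in swanctl.conf, a child with `mode = pass`), which avoids the separate unit.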