| author | goodNETnick <pknet@ya.ru> | 2021-10-13 22:24:30 +1000 |
|---|---|---|
| committer | goodNETnick <pknet@ya.ru> | 2021-10-13 22:24:30 +1000 |
| commit | ee78f3ffb639fd57df0d1aa35ec4ecf64b6f1ec0 (patch) | |
| tree | adf936ee5e434572f26545d0ffd84eec81eedd31 | |
| parent | 7fd8c98d8c523188ffd501005dab61a542b3f8fd (diff) | |
| download | vyos-documentation-ee78f3ffb639fd57df0d1aa35ec4ecf64b6f1ec0.tar.gz, vyos-documentation-ee78f3ffb639fd57df0d1aa35ec4ecf64b6f1ec0.zip | |
Added IPsec VTI warning
-rw-r--r-- | docs/configuration/interfaces/tunnel.rst | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/docs/configuration/interfaces/tunnel.rst b/docs/configuration/interfaces/tunnel.rst index 43c217a0..018626fc 100644 --- a/docs/configuration/interfaces/tunnel.rst +++ b/docs/configuration/interfaces/tunnel.rst @@ -229,6 +229,23 @@ Results in: description "Description" } +.. warning:: When using site-to-site IPsec with VTI interfaces, + be sure to disable route autoinstall + +.. code-block:: none + + set vpn ipsec options disable-route-autoinstall + +More details about the IPsec and VTI issue and option disable-route-autoinstall +https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july + +The root cause of the problem is that for VTI tunnels to work, their traffic +selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even +though actual routing decision is made according to netfilter marks. Unless +route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a +default route through the VTI peer address, which makes all traffic routed +to nowhere. + .. _RFC2003: https://tools.ietf.org/html/rfc2003 .. _RFC2473: https://tools.ietf.org/html/rfc2473 |
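Review bot: The new `.. warning::` text stops without terminal punctuation and the `.. code-block:: none` that carries `set vpn ipsec options disable-route-autoinstall` is placed as a sibling after the admonition rather than inside it, so the command renders detached from the warning it belongs to; indent the code block under `.. warning::` (or end the warning sentence with a colon and keep the block immediately after it) so the two read as one instruction. The line "More details about the IPsec and VTI issue and option disable-route-autoinstall" is a fragment with a bare URL following it; suggest "More details about the IPsec and VTI issue and the ``disable-route-autoinstall`` option can be found at ..." with the URL as an RST link, matching the `.. _RFC2003:` style already used at the bottom of this file. In the root-cause paragraph, "though actual routing decision is made" should read "though the actual routing decision is made", and the project name is spelled "strongSwan", not "StrongSWAN". Finally, since the text says route insertion is "disabled entirely", it would help readers to state explicitly that this option is global to all IPsec connections on the system, not just the VTI ones, so that anyone mixing VTI and policy-based tunnels knows what else the setting affects.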