author goodNETnick <pknet@ya.ru> 2021-10-10 22:12:15 +1000
committer goodNETnick <pknet@ya.ru> 2021-10-10 22:12:15 +1000
commit e4dc6e74f78d44b19018d9bbb15bddb5f6e07653 (patch)
tree 53b5a9a4165d2c42b7bef792af8cedb760ad2916
parent 934ea7c11654046028f967c0783b8885cbd39447 (diff)
download vyos-documentation-e4dc6e74f78d44b19018d9bbb15bddb5f6e07653.tar.gz
vyos-documentation-e4dc6e74f78d44b19018d9bbb15bddb5f6e07653.zip
Description about IPsec and VTI issue
-rw-r--r-- docs/configuration/interfaces/vti.rst | 8
1 files changed, 7 insertions, 1 deletions
diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst
index 7816529c..c5f843a5 100644
--- a/docs/configuration/interfaces/vti.rst
+++ b/docs/configuration/interfaces/vti.rst
@@ -30,4 +30,10 @@ Results in:
set vpn ipsec options disable-route-autoinstall
More details about the IPsec and VTI issue and option disable-route-autoinstall:
-https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july \ No newline at end of file
+https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july
+
+The root cause of the problem is that for VTI tunnels to work, their traffic selectors
+have to be set to 0.0.0.0/0 for traffic to match the tunnel, even though actual routing
+decision is made according to netfilter marks. Unless route insertion is disabled
+entirely, StrongSWAN thus mistakenly inserts a default route through the
+VTI peer address, which makes all traffic routed to nowhere. \ No newline at end of file
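Review bot: the file still ends without a trailing newline after this hunk: the removed URL line carried "\ No newline at end of file", and the last added line ("+VTI peer address, which makes all traffic routed to nowhere.") carries it again, so the fix only moves the problem; terminate the new paragraph with a newline. In the same paragraph, the project spells its name "strongSwan", not "StrongSWAN"; "even though actual routing decision is made according to netfilter marks" is missing an article ("the actual routing decision"); and "which makes all traffic routed to nowhere" reads awkwardly, e.g. "which black-holes all traffic" or "so that all traffic is routed nowhere". Since the RST source is a documentation page, also check that the added text sits outside the indented literal block that holds "set vpn ipsec options disable-route-autoinstall", so it renders as prose rather than as part of the command example.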