| author | goodNETnick <pknet@ya.ru> | 2021-10-10 22:12:15 +1000 |
|---|---|---|
| committer | goodNETnick <pknet@ya.ru> | 2021-10-10 22:12:15 +1000 |
| commit | e4dc6e74f78d44b19018d9bbb15bddb5f6e07653 (patch) | |
| tree | 53b5a9a4165d2c42b7bef792af8cedb760ad2916 | |
| parent | 934ea7c11654046028f967c0783b8885cbd39447 (diff) | |
| download | vyos-documentation-e4dc6e74f78d44b19018d9bbb15bddb5f6e07653.tar.gz, vyos-documentation-e4dc6e74f78d44b19018d9bbb15bddb5f6e07653.zip | |
Description of the IPsec and VTI issue
-rw-r--r-- | docs/configuration/interfaces/vti.rst | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst index 7816529c..c5f843a5 100644 --- a/docs/configuration/interfaces/vti.rst +++ b/docs/configuration/interfaces/vti.rst @@ -30,4 +30,10 @@ Results in: set vpn ipsec options disable-route-autoinstall More details about the IPsec and VTI issue and option disable-route-autoinstall: -https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july
\ No newline at end of file +https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july + +The root cause of the problem is that for VTI tunnels to work, their traffic selectors +have to be set to 0.0.0.0/0 for traffic to match the tunnel, even though actual routing +decision is made according to netfilter marks. Unless route insertion is disabled +entirely, StrongSWAN thus mistakenly inserts a default route through the +VTI peer address, which makes all traffic routed to nowhere.
\ No newline at end of file |
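Review bot: the added paragraph spells the project name "StrongSWAN"; the project itself writes "strongSwan", and the docs should follow that. Two wording fixes in the same paragraph: "even though actual routing decision is made according to netfilter marks" needs "the actual routing decision", and "which makes all traffic routed to nowhere" reads better as "which blackholes all traffic", since the point being made is that the mistakenly inserted default route via the VTI peer address swallows everything. Separately, both the old and the new end of vti.rst carry "\ No newline at end of file"; the URL line shows up as a matched deletion and insertion only because of that missing newline, so since the line is being touched anyway, terminate the file with a newline to keep the next edit's diff clean.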