-rw-r--r-- docs/configuration/interfaces/tunnel.rst | 17
1 files changed, 17 insertions, 0 deletions
diff --git a/docs/configuration/interfaces/tunnel.rst b/docs/configuration/interfaces/tunnel.rst index 43c217a0..018626fc 100644 --- a/docs/configuration/interfaces/tunnel.rst +++ b/docs/configuration/interfaces/tunnel.rst @@ -229,6 +229,23 @@ Results in: description "Description" } +.. warning:: When using site-to-site IPsec with VTI interfaces, + be sure to disable route autoinstall + +.. code-block:: none + + set vpn ipsec options disable-route-autoinstall + +More details about the IPsec and VTI issue and option disable-route-autoinstall +https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july + +The root cause of the problem is that for VTI tunnels to work, their traffic +selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even +though actual routing decision is made according to netfilter marks. Unless +route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a +default route through the VTI peer address, which makes all traffic routed +to nowhere. + .. _RFC2003: https://tools.ietf.org/html/rfc2003 .. _RFC2473: https://tools.ietf.org/html/rfc2473 |
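Review bot: The `.. warning::` text ("be sure to disable route autoinstall") is missing its terminating period and does not name the actual option, so a reader skimming the admonition box has to read on to find the command; suggest "be sure to disable route autoinstall with ``set vpn ipsec options disable-route-autoinstall``." so the fix is visible in the warning itself. The sentence "More details about the IPsec and VTI issue and option disable-route-autoinstall" followed by a bare URL reads as a fragment; make it a full sentence with a link, e.g. "More details about the IPsec and VTI issue and the ``disable-route-autoinstall`` option are in the `VyOS 1.2.0 development news for July <https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july>`_." In the explanatory paragraph, "even though actual routing decision is made according to netfilter marks" needs an article ("the actual routing decision"), and "which makes all traffic routed to nowhere" would be clearer as "which black-holes all traffic". Since the linked post is about 1.2.0 development, it would also help operators to state which VyOS releases this caveat applies to, as the hunk gives no version.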