summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/configuration/interfaces/tunnel.rst17
1 files changed, 17 insertions, 0 deletions
diff --git a/docs/configuration/interfaces/tunnel.rst b/docs/configuration/interfaces/tunnel.rst
index 43c217a0..018626fc 100644
--- a/docs/configuration/interfaces/tunnel.rst
+++ b/docs/configuration/interfaces/tunnel.rst
@@ -229,6 +229,23 @@ Results in:
description "Description"
}
+.. warning:: When using site-to-site IPsec with VTI interfaces,
+ be sure to disable route autoinstall
+
+.. code-block:: none
+
+ set vpn ipsec options disable-route-autoinstall
+
+More details about the IPsec and VTI issue and option disable-route-autoinstall
+https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july
+
+The root cause of the problem is that for VTI tunnels to work, their traffic
+selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even
+though actual routing decision is made according to netfilter marks. Unless
+route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a
+default route through the VTI peer address, which makes all traffic routed
+to nowhere.
+
.. _RFC2003: https://tools.ietf.org/html/rfc2003
.. _RFC2473: https://tools.ietf.org/html/rfc2473