Diffstat (limited to 'docs')
-rw-r--r-- docs/configuration/interfaces/vti.rst | 8
1 files changed, 7 insertions, 1 deletions
diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst
index 7816529c..c5f843a5 100644
--- a/docs/configuration/interfaces/vti.rst
+++ b/docs/configuration/interfaces/vti.rst
@@ -30,4 +30,10 @@ Results in:
set vpn ipsec options disable-route-autoinstall
More details about the IPsec and VTI issue and option disable-route-autoinstall:
-https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july \ No newline at end of file
+https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july
+
+The root cause of the problem is that for VTI tunnels to work, their traffic selectors
+have to be set to 0.0.0.0/0 for traffic to match the tunnel, even though actual routing
+decision is made according to netfilter marks. Unless route insertion is disabled
+entirely, StrongSWAN thus mistakenly inserts a default route through the
+VTI peer address, which makes all traffic routed to nowhere. \ No newline at end of file
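Review bot: In the added paragraph, "StrongSWAN" (fourth added line) should be spelled "strongSwan", the project's own capitalization, and the second added line is missing an article: "even though the actual routing decision is made according to netfilter marks". The new last line still carries "\ No newline at end of file", so this change moves the missing trailing newline instead of fixing it; please end vti.rst with a newline. Consider also placing the root-cause explanation before the "More details about the IPsec and VTI issue" sentence, so the reader gets the reason for disable-route-autoinstall first and the blog link stays the closing pointer.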