From ee78f3ffb639fd57df0d1aa35ec4ecf64b6f1ec0 Mon Sep 17 00:00:00 2001 From: goodNETnick Date: Wed, 13 Oct 2021 22:24:30 +1000 Subject: Added IPsec VTI warning --- docs/configuration/interfaces/tunnel.rst | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/docs/configuration/interfaces/tunnel.rst b/docs/configuration/interfaces/tunnel.rst index 43c217a0..018626fc 100644 --- a/docs/configuration/interfaces/tunnel.rst +++ b/docs/configuration/interfaces/tunnel.rst @@ -229,6 +229,23 @@ Results in: description "Description" } +.. warning:: When using site-to-site IPsec with VTI interfaces, + be sure to disable route autoinstall + +.. code-block:: none + + set vpn ipsec options disable-route-autoinstall + +More details about the IPsec and VTI issue and option disable-route-autoinstall +https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july + +The root cause of the problem is that for VTI tunnels to work, their traffic +selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even +though actual routing decision is made according to netfilter marks. Unless +route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a +default route through the VTI peer address, which makes all traffic routed +to nowhere. + .. _RFC2003: https://tools.ietf.org/html/rfc2003 .. _RFC2473: https://tools.ietf.org/html/rfc2473 -- cgit v1.2.3
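Review bot: In the added hunk the `.. code-block:: none` holding `set vpn ipsec options disable-route-autoinstall` sits at column 0, so it is not part of the `.. warning::` admonition; readers see a warning box that ends at "be sure to disable route autoinstall" (no terminating punctuation) and then a detached command below it. Indent the code block (and its command line) under the warning so it renders inside the box, and end the warning sentence with a colon. The follow-up paragraph "More details about the IPsec and VTI issue and option disable-route-autoinstall" runs straight into the bare blog URL with no punctuation; end it with a colon or make the URL an explicit link target like the `_RFC2003` / `_RFC2473` entries already at the bottom of this file, and format `disable-route-autoinstall` as literal text the way the rest of this page marks commands. In the root-cause paragraph, "StrongSWAN" should be spelled "strongSwan", "even though actual routing decision is made" needs "the" before "actual", and "which makes all traffic routed to nowhere" reads better as "which blackholes all traffic". The technical content is sound and consistent: the warning tells users to disable route insertion, and the explanation gives the reason (0.0.0.0/0 traffic selectors cause a default route through the VTI peer to be installed).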