<div dir="ltr"><div>Hi Noel,<br></div>   Thank you for the help. <br><div class="gmail_extra"><br>    Make sure you disabled XFRM on the VTI interface.<br>
<span class=""><br></span></div><div class="gmail_extra"><span class="">I suppose you meant disable_policy. disabling xfrm disable enryption altogether.<br></span></div><div class="gmail_extra"> vti.disable_policy=1 disables policy check after decryption and traffic is fine.<br><br></div><div class="gmail_extra">My statement  "<span class="">I did not understand the intent of policy check after decryption."<br></span></div><div class="gmail_extra"><span class="">was vague. I actually meant why policy check when we know the packet is<br></span></div><div class="gmail_extra"><span class="">meant for VTI and VTI is most of the times used with any to any selectors.<br></span></div><div class="gmail_extra"><span class="">I intend to say that for vti policy check should be disabled by default and if<br></span></div><div class="gmail_extra"><span class="">required it can be turned on anyway. This can be easily achieved by setting<br></span></div><div class="gmail_extra"><span class="">disable_policy during vti creation either in kernel or user space(sysctl).<br><br></span></div><div class="gmail_extra"><span class="">Thanks for your help.<br><br></span></div><div class="gmail_extra"><span class="">-Shashidhar<br></span></div><div class="gmail_extra"><div class="gmail_quote">On Wed, Oct 7, 2015 at 3:42 PM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
Make sure you disabled XFRM on the VTI interface.<br>
<span class=""><br>
<br>
> I did not understand the intent of policy check after decryption.<br>
</span>To check if the encapsulated traffic is actually allowed to be tunneled.<br>
- --<br>
<br>
Mit freundlichen Grüßen/Kind Regards,<br>
Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2<br>
<br>
iQIcBAEBCAAGBQJWFPAHAAoJEDg5KY9j7GZYVwUP/A+J/WYQD+bp+tOo5rjh0m2m<br>
eWhGeAc/jbzsftHR0v1gALwAOMTK4xRNEb2BpU+o4V0U7Cp0IBjcByiWmDcZ6qqr<br>
gwX1O54kW7A/+rfiAi2Rxo2qk/8qG2w6DhS9j4CUAbCoM5HVvL5QBut7vN2eFHgC<br>
BbsJt07IklAJhxC0FjwWI2b2Y3doDVZy6SQL3PJOf5rOHXC/+Y0wRffzl7x7UcyY<br>
7INhQFQHsP4W01OKWdQcG/il2tnq0jYDa2jmq3i/Jn1RQEDOIUgPbmPdyqNlkp2+<br>
YCIRO+8tUHPsMrvMj0Qrd027Sa1ZydA0EFaXUPtRJy0sz5s+jbAnczmSaXPQJH8t<br>
t2KnRVS37ej0dJJcxCE3vexIF8QQyJFdRFxrHTQzgUgbNNdXSw3d1M/sjQwnFML1<br>
9b8kXFxhGm7ptFAfNJqzuoTwWipsdBchrPc3rLc8qYgscqO3LQ8pCGsHhkhGuk7X<br>
1NJW5fJ7GInd/nMiLhWqEbbmB5XDduNOy1d/WtRNhKYg3eRZc3d2RPILXotbh3H5<br>
eh+KP+hB/ntdSf4e+coODFsW1eAsdILt0X0YpxfKeQt3anZ9MUgHyroPI1K0Ixdq<br>
pGCyZjg4lxvGk8/IhUwdaUDhxjhlNZP1eQ1UD5svRjr4fsymVo/K3M9jXWWpz9mL<br>
LQvjKCTK1YzgW3f7D1PK<br>
=zim4<br>
-----END PGP SIGNATURE-----<br>
<br>
</blockquote></div><br></div></div>