<div dir="ltr"><div>Ok. Figured this out.</div><div>I was not understanding the VTI interface correctly. It should be the addresses of the tunnel endpoints, not addresses inside the tunnel.</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Thu, 7 Apr 2022 at 22:37, Alexey Smirnov <<a href="mailto:ramyalexis@gmail.com">ramyalexis@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Got another question, Tobias, if you do not mind.</div><div>Got the same error as in the thread: IPSec route based VPN - VTI interface TX Errors NoRoute</div><div>So basically the tunnel is up. I use mark_in=mark_out=10 in the VTI interface (Linux kernel is 3.10, so no modern interface).</div><div>The traffic looks like this:</div><div>From the tunnel remote they are coming:</div><div> net-net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-192/HMAC_SHA1_96<br> installed 1608s ago, rekeying in 78953s, expires in 93432s<br> in ca18b546 (0x0000000a), 672 bytes, 8 packets<br> out 482a8752 (0x0000000a), 0 bytes, 0 packets</div><div>Not sure where they go next.</div><div>From local they are NoRoute - outgoing, and no incoming:</div><div>ip -s tunnel show<br>vti0: ip/ip remote 10.255.255.25 local 10.255.255.26 ttl inherit key 10<br>RX: Packets Bytes Errors CsumErrs OutOfSeq Mcasts<br> 0 0 0 0 0 0 <br>TX: Packets Bytes Errors DeadLoop NoRoute NoBufs<br> 0 0 33 0 33 0 <br></div><div>The route is simple - just the route for the VTI interface itself:</div><div>ip r</div><div><a href="http://10.255.255.24/30" target="_blank">10.255.255.24/30</a> dev vti0 scope link</div><div>If I ping, the counter just increases and I get Destination unreachable, as in the guide I tried to follow: <a href="https://docs.strongswan.org/strongswan-docs/5.9/features/routeBasedVpn.html" target="_blank">https://docs.strongswan.org/strongswan-docs/5.9/features/routeBasedVpn.html</a></div><div>I also consulted the 
examples again here <a href="https://www.strongswan.org/testing/testresults/route-based/net2net-vti/" target="_blank">https://www.strongswan.org/testing/testresults/route-based/net2net-vti/</a> and did not find any config statement I am missing in my configuration.<br></div><div><br></div><div>Which direction should I dig in?</div><div>Thank you!<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Thu, 7 Apr 2022 at 16:17, Tobias Brunner <<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Alexey,<br>
<br>
> 07[CFG] looking for peer configs matching <br>
> x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]<br>
> 07[CFG] no matching peer config found<br>
> 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br>
> 07[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (80 bytes)<br>
> <br>
> And the question is: why no matching peer found as peers and key is in <br>
> place?<br>
<br>
The peer proposes the IP addresses as identities (it's what you see in <br>
[] in the "looking for peer configs matching ..." log message), which <br>
clearly don't match "key" (whatever that is exactly). So just remove <br>
those `id = key` lines (the default identities are the IP addresses) and <br>
associate the secret with y.y.y.y (i.e. set `id-1 = y.y.y.y` there).<br>
<br>
Regards,<br>
Tobias<br>
</blockquote></div>
</blockquote></div>
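<p>The conclusion of the thread, as an added example that is not part of the mail exchange and not strongSwan's own code: a POSIX shell script that brings up the VTI device with the outer IKE/ESP endpoints as <code>local</code>/<code>remote</code> (the thread's <code>x.x.x.x</code> / <code>y.y.y.y</code> placeholders stand in for them), assigns the inner /30 to the interface, keeps <code>key</code> equal to <code>mark_in</code>/<code>mark_out</code>, and then checks <code>ip -s tunnel show</code> output for the two symptoms seen above: a climbing TX NoRoute counter and endpoints that lie inside the tunnel's own prefix. The <code>REMOTE_NET</code> value and the second stats sample are constructed; the first stats sample is the one pasted in the thread. The commands are only printed unless <code>DRY_RUN=0</code> is set, so the checks can be exercised without root.</p>

```shell
#!/bin/sh
# Added example, not from the thread or from strongSwan: VTI setup the way the
# thread concludes it must be done, plus checks over `ip -s tunnel show` output.
# x.x.x.x / y.y.y.y are the thread's placeholders for the OUTER endpoint
# addresses; REMOTE_NET is a constructed value for the network behind the peer.
OUTER_LOCAL="${OUTER_LOCAL:-x.x.x.x}"
OUTER_REMOTE="${OUTER_REMOTE:-y.y.y.y}"
INNER_LOCAL="10.255.255.26/30"            # inner address, from the thread
INNER_NET="10.255.255.24/30"
REMOTE_NET="${REMOTE_NET:-192.168.2.0/24}" # constructed
VTI_KEY=10                                 # must equal mark_in = mark_out
VTI_DEV=vti0

# run: print the command when DRY_RUN=1 (the default here), else execute it.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# vti_setup: local/remote are the outer endpoints, the /30 goes on the device.
# The connected /30 route (dev vti0 scope link) appears by itself once the
# address is assigned; only routes for networks behind the peer are added.
vti_setup() {
  run ip tunnel add "$VTI_DEV" mode vti local "$OUTER_LOCAL" remote "$OUTER_REMOTE" key "$VTI_KEY"
  run ip addr add "$INNER_LOCAL" dev "$VTI_DEV"
  run sysctl -w "net.ipv4.conf.$VTI_DEV.disable_policy=1"
  run ip link set "$VTI_DEV" up
  run ip route add "$REMOTE_NET" dev "$VTI_DEV"
}

# Stats as pasted in the thread: endpoints wrongly set to the inner /30.
SAMPLE_STATS='vti0: ip/ip remote 10.255.255.25 local 10.255.255.26 ttl inherit key 10
RX: Packets Bytes Errors CsumErrs OutOfSeq Mcasts
 0 0 0 0 0 0
TX: Packets Bytes Errors DeadLoop NoRoute NoBufs
 0 0 33 0 33 0'

# Constructed stats for a correctly configured device (documentation addresses).
GOOD_STATS='vti0: ip/ip remote 198.51.100.1 local 203.0.113.1 ttl inherit key 10
RX: Packets Bytes Errors CsumErrs OutOfSeq Mcasts
 8 672 0 0 0 0
TX: Packets Bytes Errors DeadLoop NoRoute NoBufs
 8 672 0 0 0 0'

# vti_noroute_count DEV: print the TX NoRoute counter for DEV from
# `ip -s tunnel show` output read on stdin.
vti_noroute_count() {
  awk -v dev="$1:" '
    $1 == dev        { found = 1; next }
    found && /^TX:/  { tx = 1; next }
    found && tx      { print $5; exit }'
}

# ip2int: dotted quad to an integer, using only portable awk.
ip2int() { printf '%s\n' "$1" | awk -F. '{ print $1*16777216 + $2*65536 + $3*256 + $4 }'; }

# in_prefix IP PREFIX: succeed when IP lies inside PREFIX (a.b.c.d/len).
in_prefix() {
  awk -v ip="$(ip2int "$1")" -v net="$(ip2int "${2%/*}")" -v len="${2#*/}" 'BEGIN {
    size = 2 ^ (32 - len); base = int(net / size) * size
    exit !(ip >= base && ip < base + size) }'
}

# vti_endpoint_check STATS INNER_PREFIX: fail when the device's local or remote
# address lies inside the inner prefix, the misconfiguration the thread ends on.
vti_endpoint_check() {
  eps=$(printf '%s\n' "$1" | awk '$1 ~ /^vti[0-9]+:$/ {
      for (i = 1; i < NF; i++) { if ($i == "remote") r = $(i+1); if ($i == "local") l = $(i+1) }
      print r, l; exit }')
  remote=${eps% *}; lcl=${eps#* }
  if in_prefix "$remote" "$2" || in_prefix "$lcl" "$2"; then
    echo "misconfigured: local $lcl / remote $remote lie inside $2; use the outer IKE endpoints"
    return 1
  fi
  echo "ok: endpoints $lcl -> $remote are outside $2"
}

# demo: print the setup commands and run both checks on the thread's stats.
demo() {
  vti_setup
  echo "TX NoRoute on $VTI_DEV: $(printf '%s\n' "$SAMPLE_STATS" | vti_noroute_count "$VTI_DEV")"
  vti_endpoint_check "$SAMPLE_STATS" "$INNER_NET" || true
  vti_endpoint_check "$GOOD_STATS" "$INNER_NET"
}
[ "${1:-}" = demo ] && demo
```

<p>Run it as <code>sh vti.sh demo</code> to see the command sequence and the two check results; on a real host, export the outer endpoint addresses and <code>DRY_RUN=0</code> to execute the setup. The endpoint check catches the thread's mistake mechanically: if either tunnel endpoint falls inside the prefix assigned on the device, the kernel has no route to reach the peer's outer address through the outer interface, and every outgoing packet ends up in the TX NoRoute counter.</p>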