Hello, By default, the "charon.install_routes" is set to value "yes". I don't really understand why it is the default behavior? The packets are to be processed by the IPsec stack before being processed by the routing table, right? I'm running a FreeBSD system, maybe Linux's netfilter has a different behavior? Best Regards, Emeric