[strongSwan] VTI's as initiator?
Tobias Brunner
tobias at strongswan.org
Thu Jul 28 16:05:48 CEST 2016
Hi Ryan,
> When acting as a responder, I didn’t have to do this, strongSwan seems to choose a mark value for me.
Not unless you configured `mark=%unique`.
> Anything else I should check?
Yes, the traffic selectors. As I wrote on [1] the traffic you route
into a VTI device has to match the negotiated IPsec policies. Since you
haven't specified left|rightsubnet the TS will default to left|right.
Since you want to route traffic to 10.1.1.0/24 you have to use at least
`rightsubnet=10.1.1.0/24`.
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
More information about the Users
mailing list