[strongSwan] VTI's as initiator?
Ruel, Ryan
rruel at akamai.com
Thu Jul 28 19:08:19 CEST 2016
Tobias,
With a combination of setting the mark correctly and setting the traffic selectors (I ended up using 0.0.0.0/0), I am now able to pass traffic through the VTI.
Thanks for your help.
/Ryan
On 7/28/16, 10:05 AM, "Tobias Brunner" <tobias at strongswan.org> wrote:
Hi Ryan,
> When acting as a responder, I didn’t have to do this, strongSwan seems to choose a mark value for me.
Not unless you configured `mark=%unique`.
> Anything else I should check?
Yes, the traffic selectors. As I wrote on [1] the traffic you route
into a VTI device has to match the negotiated IPsec policies. Since you
haven't specified left|rightsubnet the TS will default to left|right.
Since you want to route traffic to 10.1.1.0/24 you have to use at least
`rightsubnet=10.1.1.0/24`.
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
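
An added example, not part of the original thread or strongSwan's own code: a small Python check that reads ipsec.conf-style `conn` sections and reports why traffic routed into a VTI would not match the negotiated policy, covering the two points raised above (the mark and the default traffic selector). The conn names, addresses and mark value are constructed, and the check assumes `right` is an IP literal and the mark is a plain number equal to the VTI key.

```python
import ipaddress

# Constructed sample conn sections; addresses and the mark value are made up.
SAMPLE_CONF = """
conn vti-no-subnet
    right=198.51.100.1
    mark=42

conn vti-with-subnet
    right=198.51.100.1
    rightsubnet=10.1.1.0/24
    mark=42
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, cur = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line:
            continue
        if line.startswith("conn "):
            cur = conns.setdefault(line.split()[1], {})
        elif not line[0].isspace():
            cur = None  # some other section, e.g. "config setup"
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return conns

def remote_selectors(conn):
    """rightsubnet if set; otherwise the selector defaults to the right address."""
    raw = conn.get("rightsubnet") or conn["right"]
    return [ipaddress.ip_network(s.strip(), strict=False) for s in raw.split(",")]

def check_vti(conn, vti_key, routed_dst):
    """Return reasons why traffic routed into the VTI would miss the IPsec policy."""
    problems = []
    # Assumption: a plain numeric mark (no mask, not %unique) equal to the VTI key.
    try:
        mark_ok = int(conn.get("mark", ""), 0) == vti_key
    except ValueError:
        mark_ok = False
    if not mark_ok:
        problems.append(f"mark={conn.get('mark', 'unset')} does not match VTI key {vti_key}")
    dst = ipaddress.ip_network(routed_dst)
    if not any(t.version == dst.version and dst.subnet_of(t) for t in remote_selectors(conn)):
        problems.append(f"{dst} is outside the remote traffic selectors")
    return problems
```

With the sample above, `vti-no-subnet` fails for a route to 10.1.1.0/24 because its selector defaults to 198.51.100.1/32, while `vti-with-subnet` passes; a selector of 0.0.0.0/0 covers any IPv4 route.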