[strongSwan] Outgoing traffic bypass VTI interface

Cao, Jean Jean.Cao at gd-ms.ca
Mon Sep 11 20:01:17 CEST 2017

I am setting up a route-based VPN.  The setup is as follows:

Host-A --- Gateway-A --- Router --- Gateway-B --- Host-B

I have strongSwan set up on Gateway-A and Gateway-B.  Without creating a route-based VPN, the

We have created a VTI on both gateways.  We can ping between the hosts.  However, we notice that, at the gateway, the outgoing traffic bypasses the VTI interface, but incoming traffic from the remote gateway is received on the VTI interface.

For example, when pinging from Host-A to Host-B, the ping request arrives at Gateway-A and is forwarded to Gateway-B through the Router.  However, the ping request does not go through the VTI; instead, it is sent through the physical interface as encrypted packets.

At Gateway-B, the physical interface sees the encrypted packets, and the VTI interface sees the cleartext ping request packets.  Similarly, the ping echo packets from Host-B bypass the VTI at Gateway-B and go out through the physical interface as encrypted packets.

At Gateway-A, the ping echo packets are received on the VTI successfully.

I couldn't figure out the cause of this problem.  Can anyone give me some hints?

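Added example, not part of the original post and not strongSwan's own material: the route-based VTI layout for Gateway-A that strongSwan's documentation describes (one value shared by the conn's mark= and the VTI key, 0.0.0.0/0 traffic selectors so that the routing table decides what enters the tunnel, and install_routes = no so that charon does not add its own route for the peer in table 220), plus a text-only check that reads `ip xfrm policy` output and reports policies that do not carry the VTI's mark. Every address, the mark value 42, the interface name vti0, the conn name and the sample `ip xfrm policy` output are assumptions or constructed data; the setup commands are printed, not executed, so the script runs without root.

```shell
#!/bin/sh
# Added example, not taken from the original post or from strongSwan itself.
# Assumed values: outer addresses, inner subnets, mark 42, interface vti0.
GW_A=192.0.2.1          # Gateway-A outer address (assumed)
GW_B=198.51.100.1       # Gateway-B outer address (assumed)
NET_B=10.2.0.0/24       # Host-B side subnet reached through the tunnel (assumed)
MARK=42                 # one value for the conn's mark= and the VTI key (assumed)

mark_hex() { printf '0x%x' "$MARK"; }   # the form `ip xfrm policy` prints

# Gateway-A side of the VTI. The tunnel key is used as ikey and okey: packets
# routed into vti0 get okey as their mark before the XFRM policy lookup, and
# decrypted packets carrying ikey are delivered through vti0.
vti_setup_commands() {
    cat <<EOF
ip link add vti0 type vti local $GW_A remote $GW_B key $MARK
sysctl -w net.ipv4.conf.vti0.disable_policy=1
ip link set vti0 up
ip route add $NET_B dev vti0
EOF
}

# ipsec.conf conn for Gateway-A: mark= puts the same value on the policies and
# SAs charon installs; 0.0.0.0/0 selectors leave tunnel selection to routing.
ipsec_conf_conn() {
    cat <<EOF
conn gw-b
    left=$GW_A
    leftsubnet=0.0.0.0/0
    right=$GW_B
    rightsubnet=0.0.0.0/0
    mark=$MARK
    auto=route
EOF
}

# charon.conf: stop charon adding a route to the peer's subnet in table 220,
# which is consulted before the main table and therefore before the vti0 route.
charon_conf_snippet() {
    cat <<EOF
charon {
    install_routes = no
}
EOF
}

# Check: read `ip xfrm policy` output on stdin and print every non-socket
# policy whose mark is not $1 (hex). A policy without the VTI's mark cannot
# match traffic that was routed into vti0 and tagged with okey.
policies_missing_mark() {
    awk -v want="mark $1/" '
        function flush() { if (hdr != "" && !ok && !sock) print hdr }
        /^src /               { flush(); hdr = $1 " " $2 " " $3 " " $4; ok = 0; sock = 0; next }
        /^[[:space:]]*dir /   { hdr = hdr " dir " $2 }
        /^[[:space:]]*socket/ { sock = 1 }
        index($0, want)       { ok = 1 }
        END                   { flush() }
    '
}

# Constructed sample of `ip xfrm policy` output: the out policy carries the
# mark, the in policy does not, and the socket policy must be ignored.
SAMPLE_XFRM_POLICY='src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 375423 ptype main
    mark 0x2a/0xffffffff
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir in priority 375423 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main'

# Runs the check on the constructed sample; on a gateway the equivalent is
#   ip xfrm policy | policies_missing_mark "$(mark_hex)"
check_sample() {
    printf '%s\n' "$SAMPLE_XFRM_POLICY" | policies_missing_mark "$(mark_hex)"
}

vti_setup_commands
ipsec_conf_conn
charon_conf_snippet
echo "policies without mark $(mark_hex):"
check_sample
```

On the sample, the check reports the in policy only. To see whether outgoing packets enter the VTI at all, watch the TX counters of `ip -s link show vti0` while pinging, and compare `ip route show table 220` with `ip route show` to find out which route a packet to the remote subnet actually takes.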
