[strongSwan] Outgoing traffic bypass VTI interface

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Sep 13 00:27:31 CEST 2017


You probably didn't disable the installation of routes by charon.

On 11.09.2017 20:01, Cao, Jean wrote:
> I am setting up a Route Based VPN. The setup is as follows:
>
> Host-A --- Gateway-A --- Router --- Gateway-B --- Host-B
>
> I have strongswan set up on Gateway-A and Gateway-B. Without creating Route Based VPN, the
>
> We have created VTI on both gateways. We could ping between hosts. However, we do notice that at the gateway, the outgoing traffic is bypassing the vti interface. But incoming traffic from the remote gateway is received at the vti interface.
>
> For example, when pinging from Host-A to Host-B, the ping request arrives at Gateway-A and is forwarded to Gateway-B through the Router. However, the ping request is not going through the vti; instead, it is sent through the physical interface in encrypted packets.
>
> At Gateway-B, the physical interface sees the encrypted packets, and the vti interface sees clear packets of the ping request. Similarly, the ping echo packets from Host-B bypass the vti at Gateway-B and go out through the physical interface as encrypted packets.
>
> At Gateway-A, the ping echo packets are received at the vti successfully.
>
> I couldn't figure out what the cause of this problem is. Can anyone give me some hints?
>
> Thanks!
>
> Jean
>

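The hint above refers to charon's route installation: by default charon adds a route for the remote traffic selector to its own routing table (220) via the interface that holds the IKE endpoint address, and that table is consulted ahead of the main table, so a static route through the VTI in the main table never wins and plaintext is handed straight to the physical interface where the policy encrypts it. The script below is an added example written for this page, not code from the thread or from the strongSwan project. It shows the `strongswan.conf` setting that turns route installation off, a check for that setting, a check over `ip route show table 220` output for routes that skip the VTI, and the VTI setup itself. The device name `vti0`, the key/mark `42`, the addresses `203.0.113.1`, `198.51.100.1` and `10.0.2.0/24`, and the sample routing-table line are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from strongSwan). All addresses,
# the device name and the mark value are constructed for illustration.

VTI_DEV=vti0
VTI_KEY=42                 # must equal the mark= value of the connection
LOCAL_PUB=203.0.113.1      # constructed: Gateway-A public address
REMOTE_PUB=198.51.100.1    # constructed: Gateway-B public address
REMOTE_LAN=10.0.2.0/24     # constructed: LAN behind Gateway-B

# 1. strongswan.conf fragment: stop charon from adding routes to table 220.
STRONGSWAN_CONF_SNIPPET='charon {
    install_routes = no
}'

# 2. Check a strongswan.conf file for that setting.
#    Returns 0 when "install_routes = no" is present, 1 otherwise.
charon_routes_disabled() {
    grep -Eq '^[[:space:]]*install_routes[[:space:]]*=[[:space:]]*no([[:space:]]|$)' "$1"
}

# 3. Given the text of `ip route show table 220`, print how many routes do
#    not go over the VTI device. Any number above 0 means charon-installed
#    routes steer plaintext to the physical interface instead of the VTI.
routes_bypassing_vti() {
    dev="$1"
    routes="$2"
    printf '%s\n' "$routes" | grep -vE "dev $dev( |$)" | grep -c . || true
}

# 4. VTI setup on the gateway (needs root; not run by the checks above).
setup_vti() {
    ip tunnel add "$VTI_DEV" mode vti local "$LOCAL_PUB" remote "$REMOTE_PUB" key "$VTI_KEY"
    # Packets arriving on the VTI have already been decrypted; skip a second policy check.
    sysctl -w "net.ipv4.conf.$VTI_DEV.disable_policy=1"
    ip link set "$VTI_DEV" up
    # The route that should carry traffic for the remote LAN lives in the main table.
    ip route add "$REMOTE_LAN" dev "$VTI_DEV"
}

# 5. Live diagnosis: with install_routes = no, table 220 should be empty.
diagnose() {
    echo "== routing rules =="; ip rule show
    echo "== table 220 (charon-installed routes) =="
    table220=$(ip route show table 220)
    printf '%s\n' "$table220"
    n=$(routes_bypassing_vti "$VTI_DEV" "$table220")
    echo "routes bypassing $VTI_DEV: $n"
}

case "${1:-}" in
    setup)    setup_vti ;;
    diagnose) diagnose ;;
    snippet)  printf '%s\n' "$STRONGSWAN_CONF_SNIPPET" ;;
    *)        echo "usage: $0 setup|diagnose|snippet" ;;
esac
```

Run `diagnose` on the gateway before and after adding the snippet to `strongswan.conf` and restarting charon: the first run shows the remote LAN routed via the physical interface in table 220, the second shows the table empty and the main-table route over `vti0` taking effect. The `mark=` value in the connection definition must match `VTI_KEY`, otherwise the kernel cannot associate the IPsec policy with the tunnel device.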