[strongSwan] IPSec route based VPN - VTI interface TX Errors NoRoute
Tobias Brunner
tobias at strongswan.org
Tue Aug 31 10:51:26 CEST 2021
Hi Tiago,
> Pings from the Linux system are being seen as errors NoRoute by the tunnel.
> ...
> Shunted Connections:
> Bypass LAN 10.10.10.0/30: 10.10.10.0/30 === 10.10.10.0/30 PASS
The reason is most likely this passthrough IPsec policy installed by the
bypass-lan plugin for the subnet that is reachable (according to the
main routing table) via ip_vti1. For a ping from 10.10.10.2 to
10.10.10.1, the VTI interface won't find an IPsec policy to protect the
packet (the passthrough policy has a higher priority), so it gets dropped.
To avoid that, either install the routes via VTI in table 220 (which is
ignored by the bypass-lan plugin automatically), exclude the VTI
interface explicitly via charon.plugins.bypass-lan.interfaces_ignore, or
just disable the bypass-lan plugin completely if you don't need it.
Regards,
Tobias
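The three remedies above, plus a check for the passthrough policy they work around, as an added shell example. This is not code from the post or from the strongSwan project: the interface name ip_vti1 and the 10.10.10.0/30 subnet come from the thread, the `ip xfrm policy` sample is constructed, and the policy priority numbers and peer addresses in it are made up. Nothing here changes the running system; the functions print commands or strongswan.conf fragments, or parse policy output fed to them.

```shell
#!/bin/sh
# Added example for the bypass-lan / VTI case discussed in the reply above.
# Not from the post or from strongSwan. Assumed: ip_vti1 is the VTI, the
# passthrough policies look like the constructed sample below.

# Remedy 1: put routes via the VTI into table 220 (charon.routing_table's
# default), which the bypass-lan plugin skips when it scans for local subnets.
# Prints the commands instead of running them.
vti_route_cmds() {
  iface=$1; shift
  for prefix in "$@"; do
    printf 'ip route add %s dev %s table 220\n' "$prefix" "$iface"
  done
}

# Remedy 2: strongswan.conf fragment setting
# charon.plugins.bypass-lan.interfaces_ignore for the VTI.
bypass_lan_ignore_conf() {
  printf 'charon {\n  plugins {\n    bypass-lan {\n      interfaces_ignore = %s\n    }\n  }\n}\n' "$1"
}

# Remedy 3: strongswan.conf fragment that does not load the plugin at all.
bypass_lan_disable_conf() {
  printf 'charon {\n  plugins {\n    bypass-lan {\n      load = no\n    }\n  }\n}\n'
}

# Diagnostic: read `ip xfrm policy` output on stdin and list the policies
# that cover prefix $1 and carry no "tmpl" line. A policy without a template
# is a passthrough (bypass) policy; one with a template protects traffic.
find_passthrough_policies() {
  awk -v want="$1" '
    function flush() {
      if (src != "" && !has_tmpl && (src == want || dst == want))
        printf "%s %s %s prio %s\n", dir, src, dst, prio
      src = ""; dst = ""; dir = ""; prio = ""; has_tmpl = 0
    }
    $1 == "src"  { flush(); src = $2; dst = $4; next }
    $1 == "dir"  { dir = $2; prio = $4; next }
    $1 == "tmpl" { has_tmpl = 1; next }
    END { flush() }
  '
}

# Constructed sample of `ip xfrm policy` output: three bypass-lan passthrough
# policies for 10.10.10.0/30 and one marked, template-carrying policy that
# would protect the same subnet through the VTI. Numbers are made up.
sample_xfrm_policy() {
  printf '%s\n' \
    'src 10.10.10.0/30 dst 10.10.10.0/30' \
    '        dir out priority 2080 ptype main' \
    'src 10.10.10.0/30 dst 10.10.10.0/30' \
    '        dir in priority 2080 ptype main' \
    'src 10.10.10.0/30 dst 10.10.10.0/30' \
    '        dir fwd priority 2080 ptype main' \
    'src 10.10.10.0/30 dst 10.10.10.0/30' \
    '        dir out priority 399999 ptype main' \
    '        mark 0x1/0xffffffff' \
    '        tmpl src 192.0.2.1 dst 198.51.100.1' \
    '                proto esp reqid 1 mode tunnel'
}

# Usage: on a real host replace sample_xfrm_policy with `ip xfrm policy`.
sample_xfrm_policy | find_passthrough_policies 10.10.10.0/30
vti_route_cmds ip_vti1 10.10.10.1/32
bypass_lan_ignore_conf ip_vti1
```

If `find_passthrough_policies` lists out/in/fwd entries for the VTI subnet, the bypass-lan plugin is the cause as described above. For remedy 1, the prefix must not also remain in the main table, since that is where the plugin looks; the rule that makes the kernel consult table 220 is installed by charon itself when route installation is enabled (the default), so no extra `ip rule` is needed.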