[strongSwan] IPSec route based VPN - VTI interface TX Errors NoRoute

Tobias Brunner tobias at strongswan.org
Tue Aug 31 10:51:26 CEST 2021

Hi Tiago,

> Pings from the Linux system are being seen as errors NoRoute by the tunnel.
> ...
> Shunted Connections:
> Bypass LAN === PASS

The reason is most likely this passthrough IPsec policy installed by the 
bypass-lan plugin for the subnet that is reachable (according to the 
main routing table) via ip_vti1.  For a ping from to, the VTI interface won't find an IPsec policy to protect the 
packet (the passthrough policy has a higher priority), so it gets dropped.

To avoid that, either install the routes via VTI in table 220 (which is 
ignored by the bypass-lan plugin automatically), exclude the VTI 
interface explicitly via charon.plugins.bypass-lan.interfaces_ignore, or 
just disable the bypass-lan plugin completely if you don't need it.
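
A small diagnostic for the situation described in the reply above, added here as an example (not code from strongSwan or from the original message): it reads route entries in the JSON shape printed by `ip -j route show table all` and lists main-table routes via a VTI device that bypass-lan would still cover. It models only what the reply states (main table counted, table 220 and interfaces_ignore devices skipped); the sample routes and the function name are constructed.

```python
import ipaddress
import json

# Constructed sample in the shape of `ip -j route show table all` output.
# Entries without a "table" key are in the main table.
SAMPLE_ROUTES = json.loads("""
[
  {"dst": "default", "gateway": "192.0.2.1", "dev": "eth0"},
  {"dst": "192.0.2.0/24", "dev": "eth0", "scope": "link"},
  {"dst": "10.20.0.0/16", "dev": "ip_vti1", "scope": "link"},
  {"dst": "10.30.0.0/16", "dev": "ip_vti1", "table": "220"}
]
""")


def shadowed_vti_routes(routes, vti_devs, interfaces_ignore=()):
    """Return [(subnet, dev)] for main-table routes via a VTI device that
    bypass-lan (as modelled here) would cover with a passthrough policy."""
    hits = []
    for route in routes:
        if str(route.get("table", "main")) != "main":
            continue  # e.g. table 220, which bypass-lan ignores
        dev = route.get("dev")
        if dev not in vti_devs or dev in interfaces_ignore:
            continue  # not a VTI route, or excluded via interfaces_ignore
        try:
            subnet = ipaddress.ip_network(route.get("dst", ""), strict=False)
        except ValueError:
            continue  # "default" and similar keywords are not subnets
        hits.append((str(subnet), dev))
    return hits


if __name__ == "__main__":
    for subnet, dev in shadowed_vti_routes(SAMPLE_ROUTES, {"ip_vti1"}):
        print(f"{subnet} via {dev}: passthrough policy would shadow the tunnel policy")
```

An empty result after moving the routes to table 220 or listing the VTI device in interfaces_ignore means this model no longer sees a conflicting subnet.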

