On Wed, 1 Nov 2017, Paul Tran wrote:
RP_filter is disabled but the ipsec verify shows the same message about disabling it still (rp_filter is not fully aware of IPsec and should be disabled).
The "all" or "default" options only take effect on newly created interfaces. So either manually disable each existing one, or restart the networking (or reboot?).
XfrmInStateMismatch 19
Are they not marked properly? Or routed into the VTI interface?
But there are XFRM policies in place for use - src 10.0.0.0/8 dst 192.168.0.0/16 uid 0 dir out action allow index 177 priority 2864 ptype main share any flag (0x00000000)
mark 5/0xfffffff
so if you have a route into the vti device which has a key of 5, as shown with "ip tunnel" then it should work provided the ping packet has a 10.* source ip to 192.168.*.*.

Paul
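The advice above to disable rp_filter on each existing interface, as an added example that is not part of the original message or of libreswan. The function names and the directory argument are hypothetical; the audit relies on the kernel's documented rule that the larger of conf/all and conf/<iface> is the value applied on that interface.

```shell
#!/bin/sh
# Added example: audit and clear rp_filter on every existing interface.
# The directory argument (hypothetical) defaults to the live sysctl tree
# and exists so the functions can be pointed at a constructed copy.

# Print "<iface> <effective value>" for each interface on which reverse-path
# filtering is still active. Effective value = max(conf/all, conf/<iface>).
rp_filter_audit() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    all=$(cat "$root/all/rp_filter" 2>/dev/null) || all=0
    for f in "$root"/*/rp_filter; do
        [ -f "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        # "all" and "default" are not interfaces; skip them in the report.
        case "$iface" in all|default) continue ;; esac
        eff=$(cat "$f" 2>/dev/null) || continue
        if [ "$all" -gt "$eff" ]; then eff=$all; fi
        if [ "$eff" -ne 0 ]; then echo "$iface $eff"; fi
    done
    return 0
}

# Write 0 to all, default and every per-interface entry (needs root on a
# live system). "default" is included so interfaces created later, such as
# a new VTI device, also start with rp_filter off.
rp_filter_disable() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    for f in "$root"/*/rp_filter; do
        [ -f "$f" ] || continue
        echo 0 > "$f" || return 1
    done
    return 0
}

# Read-only report on the running system; an empty report means no
# interface is still filtering.
rp_filter_audit
```

Run `rp_filter_disable` as root and then `rp_filter_audit` again before re-running `ipsec verify`; values written this way do not survive a reboot unless they are also set in sysctl configuration.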
