On Fri, 5 Oct 2018, Johannes C. Schulz wrote:

> $ ip route
> default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100
> xx.yyy.zzz.vv dev vti0 scope link

I don't see a src entry here. If the source IP is not the default IP,
then you're in trouble because it would use the wrong source IP to
route into the VTI device, and then not match the IPsec policy.

You can see problems like this by checking the error counters in
/proc/net/xfrm_stat

Paul
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
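
The two checks described in the message above, as an added example that is not part of the original post or of libreswan: list routes on the VTI device that have no `src` hint, and list the non-zero counters in `/proc/net/xfrm_stat`. The function names and the sample data (documentation addresses, counter values) are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print routes that leave via device $1 and carry no "src" hint.
# Reads `ip route` output on stdin.
routes_without_src() {
    awk -v dev="$1" '
        {
            on_dev = 0; has_src = 0
            for (i = 1; i < NF; i++) {
                if ($i == "dev" && $(i + 1) == dev) on_dev = 1
                if ($i == "src") has_src = 1
            }
            if (on_dev && !has_src) print
        }'
}

# Print the non-zero counters from xfrm_stat-formatted input on stdin.
# Each line is "<CounterName> <value>", separated by whitespace.
nonzero_xfrm_counters() {
    awk '$2 + 0 > 0 { print $1 "=" $2 }'
}

# Constructed sample: one VTI route without src, one with src.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0 proto dhcp metric 100
192.0.2.10 dev vti0 scope link
198.51.100.0/24 dev vti0 scope link src 10.0.0.1'

# Constructed sample in the layout of /proc/net/xfrm_stat.
SAMPLE_XFRM_STAT='XfrmInError             0
XfrmInNoStates          0
XfrmInNoPols            0
XfrmOutError            0
XfrmOutNoStates         7
XfrmOutPolBlock         0'

echo "VTI routes without src:"
printf '%s\n' "$SAMPLE_ROUTES" | routes_without_src vti0
echo "Non-zero xfrm counters:"
printf '%s\n' "$SAMPLE_XFRM_STAT" | nonzero_xfrm_counters

# On a live host:
#   ip route | routes_without_src vti0
#   nonzero_xfrm_counters < /proc/net/xfrm_stat
```

Taking two readings of the counters a few seconds apart while sending traffic through the tunnel shows which ones are still increasing.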