On Fri, 5 Oct 2018, Johannes C. Schulz wrote:
$ ip route
default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100
xx.yyy.zzz.vv dev vti0 scope link

I don't see a src entry here. If the source IP is not the default IP, then you're in trouble because it would use the wrong source IP to route into the VTI device, and then not match the IPsec policy.

You can see problems like this by checking the error counters in /proc/net/xfrm_stat

Paul
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
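
Added example (not part of Paul's message and not libreswan code): a Python check that flags routes into a VTI device that carry no src hint, and lists the non-zero counters from /proc/net/xfrm_stat text. The sample inputs are constructed, and matching devices by a vtiN name is an assumption, since interface names are arbitrary.

```python
import re

# Constructed sample inputs (documentation addresses, not from a real host).
SAMPLE_ROUTES = """\
default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100
198.51.100.7 dev vti0 scope link
203.0.113.0/24 dev vti1 scope link src 10.0.0.1
"""
SAMPLE_XFRM_STAT = """\
XfrmInError             0
XfrmInNoPols            0
XfrmOutNoStates         12
XfrmOutPolBlock         3
"""


def vti_routes_without_src(ip_route_text, dev_pattern=r"^vti\d+$"):
    """Return (destination, device) for routes via a VTI device with no 'src'.

    dev_pattern is an assumption about how the VTI interfaces are named.
    """
    missing = []
    for line in ip_route_text.splitlines():
        tokens = line.split()
        if "dev" not in tokens:
            continue
        idx = tokens.index("dev")
        if idx + 1 >= len(tokens):
            continue  # malformed line: 'dev' with no interface name
        dev = tokens[idx + 1]
        if re.match(dev_pattern, dev) and "src" not in tokens:
            missing.append((tokens[0], dev))
    return missing


def nonzero_xfrm_counters(stat_text):
    """Parse 'Name value' lines and keep only counters greater than zero."""
    counters = {}
    for line in stat_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit() and int(parts[1]) > 0:
            counters[parts[0]] = int(parts[1])
    return counters


if __name__ == "__main__":
    for dest, dev in vti_routes_without_src(SAMPLE_ROUTES):
        print(f"route {dest} via {dev} has no src; kernel picks the source IP")
    for name, value in nonzero_xfrm_counters(SAMPLE_XFRM_STAT).items():
        print(f"{name} = {value}")
```

On a live host, pass the output of `ip route` and the contents of /proc/net/xfrm_stat to the two functions; comparing the counters before and after sending test traffic shows which ones are incrementing.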