Hi,

After several days, I finally have a configuration which forces all the traffic from a specific user to be routed through a VPN via a vti interface.

After creating the vti interface and establishing the different routes, I can successfully check if the traffic is currently routed using the following commands:

sudo -u vpn -i -- curl ipinfo.io
ping -I vti0 www.google.com

Unfortunately, after a period of time, it is no longer working and I can see several error packets on the vti interface. Several minutes later, the connection is established again with the VPN but with a new connection (the IP has changed).

It seems this issue occurs after "sending keep alive" from IKE.

Is something missing or wrong in my ipsec.conf?

Thanks for your help,
Gilles

/etc/ipsec.conf

> config setup
>     charondebug="ike 2, knl 3, cfg 0"
>
> conn %default
>     ### Key Exchange
>     keyexchange=ikev2
>     ike=aes256-sha256-ecp384                  # Algorithms used for the connection [phase1/ISAKMP SA]
>     esp=aes256-sha256-ecp384,aes256-sha256    # Algorithms offered/accepted for a phase2 negotiation
>
> conn VPN
>     dpdaction=restart
>     leftupdown=/etc/ipsec.script.sh
>     left=%defaultroute
>     leftsourceip=%config4
>     leftauth=eap-mschapv2
>     eap_identity=gprintemps
>     right=free-nl.hide.me
>     rightauth=pubkey
>     rightid=%any
>     rightsubnet=0.0.0.0/0
>     auto=start
>     mark=2

/etc/ipsec.script.sh

> #!/bin/sh
> set -o nounset
> set -o errexit
>
> VPN_USER="vpn"
> VTI_INTERFACE="vti0"
>
> case "${PLUTO_VERB}" in
>     up-client)
>         # Create the vti; ikey/okey come from mark=2 in ipsec.conf
>         # (PLUTO_MARK_IN/OUT are "mark/mask", the mask part is stripped)
>         ip tunnel add "${VTI_INTERFACE}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
>             okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
>         ip link set "${VTI_INTERFACE}" up
>         # Traffic on the vti is already covered by the IPsec policies, skip the policy check
>         sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1"
>         sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.rp_filter=2"
>         # Virtual IP handed out by the VPN server (leftsourceip=%config4)
>         ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_INTERFACE}"
>         # Policy routing: packets marked 0x1 by iptables are looked up in the "vpn" table
>         if [ "$(ip rule list | grep -c 0x1)" -eq 0 ]; then
>             ip rule add from all fwmark 0x1 lookup "$VPN_USER"
>         fi
>         # Launch routing script
>         /etc/ipsec.route.sh
>         ;;
>     down-client)
>         ip tunnel del "${VTI_INTERFACE}"
>         ;;
> esac

/etc/ipsec.route.sh

> #!/bin/sh
> export TABLE_ID="vpn"          # routing table name, must exist in /etc/iproute2/rt_tables
> export VPN_USER="vpn"          # the ip rule above does "lookup $VPN_USER", so this must match TABLE_ID
> export VTI_INTERFACE="vti0"
> export LOCAL_IP="10.211.55.3"
>
> # Flush iptables rules (this removes every existing rule in these three tables)
> iptables -F -t nat
> iptables -F -t mangle
> iptables -F -t filter
>
> # Mark packets from $VPN_USER
> iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
> iptables -t mangle -A OUTPUT ! --dest $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
> # Also mark any locally generated packet not sourced from $LOCAL_IP (e.g. from the vti address)
> iptables -t mangle -A OUTPUT ! --src $LOCAL_IP -j MARK --set-mark 0x1
> iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
>
> # Deny $VPN_USER to access other interfaces than lo
> # iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP
>
> # Allow $VPN_USER to access lo and VPN interfaces
> iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
> iptables -A OUTPUT -o $VTI_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT
>
> # Allow responses from $VTI_INTERFACE
> iptables -A INPUT -i $VTI_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
>
> # Masquerade packets on $VTI_INTERFACE
> iptables -t nat -A POSTROUTING -o $VTI_INTERFACE -j MASQUERADE
>
> # Routing rules: the vti address becomes the gateway of the "vpn" table, with a loopback
> # default appended behind it; if the vti route disappears, marked traffic is sent to lo
> # instead of falling through to the main table
> GATEWAY=$(ifconfig $VTI_INTERFACE | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
> ip route replace default via $GATEWAY table $TABLE_ID
> ip route append default via 127.0.0.1 dev lo table $TABLE_ID
> ip route flush cache
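Added example, not part of Gilles's post or of strongSwan: a small shell check for the policy-routing state the updown and route scripts above are meant to leave behind (a fwmark 0x1 rule pointing at table "vpn", and in that table a default via vti0 ahead of the loopback fallback), useful to run right after an IKE restart, which is when the setup is reported to break. The `ip rule` and `ip route` outputs embedded in it are constructed samples; `live_check` assumes iproute2, root, and the table name `vpn` and interface `vti0` used by the scripts.

```shell
#!/bin/sh
# Constructed sample outputs (not captured from a real host), in the shape printed by
# `ip rule list` and `ip route show table vpn`.
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup vpn
32766:  from all lookup main
32767:  from all lookup default'

# Tunnel up: vti default first, loopback default appended behind it
SAMPLE_TABLE_UP='default via 10.8.0.5 dev vti0
default via 127.0.0.1 dev lo'
# After down-client deleted vti0: only the loopback default remains, marked traffic is black-holed
SAMPLE_TABLE_BLACKHOLE='default via 127.0.0.1 dev lo'
# Loopback default missing: once vti0 goes away the lookup falls through to the main table
SAMPLE_TABLE_NO_FALLBACK='default via 10.8.0.5 dev vti0'

# has_mark_rule RULES TABLE -> exit 0 if packets marked 0x1 are sent to TABLE
has_mark_rule() {
    printf '%s\n' "$1" | grep -q "fwmark 0x1 lookup $2"
}

# vpn_state TABLE_OUTPUT VTI -> prints "up", "blackhole", "no-fallback" or "leak"
vpn_state() {
    printf '%s\n' "$1" | awk -v vti="$2" '
        BEGIN { n = 0; has_lo = 0; first_vti = 0 }
        /^default / {
            n++
            if (n == 1 && $0 ~ ("dev " vti "( |$)")) first_vti = 1
            if ($0 ~ /dev lo( |$)/) has_lo = 1
        }
        END {
            if (n == 0)          print "leak"          # empty table: lookup falls through to main
            else if (!has_lo)    print "no-fallback"   # fine until vti0 disappears, then leaks
            else if (first_vti)  print "up"
            else                 print "blackhole"     # loopback default is first (vti0 gone)
        }'
}

# Live version (assumes iproute2 and root; table and vti names as in the scripts above)
live_check() {
    has_mark_rule "$(ip rule list)" vpn || { echo "fwmark 0x1 rule missing"; return 1; }
    vpn_state "$(ip route show table vpn)" vti0
}
```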