On 2012-02-01, Aner Perez <a...@ncstech.com> wrote:
> Ok, to answer my own question, it seems like you need a non-encap
> route to the network on the other side of the VPN. If you don't have
> a regular route to that network, you get host unreachable responses.
>
> To test this, I tried adding a route for the specific network being
> accessed, pointing to our default gateway. Doing this allowed the
> traffic to flow through the VPN. Notice that the route I added was
> not pointing to the remote VPN peer, just to our regular gateway
> router to the internet.
>
> Next, I removed the specific route to the remote VPN network, and
> added a default route pointing to our internet gateway. This also
> worked and allowed traffic to flow through the VPN.
>
> Is this expected behavior? Do I need a static route to a remote
> network before I can pass traffic to it through an IPSEC tunnel?
Yes. Without a regular route a packet doesn't get far enough up the stack to do a flow lookup.
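An added model of the ordering described above (not code from the thread; the addresses are constructed RFC 5737 values and the model is a deliberately simplified version of the Linux output path, in which the route lookup happens before the XFRM policy lookup):

```python
import ipaddress

# Constructed addresses (RFC 5737 ranges), not the poster's real networks.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")      # our side of the tunnel
REMOTE_NET = ipaddress.ip_network("198.51.100.0/24")  # network behind the remote peer
INTERNET_GW = "203.0.113.1"                           # regular internet gateway
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# The IPsec policy only says "encapsulate LOCAL_NET -> REMOTE_NET";
# it carries no routing information of its own.
XFRM_POLICIES = [(LOCAL_NET, REMOTE_NET, "encap")]


def route_lookup(dst, routes):
    """Longest-prefix match over (prefix, next_hop) pairs; None when no route."""
    best = None
    for prefix, next_hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def policy_lookup(src, dst):
    """Selector match against the policy table; None when no policy applies."""
    for sel_src, sel_dst, action in XFRM_POLICIES:
        if src in sel_src and dst in sel_dst:
            return action
    return None


def send(src, dst, routes):
    """Simplified output path: route lookup first, policy (flow) lookup second."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    route = route_lookup(dst, routes)
    if route is None:
        # No plain route: the packet is dropped before any policy is consulted,
        # which is the "host unreachable" the poster observed.
        return "host unreachable"
    if policy_lookup(src, dst) == "encap":
        # Matched: the packet is wrapped in ESP towards the peer. The next hop
        # of the inner route only had to exist to satisfy the lookup.
        return "encapsulated"
    return f"plain via {route[1]}"


if __name__ == "__main__":
    src, dst = "192.0.2.10", "198.51.100.20"
    print(send(src, dst, []))                                   # host unreachable
    print(send(src, dst, [(REMOTE_NET, INTERNET_GW)]))          # encapsulated
    print(send(src, dst, [(DEFAULT, INTERNET_GW)]))             # encapsulated
    print(send(src, "203.0.113.99", [(DEFAULT, INTERNET_GW)]))  # plain via 203.0.113.1
```

The three scenarios in the `__main__` block mirror the poster's tests: no route, a specific route via the internet gateway, and a plain default route.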