Tobias,

With a combination of setting the mark correctly and setting the traffic 
selectors (I ended up using 0.0.0.0/0), I am now able to pass traffic through 
the VTI.

Thanks for your help.

/Ryan

On 7/28/16, 10:05 AM, "Tobias Brunner" <[email protected]> wrote:

    Hi Ryan,
    
    > When acting as a responder, I didn’t have to do this, strongSwan seems to choose a mark value for me.
    
    Not unless you configured `mark=%unique`.
    
    > Anything else I should check?
    
    Yes, the traffic selectors.  As I wrote on [1] the traffic you route
    into a VTI device has to match the negotiated IPsec policies.  Since you
    haven't specified left|rightsubnet the TS will default to left|right.
    Since you want to route traffic to 10.1.1.0/24 you have to use at least
    `rightsubnet=10.1.1.0/24`.
    
    Regards,
    Tobias
    
    [1] https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
    
    

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
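
The two conditions discussed in this thread (the conn's mark has to equal the VTI key, and anything routed into the VTI has to fall inside the negotiated traffic selectors) can be checked before bringing the tunnel up. The following is an added example, not code from the thread or from strongSwan; the function names, the VTI key 42, the addresses and the sample conn sections are constructed, and it assumes `right` is an IP literal.

```python
import ipaddress

def parse_conn(text):
    """Collect key=value options from one ipsec.conf conn section."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def remote_ts(opts):
    """Remote traffic selectors: rightsubnet, else the address in right."""
    value = opts.get("rightsubnet", opts["right"])
    return [ipaddress.ip_network(s.strip()) for s in value.split(",")]

def check_vti(opts, vti_key, vti_routes):
    """List mismatches between a conn section and the VTI key and routes."""
    problems = []
    mark = opts.get("mark")
    if mark is None:
        problems.append("no mark set on the conn")
    elif mark == "%unique":
        problems.append("mark=%unique is assigned per connection; not checkable here")
    elif int(mark.split("/")[0], 0) != vti_key:
        problems.append(f"mark {mark} does not equal VTI key {vti_key}")
    selectors = remote_ts(opts)
    for route in vti_routes:
        dest = ipaddress.ip_network(route)
        if not any(dest.version == ts.version and dest.subnet_of(ts)
                   for ts in selectors):
            problems.append(f"route {dest} is outside the remote TS")
    return problems

# Constructed sample configs (documentation addresses), not from the thread.
DEFAULT_TS = """
conn vti
    left=192.0.2.1
    right=192.0.2.2
    mark=42
"""
WIDE_TS = DEFAULT_TS + "    leftsubnet=0.0.0.0/0\n    rightsubnet=0.0.0.0/0\n"

if __name__ == "__main__":
    for name, conf in (("default TS", DEFAULT_TS), ("0.0.0.0/0 TS", WIDE_TS)):
        print(name, check_vti(parse_conn(conf), 42, ["10.1.1.0/24"]))
```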
