Hi Brian,

Your traffic selectors look strange. Left implies the source IP XFRM will
see and right implies the destination IP XFRM will see in order to know if
it has to transform and encrypt that IP packet.

Can you tell us the existing subnets in both sites?
Site 1 with static IP has x.x.x.x subnet
Site 2 with dynamic IP has x.x.x.x subnet

Also, what are those two /30 networks for? Do they need to go inside the
tunnel as well?

On Thu, Feb 28, 2019 at 5:10 AM Brian Topping <brian.topp...@gmail.com>
wrote:

> > VTI devices won't change anything.  You can't use transport mode with
> > any IPs other than those of the endpoints (i.e. it doesn't work with
> > virtual IPs or arbitrary subnets - you have to use tunnel mode for that).
>
> Got it, thanks Tobias. But the logs say `06[IKE] not using transport mode,
> not host-to-host` and the SADB modes are all `tunnel`, so the stack appears
> to have made up for my error.
>
> Or has it?
>
