[Swan] Site-to-site with public member addresses, routing trouble

Paul Wouters paul at nohats.ca
Wed Jul 6 19:32:38 UTC 2016


On Wed, 6 Jul 2016, Jesse Butcher wrote:

>> You do not need to manually change any routing for IPsec to work.
>
> I'm aware of this in principle but the VPN endpoints aren't the default
> gateway for the member hosts and the actual default gateway is unaware
> of the tunnel.

If that is the case, you should have proper routing active on your
network regardless of whether or not the tunnel is up or down.

I'm not sure what your problem is. You can try "ipsec verify" which
can identify some problems such as rp_filter.

Paul

