[Swan] VTI issue to SRX unable to send traffic through the interface

Paul Wouters paul at nohats.ca
Sat Nov 11 03:38:36 UTC 2017


On Wed, 1 Nov 2017, Paul Tran wrote:

> RP_filter is disabled but the ipsec verify shows the same message about disabling it still (rp_filter is not fully
> aware of IPsec and should be disabled).

The "all" or "default" options only take effect on newly created
interfaces. So either manually disable each existing one, or
restart the networking (or reboot?)

> XfrmInStateMismatch             19

Are they not marked properly? Or routed into the VTI interface?

> But there are XFRM policies in place for
> use -
>      src 10.0.0.0/8 dst 192.168.0.0/16 uid 0
>         dir out action allow index 177 priority 2864 ptype main share any flag  (0x00000000)
>         mark 5/0xfffffff

So if you have a route into the VTI device which has a key of 5, as
shown with "ip tunnel", then it should work provided the ping packet
has a 10.* source IP to 192.168.*.*.

Paul
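The two checks Paul describes, the per-interface rp_filter setting and the VTI key versus the XFRM policy mark, as an added shell example that is not part of the thread. It parses constructed sample output in the shape of "ip tunnel show", "ip xfrm policy" and "sysctl -a"; the interface names (vti01, vti02, eth0), addresses and the second policy are assumptions, only the "key 5" / "mark 5/0xfffffff" pair and the 10/8 -> 192.168/16 selector come from the thread. On a real host you would feed the functions the live command output instead of the embedded samples.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check that the key on a
# VTI device matches the mark on the XFRM policy that should route into it,
# and list interfaces where rp_filter is still enabled even though
# net.ipv4.conf.all/default are 0 (the "only new interfaces" pitfall).

# Constructed sample of "ip tunnel show" output (names/addresses assumed).
TUNNEL_OUT='vti01: ip/ip remote 203.0.113.2 local 198.51.100.1 ttl inherit key 5
vti02: ip/ip remote 203.0.113.3 local 198.51.100.1 ttl inherit key 7'

# Constructed sample of "ip xfrm policy" output. The first policy mirrors the
# thread (mark 5/0xfffffff); the second, unmarked one is assumed.
POLICY_OUT='src 10.0.0.0/8 dst 192.168.0.0/16 uid 0
    dir out action allow index 177 priority 2864 ptype main share any flag  (0x00000000)
    mark 5/0xfffffff
    tmpl src 198.51.100.1 dst 203.0.113.2
        proto esp reqid 16389 mode tunnel
src 172.16.0.0/12 dst 192.168.0.0/16 uid 0
    dir out action allow index 185 priority 2864 ptype main share any flag  (0x00000000)
    tmpl src 198.51.100.1 dst 203.0.113.3
        proto esp reqid 16390 mode tunnel'

# Constructed sample of "sysctl -a" output restricted to rp_filter: "all" and
# "default" are 0, but two pre-existing interfaces still have it on.
SYSCTL_OUT='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.vti01.rp_filter = 1
net.ipv4.conf.vti02.rp_filter = 0'

# vti_key IFACE: print the tunnel key configured on IFACE (empty if none).
vti_key() {
    printf '%s\n' "$TUNNEL_OUT" | awk -v ifc="$1:" '
        $1 == ifc { for (i = 2; i <= NF; i++) if ($i == "key") { print $(i + 1); exit } }'
}

# policy_mark SRC DST: print the numeric mark (the part before the slash) of
# the XFRM policy whose selector is SRC -> DST; empty if that policy has no mark.
policy_mark() {
    printf '%s\n' "$POLICY_OUT" | awk -v s="$1" -v d="$2" '
        $1 == "src"           { inpol = ($2 == s && $4 == d) }
        inpol && $1 == "mark" { split($2, m, "/"); print m[1]; exit }'
}

# vti_policy_ok IFACE SRC DST: succeed only when IFACE has a key and it equals
# the mark on the SRC -> DST policy, i.e. packets routed into IFACE will match
# the policy and not be counted as XfrmInStateMismatch / dropped.
vti_policy_ok() {
    key=$(vti_key "$1")
    mark=$(policy_mark "$2" "$3")
    if [ -n "$key" ] && [ -n "$mark" ] && [ "$key" = "$mark" ]; then
        return 0
    fi
    return 1
}

# rp_filter_offenders: print every conf entry (interface or all/default) whose
# rp_filter is not 0; each must be set to 0 individually, since changing
# "all"/"default" does not touch interfaces that already exist.
rp_filter_offenders() {
    printf '%s\n' "$SYSCTL_OUT" | awk -F'[. =]+' '
        $1 == "net" && $5 == "rp_filter" && $6 != "0" { print $4 }'
}

# Stand-alone report over the constructed samples.
for ifc in vti01 vti02; do
    if vti_policy_ok "$ifc" 10.0.0.0/8 192.168.0.0/16; then
        echo "$ifc: key $(vti_key "$ifc") matches policy mark"
    else
        echo "$ifc: key '$(vti_key "$ifc")' does not match policy mark '$(policy_mark 10.0.0.0/8 192.168.0.0/16)'"
    fi
done
echo "rp_filter still enabled on: $(rp_filter_offenders | tr '\n' ' ')"
```

Of the two VTI devices in the sample only vti01 (key 5) can carry the 10/8 -> 192.168/16 policy, and the rp_filter list shows exactly the interfaces that still need `sysctl -w net.ipv4.conf.<iface>.rp_filter=0` despite "all" and "default" already being 0.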

