[Swan] VTI issue to SRX unable to send traffic through the interface
Paul Wouters
paul at nohats.ca
Sat Nov 11 03:38:36 UTC 2017
On Wed, 1 Nov 2017, Paul Tran wrote:
> RP_filter is disabled but the ipsec verify shows the same message about disabling it still (rp_filter is not fully
> aware of IPsec and should be disabled).
The "all" or "default" options only take effect on newly created
interfaces. So either manually disable each existing one, or
restart the networking (or reboot?)
> XfrmInStateMismatch 19
Are they not marked properly? Or routed into the VTI interface?
>
> But there are XFRM policies in place for
> use -
> src 10.0.0.0/8 dst 192.168.0.0/16 uid 0
> dir out action allow index 177 priority 2864 ptype main share any flag (0x00000000)
> mark 5/0xfffffff
So if you have a route into the vti device which has a key of 5, as
shown with "ip tunnel", then it should work provided the ping packet
has a 10.* source IP to 192.168.*.*.
Paul
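The two checks Paul describes above, as an added troubleshooting helper that is not part of the thread: per-interface rp_filter (since "all"/"default" do not change existing interfaces) and whether the vti key agrees with the XFRM policy mark. The sample sysctl, "ip tunnel show" and "ip xfrm policy" output is constructed and embedded inline; on a real host, feed the helper functions the output of those commands instead.

```shell
#!/bin/sh
# Added example (not from the mailing list). All sample output below is
# constructed to resemble sysctl / ip output; the addresses are hypothetical.

# Constructed sample of `sysctl net.ipv4.conf` output.
SYSCTL_SAMPLE='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.vti0.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0'

# Constructed sample of `ip tunnel show vti0` output (key 5 as in the thread).
TUNNEL_SAMPLE='vti0: ip/ip remote 198.51.100.1 local 203.0.113.1 ttl inherit key 5'

# Constructed sample of one `ip xfrm policy` entry (mark 5 as in the thread).
POLICY_SAMPLE='src 10.0.0.0/8 dst 192.168.0.0/16 uid 0
	dir out action allow index 177 priority 2864 ptype main share any flag (0x00000000)
	mark 5/0xfffffff'

# List interfaces (other than all/default) whose rp_filter is not 0.
# "all" and "default" only affect interfaces created afterwards, so every
# existing interface has to be inspected on its own.
rp_filter_violations() {
    printf '%s\n' "$1" \
      | sed -n 's/^net\.ipv4\.conf\.\([^.]*\)\.rp_filter = \([0-9]\)$/\1 \2/p' \
      | awk '$1 != "all" && $1 != "default" && $2 != "0" { print $1 }'
}

# Extract the numeric key of a vti device from `ip tunnel show` output.
vti_key() {
    printf '%s\n' "$1" | sed -n 's/.* key \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Extract the mark value (before the mask) from an `ip xfrm policy` entry.
policy_mark() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*mark \([0-9][0-9]*\)\/.*/\1/p' | head -n 1
}

# Succeed only when the tunnel key and the policy mark are the same value,
# i.e. packets routed into the vti device will match this XFRM policy.
keys_match() {
    [ -n "$(vti_key "$1")" ] && [ "$(vti_key "$1")" = "$(policy_mark "$2")" ]
}
```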