On Sat, Dec 22, 2018 at 06:38:57PM +0800, Lemon Lam wrote:
> Thanks Steffen, but I don't think it is the case.
>
> I shut down the VTI interface toward another VPS and the GRE on top of it,
> and enabled plain GRE for the transport SA. It works on one end, but not for
> the other end, which has to leave the VTI with `remote any` up. How can the
> transport SA match this `remote any` VTI?
You did not show your SADB, so I can't tell exactly if this is the case. On the receive side, we do a VTI tunnel lookup first. If the received packet matches the tunnel endpoints of a VTI, we take the key from the VTI and do a SA lookup. The packet must match a tunnel mode SA and the xfrm mark of that SA must match the key we got from the VTI. If there is no such SA, the packet is dropped. In your case, with a `remote any` VTI, only the local VTI tunnel endpoint must match the src address of the received packet to match the VTI. If that's the case, you need a tunnel mode SA as described above.
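The receive-side lookup order described in the reply above, played through in Python as an added example (this is not kernel code and not from the thread). It runs the poster's `remote any` case against a constructed VTI and SADB so the drop is visible: the data class fields, the `ANY` spelling, the exact-before-wildcard VTI ordering and the handling of packets no VTI claims are simplifications assumed here, not the kernel's actual data structures.

```python
"""Model of the VTI receive-side lookup: VTI tunnel lookup first, then an
SA lookup that must hit a tunnel mode SA whose xfrm mark equals the VTI key.
Added example on constructed data; field names and ordering are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"  # iproute2 spelling: `ip link add ... type vti ... remote any`


@dataclass(frozen=True)
class Vti:
    name: str
    local: str
    remote: str   # ANY = wildcard remote endpoint
    key: int      # VTI key; the SA must carry it as its xfrm mark


@dataclass(frozen=True)
class Sa:
    src: str
    dst: str
    spi: int
    mode: str      # "tunnel" or "transport"
    mark: int = 0  # 0 = unmarked


@dataclass(frozen=True)
class EspPacket:
    src: str
    dst: str
    spi: int


def vti_lookup(vtis: List[Vti], pkt: EspPacket) -> Optional[Vti]:
    """Tunnel lookup on the receive side.

    The VTI's local address must be the packet's destination.  Its remote
    address must be the packet's source, except for a `remote any` VTI,
    which matches on the local endpoint alone.  Exact match is preferred
    over the wildcard (assumed ordering, simplified from the kernel).
    """
    exact = [v for v in vtis if v.local == pkt.dst and v.remote == pkt.src]
    if exact:
        return exact[0]
    wild = [v for v in vtis if v.local == pkt.dst and v.remote == ANY]
    return wild[0] if wild else None


def sa_lookup(sadb: List[Sa], pkt: EspPacket, mark: int) -> Optional[Sa]:
    """Inbound SA lookup by (dst, spi) plus the mark the caller requires."""
    for sa in sadb:
        if sa.dst == pkt.dst and sa.spi == pkt.spi and sa.mark == mark:
            return sa
    return None


def receive(vtis: List[Vti], sadb: List[Sa], pkt: EspPacket) -> str:
    """Return a short verdict for an inbound ESP packet."""
    vti = vti_lookup(vtis, pkt)
    if vti is None:
        # No VTI claims the packet: ordinary xfrm input, unmarked SA, any mode
        # (assumed simplification of the non-VTI path).
        sa = sa_lookup(sadb, pkt, mark=0)
        return f"plain xfrm: {sa.mode} SA" if sa else "dropped: no SA"
    # A VTI matched: the SA must carry the VTI key as its mark and be tunnel mode.
    sa = sa_lookup(sadb, pkt, mark=vti.key)
    if sa is None:
        return f"dropped: {vti.name} matched, no SA with mark {vti.key}"
    if sa.mode != "tunnel":
        return f"dropped: {vti.name} matched, SA with mark {vti.key} is {sa.mode} mode"
    return f"accepted on {vti.name}: tunnel SA mark {vti.key}"


# Constructed topology: this host is 10.0.0.1 with a `remote any` VTI keyed 42.
VTIS = [Vti("vti0", local="10.0.0.1", remote=ANY, key=42)]
SADB = [
    Sa("10.0.0.2", "10.0.0.1", spi=0x100, mode="tunnel", mark=42),     # pairs with vti0
    Sa("10.0.0.3", "10.0.0.1", spi=0x200, mode="transport"),           # plain GRE-over-ESP, unmarked
    Sa("10.0.0.3", "10.0.0.1", spi=0x300, mode="transport", mark=42),  # marked, but wrong mode
]

if __name__ == "__main__":
    for pkt in (EspPacket("10.0.0.2", "10.0.0.1", 0x100),
                EspPacket("10.0.0.3", "10.0.0.1", 0x200),
                EspPacket("10.0.0.3", "10.0.0.1", 0x300)):
        print(f"{pkt.src} spi {pkt.spi:#x}: {receive(VTIS, SADB, pkt)}")
```

The second packet is the poster's situation: the `remote any` VTI claims every ESP packet addressed to the local endpoint, so the unmarked transport SA is never consulted and the packet is dropped; removing the VTI from `VTIS` lets the same packet take the plain xfrm path.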