Hi, all.

I don't understand why I need to create a dir out policy for transit
IPsec traffic.

For example (config from 192.168.77.1; it acts as a gateway between the world and
the private network behind 192.168.77.35):

ip xfrm policy add src 192.168.77.35 dst 0.0.0.0/0 dir fwd tmpl src 192.168.77.35 dst 192.168.77.1 proto esp reqid 1 mode tunnel
ip xfrm policy add src 0.0.0.0/0 dst 192.168.77.35 dir fwd tmpl src 192.168.77.1 dst 192.168.77.35 proto esp reqid 2 mode tunnel

doesn't work. But:

ip xfrm policy add src 192.168.77.35 dst 0.0.0.0/0 dir fwd tmpl src 192.168.77.35 dst 192.168.77.1 proto esp reqid 1 mode tunnel
ip xfrm policy add src 0.0.0.0/0 dst 192.168.77.35 dir out tmpl src 192.168.77.1 dst 192.168.77.35 proto esp reqid 2 mode tunnel

works well.

Maybe somebody can help me with this?

Thanks!

-- 
Олег Неманов (Oleg Nemanov)
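As an added illustration (not part of the post, and a deliberate simplification of the kernel's XFRM code rather than a copy of it), the following toy model replays both configurations from the post against the lookup rule the kernel applies: "in" and "fwd" policies are consulted on the receive path and only verify which SA a packet has already traversed, while the decision to encapsulate is taken by an "out" policy lookup at routing time, for forwarded packets as well as locally generated ones. The 192.168.77.x addresses are the post's; 203.0.113.5 is a constructed sample address for a host on the world side.

```python
"""Toy model of how Linux XFRM policy directions are consulted for a packet
that transits a gateway. Added example: a simplification, not kernel code."""
import ipaddress
from dataclasses import dataclass

GATEWAY = "192.168.77.1"        # gateway from the post
INSIDE = "192.168.77.35"        # host behind the gateway, from the post
WORLD_HOST = "203.0.113.5"      # constructed sample address (TEST-NET-3)


@dataclass(frozen=True)
class Template:
    """One 'tmpl' clause: the SA a packet must use (out) or must have used (in/fwd)."""
    src: str
    dst: str
    reqid: int
    proto: str = "esp"
    mode: str = "tunnel"


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str                  # "in", "out" or "fwd"
    template: Template

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)


def add_policy(spd, src, dst, direction, template):
    """Equivalent of 'ip xfrm policy add src ... dst ... dir ... tmpl ...'."""
    spd.append(Policy(ipaddress.ip_network(src, strict=False),
                      ipaddress.ip_network(dst, strict=False),
                      direction, template))


def lookup(spd, direction, src, dst):
    """First policy of the given direction whose selector matches (priority ignored)."""
    for p in spd:
        if p.direction == direction and p.matches(src, dst):
            return p
    return None


def process_transit(spd, src, dst, decrypted_via=None):
    """Walk a forwarded packet through the gateway.

    decrypted_via: the Template of the SA that decapsulated the packet on
    input, or None when it arrived in the clear.
    """
    # Receive path: a forwarded packet is checked against 'fwd' policies. The
    # template states which SA the packet must already have traversed; it
    # never causes a transformation.
    fwd = lookup(spd, "fwd", src, dst)
    if fwd is not None and decrypted_via != fwd.template:
        return "dropped: fwd policy requires ESP but the packet was not decapsulated"
    # Routing/transmit path: the lookup that decides whether to encapsulate
    # only considers 'out' policies, whether the packet is locally generated
    # or forwarded.
    out = lookup(spd, "out", src, dst)
    if out is not None:
        t = out.template
        return f"encapsulated esp reqid {t.reqid} {t.src}->{t.dst}"
    return "forwarded in clear"


def spd_both_fwd():
    """The first configuration from the post (two 'dir fwd' policies)."""
    spd = []
    add_policy(spd, INSIDE, "0.0.0.0/0", "fwd", Template(INSIDE, GATEWAY, 1))
    add_policy(spd, "0.0.0.0/0", INSIDE, "fwd", Template(GATEWAY, INSIDE, 2))
    return spd


def spd_fwd_and_out():
    """The second configuration from the post ('dir fwd' plus 'dir out')."""
    spd = []
    add_policy(spd, INSIDE, "0.0.0.0/0", "fwd", Template(INSIDE, GATEWAY, 1))
    add_policy(spd, "0.0.0.0/0", INSIDE, "out", Template(GATEWAY, INSIDE, 2))
    return spd


if __name__ == "__main__":
    for name, spd in (("both fwd", spd_both_fwd()), ("fwd + out", spd_fwd_and_out())):
        print(name)
        # plaintext packet from the world that should be encapsulated towards INSIDE
        print("  world -> inside:", process_transit(spd, WORLD_HOST, INSIDE))
        # packet from INSIDE that was decapsulated from the reqid 1 tunnel
        print("  inside -> world:", process_transit(
            spd, INSIDE, WORLD_HOST, decrypted_via=Template(INSIDE, GATEWAY, 1)))
```

With the two-fwd configuration, the plaintext packet from the world is matched by the fwd policy for 0.0.0.0/0 -> 192.168.77.35, which demands that it already came out of the reqid 2 tunnel, so the model drops it and nothing is ever encapsulated; with the fwd + out configuration the same packet reaches the out lookup and gets ESP-encapsulated, while traffic from 192.168.77.35 that was decapsulated from the reqid 1 tunnel passes the fwd check and leaves in the clear.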
