IPsec: Disable XFRM policy lookup for VTI devices

author Michael Tremer <michael.tremer@ipfire.org>

Thu, 14 Jan 2021 18:54:03 +0000 (18:54 +0000)

committer Michael Tremer <michael.tremer@ipfire.org>

Mon, 18 Jan 2021 13:05:10 +0000 (13:05 +0000)
author Michael Tremer <michael.tremer@ipfire.org>
Thu, 14 Jan 2021 18:54:03 +0000 (18:54 +0000)
committer Michael Tremer <michael.tremer@ipfire.org>
Mon, 18 Jan 2021 13:05:10 +0000 (13:05 +0000)
diff --git a/src/scripts/ipsec-interfaces b/src/scripts/ipsec-interfaces

index 2546f8927d091afcb454ebf347a1689cb68612ff..f0983dbdc37b5bee5844b4510e7d1a74dc86cde5 100644 (file)
--- a/src/scripts/ipsec-interfaces
+++ b/src/scripts/ipsec-interfaces
@@ -228,6 +228,11 @@ main() {
                         ip addr flush dev "${intf}"
                         ip addr add "${interface_address}" dev "${intf}"
  
+                       # Disable IPsec policy lookup for VTI
+                       if [ "${interface_mode}" = "vti" ]; then
+                               sysctl -qw "net.ipv4.conf.${intf}.disable_policy=1"
+                       fi
+
                         # Set MTU
                         ip link set dev "${intf}" mtu "${interface_mtu}"
author	Michael Tremer <michael.tremer@ipfire.org>
	Thu, 14 Jan 2021 18:54:03 +0000 (18:54 +0000)
committer	Michael Tremer <michael.tremer@ipfire.org>
	Mon, 18 Jan 2021 13:05:10 +0000 (13:05 +0000)