```
charon {
    install_routes = 0
}
```
Must be added to a `/etc/strongswan.d/` configuration file; otherwise traffic intended for the VTI is sent unencrypted over the default route.
I'm unsure how this affects non-VTI tunnels or if it can be specifically targeted at VTI tunnels.
Before change (sniff from middle routers shows unencrypted ICMP):
```
rt01# ping 172.16.37.2
PING 172.16.37.2 (172.16.7.2) 56(84) bytes of data.
From 10.7.20.254: icmp_seq=2 Redirect Host(New nexthop: 10.7.20.252)
From 10.7.20.254: icmp_seq=3 Redirect Host(New nexthop: 10.7.20.252)
rt01# traceroute 172.16.37.2
traceroute to 172.16.37.2 (172.16.37.2), 30 hops max, 60 byte packets
1 10.7.20.254 (10.7.20.254) 0.449 ms 0.411 ms 0.385 ms^C
[edit]
rt01# run sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route
S>* 0.0.0.0/0 [1/0] via 10.7.20.254, eth1
...
C>* 172.16.37.0/30 is directly connected, vti0 <--- IPsec VTI
...
```
After change:
```
rt01# sudo sh -c "echo 'charon {install_routes = 0}' > /etc/strongswan.d/charon_vti.conf"
[edit]
rt01# cat /etc/strongswan.d/charon_vti.conf
charon {install_routes = 0}
[edit]
rt01# run restart vpn
Restarting IPsec process..
rt01# ping 172.16.37.2
PING 172.16.37.2 (172.16.37.2) 56(84) bytes of data.
64 bytes from 172.16.37.2: icmp_seq=1 ttl=64 time=74.9 ms
64 bytes from 172.16.37.2: icmp_seq=2 ttl=64 time=77.9 ms
```
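As an added check, not part of the original report, the POSIX shell function below audits every `*.conf` under a strongswan.d directory for `install_routes = 0` inside the `charon` section. It accepts the one-line form written above as well as the block form with nested subsections, and ignores commented-out settings; the directory path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original report: audit a strongswan.d directory
# for "install_routes = 0" (or no/false) inside the charon { ... } section.
# Handles the one-line form "charon {install_routes = 0}" and the block form,
# including nested subsections such as charon { plugins { ... } }.
# Exit status 0 = disabled in at least one file, 1 = not found anywhere.
install_routes_disabled() {
    dir="$1"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if awk '
            {
                sub(/#.*/, "")              # drop comments
                gsub(/[{}=]/, " & ")        # make braces and "=" separate fields
                for (i = 1; i <= NF; i++) {
                    if ($i == "{") {
                        sect[++depth] = prev    # field before "{" names the section
                    } else if ($i == "}") {
                        depth--
                    } else if ($i == "=" && depth == 1 && sect[1] == "charon" &&
                               prev == "install_routes" &&
                               $(i + 1) ~ /^(0|no|false)$/) {
                        found = 1
                    }
                    prev = $i
                }
            }
            END { exit found ? 0 : 1 }
        ' "$f"; then
            return 0
        fi
    done
    return 1
}
```

After restarting the VPN, `ip route get <remote VTI address>` should report `dev vti0`; a result through the default gateway reproduces the unencrypted path seen in the "before" capture.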