
I'm load testing a kernel mode IPsec setup. When IKE SAs renegotiate, one or two IP packets get sent on the default route, but after the tunnel is back up the TCP connection remains stuck on the default route, bypassing xfrm policy, until the TCP connection closes from retransmission failures. Ping is not affected the same way: it uses the tunnel as soon as a new child SA is up (even while TCP is broken). The next TCP connection uses the tunnel immediately. What can I do to fix this?

Things I've tried that did not work:

- conntrack -D
- iptables -t raw ... -j NOTRACK # have verified the connections never appear in conntrack state
- ip route cache flush # while a connection is stuck on the wrong path

Kernel is 2.6.32. The TCP connections terminate on a loopback of the IPsec gateway. Ideas?