<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Hi all,<br>
    <br>
    I am trying to get multicast working over IPsec.<br>
    <br>
    For this I have created a test environment with 3 virtual
    machines<br>
    <br>
    ipsec1 (10.0.1.2/24) <=> (10.0.1.1/24) Router (10.0.2.1)
    <=>  ipsec2 (10.0.2.2)<br>
    <br>
    The router is also connected to the internet<br>
    <br>
    An IPsec tunnel is up between Ipsec1 and Ipsec2<br>
    <br>
    I used a home-compiled 5.3 version of strongSwan with the forecast module
    enabled on Debian 8.<br>
    <br>
    IPsec1 and Ipsec2 can ping each other. With tcpdump on the router I see
    that the traffic is ESP UDP-Encap<br>
    <br>
    Multicast IPs are configured on right and left for both IPsec
    servers and the forecast module is loaded. But if I try to ping 224.0.0.5,
    the packets go outside the tunnel without being encapsulated. <br>
    Do you find something wrong in my configuration file? Or something I
    forgot to configure on the ipsec virtual machines?<br>
    <br>
    Thank you<br>
    <br>
    Configuration IPsec1:<br>
    ----------------------------<br>
    ipsec.conf:<br>
    config setup<br>
    conn %default<br>
          ikelifetime=60m<br>
          keylife=20m<br>
          rekeymargin=3m<br>
          keyingtries=1<br>
          authby=secret<br>
          keyexchange=ikev2<br>
          mobike=yes<br>
    conn ipsec1-ipsec2<br>
          left=10.0.1.2<br>
          leftsubnet=224.0.0.0/4,10.0.1.2/32<br>
          leftid=@ipsec1<br>
          leftfirewall=yes<br>
          right=10.0.2.2<br>
          rightfirewall=yes<br>
          rightsubnet=%dynamic,224.0.0.0/4,10.0.2.2/32<br>
          rightid=@ipsec2<br>
          auto=start<br>
          rightfirewall=yes<br>
          type=tunnel<br>
          mark=%unique<br>
          forceencaps=yes<br>
    <br>
    /etc/strongswan.d/charon/forecast.conf<br>
    forecast {<br>
         groups=224.0.0.1,224.0.0.5,224.0.0.6<br>
         interface=eth0<br>
         load = yes<br>
    }<br>
    <br>
    Configuration IPsec2:<br>
    ----------------------------<br>
    ipsec.conf:<br>
    config setup<br>
    conn %default<br>
          ikelifetime=60m<br>
          keylife=20m<br>
          rekeymargin=3m<br>
          keyingtries=1<br>
          authby=secret<br>
          keyexchange=ikev2<br>
          mobike=yes<br>
    conn ipsec2-ipsec1<br>
          left=10.0.2.2<br>
          leftsubnet=224.0.0.0/4,10.0.2.2/32<br>
          leftid=@ipsec1<br>
          leftfirewall=yes<br>
          right=10.0.1.2<br>
          rightfirewall=yes<br>
          rightsubnet=%dynamic,224.0.0.0/4,10.0.1.2/32<br>
          rightid=@ipsec2<br>
          auto=start<br>
          rightfirewall=yes<br>
          type=tunnel<br>
          mark=%unique<br>
          forceencaps=yes<br>
    <br>
    /etc/strongswan.d/charon/forecast.conf<br>
    forecast {<br>
         groups=224.0.0.1,224.0.0.5,224.0.0.6<br>
         interface=eth0<br>
         load = yes<br>
    }<br>
    <br>
    <br>
  </body>
</html>