<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Thanks<br>
      <br>
      I added<br>
      reinject=ipsec1-ipsec2 (in forecast.conf on ipsec1)<br>
      reinject=ipsec2-ipsec1 (in forecast.conf on ipsec2)<br>
      <br>
      And get the same result. Can't see multicast over the ipsec
      tunnel.<br>
      <br>
      <br>
      On 15/07/2015 15:13, Noel Kuntze wrote:<br>
    </div>
    <blockquote cite="mid:55A65C5F.7060102@familie-kuntze.de"
      type="cite">
      <pre wrap="">
Hello,

You need to set charon.plugins.forecast.reinject to the conn name that you want to inject the packets into.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 15.07.2015 at 14:42, Joyce LAMBERT wrote:
</pre>
      <blockquote type="cite">
        <pre wrap="">Hi all,

I am trying to get multicast working over IPsec.

For this I have created a test environment with 3 virtual machines

ipsec1 (10.0.1.2/24) <=> (10.0.1.1/24) Router (10.0.2.1) <=>  ipsec2 (10.0.2.2)

The router is also connected to the internet.

An IPsec tunnel is up between ipsec1 and ipsec2.

I used a home-compiled 5.3 version of strongSwan with the forecast module enabled on Debian 8.

ipsec1 and ipsec2 can ping each other. With tcpdump on the router I see that the traffic is ESP UDP-encap.

Multicast IPs are configured on right and left for both IPsec servers and the forecast module is loaded. But if I try to ping 224.0.0.5, the packets go outside the tunnel without being encapsulated.
Do you find something wrong in my configuration file? Or something I forgot to configure on the ipsec virtual machines?

Thank you

Configuration IPsec1:
----------------------------
ipsec.conf:
config setup
conn %default
      ikelifetime=60m
      keylife=20m
      rekeymargin=3m
      keyingtries=1
      authby=secret
      keyexchange=ikev2
      mobike=yes
conn ipsec1-ipsec2
      left=10.0.1.2
      leftsubnet=224.0.0.0/4,10.0.1.2/32
      leftid=@ipsec1
      leftfirewall=yes
      right=10.0.2.2
      rightfirewall=yes
      rightsubnet=%dynamic,224.0.0.0/4,10.0.2.2/32
      rightid=@ipsec2
      auto=start
      rightfirewall=yes
      type=tunnel
      mark=%unique
      forceencaps=yes

/etc/strongswan.d/charon/forecast.conf
forecast {
     groups=224.0.0.1,224.0.0.5,224.0.0.6
     interface=eth0
     load = yes
}

Configuration IPsec2:
----------------------------
ipsec.conf:
config setup
conn %default
      ikelifetime=60m
      keylife=20m
      rekeymargin=3m
      keyingtries=1
      authby=secret
      keyexchange=ikev2
      mobike=yes
conn ipsec2-ipsec1
      left=10.0.2.2
      leftsubnet=224.0.0.0/4,10.0.2.2/32
      leftid=@ipsec1
      leftfirewall=yes
      right=10.0.1.2
      rightfirewall=yes
      rightsubnet=%dynamic,224.0.0.0/4,10.0.1.2/32
      rightid=@ipsec2
      auto=start
      rightfirewall=yes
      type=tunnel
      mark=%unique
      forceencaps=yes

/etc/strongswan.d/charon/forecast.conf
forecast {
     groups=224.0.0.1,224.0.0.5,224.0.0.6
     interface=eth0
     load = yes
}




</pre>
      </blockquote>
    </blockquote>
    <br>
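    <p>Added example, not part of the original thread and not strongSwan code: a small consistency check for the advice quoted above, verifying that every name in the forecast plugin's reinject option is a conn defined in the same host's ipsec.conf. It also assumes, as the poster's configuration does, that each forecast group should fall inside both leftsubnet and rightsubnet; the helper names parse_conns and lint are hypothetical and the sample files are constructed.</p>
    <pre wrap="">
```python
import ipaddress
import re

# Constructed sample input modelled on the files quoted in this thread.
IPSEC_CONF = """\
config setup
conn %default
      keyexchange=ikev2
conn ipsec1-ipsec2
      leftsubnet=224.0.0.0/4,10.0.1.2/32
      rightsubnet=%dynamic,224.0.0.0/4,10.0.2.2/32
"""
FORECAST_CONF = """\
forecast {
     groups=224.0.0.1,224.0.0.5,224.0.0.6
     reinject=ipsec2-ipsec1
}
"""

def parse_conns(text):
    """Map each conn name in ipsec.conf to its key=value options."""
    conns, current = {}, None
    for line in text.splitlines():
        head = re.match(r"conn\s+(\S+)", line)
        if head:
            current = conns.setdefault(head.group(1), {})
        elif line[:1].isspace() and "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
        elif line.strip():
            current = None  # another section, e.g. "config setup"
    return conns

def lint(ipsec_conf, forecast_conf):
    """Return a list of problems; an empty list means the checks passed."""
    conns = parse_conns(ipsec_conf)
    opts = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", forecast_conf, re.M))
    groups = [ipaddress.ip_address(g) for g in opts.get("groups", "").split(",") if g]
    names = [n for n in opts.get("reinject", "").split(",") if n]
    problems = [] if names else ["reinject is not set"]
    for name in names:
        if name == "%default" or name not in conns:
            problems.append(f"reinject names unknown conn {name}")
            continue
        for side in ("leftsubnet", "rightsubnet"):
            nets = [ipaddress.ip_network(s) for s in conns[name].get(side, "").split(",")
                    if s and not s.startswith("%")]  # skip %dynamic and similar
            problems += [f"{name}: {side} does not cover {g}"
                         for g in groups if not any(g in n for n in nets)]
    return problems
```
    </pre>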
  </body>
</html>