[strongSwan] Ping is not working after establishing a tunnel in strongswan

Tobias Brunner tobias at strongswan.org
Mon Apr 16 11:20:57 CEST 2012


Hi Saravanan,

> I have established a VPN tunnel between GW and VPN server using
> Strongswan.

Is the tunnel between those two hosts intended as host-host tunnel or as
host-net tunnel?  What did you configure for left|rightsubnet?

If your SPD entries are any indication it seems you configured
rightsubnet=0.0.0.0/0 on GW.  That is, you end up with this outbound
IPsec policy:

> 50.1.1.239[any] 0.0.0.0/0[any] any
>    out prio high + 1073739901 ipsec
>    ...

This means that any packet leaving the host with a source address of
50.1.1.239 will be sent into this tunnel.
Now you'd assume that this won't apply to a ping sent from
172.31.114.230 to 172.31.114.231, but if you are using IKEv2 a source
route is installed which will force 50.1.1.239 as source for any packets
sent from GW (i.e. also for the ICMP replies).
in routing table 220 by default (which is created with a priority of
220).  The table and/or priority can be changed with the
charon.routing_table and charon.routing_table_prio strongswan.conf
options, respectively (or with the respective ./configure arguments).
To prevent the daemon from installing these routes altogether you can
set charon.install_routes=no in strongswan.conf.

Regards,
Tobias

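As an added example (not from the post above and not strongSwan's own code), here is a small Python model of the interaction Tobias describes: the ip-rule priority order, the src hint on the route charon installs in table 220, and the match against the outbound SPD entry. The host addresses, the main-table routes and the SPD entry are constructed to mirror the thread (GW at 172.31.114.230 on eth0, tunnel source 50.1.1.239, rightsubnet=0.0.0.0/0); the install_routes and routing_table_prio parameters model the strongswan.conf options named in the reply, and all function names are mine.

```python
"""Model of Linux policy routing + IPsec SPD lookup for a locally generated
packet on GW. Addresses, routes and the policy are constructed for this
example and are assumptions, not captured output."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    dst: IPv4Network           # destination prefix of the route
    dev: str                   # egress interface
    src: Optional[str] = None  # "src" hint: preferred source address


@dataclass(frozen=True)
class Policy:
    src_sel: IPv4Network       # SPD source traffic selector
    dst_sel: IPv4Network       # SPD destination traffic selector
    action: str                # "ipsec" (send into tunnel) or "none"


# Constructed: primary address per interface, used when a route has no src hint.
DEV_ADDR = {"eth0": "172.31.114.230"}

# Constructed main table: the connected subnet and a plain default route.
MAIN_TABLE = [
    Route(ipaddress.ip_network("172.31.114.0/24"), "eth0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0"),
]

# What charon installs for rightsubnet=0.0.0.0/0: a default route whose
# src hint is the tunnel's local address (table 220 by default).
TABLE_220 = [Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", src="50.1.1.239")]

# The outbound SPD entry from the thread: 50.1.1.239 -> 0.0.0.0/0 uses IPsec.
SPD_OUT = [
    Policy(ipaddress.ip_network("50.1.1.239/32"), ipaddress.ip_network("0.0.0.0/0"), "ipsec"),
]


def build_rules(install_routes=True, routing_table_prio=220):
    """Return (priority, table) pairs in lookup order, like 'ip rule show'.
    The main table sits at priority 32766; charon's table is added only when
    install_routes is on, at the configured routing_table_prio."""
    rules = [(32766, MAIN_TABLE)]
    if install_routes:
        rules.append((routing_table_prio, TABLE_220))
    return sorted(rules, key=lambda r: r[0])


def route_lookup(dst, rules):
    """First table (ascending rule priority) with a matching route wins;
    inside a table the longest prefix wins."""
    dst = ipaddress.ip_address(dst)
    for _prio, table in rules:
        hits = [r for r in table if dst in r.dst]
        if hits:
            return max(hits, key=lambda r: r.dst.prefixlen)
    raise LookupError(f"no route to {dst}")


def source_address(dst, rules):
    """Source the kernel picks when the socket did not bind one: the route's
    src hint if present, otherwise the egress interface's primary address."""
    route = route_lookup(dst, rules)
    return route.src or DEV_ADDR[route.dev]


def spd_action(src, dst, policies):
    """First matching outbound policy decides; no match means plaintext."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if s in p.src_sel and d in p.dst_sel:
            return p.action
    return "none"


def icmp_reply_path(dst, install_routes=True, routing_table_prio=220):
    """(source address, SPD action) for a locally generated packet to dst."""
    rules = build_rules(install_routes, routing_table_prio)
    src = source_address(dst, rules)
    return src, spd_action(src, dst, SPD_OUT)


if __name__ == "__main__":
    peer = "172.31.114.231"
    for kwargs in ({}, {"install_routes": False}, {"routing_table_prio": 40000}):
        print(kwargs or "defaults", icmp_reply_path(peer, **kwargs))
```

With the defaults the reply to 172.31.114.231 gets source 50.1.1.239 from the table-220 route and therefore matches the SPD entry, which is the behaviour the post describes. With install_routes=no, or with routing_table_prio set above the main table's 32766 so that the connected route in main is consulted first, the reply keeps 172.31.114.230 and leaves in plaintext.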