[strongSwan] Ping is not working after establishing a tunnel in strongswan

SaRaVanAn saravanan.nagarajan87 at gmail.com
Mon Apr 16 15:25:23 CEST 2012

Hi Tobias,
  Thanks for your nice reply. I get back on you for further doubts on this.

  Saravanan N

On Mon, Apr 16, 2012 at 2:50 PM, Tobias Brunner <tobias at strongswan.org>wrote:

> Hi Saravanan,
> > I have established a VPN tunnel between GW and VPN server using
> > Strongswan.
> Is the tunnel between those two hosts intended as host-host tunnel or as
> host-net tunnel?  What did you configure for left|rightsubnet?
> If your SPD entries are any indication it seems you configured
> rightsubnet= on GW.  That is, you end up with this outbound
> IPsec policy:
> >[any][any] any
> >    out prio high + 1073739901 ipsec
> >    ...
> Which means that any packet leaving the host with a source address of
> will be sent into this tunnel.
> Now you'd assume that this won't apply for a ping sent from
> to, but if you are using IKEv2 a source
> route is installed which will force as source for any packets
> sent from GW (i.e. also for the ICMP replies).  This route is installed
> in routing table 220 by default (which is created with a priority of
> 220).  The table and/or priority can be changed with the
> charon.routing_table and charon.routing_table_prio strongswan.conf
> options, respectively (or with the respective ./configure arguments).
> To prevent the daemon from installing these routes altogether you can
> set charon.install_routes=no in strongswan.conf.
> Regards,
> Tobias
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120416/fa4cc3e6/attachment.html>

More information about the Users mailing list