[strongSwan] help: ping behaviour when tunnel is not established

Tobias Brunner tobias at strongswan.org
Wed Apr 18 12:26:37 CEST 2012


Hi Sanjay,

> When a connection is configured in /etc/ipsec.conf but the left side of
> the connection is not responding (say left is unreachable) I see the
> ping behavior as below
> 
> root@ffd-ipsec-189 sanjay]# ping 10.204.74.188
> 
> basically ping is stuck or blocked.

That's due to auto=route.  The latter installs a trap policy in the
kernel which defines that traffic to your target host *must* be
encrypted.  So unless the IPsec SA can be established those packets are
silently swallowed by the Linux kernel (it won't attempt to send them
unencrypted).

> Now if I do not have a connection configured in the /etc/ipsec.conf I
> see that the ping responds like this
> 
> root@ffd-ipsec-189 sanjay]# ping 10.204.74.188
> PING 10.204.74.188 (10.204.74.188) 56(84) bytes of data.
> From 10.204.74.189 icmp_seq=2 Destination Host Unreachable

What ping receives is basically an ICMP response generated by your own
host when it fails to successfully do an ARP lookup for your destination
address, which is in the same subnet (if that were not the case some
intermediate router would send such a response).  Since auto=route
prevents the packet from being sent (no ARP lookup will be done) you
won't get any such response.

> What settings can be done for a timeout to occur so that a program that
> is trying to reach an IP may not be blocked forever if the IPsec SA cannot
> be established?

Well, that's up to the application trying to communicate with your
remote host.  For ping you can try the -w option.

Regards,
Tobias
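The situation Tobias describes (a trap policy present in the kernel, no IPsec SA behind it) is visible in the xfrm tables, which is the first thing to check when traffic to a peer hangs. The script below is an added example, not part of the thread or of strongSwan: it parses the plain-text output of `ip xfrm policy` and `ip xfrm state` (iproute2) and classifies a destination as "cleartext" (no policy, packets leave normally and ARP/ICMP errors reach the application), "encrypted" (policy and matching SA present) or "trapped" (policy requires ESP but no SA carries its reqid, so the kernel swallows the packets until IKE succeeds). The sample outputs, SPI and key values are constructed for the 10.204.74.x addresses in the thread; `diagnose()` and the other function names are this example's own.

```python
"""Classify why traffic to a host hangs under a strongSwan auto=route trap policy.

Added example (not strongSwan code). Parses iproute2 `ip xfrm policy` /
`ip xfrm state` output. Sample texts below are constructed for the thread's
10.204.74.189 -> 10.204.74.188 scenario.
"""
import ipaddress
import re
import subprocess

# Constructed: `ip xfrm policy` after charon installed the trap policy (auto=route).
SAMPLE_POLICY = """\
src 10.204.74.189/32 dst 10.204.74.188/32
\tdir out priority 375423 ptype main
\ttmpl src 10.204.74.189 dst 10.204.74.188
\t\tproto esp reqid 1 mode tunnel
src 10.204.74.188/32 dst 10.204.74.189/32
\tdir in priority 375423 ptype main
\ttmpl src 10.204.74.188 dst 10.204.74.189
\t\tproto esp reqid 1 mode tunnel
"""

# Constructed: `ip xfrm state` while the peer is unreachable (no SA at all).
SAMPLE_STATE_EMPTY = ""

# Constructed: `ip xfrm state` once IKE succeeded (SPI and keys are fake zeros).
SAMPLE_STATE_UP = """\
src 10.204.74.189 dst 10.204.74.188
\tproto esp spi 0x0c0ffee1 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x00 128
\tenc cbc(aes) 0x00
"""


def parse_policies(text):
    """Return a list of dicts (src, dst, dir, priority, reqid) from `ip xfrm policy`."""
    policies, cur = [], None
    for line in text.splitlines():
        if line.startswith("src "):            # first line of a policy block
            m = re.match(r"src (\S+) dst (\S+)", line)
            cur = {"src": ipaddress.ip_network(m.group(1), strict=False),
                   "dst": ipaddress.ip_network(m.group(2), strict=False),
                   "dir": None, "priority": 0, "reqid": None}
            policies.append(cur)
        elif cur is not None:                  # indented continuation lines
            m = re.search(r"\bdir (\w+)", line)
            if m:
                cur["dir"] = m.group(1)
            m = re.search(r"\bpriority (\d+)", line)
            if m:
                cur["priority"] = int(m.group(1))
            m = re.search(r"\breqid (\d+)", line)   # only present on tmpl lines
            if m:
                cur["reqid"] = int(m.group(1))
    return policies


def parse_state_reqids(text):
    """Return the set of reqids that have a usable SA in `ip xfrm state`.

    Entries with spi 0 are larval placeholders created by the kernel ACQUIRE
    and are not usable SAs, so they are ignored.
    """
    reqids = set()
    for line in text.splitlines():
        m = re.search(r"\bspi (0x[0-9a-fA-F]+) reqid (\d+)", line)
        if m and int(m.group(1), 16) != 0:
            reqids.add(int(m.group(2)))
    return reqids


def diagnose(dst, policy_text, state_text):
    """Return 'cleartext', 'encrypted' or 'trapped' for outbound traffic to dst."""
    addr = ipaddress.ip_address(dst)
    matching = [p for p in parse_policies(policy_text)
                if p["dir"] == "out" and addr in p["dst"]]
    if not matching:
        return "cleartext"                     # no policy: normal send, ARP/ICMP errors reach app
    best = min(matching, key=lambda p: p["priority"])  # lowest number wins
    if best["reqid"] is None:
        return "cleartext"                     # passthrough policy without an ESP template
    if best["reqid"] in parse_state_reqids(state_text):
        return "encrypted"
    return "trapped"                           # policy demands ESP, no SA: packets swallowed


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.204.74.188"
    pol = subprocess.run(["ip", "xfrm", "policy"], capture_output=True, text=True).stdout
    sta = subprocess.run(["ip", "xfrm", "state"], capture_output=True, text=True).stdout
    print(target, "->", diagnose(target, pol, sta))
```

Run as root on the initiator (`python3 xfrm_diag.py 10.204.74.188`); a "trapped" verdict means the hang is exactly the auto=route behaviour above, and the fix is to get IKE to complete (check `ipsec statusall` and the charon log for the ACQUIRE), not to wait on the application.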
