[strongSwan] Ping is not working after establishing a tunnel in strongswan
saravanan.nagarajan87 at gmail.com
Fri May 11 13:12:56 CEST 2012
I added "charon.install_routes = no" in strongswan.conf , but still the
routes are still getting installed.
# number of worker threads in charon
threads = 16
charon.install_routes = no
1) When strongswan.conf will be loaded?
2) Will it be loaded,when we do "ipsec restart" ?
3) Is there any syntax error in the above example which makes thing not
On Mon, Apr 16, 2012 at 6:55 PM, SaRaVanAn
<saravanan.nagarajan87 at gmail.com>wrote:
> Hi Tobias,
> Thanks for your nice reply. I get back on you for further doubts on this.
> Saravanan N
> On Mon, Apr 16, 2012 at 2:50 PM, Tobias Brunner <tobias at strongswan.org>wrote:
>> Hi Saravanan,
>> > I have established a VPN tunnel between GW and VPN server using
>> > Strongswan.
>> Is the tunnel between those two hosts intended as host-host tunnel or as
>> host-net tunnel? What did you configure for left|rightsubnet?
>> If your SPD entries are any indication it seems you configured
>> rightsubnet=0.0.0.0/0 on GW. That is, you end up with this outbound
>> IPsec policy:
>> > 188.8.131.52[any] 0.0.0.0/0[any] <http://0.0.0.0/0%5Bany%5D> any
>> > out prio high + 1073739901 ipsec
>> > ...
>> Which means that any packet leaving the host with a source address of
>> 184.108.40.206 will be sent into this tunnel.
>> Now you'd assume that this won't apply for a ping sent from
>> 172.31.114.230 to 172.31.114.231, but if you are using IKEv2 a source
>> route is installed which will force 220.127.116.11 as source for any packets
>> sent from GW (i.e. also for the ICMP replies). This route is installed
>> in routing table 220 by default (which is created with a priority of
>> 220). The table and/or priority can be changed with the
>> charon.routing_table and charon.routing_table_prio strongswan.conf
>> options, respectively (or with the respective ./configure arguments).
>> To prevent the daemon from installing these routes altogether you can
>> set charon.install_routes=no in strongswan.conf.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users