[strongSwan] Ping is not working after establishing a tunnel in strongswan

SaRaVanAn saravanan.nagarajan87 at gmail.com
Fri May 11 13:12:56 CEST 2012


Hi Tobias,
   I added "charon.install_routes = no" in strongswan.conf, but the
routes are still getting installed.

Example:
charon {
    # number of worker threads in charon
    threads = 16
    charon.install_routes = no

}

1) When will strongswan.conf be loaded?
2) Will it be loaded when we do "ipsec restart"?
3) Is there any syntax error in the above example which makes things not
work?

Regards,
Saravanan N

On Mon, Apr 16, 2012 at 6:55 PM, SaRaVanAn
<saravanan.nagarajan87 at gmail.com> wrote:

> Hi Tobias,
>   Thanks for your nice reply. I will get back to you with further doubts on this.
>
>   Regards,
>   Saravanan N
>
> On Mon, Apr 16, 2012 at 2:50 PM, Tobias Brunner <tobias at strongswan.org> wrote:
>
>> Hi Saravanan,
>>
>> > I have established a VPN tunnel between GW and VPN server using
>> > Strongswan.
>>
>> Is the tunnel between those two hosts intended as host-host tunnel or as
>> host-net tunnel?  What did you configure for left|rightsubnet?
>>
>> If your SPD entries are any indication it seems you configured
>> rightsubnet=0.0.0.0/0 on GW.  That is, you end up with this outbound
>> IPsec policy:
>>
>> > 50.1.1.239[any] 0.0.0.0/0[any] any
>> >    out prio high + 1073739901 ipsec
>> >    ...
>>
>> Which means that any packet leaving the host with a source address of
>> 50.1.1.239 will be sent into this tunnel.
>> Now you'd assume that this won't apply for a ping sent from
>> 172.31.114.230 to 172.31.114.231, but if you are using IKEv2 a source
>> route is installed which will force 50.1.1.239 as source for any packets
>> sent from GW (i.e. also for the ICMP replies).  This route is installed
>> in routing table 220 by default (which is created with a priority of
>> 220).  The table and/or priority can be changed with the
>> charon.routing_table and charon.routing_table_prio strongswan.conf
>> options, respectively (or with the respective ./configure arguments).
>> To prevent the daemon from installing these routes altogether you can
>> set charon.install_routes=no in strongswan.conf.
>>
>> Regards,
>> Tobias
>>
>
>
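
The dotted name charon.install_routes used in the reply quoted above denotes the key install_routes inside the charon { } section, and the strongswan.conf man page does not allow "." in key names. The following is an added example, not part of the original thread and not strongSwan code: a simplified reader (the helpers flatten and effective are hypothetical, and the input format is reduced as noted in the docstring) that flattens a config to dotted paths and shows that the posted snippet never sets charon.install_routes.

```python
import re
# Constructed sample: the snippet as posted in the thread.
POSTED = """
charon {
    # number of worker threads in charon
    threads = 16
    charon.install_routes = no
}
"""
# Constructed sample: the same option written as a plain key in its section.
NESTED = """
charon {
    threads = 16
    install_routes = no
}
"""

def flatten(text):
    """Return ({dotted.path: value}, [problems]).
    Simplified reader (assumption): one 'name {', 'key = value' or '}' per
    line, '#' comments; no includes, quoting or line continuation.
    """
    settings, problems, stack = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if stack:
                stack.pop()
            else:
                problems.append(f"line {lineno}: unmatched '}}'")
        elif m := re.fullmatch(r"(\S+)\s*\{", line):
            stack.append(m.group(1))
        elif m := re.fullmatch(r"([^\s=]+)\s*=\s*(.*)", line):
            key, value = m.groups()
            if "." in key:  # dotted names are paths, not key names
                problems.append(f"line {lineno}: '{key}' inside section "
                                f"'{'.'.join(stack)}' is not a valid key name")
                continue
            settings[".".join(stack + [key])] = value
        else:
            problems.append(f"line {lineno}: cannot parse {line!r}")
    return settings, problems

def effective(text, path, default):
    """Value the reader finds at a dotted path, else the given default."""
    return flatten(text)[0].get(path, default)
```

Calling effective(POSTED, "charon.install_routes", "yes") falls back to the default passed in, while the NESTED form yields "no".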