[strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10

G. B. gawd0wns at hotmail.com
Wed Sep 18 04:24:15 CEST 2013

Strongswan (v5.0.4) is running on my gateway.  Tcpdump is clearly showing the packets making their way to the client (on my wan and lan), though I do not see anything coming back in return.  I don't think the packets are being filtered on the way to the client device or back; I connected the device to my wifi network and experience the same issues.  I currently have the following firewall rules enabled:

iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT

when the tunnel comes up, two more entries are added:

ACCEPT     all  --       policy match dir in pol ipsec reqid 1 proto ipv6-crypt
ACCEPT     all  --          policy match dir out pol ipsec reqid 1 proto ipv6-crypt

Why did strongswan insert these rules and what do they mean?  Neither my client device or my strongswan server are on the ip range.  I have no idea where strongswan is getting this 67.xxx network range.  Is this correct?   

> Subject: Re: [strongSwan] FW:  ikev2 vpn using PKI auth with a Blackberry Z10
> From: martin at strongswan.org
> To: gawd0wns at hotmail.com
> CC: users at lists.strongswan.org
> Date: Mon, 16 Sep 2013 09:46:05 +0200
> Hi,
> > client device ( connect to the server (,
> > LAN ip- via public key authentication, and to have access
> > to the LAN ( behind the server.  [...] I cannot ping
> > between the host and client, or reach the subnet behind the host. 
> > There are no errors when connecting, and I am issued a virtual ip
> > (
> I assume that the VPN client has a route to the host you ping. But does
> the host in your LAN has a route to the client, i.e. does it know where
> is?
> If the IPsec gateway is not your default gateway, you'll have to install
> a route on each LAN host for the subnet.
> Alternatively you might consider assigning unused addresses from
> to the clients, statically or using the dhcp plugin.
> Then the farp plugin on your IPsec gateway could take care of responding
> to ARP responses on behalf of the IPsec clients.
> If that all does not help, you should run a network sniffer to see where
> your pings gets lost. Also, make sure IP forwarding is enabled on the
> IPsec gateway.
> Regards
> Martin
> [1]http://wiki.strongswan.org/projects/strongswan/wiki/FARPPlugin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130918/9ec95bfa/attachment.html>

More information about the Users mailing list