[strongSwan] Peer to peer apps among clients

Martin Willi martin at strongswan.org
Mon Apr 28 10:54:10 CEST 2014

Hi Mark,

> I see the encrypted ICMP echo request come into the server, and then I
> see the server send out an ARP request for the other IP on its primary
> interface.

Do you have appropriate routes installed for these clients? If not
disabled explicitly, charon should install these routes automatically
for you. On Linux, these routes are in a dedicated routing table, you
can print them using "ip route show table 220".

Given that your Internet traffic works, most likely these routes are in

>    leftcert=pw-hq.com.crt.x509.pem,pw-hq.com.crt-intermediate2.x509.pem,pw-hq.com.crt-intermediate1.x509.pem

While this might work, this is not the intended way to configure
intermediate CA certificates. You should put them in ipsec.d/cacerts,
and just reference your gateway certificate here.

>         rightsubnet=
>         rightsourceip=

Not sure how iOS handles this, but I don't think your rightsubnet is
correct. Each connecting client has a single IP on its side, and not the
full subnet. Just omit the rightsubnet option to narrow it
to the selected rightsourceip.
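
As an added example (not part of this thread or of strongSwan itself), a small Python check that parses the output of "ip route show table 220" and reports which assigned client addresses have no route in that table; the table contents and the gateway addresses below are constructed for the demonstration.

```python
import ipaddress

# Constructed sample of "ip route show table 220" on a gateway with two
# roadwarrior clients (10.3.0.1 and 10.3.0.2). Only the first has a route.
SAMPLE_TABLE_220 = """\
10.3.0.1 via 192.0.2.1 dev eth0 proto static src 192.0.2.10
"""

def parse_routes(table_output):
    """Turn 'ip route' lines into (network, {key: value}) tuples.
    Assumes the simple key/value layout charon installs (via/dev/proto/src);
    bare flags such as 'onlink' are not handled."""
    routes = []
    for line in table_output.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        network = ipaddress.ip_network(dst, strict=False)
        fields = dict(zip(parts[1::2], parts[2::2]))
        routes.append((network, fields))
    return routes

def lookup(dst_ip, routes):
    """Longest-prefix match within one table, as the kernel does."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for network, fields in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, fields)
    return best

def check_clients(client_ips, table_output):
    """Map each client IP to 'ok' (route present) or 'missing'.
    A missing entry means the packet falls through to the main table,
    which is how an IPsec-bound address ends up ARPed on the primary interface."""
    routes = parse_routes(table_output)
    return {ip: ("ok" if lookup(ip, routes) else "missing") for ip in client_ips}

if __name__ == "__main__":
    for ip, state in check_clients(["10.3.0.1", "10.3.0.2"], SAMPLE_TABLE_220).items():
        print(ip, state)
```

On a real gateway, feed it the output of `ip route show table 220` and the list of addresses handed out from rightsourceip.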
