[strongSwan] no traffic without promisc mode

Denis Zinevich link at ngc.net.ua
Sat Dec 13 18:33:41 CET 2014


I've made test setup and was happy with it, it was on vmware virtual machine. When I did same on metal servers - I found that client connects successfully but traffic do not pass vpn gateway.
While trying to debug issue I used tcpdump and noticed that when I do "tcpdump -ni br0" traffic can pass through gateway.
Finally via "netstat -i" I found that on virtual machine br0 bridge iface by default is in promisc mode, while on hardware machines - no. Enabling/disabling promisc mode on metal server confirmed this. So question is: is promisc mode mandatory for ipsec to work or I'm missing something ? If it's mandatory why strongswan started do not put iface in promisc mode ? Or this is bridging nuance ?
Spent some time checking documentation but didn't find any answers yet.
Thanks in advance.


More information about the Users mailing list