[strongSwan] no traffic without promisc mode

Denis Zinevich link at ngc.net.ua
Sun Dec 14 22:02:39 CET 2014


Made a few more tests:
If I disable bridging mode (use just eth0) - everything works fine, eth0 is not in promisc mode.
By default, when enabling bridging, eth0 is in promisc mode and br0 is not. When I enable promisc mode on br0 - traffic goes fine.
Captured packets with tcpdump -p (to avoid promisc mode being set by tcpdump), so I captured a few pcap files (promisc on/off) and checked them with Wireshark - in both cases the packets are totally identical (MAC addresses, etc.).
However, the interesting thing is - when br0 is not in promisc mode, I captured packets on two ifaces - br0 and eth0. And in this case I can see responses on eth0 but not on br0. So now I'm not even sure the problem is with the tunnel and not with the bridge.

13.12.2014, 19:33, "Denis Zinevich" <link at ngc.net.ua>:
> Hello,
>
> I've made a test setup and was happy with it, it was on a VMware virtual machine. When I did the same on metal servers - I found that the client connects successfully but traffic does not pass the VPN gateway.
> While trying to debug the issue I used tcpdump and noticed that when I do "tcpdump -ni br0" traffic can pass through the gateway.
> Finally via "netstat -i" I found that on the virtual machine the br0 bridge iface is in promisc mode by default, while on the hardware machines it is not. Enabling/disabling promisc mode on the metal server confirmed this. So the question is: is promisc mode mandatory for IPsec to work or am I missing something? If it's mandatory, why doesn't strongSwan put the iface in promisc mode when started? Or is this a bridging nuance?
> Spent some time checking documentation but didn't find any answers yet.
> Thanks in advance.
>
> --
> Denis
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
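
The diagnostic described in this thread (read the PROMISC flag per interface, then capture on eth0 and br0 with tcpdump -p so the capture itself does not flip the flag) as an added shell example; it is not part of the original thread or of strongSwan. It assumes iproute2 and tcpdump are installed and the interface names eth0 and br0 from the thread; the two sample `ip -o link show` lines are constructed, not captured from the poster's machines.

```shell
#!/bin/sh
# Added example: check the PROMISC flag on the bridge and its port, then
# capture IKE/ESP on both without letting tcpdump enable promiscuous mode.

# Parse one line of `ip -o link show <dev>` output and print "on" if the
# PROMISC flag is inside the <...> flag list, "off" otherwise.
promisc_from_link_line() {
    case "$1" in
        *'<'*PROMISC*'>'*) echo on ;;
        *) echo off ;;
    esac
}

# Query a live interface (iproute2 required); "unknown" if it does not exist.
promisc_state() {
    line=$(ip -o link show "$1" 2>/dev/null) || { echo unknown; return 1; }
    promisc_from_link_line "$line"
}

# Constructed sample lines in the `ip -o link show` format (hypothetical
# values): the bridge port eth0 is promiscuous, the bridge br0 is not,
# which is the default state the thread describes.
SAMPLE_ETH0='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_BR0='3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

# Capture IKE (UDP 500/4500) and ESP on both sides of the bridge.
# -p keeps tcpdump from switching the device to promiscuous mode, so the
# two pcaps reflect the kernel's own state; the file name records that state
# so the on/off captures can be compared in Wireshark afterwards.
capture_both() {
    count=${1:-20}
    for dev in eth0 br0; do
        state=$(promisc_state "$dev")
        echo "== $dev (promisc: $state) =="
        tcpdump -p -ni "$dev" -c "$count" \
            -w "/tmp/${dev}-promisc-${state}.pcap" \
            'esp or udp port 500 or udp port 4500'
    done
}

# Toggle the flag the way the thread did when confirming the symptom.
set_promisc() {
    ip link set dev "$1" promisc "$2"   # $2 is "on" or "off"
}

if [ "${1:-}" = "--demo" ]; then
    echo "eth0 sample: $(promisc_from_link_line "$SAMPLE_ETH0")"
    echo "br0 sample:  $(promisc_from_link_line "$SAMPLE_BR0")"
elif [ "${1:-}" = "--capture" ]; then
    capture_both "${2:-20}"
fi
```

Run with `--demo` to exercise the parser on the constructed lines, or as root with `--capture` to produce one pcap per interface; comparing the eth0 and br0 captures taken with br0's flag off and then on reproduces the check made in the thread, where replies were visible on eth0 but not on br0.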

