[strongSwan] no traffic without promisc mode

Noel Kuntze noel at familie-kuntze.de
Tue Dec 16 19:51:22 CET 2014


Hello Denis,

It is not necessary to set the interface to promiscuous mode for IPsec to work. I think this is a fault in your network configuration on the host or a side effect of the bridge. I think you should look at your bridge configuration and how your guests are assigned to it. Do you use the charon.interfaces_use or charon.interfaces_ignore lines in strongswan.conf? Maybe they play into it. You should maybe also look at any firewall rules you have, especially NAT or similar techniques.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 14.12.2014 at 22:02, Denis Zinevich wrote:
> Made a few more tests:
> If I disable bridging mode (use just eth0) - everything works fine, eth0 is not in promisc mode.
> By default when enabling bridging eth0 is in promisc mode and br0 - no. When I enable promisc mode on br0 - traffic goes fine.
> Captured packets with tcpdump -p (to avoid promisc mode set by tcpdump), so captured a few pcap files (promisc on/off), checked them with wireshark - in both cases packets are totally identical (mac addresses, etc.).
> However the interesting thing is - when br0 is not in promisc mode, I captured packets on two ifaces - br0 and eth0. And in this case I can see responses on eth0 but not on br0. So now I'm not even sure the problem is with the tunnel and not with the bridge.
> 13.12.2014, 19:33, "Denis Zinevich" <link at ngc.net.ua>:
>> Hello,
>> I've made a test setup and was happy with it, it was on a vmware virtual machine. When I did the same on metal servers - I found that the client connects successfully but traffic does not pass the VPN gateway.
>> While trying to debug the issue I used tcpdump and noticed that when I do "tcpdump -ni br0" traffic can pass through the gateway.
>> Finally via "netstat -i" I found that on the virtual machine the br0 bridge iface by default is in promisc mode, while on the hardware machines - no. Enabling/disabling promisc mode on the metal server confirmed this. So the question is: is promisc mode mandatory for ipsec to work or am I missing something? If it's mandatory, why does strongswan not put the iface in promisc mode when started? Or is this a bridging nuance?
>> Spent some time checking documentation but didn't find any answers yet.
>> Thanks in advance.
>> --
>> Denis
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
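Added example, not part of the thread and not strongSwan code: a small POSIX sh helper for the checks raised above. It decodes the promiscuous bit (IFF_PROMISC, 0x100 in linux/if.h) from the hex value the kernel exposes in /sys/class/net/<iface>/flags, lists the ports enslaved to a bridge from /sys/class/net/<bridge>/brif, and greps strongswan.conf for charon.interfaces_use / charon.interfaces_ignore. The interface names and the config path are assumptions; adjust them for your host.

```sh
#!/bin/sh
# Added example (not from the thread). Decodes the promiscuous flag of a Linux
# interface and prints a short summary of bridge membership and the
# interfaces_use / interfaces_ignore settings in strongswan.conf.
# Assumptions: sysfs is mounted, strongswan.conf lives at /etc/strongswan.conf.

IFF_PROMISC=256   # 0x100, from <linux/if.h>

# promisc_from_flags HEXFLAGS -> prints "promisc" or "non-promisc"
# HEXFLAGS is the content of /sys/class/net/<iface>/flags, e.g. 0x1103
promisc_from_flags() {
    flags=$1
    if [ $(( $flags & $IFF_PROMISC )) -ne 0 ]; then
        echo promisc
    else
        echo non-promisc
    fi
}

# iface_promisc IFACE -> same as above, read live from sysfs; returns 1 if
# the interface does not exist
iface_promisc() {
    f="/sys/class/net/$1/flags"
    [ -r "$f" ] || { echo "no such interface: $1" >&2; return 1; }
    promisc_from_flags "$(cat "$f")"
}

# bridge_ports BRIDGE -> lists the enslaved ports, nothing if not a bridge
bridge_ports() {
    d="/sys/class/net/$1/brif"
    [ -d "$d" ] || return 0
    ls "$d"
}

# report [STRONGSWAN_CONF] -> one line per interface, plus forwarding state
# and any interfaces_use/interfaces_ignore lines in strongswan.conf
report() {
    conf=${1:-/etc/strongswan.conf}
    for i in /sys/class/net/*; do
        n=$(basename "$i")
        ports=$(bridge_ports "$n" | tr '\n' ' ')
        printf '%-8s %-12s %s\n' "$n" "$(iface_promisc "$n")" \
            "${ports:+bridge ports: $ports}"
    done
    echo "ip_forward: $(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)"
    if [ -r "$conf" ]; then
        grep -nE 'interfaces_(use|ignore)' "$conf" \
            || echo "no interfaces_use/interfaces_ignore in $conf"
    fi
}

# Usage: sh promisc-check.sh report [/path/to/strongswan.conf]
case "${1:-}" in
    report) report "${2:-}" ;;
esac
```

A bridge whose member port is in promiscuous mode while the bridge device itself is not is the normal state on Linux, so the script reporting "eth0 promisc, br0 non-promisc" is expected; the useful part is comparing that against the interfaces_use/interfaces_ignore lines and the forwarding setting rather than treating the flag itself as the fault.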