[strongSwan] unable to ping local gateway in roadwarrior configuration

Mihai Ordean social at mihaiordean.com
Tue Jan 20 17:09:06 CET 2015

Hey Martin

Thanks for your prompt reply.

> -----Original Message-----
> You probably won't need ESP/AH forwarding rules, as in your NAT situation all traffic is UDP encapsulated over ports 500/4500.

You are right, the traffic does get encapsulated there.

> > and ipsec statusall is:
> > Security Associations (0 up, 0 connecting):
> Your "ipsec statusall" shows no active connections. No client currently connected?

I am appending below the "ipsec statusall" with a client connected:

Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.10.17-g86ce428, armv7l):
malloc: sbrk 1216512, mmap 0, used 214312, free 1002200
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-mschapv2 xauth-generic dhcp addrblock
Listening IP addresses:
roadwarrior-eap:  %any...%any  IKEv2
roadwarrior-eap:   local:  [dnsname.com] uses public key authentication
roadwarrior-eap:    cert:  "C=UK, O= dnsname.com, CN= dnsname.com"
roadwarrior-eap:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
roadwarrior-eap:   child: === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
roadwarrior-eap[2]: ESTABLISHED 20 seconds ago,[dnsname.com]...[]
roadwarrior-eap[2]: Remote EAP identity: some.identity
roadwarrior-eap[2]: IKEv2 SPIs: b42cd00ab10b4a49_i 397b754c1c6e59fb_r*, public key reauthentication in 2 hours
roadwarrior-eap[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
roadwarrior-eap{2}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cdc15832_i 462cf18a_o
roadwarrior-eap{2}:  AES_CBC_256/HMAC_SHA1_96, 51187 bytes_i (384 pkts, 0s ago), 14072 bytes_o (132 pkts, 1s ago), rekeying in 42 minutes
roadwarrior-eap{2}: ===

> > The problem that I have is that I am able to ping the network
> > computers (i.e. but I am unable to ping the gateway
> > itself (
> If pinging the LAN hosts works, your IPsec policies get negotiated correctly. Likely that your routing or firewall configuration drops
> packets.
> If you ping your internal gateway address, do you see incoming packets when sniffing on your gateway? Do you see ESP packets
> leaving?
> >    *      U       0      0        0 br-lan
> strongSwan installs a route to table 220 (ip route show table 220), which should go over your Sky router. It overrides the LAN route to
> your DHCP-assigned road-warrior IP. Can you confirm this route gets installed correctly?

"ip route show table 220" returns empty. I guess the problem is here: the route does not get installed. Do you have any suggestions about fixing this?
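Added here as a diagnostic for the table-220 question in the exchange above; it is not code from this thread or from the strongSwan project. The POSIX shell functions take the text of `ip rule show` and `ip route show table 220` and report whether charon's policy rule for table 220 and the host route for the road warrior's virtual IP are both present, which is what lets the gateway's own packets take the tunnel instead of the br-lan route. charon installs that rule and those routes only while charon.install_routes in strongswan.conf (default yes) is enabled. The sample dumps, the client address 192.168.0.50, the gateway address 192.168.0.1 and the interface name are constructed for the example.

```shell
#!/bin/sh
# Example checker for strongSwan's routing-table-220 setup (added example,
# not from the original thread). All sample data below is constructed.

# `ip rule show` on a gateway where charon has installed its rule (constructed sample).
RULES_OK='0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default'

# `ip route show table 220` with a host route for the road warrior (constructed sample;
# 192.168.0.50 is the assumed virtual IP, 192.168.0.1 the assumed gateway LAN address).
TABLE220_OK='192.168.0.50 dev br-lan  proto static  src 192.168.0.1'

# What the poster reports: an empty table 220.
TABLE220_EMPTY=''

# has_rule220 RULES -> success if some policy rule selects table 220
has_rule220() {
    printf '%s\n' "$1" | grep -q 'lookup 220'
}

# route_for_client TABLE IP -> success if TABLE starts a line with a host route for IP
route_for_client() {
    printf '%s\n' "$1" | grep -q "^$2[[:space:]]"
}

# diagnose RULES TABLE IP -> 0 if rule and route are in place,
#                           1 if the table-220 rule is missing,
#                           2 if the rule exists but the host route is missing
diagnose() {
    rules=$1; table=$2; ip=$3
    if ! has_rule220 "$rules"; then
        echo "no policy rule for table 220: check charon.install_routes in strongswan.conf"
        return 1
    fi
    if ! route_for_client "$table" "$ip"; then
        echo "table 220 has no route for $ip: the gateway's own traffic follows the LAN route and bypasses the tunnel"
        return 2
    fi
    echo "route for $ip present in table 220"
    return 0
}

# Live use on the gateway (assumed client address; uncomment to run):
# diagnose "$(ip rule show)" "$(ip route show table 220)" 192.168.0.50
```

Run it with the constructed samples first to see the three verdicts, then with the live command substitutions shown in the trailing comment; the exit code distinguishes a missing rule (charon never set up table 220 at all) from a missing route (the rule exists but no route was installed for this client).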