[strongSwan] Ping Multicast over IPSec

Joyce LAMBERT joyce.lambert at netapsys.fr
Wed Jul 15 14:42:19 CEST 2015


Hi all,

I am trying to get multicast working over IPsec.

For this I have created a test environment with 3 virtual machines:

ipsec1 (10.0.1.2/24) <=> (10.0.1.1/24) Router (10.0.2.1) <=> ipsec2 (10.0.2.2)

The router is also connected to the internet.

An IPsec tunnel is up between ipsec1 and ipsec2.

I used a home-compiled 5.3 version of strongSwan with the forecast module
enabled, on Debian 8.

ipsec1 and ipsec2 can ping each other. With tcpdump on the router I see that
the traffic is ESP UDP-encap.

Multicast IPs are configured on right and left for both IPsec servers
and the forecast module is loaded. But if I try to ping 224.0.0.5, the packets go
outside the tunnel without being encapsulated.
Do you find something wrong in my configuration file? Or something I
forgot to configure on the IPsec virtual machines?

Thank you

Configuration IPsec1:
----------------------------
ipsec.conf:
config setup
conn %default
       ikelifetime=60m
       keylife=20m
       rekeymargin=3m
       keyingtries=1
       authby=secret
       keyexchange=ikev2
       mobike=yes
conn ipsec1-ipsec2
       left=10.0.1.2
       leftsubnet=224.0.0.0/4,10.0.1.2/32
       leftid=@ipsec1
       leftfirewall=yes
       right=10.0.2.2
       rightfirewall=yes
       rightsubnet=%dynamic,224.0.0.0/4,10.0.2.2/32
       rightid=@ipsec2
       auto=start
       rightfirewall=yes
       type=tunnel
       mark=%unique
       forceencaps=yes

/etc/strongswan.d/charon/forecast.conf
forecast {
      groups=224.0.0.1,224.0.0.5,224.0.0.6
      interface=eth0
      load = yes
}

Configuration IPsec2:
----------------------------
ipsec.conf:
config setup
conn %default
       ikelifetime=60m
       keylife=20m
       rekeymargin=3m
       keyingtries=1
       authby=secret
       keyexchange=ikev2
       mobike=yes
conn ipsec2-ipsec1
       left=10.0.2.2
       leftsubnet=224.0.0.0/4,10.0.2.2/32
       leftid=@ipsec1
       leftfirewall=yes
       right=10.0.1.2
       rightfirewall=yes
       rightsubnet=%dynamic,224.0.0.0/4,10.0.1.2/32
       rightid=@ipsec2
       auto=start
       rightfirewall=yes
       type=tunnel
       mark=%unique
       forceencaps=yes

/etc/strongswan.d/charon/forecast.conf
forecast {
      groups=224.0.0.1,224.0.0.5,224.0.0.6
      interface=eth0
      load = yes
}

