[strongSwan] Traffic not being pushed to the tunnel...
Joseph
jsphgoh at gmail.com
Thu Aug 18 05:17:54 CEST 2016
I have a simple setup like this. The switch is the gateway to Internet
access besides connecting the IoT router and the server. The router can
ping the server and also go to the Internet (via the Switch) without any
issue.
[Cisco IoT router] ----(vlan x) ----Switch --- (vlan x)---Server
The ipsec tunnel is set up between the router and the server. The tunnel is
up but I do not see any traffic being pushed through the tunnel. The
routing table looks fine on the IoT router but I just have no way to
confirm if the packets are being pushed through the tunnel. A check on the
iptables doesn't really tell me anything...
My questions are:
- What adds the policy entries for the linux kernel to send the necessary
traffic over IPsec?
- Is there any command that can easily verify that with strongswan command
or linux command?
Thanks,
Joe
[root at WSN ~]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in  out source         destination
  201 18684 f2b-sshd   tcp  --  any any anywhere       anywhere      multiport dports ssh
    5   520 ACCEPT     all  --  lo  any anywhere       anywhere
    0     0 ACCEPT     icmp --  any any anywhere       anywhere      icmp any
  375  543K ACCEPT     udp  --  any any anywhere       anywhere      udp dpt:isakmp
    0     0 ACCEPT     udp  --  any any anywhere       anywhere      udp dpt:ipsec-nat-t
    0     0 ACCEPT     tcp  --  any any anywhere       anywhere      state NEW tcp dpt:http
    0     0 ACCEPT     tcp  --  any any anywhere       anywhere      state NEW tcp dpt:https
  260 23264 ACCEPT     all  --  any any anywhere       anywhere      state RELATED,ESTABLISHED
    4   208 ACCEPT     tcp  --  any any anywhere       anywhere      state NEW tcp dpt:ssh
 1658  168K REJECT     all  --  any any anywhere       anywhere      reject-with icmp-host-prohibited
    0     0 ACCEPT     tcp  --  any any 192.168.180.2  anywhere      tcp dpt:5666
    0     0 REJECT     all  --  any any anywhere       anywhere      reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in  out source         destination
    0     0 ACCEPT     all  --  lo  any anywhere       anywhere
    0     0 ACCEPT     udp  --  any any anywhere       anywhere      udp dpt:isakmp
    0     0 ACCEPT     udp  --  any any anywhere       anywhere      udp dpt:ipsec-nat-t
    0     0 ACCEPT     all  --  any any anywhere       anywhere      state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any any anywhere       anywhere      state NEW tcp dpt:ssh
    0     0 REJECT     all  --  any any anywhere       anywhere      reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 594 packets, 242K bytes)
 pkts bytes target     prot opt in  out source         destination

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in  out source         destination
  201 18684 RETURN     all  --  any any anywhere       anywhere
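Added example, not from the thread or from strongSwan itself: charon's kernel-netlink plugin installs the XFRM policies and SAs into the kernel, so `ip xfrm policy` lists what selects traffic for IPsec and `ip -s xfrm state` exposes per-SA byte and packet counters. This POSIX sh script parses that counter output (a constructed sample is embedded, not captured from Joe's hosts) and reports whether any SA's counters advanced between two snapshots, which is the direct way to confirm packets are really going through the tunnel; the live commands in the comments are the assumed workflow on the gateway.

```shell
#!/bin/sh
# Added example (not from the original post). charon installs XFRM
# policies/SAs via netlink; ip(8) reads them back from the kernel.

# Print one line per SA from `ip -s xfrm state` text on stdin:
#   <src> <dst> <spi> <bytes> <packets>
sa_counters() {
    awk '
        /^src /  { src = $2; dst = $4 }
        /spi 0x/ { for (i = 1; i <= NF; i++) if ($i == "spi") spi = $(i + 1) }
        /\(bytes\), [0-9]+\(packets\)/ {
            b = $1; p = $2
            sub(/\(bytes\),/, "", b); sub(/\(packets\)/, "", p)
            print src, dst, spi, b, p
        }'
}

# Exit 0 if any SA byte counter in snapshot file $2 exceeds the one in
# snapshot file $1 (both in sa_counters output format), else exit 1.
sa_counters_advanced() {
    awk 'FILENAME == ARGV[1] { before[$1 " " $2 " " $3] = $4; next }
         $4 > before[$1 " " $2 " " $3] + 0 { advanced = 1 }
         END { exit advanced ? 0 : 1 }' "$1" "$2"
}

# Constructed sample of `ip -s xfrm state` output: two tunnel-mode ESP SAs,
# one per direction; $1/$2 are the outbound SA's byte/packet counters.
sample_state() {
    cat <<EOF
src 192.168.180.2 dst 192.168.180.10
    proto esp spi 0x0000beef reqid 1 mode tunnel
    lifetime current:
      $1(bytes), $2(packets)
src 192.168.180.10 dst 192.168.180.2
    proto esp spi 0x0000cafe reqid 1 mode tunnel
    lifetime current:
      0(bytes), 0(packets)
EOF
}

# Offline demonstration. Live, on the gateway as root, the same flow is:
#   ip xfrm policy                       # selectors charon installed
#   ip -s xfrm state | sa_counters > before
#   ping -c 5 <host-behind-peer>; ip -s xfrm state | sa_counters > after
#   sa_counters_advanced before after && echo "traffic uses the tunnel"
before=$(mktemp); after=$(mktemp)
sample_state 0 0 | sa_counters > "$before"
sample_state 2340 26 | sa_counters > "$after"    # as if 26 pings went out
if sa_counters_advanced "$before" "$after"; then echo "traffic uses an SA"; fi
rm -f "$before" "$after"
```

If the policy list is empty for the subnets in question, charon never installed a selector for them (check leftsubnet/rightsubnet in the connection), which is the usual reason the tunnel is "up" but idle.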