[strongSwan] strongSwan tunnel up but child subnets not pinging

christopher kamutumwa chriskamutumwa at gmail.com
Fri Feb 19 11:55:23 CET 2016

I have made all the changes but the problem is still there; I need more help.
The changes made are below, and attached are ipsec.conf, the message log,
statusall, the routing table and iptables.

IP forwarding enabled in /etc/sysctl.conf
net.ipv4.ip_forward = 1

removed: "That line is formatted wrong. '-diffie-hellman group 2' is invalid"

did this: "Don't declare options multiple times in a conn section."
flushed routing table to default: "strongSwan does the routing for you.
Don't install routes yourself."

On 2/16/16, Noel Kuntze <noel at familie-kuntze.de> wrote:
> On 16.02.2016 18:03, christopher kamutumwa wrote:
>> Hi, does this mean if I flush my iptables and routing tables strongSwan
>> will route and write the firewall, and how can I tell that?
> No.
> strongSwan, by default, inserts routes into table 220 and uses policy based
> routing to route the traffic to the
> remote side(s) into routing table 220, where routes to the protected subnets
> are in.
> You seem to not have read the introduction[1] yet. Please read it.

added:
iptables -t nat -I POSTROUTING -s -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -t nat -I PREROUTING -s -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A input_rule -p esp -j ACCEPT
iptables -A input_rule -p udp --dport 500 -j ACCEPT
iptables -A input_rule -p udp --dport 4500 -j ACCEPT

But still no pings to or from the other side, though the IKE_SA has always
been up. Please help.

> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/IntroductionTostrongSwan
> (Second mail, first one was sent to Christopher only)
> --
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
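[Editor's note: the script below is an added diagnostic example; it is not part of this thread and not strongSwan's own code. It checks the three things the quoted reply describes strongSwan installing for a CHILD_SA: the "lookup 220" policy-routing rule, the route to the protected remote subnet in table 220, and the kernel XFRM policies. The subnets 10.1.0.0/24 and 10.2.0.0/24 are assumed stand-ins for leftsubnet/rightsubnet (nothing in the thread gives the real ones), and the embedded iproute2 output is constructed sample data. Run it with --live as root to inspect the actual kernel state instead; an IKE_SA that is up with no CHILD_SA shows up as no table 220 route and no XFRM policies.]

```shell
#!/bin/sh
# Added diagnostic example, not code from the original thread or from strongSwan.
# It checks what strongSwan installs when a CHILD_SA comes up: the policy rule
# that sends traffic to routing table 220, the route to the remote subnet in
# that table, and the kernel XFRM policies. Subnets below are assumptions.

LOCAL_SUBNET="${LOCAL_SUBNET:-10.1.0.0/24}"    # assumed leftsubnet
REMOTE_SUBNET="${REMOTE_SUBNET:-10.2.0.0/24}"  # assumed rightsubnet

# has_table220_rule RULES: succeed if the output of `ip rule show` contains
# the "lookup 220" rule that charon installs (priority 220 by default).
has_table220_rule() {
    printf '%s\n' "$1" | grep -q 'lookup 220'
}

# route_in_table TABLE_DUMP SUBNET: succeed if the output of
# `ip route show table 220` has a route whose destination is SUBNET.
route_in_table() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -Eq "^${esc}[[:space:]]"
}

# count_xfrm_policies XFRM_DUMP: print how many policies (dir in/out/fwd) the
# output of `ip xfrm policy` contains. One tunnel with one CHILD_SA has three.
count_xfrm_policies() {
    printf '%s\n' "$1" | grep -c '^[[:space:]]*dir ' || true
}

# diagnose RULES TABLE220 XFRM: report what is missing; return 0 only when the
# rule, the route to REMOTE_SUBNET and at least one XFRM policy are present.
diagnose() {
    ok=0
    if has_table220_rule "$1"; then
        echo "ok   ip rule has a 'lookup 220' entry"
    else
        echo "FAIL no 'lookup 220' rule: policy routing to table 220 not installed"
        ok=1
    fi
    if route_in_table "$2" "$REMOTE_SUBNET"; then
        echo "ok   route to $REMOTE_SUBNET is in table 220"
    else
        echo "FAIL no route to $REMOTE_SUBNET in table 220 (CHILD_SA not installed?)"
        ok=1
    fi
    n=$(count_xfrm_policies "$3")
    if [ "$n" -gt 0 ]; then
        echo "ok   $n XFRM policies installed"
    else
        echo "FAIL no XFRM policies: IKE_SA may be up but no CHILD_SA was negotiated"
        ok=1
    fi
    return $ok
}

# Constructed sample output in the format of the iproute2 tools, describing a
# tunnel whose CHILD_SA is installed (addresses are documentation ranges).
SAMPLE_RULES='0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_TABLE220='10.2.0.0/24 via 198.51.100.1 dev eth0 proto static src 10.1.0.1'
SAMPLE_XFRM='src 10.1.0.0/24 dst 10.2.0.0/24
        dir out priority 375423 ptype main
        tmpl src 198.51.100.2 dst 203.0.113.2
                proto esp reqid 1 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
        dir fwd priority 375423 ptype main
        tmpl src 203.0.113.2 dst 198.51.100.2
                proto esp reqid 1 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
        dir in priority 375423 ptype main
        tmpl src 203.0.113.2 dst 198.51.100.2
                proto esp reqid 1 mode tunnel'

if [ "${1:-}" = "--live" ]; then
    # Inspect the real kernel state (needs iproute2; root for ip xfrm).
    diagnose "$(ip rule show)" "$(ip route show table 220)" "$(ip xfrm policy)"
else
    diagnose "$SAMPLE_RULES" "$SAMPLE_TABLE220" "$SAMPLE_XFRM"
fi
```

If the rule and the routes are there but pings still fail, the next things to compare are the traffic selectors strongSwan prints for the CHILD_SA against the subnets the pings actually use, and the iptables counters on the rules that accept ESP and UDP/500 and UDP/4500.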
