[strongSwan] routing traffic back to VTI interface

Naveen Neelakanta naveen.b.neelakanta at gmail.com
Fri Dec 8 04:30:07 CET 2017


Hi Noel,

I am trying to ping the VTI interfaces. When I ping, I see the traffic coming
back, but I don't see it on ipsec0; however, I see the traffic on the eth3
interface after it is decrypted, and don't see the same reaching ipsec0.

# tcpdump -ni eth3 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes
03:13:36.948984 IP 10.10.10.1 > 10.10.10.2: ICMP echo reply, id 57115, seq 2, length 64
03:13:37.948844 IP 10.10.10.1 > 10.10.10.2: ICMP echo reply, id 57115, seq 3, length 64

# ip -s tunnel show ipsec0
ipsec0: ip/ip  remote 10.10.10.1  local 10.10.10.2  ttl inherit  ikey 0  okey 32
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    7295       611422       142    0        142      0


# ip route
10.10.10.0/24 dev ipsec0  scope link
10.10.10.2 dev ipsec0  scope link

/**** Ipsec policy *****/

# ip xfrm p
src 0.0.0.0/0 dst 0.0.0.0/0
    dir fwd priority 3075
    tmpl src 10.24.18.35 dst 10.24.18.209
        proto esp reqid 4 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir in priority 3075
    tmpl src 10.24.18.35 dst 10.24.18.209
        proto esp reqid 4 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 3075
    mark 32/0xffffffff
    tmpl src 10.24.18.209 dst 10.24.18.35
        proto esp reqid 4 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src ::/0 dst ::/0
    socket in priority 0
src ::/0 dst ::/0
    socket out priority 0
src ::/0 dst ::/0
    socket in priority 0
src ::/0 dst ::/0
    socket out priority 0

# ip xfrm s
src 10.24.18.209 dst 10.24.18.35
    proto esp spi 0xcb2973d8 reqid 4 mode tunnel
    replay-window 32 flag af-unspec
    mark 32/0xffffffff
    auth-trunc hmac(md5) 0x7481dff3cfa1a63439ae67b35391f2fe 96
    enc ecb(cipher_null)
src 10.24.18.35 dst 10.24.18.209
    proto esp spi 0xcee189b3 reqid 4 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(md5) 0x95fac661d5746523f6ccc0e9cb867fea 96
    enc ecb(cipher_null)



Can I disable the default policies? Because when I try to ssh, it seems to
get blocked after the IPsec tunnels are brought up.

Any help on this will be appreciated.

Thanks,
Naveen
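Added example (editor's note, not code from the original post or from the strongSwan project): a small POSIX shell check that cross-references a Linux VTI device with the xfrm SAs it is supposed to carry. Linux ip_vti attributes inbound ESP to a VTI by the packet's outer source/destination (the VTI's remote/local), and uses okey as the mark when looking up the outbound SA, so the check verifies both. The tunnel line and `ip xfrm state` text below are constructed from the values quoted in the post; the second tunnel line is a hypothetical one whose endpoints are the IKE peer addresses, included only to show the passing case. Function names (`field`, `check_vti`) and the assumption that every SA block ends with an `enc` line are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from strongSwan: cross-check a
# Linux VTI device against the xfrm SAs it is meant to carry. Inputs are the text
# of `ip tunnel show <dev>` and `ip xfrm state`; the samples below are constructed
# from the values quoted in the post.

# field TEXT KEYWORD: print the token that follows KEYWORD (e.g. "local" -> its IP)
field() {
  printf '%s\n' "$1" | awk -v k="$2" '{ for (i = 1; i < NF; i++) if ($i == k) { print $(i + 1); exit } }'
}

# check_vti TUNNEL_LINE XFRM_STATE: print one OK/MISMATCH line per finding.
# Rules applied (Linux ip_vti behaviour):
#  - the device's local/remote must be the outer (IKE peer) addresses of the SAs,
#    because inbound ESP is matched to the VTI by its outer src/dst;
#  - the outbound SA lookup for packets sent through the VTI uses okey as the
#    mark, so a marked outbound SA must carry exactly that mark.
# Assumes ESP SAs, i.e. every SA block in `ip xfrm state` ends with an "enc" line.
check_vti() {
  loc=$(field "$1" local); rem=$(field "$1" remote); okey=$(field "$1" okey)
  printf '%s\n' "$2" | awk -v loc="$loc" -v rem="$rem" -v okey="$okey" '
    /^src /               { src = $2; dst = $4; mark = "none" }
    /^[[:space:]]*mark/   { split($2, m, "/"); mark = m[1] }
    /^[[:space:]]*enc/    {                          # last line of one SA block
      if (src == loc && dst == rem) {
        out_found = 1
        if (mark != "none" && mark != okey)
          printf "MISMATCH: outbound SA %s -> %s has mark %s, VTI okey is %s\n", src, dst, mark, okey
        else
          printf "OK: outbound SA %s -> %s matches VTI local/remote and okey\n", src, dst
      }
      if (src == rem && dst == loc) in_found = 1
    }
    END {
      if (!out_found) printf "MISMATCH: no SA %s -> %s; VTI local/remote are not the SA outer addresses\n", loc, rem
      if (in_found)   printf "OK: inbound SA %s -> %s matches VTI remote/local\n", rem, loc
      else            printf "MISMATCH: no SA %s -> %s; decrypted packets will not be attributed to the VTI\n", rem, loc
    }'
}

# Constructed inputs: the tunnel and the SAs exactly as shown in the post ...
POSTED_TUNNEL='ipsec0: ip/ip  remote 10.10.10.1  local 10.10.10.2  ttl inherit  ikey 0  okey 32'
XFRM_STATE='src 10.24.18.209 dst 10.24.18.35
    proto esp spi 0xcb2973d8 reqid 4 mode tunnel
    replay-window 32 flag af-unspec
    mark 32/0xffffffff
    auth-trunc hmac(md5) 0x7481dff3cfa1a63439ae67b35391f2fe 96
    enc ecb(cipher_null)
src 10.24.18.35 dst 10.24.18.209
    proto esp spi 0xcee189b3 reqid 4 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(md5) 0x95fac661d5746523f6ccc0e9cb867fea 96
    enc ecb(cipher_null)'
# ... and a hypothetical tunnel whose local/remote are the IKE peer addresses.
FIXED_TUNNEL='ipsec0: ip/ip  remote 10.24.18.35  local 10.24.18.209  ttl inherit  ikey 0  okey 32'

echo "== tunnel as posted =="
check_vti "$POSTED_TUNNEL" "$XFRM_STATE"
echo "== tunnel with IKE peer addresses as endpoints =="
check_vti "$FIXED_TUNNEL" "$XFRM_STATE"
```

On a live host, replace the two constructed strings with `"$(ip tunnel show ipsec0)"` and `"$(ip xfrm state)"`. For the values in the post the check reports two MISMATCH lines (no SA between 10.10.10.2 and 10.10.10.1 in either direction), which is consistent with decrypted replies appearing on eth3 rather than on ipsec0; with the peer addresses as endpoints and okey 32 matching the outbound SA's mark, both directions report OK.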