[strongSwan] Strongswan failed to forward decrypted packet to socket

Quaker bigboyq at gmail.com
Tue Dec 19 08:57:02 CET 2017

I am using Strongswan 5.6.1 on my OpenVZ servers
And strongswan 5.6.1 is compiled by myself. kernel-libipsec enabled by

./configure --enable-eap-identity --enable-eap-md5 \ --enable-eap-mschapv2
--enable-eap-tls --enable-eap-ttls --enable-eap-peap \ --enable-eap-tnc
--enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
--enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock
--enable-unity \ --enable-certexpire --enable-radattr --enable-tools
--enable-openssl --disable-gmp --enable-kernel-libipsec

the strongswan.conf configuration modified as :

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
                kernel-netlink {
                        fwmark = !0x4
                socket-default {
                        fwmark = 0x4
                kernel-libipsec {
                        allow_peer_ts = yes

I have created ipsec tunnel successfully between my OpenVZ server alpha and
But the socket connection fails.
By investigate the problem, I tried tcpdump, found that
If I ping from alpha to beta
tcpdump could found
esp from alpha->beta
esp from beta->alpha
but ping timeout

If I ping from beta to alpha
tcpdump could found
esp from beta->alpha
and ping timeout

if using tcp, and answer is similar
alpha SYN_SENT

alpha NULL

I guess there should be some problem during esp to socket
anyone could tell me how to detect the problem, or some further information
should I give.

alpha and beta belongs to different OpenVZ supplier, don't know the problem.
I have reinstalled alpha sometimes, but doesn't work.

beta:Linux beta 2.6.32-042stab125.5 #1 SMP Tue Oct 17 12:48:22 MSK 2017
x86_64 GNU/Linux

alpha: Linux alpha 2.6.32-042stab123.3 #1 SMP Fri May 5 12:29:05 MSK 2017
x86_64 GNU/Linux

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171219/314b5f1c/attachment.html>

More information about the Users mailing list