[strongSwan] access to multiple subnets

Mirko Parthey mirko.parthey at web.de
Mon Jan 16 15:12:15 CET 2017

On Mon, Jan 16, 2017 at 01:51:00AM +1100, Yudi V wrote:
> Got strongswan VPN on an openwrt gateway acting as the server. Openwrt router
> has two VLANs (say,, I used rightsourceip=%dhcp
> and let the remote peer get IP from
> This works fine and I can access resources (mostly network shares) in
> but I would also like to access resources in I
> cannot seem to figure out how to do this.
> Normally when I am connected to the openwrt gateway directly I can access the
> resources in both VLANs (has appropriate rules in the firewall).
> I did not add any specific firewall rules relating to strongswan setup except
> for esp, ah, port 500 and 4500 on wan side.  Not sure what settings need to be
> changed to get access to the other subnets.
> I would appreciate any suggestions.

Hello Yudi,

I would suggest finding out where the traffic to is dropped,
on which machine and by which firewall rule / IPsec policy.
For example, send an ICMP echo request (ping) from a remote machine,
and also try a larger size such as 1500.

Does it arrive at the target machine?
Is the request dropped, or the reply?

Linux IPsec has byte and packet counters, which can be shown with the
strongSwan command "ipsec statusall". It also shows other useful information,
so please post the output of this command after the connection has been
Also enable logging in the OpenWrt firewall and look at the log (logread)
and the netfilter rule counters (iptables -vL).

This diagram shows the processing order of the netfilter hooks:
Please note that decapsulated IPsec traffic is processed by the network
layer hooks a second time. This should be covered by the rules
automatically inserted with leftfirewall=yes, but is worth checking.

Are your routes set up correctly - on the client, the OpenWrt gateway,
and the target machine in
Remember that you will need valid routes for both directions.
Do machines in send all traffic to via
the OpenWrt gateway, or is there another router?

You could also try to use an address range for the remote clients
which is disjoint from the internal subnets. You will see if it breaks
access to as well, and this can be a base for
further investigations.

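The triage Mirko describes (netfilter rule counters, the IPsec policies and byte counters from "ipsec statusall"), as an added example that is not part of the original thread and not strongSwan or OpenWrt code: three small POSIX sh/awk helpers that you can pipe the real command output into on the gateway. The subnets 10.0.1.0/24 and 10.0.2.0/24, the connection name "rw", the chain names and the two sample outputs below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread. Helpers for the triage
# Mirko describes: (1) which netfilter rule is actually dropping packets,
# (2) whether an installed CHILD_SA's traffic selectors cover the target host,
# (3) whether decrypted traffic arrives but nothing goes back out.
# The subnets 10.0.1.0/24 and 10.0.2.0/24, the connection name "rw" and the
# sample command outputs are constructed for illustration (assumptions).
# Live use on the gateway:  iptables -vnL | find_drops ;  ipsec statusall | sa_check 10.0.2.5

# (1) Print DROP/REJECT rules with a non-zero packet counter. Reads `iptables -vnL`.
# FORWARD is where VPN-to-LAN traffic usually dies; OpenWrt adds its own chains,
# and a chain's DROP policy can be the culprit as well as a rule.
find_drops() {
    awk '
        /^Chain / { chain = $2
                    # "Chain X (policy DROP N packets, ...)"
                    if ($3 == "(policy" && $4 == "DROP" && $5 != "0")
                        printf "%s: policy DROP %s pkts\n", chain, $5
                    next }
        /^ *pkts/ || NF == 0 { next }       # column header / blank line
        ($3 == "DROP" || $3 == "REJECT") && $1 ~ /^[0-9]+[KMG]?$/ && $1 != "0" {
            printf "%s: %s pkts %s %s -> %s\n", chain, $1, $3, $8, $9
        }'
}

# (2) For every installed CHILD_SA line "name{n}: LOCAL_TS === REMOTE_TS", report
# whether the local traffic selectors include the target IP. If the second VLAN
# is not in there, the kernel has no IPsec policy for it and the packet never
# enters the tunnel (no firewall rule will show it either).
sa_check() {
    awk -v target="$1" '
        function ip2n(s,   a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
        function in_cidr(ip, cidr,   p, bits, div) {
            split(cidr, p, "/"); bits = (p[2] == "") ? 32 : p[2] + 0; div = 2 ^ (32 - bits)
            return int(ip2n(ip) / div) == int(ip2n(p[1]) / div)   # same network prefix
        }
        $2 ~ /^[0-9.]+\/[0-9]+$/ && / === / {
            for (i = 2; i <= NF && $i != "==="; i++) { }       # locate the separator
            ok = 0
            for (j = 2; j < i; j++) if (in_cidr(target, $j)) ok = 1
            printf "%s %s %s; local TS:", $1, (ok ? "covers" : "does NOT cover"), target
            for (j = 2; j < i; j++) printf " %s", $j
            printf "\n"
        }'
}

# (3) Byte counters per CHILD_SA from the "... bytes_i (...), ... bytes_o ..." line.
# bytes_i growing while bytes_o stays 0 means requests are decrypted and delivered
# but replies never come back through the tunnel: look at routes and firewall on
# the target side and the gateway rather than at the client.
sa_counters() {
    awk '/bytes_i/ {
        in_b = out_b = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^bytes_i/) in_b = $(i - 1)
            if ($i ~ /^bytes_o/) out_b = $(i - 1)
        }
        hint = (in_b > 0 && out_b == 0) ? "  <- decrypted traffic arrives, nothing goes back" : ""
        printf "%s in=%s out=%s%s\n", $1, in_b, out_b, hint
    }'
}

# Constructed sample outputs, shaped like what the real commands print.
SAMPLE_IPTABLES=$(cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  980   81K forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  120  9600 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   42  3528 DROP       all  --  eth0.10 eth0.20 10.0.1.0/24          10.0.2.0/24
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
EOF
)
SAMPLE_STATUSALL=$(cat <<'EOF'
Security Associations (1 up, 0 connecting):
          rw[1]: ESTABLISHED 5 minutes ago, 203.0.113.1[gw.example.org]...198.51.100.7[alice]
          rw{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0a6b9a2_i 8e5f4a9b_o
          rw{1}:  AES_GCM_16_128, 12345 bytes_i (98 pkts, 2s ago), 0 bytes_o, rekeying in 44 minutes
          rw{1}:   10.0.1.0/24 === 10.0.1.200/32
EOF
)

# Demo on the constructed samples (in real use, pipe the live command output instead).
printf '%s\n' "$SAMPLE_IPTABLES" | find_drops
printf '%s\n' "$SAMPLE_STATUSALL" | sa_check 10.0.2.5
printf '%s\n' "$SAMPLE_STATUSALL" | sa_counters
```

On the constructed sample the three helpers point at the three things the reply tells you to check: a FORWARD rule between the two VLAN interfaces with a non-zero DROP counter, a CHILD_SA whose local traffic selector is only the first subnet so a host in the second one is outside the IPsec policy, and inbound bytes with zero outbound bytes, i.e. the request arrives but the reply is lost. Run them after the connection is up, ping from the client, and run them again; which counter moved tells you which machine and which rule to look at next.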
