[strongSwan] Can't make routing work to pass Internet traffic

Phil Frost phil at postmates.com
Sat May 5 01:56:20 CEST 2018

On Fri, May 4, 2018 at 7:57 AM Arab Abdulla <arab666 at protonmail.com> wrote:

> Dear Admins!
> Please help. Can't make routing work. I have this net scheme:
> IPSEC Client 1 <--> IPSEC Server <--> IPSEC Client 2
> IPSEC IPs of computers:
> Server:
> Client 1:
> Client 2:
> I can ping from, traffic goes through It works.
> I need to make "Client 2" an Internet gateway to pass all Internet traffic
> from Client 1.
> But when I try to add route:
> ip route add via
> it seems route not working, like gateway is just ignored. Traffic
> ends on, and do not pass to at all. I check it with
> tcpdump.

Client 1 sends the packet addressed for, and the server receives it.
Now the server doesn't know about the routing tables on client 1: it only
knows it has this packet addressed to How does the server know a
packet for should go through client 2? You can check the server
routing tables with "ip route get", or perhaps "ip route get from what's it say? Does it show the server thinks the
next hop should be

Reverse path filtering is another thing that can be a problem in scenarios
like this, especially if client 1 has some IP address other than,
and is not using as the source address for the packets it sends
destined for the internet. The log_martians and rp_filter sysctls are
something to check. I've spent more than a few hours racking my brain as to
why packets are "just disappearing" before remembering reverse path
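The reply points at the rp_filter and log_martians sysctls as the usual culprit when forwarded packets vanish silently. The following is an added example, not code from the thread or from strongSwan: a small POSIX sh audit that applies the semantics the kernel documents (effective rp_filter for an interface is the maximum of conf.all and conf.<iface>; martians are logged if either conf.all or conf.<iface> has log_martians set). The sysctl dump below is constructed; on a real gateway you would feed it the output of `sysctl -a` instead. Interface names (eth0, ipsec0) and all values are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit reverse-path filtering on a
# forwarding host. Kernel semantics used here:
#   effective rp_filter on IFACE    = max(conf.all.rp_filter, conf.IFACE.rp_filter)
#   martians logged on IFACE        = conf.all.log_martians OR conf.IFACE.log_martians
# A constructed `sysctl -a`-style dump stands in for a real host.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.ipsec0.rp_filter = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.conf.ipsec0.log_martians = 0'

# sysctl_value DUMP KEY -> prints the value of KEY, or nothing if absent
sysctl_value() {
    printf '%s\n' "$1" | awk -v k="$2" -F' = ' '$1 == k { print $2 }'
}

# rp_filter_effective DUMP IFACE -> 0, 1 or 2, as the kernel will apply it.
# Note that conf.IFACE.rp_filter = 0 does NOT switch filtering off while
# conf.all.rp_filter is 1: the maximum wins.
rp_filter_effective() {
    rpf_all=$(sysctl_value "$1" net.ipv4.conf.all.rp_filter)
    rpf_if=$(sysctl_value "$1" "net.ipv4.conf.$2.rp_filter")
    : "${rpf_all:=0}" "${rpf_if:=0}"
    if [ "$rpf_all" -gt "$rpf_if" ]; then echo "$rpf_all"; else echo "$rpf_if"; fi
}

# rp_filter_mode DUMP IFACE -> off | strict | loose
rp_filter_mode() {
    case "$(rp_filter_effective "$1" "$2")" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# martians_logged DUMP IFACE -> yes if packets failing the reverse-path
# check on IFACE will show up in the kernel log, no if they vanish silently
martians_logged() {
    lm_all=$(sysctl_value "$1" net.ipv4.conf.all.log_martians)
    lm_if=$(sysctl_value "$1" "net.ipv4.conf.$2.log_martians")
    if [ "${lm_all:-0}" = 1 ] || [ "${lm_if:-0}" = 1 ]; then echo yes; else echo no; fi
}

# strict_interfaces DUMP -> one line per interface whose effective mode is
# strict, i.e. where a packet whose source would not be routed back out
# that same interface is dropped
strict_interfaces() {
    printf '%s\n' "$1" \
      | awk -F'[. =]+' '$3 == "conf" && $5 == "rp_filter" && $4 != "all" && $4 != "default" { print $4 }' \
      | while read -r ifc; do
            [ "$(rp_filter_mode "$1" "$ifc")" = strict ] && echo "$ifc"
        done
}

# Stand-alone run: summarise the constructed dump
for ifc in eth0 ipsec0; do
    printf '%-8s rp_filter=%s  log_martians=%s\n' "$ifc" \
        "$(rp_filter_mode "$SAMPLE_SYSCTL" "$ifc")" \
        "$(martians_logged "$SAMPLE_SYSCTL" "$ifc")"
done
```

The output for the constructed dump shows ipsec0 still in strict mode despite its own rp_filter being 0, which is exactly the kind of setting that makes forwarded packets "just disappear" with nothing in dmesg when log_martians is off. Pair this with the route check from the reply on the server itself: `ip route get <dst> from <src> iif <iface>` tells you which next hop the kernel would actually pick for a forwarded packet, independent of what the clients' own routing tables say.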