[strongSwan] Can't make routing work to pass Internet traffic

Arab Abdulla arab666 at protonmail.com
Sat May 5 04:58:52 CEST 2018

Hello Phil,

> Client 1 send the packet addressed for, and the server receives it. Now the server doesn't know about the routing tables on client 1: it only knows it has this packet addressed to How does the server know a packet for should go through client 2?

It seems it's the root of the problem. Why the server does not know? Why gateway is not used? My routing on client 1 is:
root at ubuntu1604:~# ip r g via dev ipsec2  src

So, IPSEC should incapsulate its destination and sends traffic to, is not it? But, instead, on server I see (49 is client 1 and 47 is server):

19:38:57.180893 IP > UDP-encap: ESP(spi=0xc3d23f24,seq=0xc), length 120
19:38:57.180981 IP > ICMP echo request, id 13060, seq 12, length 64

Where is my mistake? How should I re-configure it?

> You can check the server routing tables with "ip route get", or perhaps "ip route get from what's it say? Does it show the server thinks the next hop should be

Still do not understand why no encapsulation in IPSEC and why server routing table matters.

> Reverse path filtering is another thing that can be a problem in scenarios like this, especially if client 1 has some IP address other than, and is not using as the source address for the packets it sends destined for the internet. the log_martians and rp_filter sysctls are something to check. I've spent more than a few hours racking my brain as to why packets are "just disappearing" before remembering reverse path filtering.

I tried it before, not related.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180504/5bc3a28d/attachment.html>

More information about the Users mailing list