[strongSwan] farp and ndp proxy not working

Robert Dyck rob.dyck at telus.net
Tue Nov 20 00:48:17 CET 2018

Since upgrading the strongswan server using the Fedora upgrade method (28 to
29, strongswan now 5.7.1) I have no success sending traffic through the VPN.
Before sending huge amounts of data to the list I am looking for suggestions 
to help me debug this myself.

The configuration hasn't changed. My rather simple road warrior setup which 
had been working now doesn't. The tunnel comes up without errors. I see the 
ESP keep alive traffic. To me everything looks good such as statusall, routing 
table, iptables and there are no error logs. When I send pings from the RW I 
see the spike in ESP traffic which does not seem to get routed.

The heart of the issue seems to be farp and ndp proxy. When contacting an IP 
address the system first tries to associate it with an interface using arp or 
address solicitation in the case of ipv6. With Wireshark I see only requests 
but no responses. Farp does appear on the list of plugins and for ipv6 I
have a modified _updown that configures ndp proxy. Ndp proxy is enabled in 
sysctl for all and for the specific interface. There is only one interface. I 
checked forwarding in sysctl as well.

Suggestions? Which debug configuration to use?

