[strongSwan] solution to kernel_libipsec no local address found problem

Simon Chan sialnije at gmail.com
Thu Aug 22 05:37:37 CEST 2019

Hi List,

- strongswan version 5.5.3
- I have to use kernel_libipsec (because of Openssl FIPS validated crypto).
- Must support local traffic selector does not include any local IP addr.

Expand on the last bullet:
- Peer's IP addr is, remote traffic selector
- My node has only 1 interface (not counting ipsec0). IP addr is
- Local traffic selector
- My node has static route via, which is a router.
- Router has static route for via my node.

When try to bring up tunnel, I get this log:
- charon: 12[KNL] getting a local address in traffic selector
- charon: 12[KNL] no local address found in traffic selector
- charon: 12[KNL] error installing route with policy ===
- charon: 12[IKE] unable to install IPsec policies (SPD) in kernel
- charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA

Is there any way to workaround this no local address problem?

I tried cheating in kernel_libipsec_ipsec.c
Ignore the failure from get_address_by_ts() and make up local address by:
src_ip = host_create_from_string("", 0);

It does fool kernel_libipsec to install this route: dev ipsec0 proto static src

But the route does not capture any packets into ipsec0.
So end up the tunnel only work one way, from peer to my node to
Return packets from network stop at my node, cannot get back to

Lastly, in some setup I may have a second interface like and
corresponding router
Then the solution need to be smart enough to pick interface 1 or 2.

Kind regards
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190821/48876dea/attachment.html>

More information about the Users mailing list