[strongSwan] No traffic between Strongswan 5.6.2 server and 5.7.2 roadwarrior, works in other client versions

Alexander Hill alex at hill.net.au
Wed Oct 9 04:19:36 CEST 2019


A bit more info on this.

Everything is working on the roadwarrior in terms of outgoing traffic. I
can send UDP packets from the client and receive and read them on the

But incoming encrypted traffic is received but apparently not decrypted.
When I ping or try to open a TCP connection, or send UDP packets to the
client from the server, I see UDP-encap ESP packets going out and coming in
in tcpdump. The traffic counters in "ipsec statusall" increment. But I see
no decrypted packets in tcpdump and (obviously) everything just times out
at the application level.

Any ideas?


On Tue, Oct 1, 2019 at 12:30 PM Alexander Hill <alex at hill.net.au> wrote:

> Hi,
> I have a roadwarrior setup with a server running 5.6.2 on Ubuntu Bionic.
> Clients are a mix of 5.6.2 (Bionic), 5.3.5 (Xenial) and 5.5.1 (Stretch) and
> all work fine.
> I'm testing an updated client image on an Asus Tinkerboard S with Armbian
> Buster which ships with 5.7.2. On this client, I can connect to the server,
> but no decrypted traffic makes it through. If I ping the client from the
> server and watch tcpdump on UDP port 4500 on the client, I can see packets
> arriving each second corresponding to the pings from the server, but the
> server receives no response.
> I've included some charon logs, server and client configs, my extra
> strongswan.d config, and output from tcpdump and ip xfrm policy.
> From what I can see all of this looks essentially the same as on the
> working clients. Any ideas of next steps would be greatly appreciated!
> Cheers,
> Alex