[strongSwan] Strongswan Cisco Interop Question (One way traffic)

Thu Apr 16 22:55:20 CEST 2020

Good evening all,

I am testing Strongswan <-> Cisco interop on our device. The issue seems to be on Cisco side. All the same, would like to ask the question here as someone may have faced a similar issue.

Any inputs would be highly appreciated.

Issue: Tunnel is established and child SA is installed. Strongswan is pushing packets nicely into the tunnel. The Cisco router al the same is not pushing the interesting traffic into tunnel.

Some data points:
Tunnel is up:
root at t1024rdb:/usr/local/etc# ipsec status m1
Security Associations (1 up, 0 connecting):
          m1[1]: ESTABLISHED 3 seconds ago, 172.16.31.1[172.16.31.1]...172.16.21.1[172.16.21.1]
          m1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c31e9466_i ca4d6288_o
          m1{1}:   192.168.9.0/24 === 10.10.9.0/24

On CISCO side:
If I use SRC ping, traffic is pushed in tunnel:
Switch#ping  192.168.9.1 source 10.10.9.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.9.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.9.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
Switch#

Problem: A device on the CISCO side 10.10.9 network cannot reach 192.168.9 (Strongswan side) nwk. It's GW is Cisco. So when Cisco gets the icmp req:

10.10.10.9.3 -> 192.168.9.3

It arps using for the IP instead of pushing into tunnel.

Have seen a lot of posts with this problem but none of the solution is working for me.

If anyone out here has faced this issue, your feedback would be very much appreciated.

Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr,
Mississauga, Ontario
L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan at is5com.com
Website: www.iS5Com.com

Confidentiality Notice: 
This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure unless properly encrypted.