[strongSwan] Cannot ping the load-tester client IP from the tested strongSwan server
佛来佛网
314186514 at qq.com
Sat Aug  8 11:34:22 CEST 2020

Hi all,
I set up a strongSwan server, and it works well.
I want to load-test it.
I use strongSwan 5.9.0 with the load-tester plugin as the client.
The following is /etc/strongswan/strongswan.conf:
charon {
        load_modular = yes
        install_routers = yes
        plugins {
                load-tester {
                        addrs_keep = yes
                        enable = yes
#                       initiators = 4
#                       iterations = 1
                        fake_kernel = yes
                        delay = 100
                        responder = 47.98.237.203
                        proposal = aes256-sha256-modp1024
                        initiator_auth = eap-md5
                        eap_password = eappass
                        esp = aes256-sha256
                        responder_auth = pubkey
                        request_virtual_ip = yes
                        ike_rekey = 0
                        child_rekey = 60
                        delete_after_established = no
                        shutdown_when_complete = no
                        initiator_tsr = 0.0.0.0/0
                        initiator_id = conn-%d-round-%d
#                       initiator_match = *@strongswan.org
                        responder_id = panvpn.mydomain.net
#                       digest = sha256
                        issuer_cert = /etc/strongswan/ipsec.d/cacerts/MYCA.cert.pem
                        issuer_key = /etc/strongswan/ipsec.d/private/MYCA.key.pem
                        ca_dir = /etc/ipsec.d/cacerts/
                }
                include strongswan.d/charon/*.conf
        }
}
include strongswan.d/*.conf
I run "ipsec load-tester initiate 1 200",
and "ipsec statusall" displays:
Status of IKE charon daemon (strongSwan 5.9.0, Linux 3.10.0-1062.18.1.el7.x86_64, x86_64):
  uptime: 35 minutes, since Aug 08 16:48:02 2020
  malloc: sbrk 1613824, mmap 0, used 559584, free 1054240
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac drbg mysql sqlite attr load-tester kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic tnc-tnccs counters
Listening IP addresses:
  172.17.0.96
Connections:
   load-test:  47.98.237.203...0.0.0.0  IKEv1/2
   load-test:   local:  [panvpn.mydomain.net] uses public key authentication
   load-test:   remote: [conn-0-round-1] uses EAP_MD5 authentication
   load-test:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
   load-test[1]: ESTABLISHED 35 minutes ago, 172.17.0.96[conn-1-round-1]...47.98.237.203[panvpn.mydomain.net]
   load-test[1]: IKEv2 SPIs: 1aa1f3c652eae014_i* eb4208fff85db289_r, rekeying disabled
   load-test[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
   load-test{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 01000000_i c9b2cdd1_o
   load-test{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i (0 pkts, 244653s ago), 0 bytes_o (0 pkts, 244653s ago), rekeying active
   load-test{1}:   10.128.0.1/32 === 0.0.0.0/0
 
My question is: I cannot ping 10.128.0.1 from the strongSwan server.
Is this by design, or did I miss something? How can I fix it?
Thanks so much!