Felipe Polanco felipeapolanco at gmail.com
Fri Feb 14 15:14:30 CET 2020


The only allowed source address in your tunnel is your VIP address received
from the Cisco device (

If you need to allow access from network then SNAT it at the
POSTROUTING chain to your VIP address.
iptables -t nat -I POSTROUTING -s -j SNAT --to-source

On Fri, Feb 14, 2020 at 9:50 AM Philippe JOUNIN <philippe.jounin at orange.fr> wrote:

> Hello,
> I am trying to connect a Linux/strongSwan box to a Cisco router using
>     - dynamic VTI with IKEv2 on the Cisco (aka FlexVPN)
>     - route-based VPN on the Linux side, on a tunnel interface named ipsec0
> which receives a dynamic virtual address.
> The IPsec tunnel is correctly established and the vips address is
> correctly assigned by the Cisco, transferred by IKEv2 and assigned to the
> ipsec0 interface.
> However, only the traffic sourced from the ipsec0 address is routed through
> the tunnel. All other traffic is filtered out with a "NoRoute" error before
> entering the tunnel.
> As explained in the wiki page
> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN, I
> have:
> - enabled IP forwarding
> - disabled the policy rules with sysctl -w net.ipv4.conf.ipsec0.disable_policy=1
> - disabled the charon route processing.
> If I use NAT to translate all outgoing traffic to the VIP address,
> everything is OK, but direct routing does not enter the tunnel.
> I guess the trouble is that the local selector is the /32 vips address
> instead of
> I have tried to set local_ts to 0/0, but it is overridden by the vips
> instruction.
> Can you help me to understand what I have done wrong?
> Thanks!
> ----
> configurations:
> - Cisco configuration: https://pastebin.com/z8rjJ1hq
> - strongSwan configuration (charon.conf and swanctl.conf): https://pastebin.com/WwjYb1uP
> - tunnel creation and establishment: https://pastebin.com/GCgzzuXQ
> troubleshooting:
> - logs and debug info: https://pastebin.com/j1nFUDa8

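Felipe's SNAT suggestion, spelled out as an added example (this is not code from the thread or from strongSwan): the rule is scoped with -o to the ipsec0 tunnel interface so that only traffic actually leaving through the tunnel is translated to the VIP, and a small check confirms the rule is present in a `iptables -t nat -S POSTROUTING` listing. The LAN network and VIP below are constructed placeholders; substitute the values from your own setup.

```shell
#!/bin/sh
# Added example, not part of the original thread. Addresses are placeholders.
LAN_NET="192.0.2.0/24"     # placeholder: LAN behind the Linux box that must reach the tunnel
VIP="198.51.100.7"         # placeholder: virtual IP handed out by the Cisco (vips)
TUN_IF="ipsec0"            # tunnel interface from the original post

# Build the POSTROUTING SNAT rule. Restricting it to -o "$TUN_IF" keeps the
# translation from touching traffic that leaves via other interfaces, so only
# tunnel-bound packets are rewritten to the /32 VIP the Cisco accepts.
snat_rule() {
    printf 'iptables -t nat -I POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$1" "$2" "$3"
}

# Read an `iptables -t nat -S POSTROUTING` listing on stdin; return 0 when a
# SNAT rule mapping source network $1 to VIP $2 is present, 1 otherwise.
# Useful after a reboot or a firewall script change to verify the rule survived.
snat_present() {
    grep -q -e "-s $1 .*-j SNAT --to-source $2"
}

# Show the rule to apply (run it as root on the strongSwan box).
snat_rule "$LAN_NET" "$TUN_IF" "$VIP"

# When run as root, verify against the live nat table.
if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
    if iptables -t nat -S POSTROUTING | snat_present "$LAN_NET" "$VIP"; then
        echo "SNAT rule for $LAN_NET -> $VIP is present"
    else
        echo "SNAT rule for $LAN_NET -> $VIP is missing" >&2
    fi
fi
```

Because the VIP is the only source address the Cisco's traffic selector allows, every LAN host appears behind a single address inside the tunnel; return traffic from the Cisco side can therefore only be initiated toward the VIP, not toward individual LAN hosts, which is the trade-off compared with negotiating a wider local_ts.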