[strongSwan] StrongSwan w/ multiple local subnets.
Tobias Brunner
tobias at strongswan.org
Mon Jun 22 10:08:52 CEST 2020
Hi Tom,
> ipsec0 receives the packet from the ping request but nothing comes back:
Is there any particular reason you are using the kernel-libipsec plugin
(see [1])? You might want to try just using kernel-netlink.
> Jun 19 19:57:07 10[KNL] error installing route with policy 10.3.0.0/24
> === 10.10.0.0/24 out
> Jun 19 19:57:07 10[IKE] unable to install IPsec policies (SPD) in kernel
> Jun 19 19:57:07 10[IKE] failed to establish CHILD_SA, keeping IKE_SA
The kernel-libipsec plugin currently requires an IP address in the local
traffic selector to install a route, otherwise you get that error.
> Of interest, are these messages:
>
> charon: 10[ESP] no matching outbound IPsec policy for 100.100.100.100 ==
> 10.10.0.4
On obvious result from the above errors to install the policies.
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec
More information about the Users
mailing list