[strongSwan] StrongSwan w/ multiple local subnets.

Tobias Brunner tobias at strongswan.org
Mon Jun 22 10:08:52 CEST 2020

Hi Tom,

> ipsec0 receives the packet from the ping request but nothing comes back:

Is there any particular reason you are using the kernel-libipsec plugin
(see [1])?  You might want to try just using kernel-netlink.

> Jun 19 19:57:07 10[KNL] error installing route with policy 
> === out
> Jun 19 19:57:07 10[IKE] unable to install IPsec policies (SPD) in kernel
> Jun 19 19:57:07 10[IKE] failed to establish CHILD_SA, keeping IKE_SA

The kernel-libipsec plugin currently requires an IP address in the local
traffic selector to install a route, otherwise you get that error.

> Of interest, are these messages:
> charon: 10[ESP] no matching outbound IPsec policy for == 

An obvious result of the above errors installing the policies.


[1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec

