[strongSwan] StrongSwan w/ multiple local subnets.

Tobias Brunner tobias at strongswan.org
Wed Jun 24 15:19:52 CEST 2020


Hi Tom,

> May I ask which exact line above told you I'm missing xfrm_user?  The 
> ones that start with CUSTOM?

Yes, the first one is logged after the kernel-netlink plugin failed to
open a Netlink/XFRM socket, plus it is obviously missing in the module
lists you posted after that.

> This is DD-WRT so it's a minimized router kernel. I was surprised as the 
> next guy learning that module isn't available.

Yeah, it makes little sense to enable the other IPsec-related modules
without a means to actually use them.  But why did you use the 2.6.23
kernel sources to build the missing module if your router uses a 4.4.190
kernel?

> I tinkered around with this at some point.  I had it originating from 
> 192.168.0.6 > 10.10.0.4 but same results.  Based on what you wrote, 
> unless I get xfrm_user module installed, this won't work regardless of 
> what source IP it's coming from?

No, that's unrelated.  You need that module to use the IPsec stack in
the kernel (i.e. to run without kernel-libipsec or ipsec0 interface).
The whole point of the userland IPsec stack is that it bypasses the
kernel and can run with reduced privileges (e.g. on Android where apps
can create TUN devices via VpnService API but can't access the kernel's
IPsec stack via Netlink/XFRM).

> instead of originating from the WAN IP. No reply of course.  My routes

Are ESP packets sent?  If yes, are any returned?  If not, then this
seems to be an issue on the other end.  So try to follow the traffic there.

> root at DD-WRT:~# ip route

Again, strongSwan installs its routes in table 220, that is, use `ip
route show table 220` (or `all`).

Regards,
Tobias
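The checks Tobias walks through (is the kernel's Netlink/XFRM interface usable, what is in routing table 220, are ESP packets sent and answered) as a small POSIX shell triage script. This is an added example, not code from the thread or from strongSwan; it assumes a Linux host with iproute2, awk and tcpdump, and the addresses and interface name it uses are constructed placeholders.

```shell
#!/bin/sh
# Added triage helper for the checks discussed in the thread (not part of
# the thread or of strongSwan). Assumes a Linux host with iproute2 and awk;
# tcpdump is only needed for the live capture step.

# Can we talk to the kernel IPsec stack via Netlink/XFRM at all?  Without
# the xfrm_user module (or a built-in XFRM netlink interface) this fails,
# which is what the kernel-netlink plugin trips over.
xfrm_usable() {
    ip xfrm state >/dev/null 2>&1
}

# strongSwan puts its routes into table 220; plain `ip route` shows nothing.
strongswan_routes() {
    ip route show table 220
}

# Classify ESP packets in `tcpdump -n` text read from stdin as sent or
# received, relative to the local endpoint address given as $1 (the WAN IP).
count_esp() {
    awk -v me="$1" '
        /ESP\(/ { if ($3 == me) out++; else inb++ }
        END     { printf "out=%d in=%d\n", out + 0, inb + 0 }'
}

# Live variant: capture ESP on the WAN interface ($1) for 10 seconds and
# classify it relative to the WAN IP ($2).
live_esp_count() {
    timeout 10 tcpdump -n -i "$1" esp 2>/dev/null | count_esp "$2"
}

# Constructed sample capture (RFC 5737 addresses) for the offline demo.
SAMPLE_CAPTURE=$(cat <<'EOF'
12:00:00.000001 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc1a2b3c4,seq=0x1), length 132
12:00:00.000002 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc1a2b3c4,seq=0x2), length 132
12:00:00.000003 IP 198.51.100.20 > 203.0.113.10: ESP(spi=0xd4e5f607,seq=0x1), length 132
12:00:00.000004 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: child_sa  inf2
EOF
)

# Prints "out=2 in=1": ESP leaves and comes back, so the SA itself works and
# the problem is local routing/policy.  out>0 with in=0 points at the far
# end or the path in between, which is where to follow the traffic next.
printf '%s\n' "$SAMPLE_CAPTURE" | count_esp 203.0.113.10
```

On the router itself, run `xfrm_usable && echo ok`, `strongswan_routes` and `live_esp_count <wan-if> <wan-ip>` in that order; the first one failing is the missing xfrm_user module, independent of the other two.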
