[strongSwan] StrongSwan w/ multiple local subnets.

Tobias Brunner tobias at strongswan.org
Tue Jun 30 10:41:34 CEST 2020


Hi Tom,

> What I meant to say, is that would confirm all proper kernel modules 
> were already in place to allow the communication would it not?  Anything 
> else I could try to, in the least, confirm if the packet was 
> successfully forwarded to the Azure VPN Gateway end?
> 
> I know the packet arrives at the IPSec ipsec0 interface however, 
> checking just now, I don't see any traffic change on the WAN interface 
> of the on-prem StrongSwan VPN GW.

As explained in previous emails, with kernel-libipsec you are not using
any of the IPsec-related kernel modules.  IPsec processing happens in
userland via the ipsec0 TUN device (see [1] for more on this plugin).
rp_filter could be an issue when using it.

To check traffic, use packet counters (strongSwan's status output,
firewall etc.) or traffic captures on the respective hosts to see if
e.g. ESP packets are exchanged.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec
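
The rp_filter hint in the message above, as an added example that is not part of the original message or of strongSwan's tooling: a shell script that reports the effective reverse-path filter mode per interface, using the kernel's documented rule that the higher of conf/all and conf/<interface> applies. CONF_ROOT and the function names are assumptions made here so the check can be pointed at a test tree.

```shell
#!/bin/sh
# Added example: report the effective rp_filter mode for each interface.
# Per the kernel's ip-sysctl documentation, source validation on an interface
# uses max(conf/all/rp_filter, conf/<iface>/rp_filter).
# CONF_ROOT is an assumed override (not a strongSwan or kernel setting).
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print the effective rp_filter value (0, 1 or 2) for interface $1.
# Unreadable or missing files are treated as 0.
effective_rp_filter() {
    v_all=$(cat "$CONF_ROOT/all/rp_filter" 2>/dev/null || echo 0)
    v_if=$(cat "$CONF_ROOT/$1/rp_filter" 2>/dev/null || echo 0)
    if [ "$v_all" -gt "$v_if" ]; then echo "$v_all"; else echo "$v_if"; fi
}

# Print "<iface> <value> <mode>" for every real interface, one per line.
rp_filter_report() {
    for dir in "$CONF_ROOT"/*/; do
        [ -f "${dir}rp_filter" ] || continue
        name=$(basename "$dir")
        # "all" and "default" are templates, not interfaces.
        case "$name" in all|default) continue ;; esac
        val=$(effective_rp_filter "$name")
        case "$val" in
            0) mode=off ;;
            1) mode=strict ;;
            2) mode=loose ;;
            *) mode=unknown ;;
        esac
        echo "$name $val $mode"
    done
}

# Exit status 0 if interface $1 is in strict mode (value 1).
is_strict() { [ "$(effective_rp_filter "$1")" -eq 1 ]; }

# Report on the running host; look at the ipsec0 and WAN interface lines.
rp_filter_report
```

An interface reported as strict is the one to compare against drop counters and captures when packets reach ipsec0 but nothing leaves the WAN side.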

