[strongSwan] Roadwarrior unable to access LAN with local_ts = specified on the server

Glen Huang heyhgl at gmail.com
Tue Jan 5 04:52:25 CET 2021

I have a working LAN on 192.168.1.x, and an IKEv2 server on A roadwarrior is able to connect to it, and is correctly assigned a LAN IP, and the strongSwan server log says the TS pair is ===

However, what the roadwarrior can do is extremely limited:
1. It can successfully ping, but connecting to is immediately rejected, e.g., SSH to port 22 or a DNS request to port 53.
2. It can’t access other machines on the LAN.
3. It can’t access the internet.

LAN machines can access and the internet without issues.

I thought a local_ts = was going to make roadwarriors equal citizens with the machines on the LAN. I wonder what I missed? is both the gateway and the IKEv2 server, not sure if that matters.

Here is my swanctl.conf:

connections {
    main {
        version = 2
        pools = main
        proposals = aes128gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-x25519,aes256gcm16-prfsha384-ecp384,aes256gcm16-prfsha384-x25519,chacha20poly1305-prfsha384-x25519
        send_certreq = no
        childless = never
        local {
            auth = pubkey
        }
        remote {
            auth = pubkey
        }
        children {
            child {
                local_ts =
                esp_proposals = aes128gcm16-ecp256,aes128gcm16-x25519,aes256gcm16-ecp384,aes256gcm16-x25519,chacha20poly1305-x25519
                hw_offload = auto
            }
        }
    }
}

pools {
    main {
        addrs = -
        dns =
    }
}
