[Swan] ipsec SA's up, no traffic routed?

Paul Wouters paul at nohats.ca
Tue May 10 15:45:12 UTC 2016


On Tue, 10 May 2016, Frank wrote:

> I'm trying to set up an IPsec connection from a recent CentOS 7 box to a pfSense with strongSwan (charon), as a test before connecting to a remote Cisco ASA.
> SAs seem up.
>
> I can't get traffic to the other side (host on 192.168.211.2 or .12):
>
> 192.168.1.0/24===xxx.xxx.39.68<xxx.xxx.39.68>...yyy.yyy.13.34<yyy.yyy.13.34>===192.168.211.0/24
>
> ping 192.168.211.2
> PING 192.168.211.2 (192.168.211.2) 56(84) bytes of data.
> From xxx.xxx.39.68 icmp_seq=1 Destination Host Unreachable

Oddly, this used your public IP as the source instead of the one you
specified with leftsourceip=192.168.1.2

Does ping -I 192.168.1.2 192.168.211.2 work?

> ip route:
> default via xxx.xxx.39.78 dev eth4
> 192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2
> 192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.2
> 192.168.3.0/24 dev eth3  proto kernel  scope link  src 192.168.3.2
> 192.168.211.0/24 dev eth4  scope link  src 192.168.1.2

It's there, so why is ping using the wrong source IP?

Paul
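The check behind Paul's question, as an added example that is not part of the thread: a minimal longest-prefix lookup over the `ip route` lines Frank posted, which reports the source address the table says the kernel should pick for 192.168.211.2 and compares it with the address ping actually reported. A packet sourced from the public address does not fall inside the 192.168.1.0/24 selector of the IPsec policy, so it is never handled by the SA; that is why the source address matters. The masked public address xxx.xxx.39.68 is replaced with the constructed stand-in 203.0.113.68 (and the gateway with 203.0.113.78), and the per-interface primary addresses in `IFACE_ADDRS` are assumed, since the thread does not show `ip addr`. On a live box, `ip route get 192.168.211.2` gives the kernel's own answer.

```python
"""Expected vs. observed source address for a destination, from `ip route` output.

Added example, not code from the mailing-list thread. Routes are the ones quoted
in the thread; the public address is a constructed stand-in (203.0.113.0/24 is a
documentation range).
"""
import ipaddress
import re

# Routing table as quoted in the thread, with the masked public gateway replaced
# by a constructed stand-in address.
ROUTES_TEXT = """\
default via 203.0.113.78 dev eth4
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2
192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.2
192.168.3.0/24 dev eth3  proto kernel  scope link  src 192.168.3.2
192.168.211.0/24 dev eth4  scope link  src 192.168.1.2
"""

# Assumed primary address per interface; the kernel falls back to this when a
# route carries no explicit `src` (as the default route above does).
IFACE_ADDRS = {
    "eth1": "192.168.1.2",
    "eth2": "192.168.2.2",
    "eth3": "192.168.3.2",
    "eth4": "203.0.113.68",  # constructed stand-in for xxx.xxx.39.68
}

# The ping line from the thread, with the same stand-in address.
PING_LINE = "From 203.0.113.68 icmp_seq=1 Destination Host Unreachable"


def parse_routes(text):
    """Turn `ip route` lines into dicts with dst network (None = default), dev, src."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = None if fields[0] == "default" else ipaddress.ip_network(fields[0], strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        src = fields[fields.index("src") + 1] if "src" in fields else None
        routes.append({"dst": dst, "dev": dev, "src": src})
    return routes


def lookup(routes, dst, iface_addrs):
    """Longest-prefix match; returns {"dev", "src"} or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if r["dst"] is None:
            plen = -1  # default route loses to any explicit prefix
        elif addr in r["dst"]:
            plen = r["dst"].prefixlen
        else:
            continue
        if best is None or plen > best[0]:
            best = (plen, r)
    if best is None:
        return None
    r = best[1]
    return {"dev": r["dev"], "src": r["src"] or iface_addrs.get(r["dev"])}


# Matches both the error form ("From A.B.C.D icmp_seq=...") and the reply form
# ("64 bytes from A.B.C.D: ...") that ping prints.
PING_SRC = re.compile(r"^(?:\d+ bytes from|From) (\d+\.\d+\.\d+\.\d+)")


def source_from_ping(line):
    """Return the address ping reports after 'From'/'from', or None."""
    m = PING_SRC.match(line.strip())
    return m.group(1) if m else None


def check_source(ping_line, dst, routes_text=ROUTES_TEXT, iface_addrs=IFACE_ADDRS):
    """Compare the route table's expected source with what ping showed."""
    expected = lookup(parse_routes(routes_text), dst, iface_addrs)
    observed = source_from_ping(ping_line)
    return {
        "expected_dev": expected["dev"] if expected else None,
        "expected_src": expected["src"] if expected else None,
        "observed_src": observed,
        "match": expected is not None and observed == expected["src"],
    }


if __name__ == "__main__":
    result = check_source(PING_LINE, "192.168.211.2")
    for k, v in result.items():
        print(f"{k}: {v}")
```

With the thread's table the lookup picks the 192.168.211.0/24 route on eth4 with src 192.168.1.2, while the ping line shows 203.0.113.68, so `match` is False; that mismatch is exactly what the reply flags, and the `ping -I 192.168.1.2` test forces the address the route already names.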
