Issue #3687

Strongswan ipsec do not forward package to host

Added by Jimmy Zhang 12 months ago. Updated 12 months ago.

network / firewall
Affected version:



We have setup a VPN site to site IPSec tunnel between Juniper vSRX and Strongswan. We can see tunnel is up. However, we can't ping from the from host within source subnet to target host from the target subnet. Just wondering if I can get any help here?

Here is the Strongswan config:

[root@testfarm-uat-vpn ~]# swanctl -l
gw-gw: #2, ESTABLISHED, IKEv2, 00c43d5f587f83a5_i 910c55aafc68da88_r*
  local  '' @[4500]
  remote '' @[4500]
  established 1866s ago, reauth in 81879s
  net-net: #3, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256/ECP_384
    installed 1848s ago, rekeying in 1481s, expires in 2112s
    in  c5ff6625,  27337 bytes,   330 packets,    85s ago
    out 6747d190,   3725 bytes,    16 packets,   937s ago
[root@testfarm-uat-vpn ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[[root@testfarm-uat-vpn ~]# ip route list table 220 via dev eth0 proto static src 
[root@testfarm-uat-vpn ~]# 

We opened all firewall from Juniper end. From tcpdump, we can see ping/ssh package from source IP reached to Strongswan, but the package does not reach to the target host.

Strongswan tcpdump:

[root@testfarm-uat-vpn conf.d]# sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[root@testfarm-uat-vpn conf.d]# tcpdump -vv -i eth0 host
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

18:00:47.768796 IP (tos 0x0, ttl 63, id 19381, offset 0, flags [DF], proto ICMP (1), length 84) > ICMP echo request, id 3504, seq 1, length 64
18:00:47.768871 IP (tos 0x0, ttl 62, id 19381, offset 0, flags [DF], proto ICMP (1), length 84) > ICMP echo request, id 3504, seq 1, length 64

tcpdump from target host is showing no package arrived.

[root@testfarm-uat-vpn conf.d]# cat swanctl.JimmyTest.conf 
connections {

   gw-gw {
      local_addrs  =
      remote_addrs =

      local {
         auth = psk
      remote {
         auth = psk
      children {
         net-net {
            local_ts  =
            remote_ts =
            rekey_time = 3600
            rekey_bytes = 500000000
            rekey_packets = 1000000
            esp_proposals = aes256gcm128-ecp384
      version = 2
      mobike = no
      reauth_time = 86400
      proposals = aes256-sha256-ecp384

secrets {
      secret = ***********


#1 Updated by Tobias Brunner 12 months ago

  • Description updated (diff)
  • Category set to network / firewall
  • Status changed from New to Feedback

As the packet counters show you, packets are exchanged. So the tunnel seems to work. Might be a forwarding/firewall/NAT issue somewhere on or beyond the two IPsec gateways.

#2 Updated by Jimmy Zhang 12 months ago

So how do we check if the forwording setup is correct on this Strongswan node?
We don't use NAT on this config yet.
Also as showing, firewall iptables on this node is accepted for all.

#3 Updated by Tobias Brunner 12 months ago

Maybe your routing is messed up or there is some other problem in your network (e.g. another firewall/router) or the target device itself blocks the traffic. I really don't know, you have to debug that yourself.

Also available in: Atom PDF