
Thread: SUSE, Firewall, strongSwan: packet not using tunnel


  1. #1

    SUSE, Firewall, strongSwan: packet not using tunnel

    I am trying to set up a VPN tunnel between 2 sites, like this:

    remoteA -- vpnA --- Internet --- vpnB --- remoteB

    vpnA and vpnB have publicIP
    vpnA and remoteA have privateIP (1 subnet)

    Actually, I was able to get the tunnel up:
    net-net1[1]: ESTABLISHED 22 minutes ago, <vpnA publicIP>[xxx]...<vpnB publicIP>[yyy]
    net-net1[1]: IKE SPIs: e94a8711bfc6cfe0_i* 4f199ccf7cffb49b_r, pre-shared key reauthentication in 32 minutes
    net-net1[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    net-net1{1}: INSTALLED, TUNNEL, ESP SPIs: ca7f5d3d_i 27d80a67_o
    net-net1{1}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 31 minutes

    BUT when I try to ping remoteB from remoteA/vpnA, it FAILS, and based on my check
    using tcpdump at vpnA, the packet is not going through the tunnel; it may be using
    the default gateway instead (correct me if I am wrong, but I can't see any
    encryption notation, only ICMP messages).

    Unfortunately, I can't perform any test from the other side
    (vpnB and remoteB are handled by another party; they insist remoteB can be reached from vpnB).

    Anyway, I have checked everything related at site A:
    ipsec statusall
    ipsec listall
    ip -s xfrm policy
    ip -s xfrm state
    ip route list table 220
    iptables -L

    So far, all are consistent with the sample shown in
    and even the routing in 'ip route list table 220' does provide the route to remoteB, even though it is not defined in the static routes.

    What I did at vpnA:
    I did not define a default gateway (hence no routing for
    only a static route for the vpnB publicIP via the vpnA Internet GatewayIP
    (in the hope that routing to remoteB is not using the default gateway).

    Once the tunnel is up, the route for remoteB is added automatically, as in 'ip route list table 220':
    <remoteB subnet> via <vpnA Internet GatewayIP> dev eth0 proto static src <vpnA privateIP>

    However, I cannot ping remoteB successfully, and
    1) vpnB said no packet is seen in the log
    2) even the log/messages at vpnA show nothing related to charon or pluto activity

    Hence, I am kind of confused:
    Does the ping packet go through the tunnel or not?

    I tried to google around and read all related FAQs, but can't find any concrete answer.

    Hence, I am seeking the wisdom of this forum.

    Anyway, here is what I used at vpnA (in summary, to keep it short):
    SUSE Linux Enterprise Server 11 (x86_64)
    SuSEfirewall2 version 3.6 - privateIP intf set as DMZ, publicIP intf as External, masquerade enabled
    strongSwan U4.4.0 - using the example at

  2. #2

    Re: SUSE, Firewall, strongSwan: packet not using tunnel


    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.

    These forums are peer-to-peer, best effort and volunteer run, and if your issue
    is urgent or not getting a response, you might try one of the following options:

    - Visit and search the knowledgebase and/or check all
    the other support options available.
    - Open a service request:
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (

    Be sure to read the forum FAQ about what to expect in the way of responses:

    If this is a reply to a duplicate posting or otherwise posted in error, please
    ignore and accept our apologies, and rest assured we will issue a stern reprimand
    to our posting bot.

    Good luck!

    Your SUSE Forums Team

  3. #3

    Re: SUSE, Firewall, strongSwan: packet not using tunnel

    Is IP forwarding enabled on vpnA? i.e. what is the output of:
    # sysctl net.ipv4.ip_forward
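
The following is an added example, not part of the thread and not strongSwan's or SUSE's code. It bundles the checks a practitioner would run on a gateway like vpnA when the IKE and CHILD_SA show ESTABLISHED/INSTALLED but tcpdump still shows plain ICMP: the ip_forward question from the reply above, whether an outbound xfrm policy for the remote subnet exists (table 220 alone only steers the packet; the policy is what triggers encryption), whether a blanket MASQUERADE rule in the nat POSTROUTING chain rewrites the source before the xfrm lookup so the packet no longer matches the policy's selectors and leaves in the clear (a known interaction with SuSEfirewall2-style masquerading, fixed by exempting IPsec traffic with `-m policy --dir out --pol ipsec -j ACCEPT` ahead of the MASQUERADE rule), and whether a capture on the public interface actually contains ESP. Each function takes command output as its argument, so it runs offline against the constructed sample outputs at the bottom (all addresses are assumed RFC 5737/1918 values, not the poster's) and can equally be fed live output as shown in the header comment.

```shell
#!/bin/sh
# Added example (not from the thread, not strongSwan/SUSE code): offline checks
# for a route-based strongSwan tunnel that is INSTALLED but whose pings still
# leave eth0 as plain ICMP. Each function takes command output as its first
# argument, so on a live gateway you would call, for example:
#   check_forward "$(sysctl -n net.ipv4.ip_forward)"
#   check_policy  "$(ip xfrm policy)" 10.2.0.0/24
#   check_masq    "$(iptables -t nat -S POSTROUTING)" 10.2.0.0/24
#   check_capture "$(tcpdump -nni eth0 -c 20 'esp or icmp')"
# All addresses in the samples below are assumptions, not the poster's.

# 1. Forwarding: without it, packets from remoteA are dropped on the gateway
#    before the kernel ever consults the xfrm policy (pings from vpnA itself
#    would still work, pings from remoteA would not).
check_forward() {
    if [ "$1" = "1" ]; then echo ok; else echo "net.ipv4.ip_forward is $1 (should be 1)"; fi
}

# 2. xfrm policy: an outbound ("dir out") policy whose dst selector is the
#    remote subnet is what makes the kernel encrypt. The route in table 220
#    only picks the interface and source address. charon installs both.
check_policy() {
    printf '%s\n' "$1" | awk -v net="$2" '
        $1 == "src" && $3 == "dst" { dst = $4 }
        $1 == "dir" && $2 == "out" && dst == net { found = 1 }
        END { print (found ? "ok" : "no outbound xfrm policy with dst " net) }'
}

# 3. NAT: the nat POSTROUTING chain runs before the xfrm transformation. A
#    blanket MASQUERADE rewrites the source to the public IP, the packet no
#    longer matches the policy src selector and goes out unencrypted via the
#    default route. IPsec traffic must be exempted before the MASQUERADE rule:
#    iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
check_masq() {
    printf '%s\n' "$1" | awk -v net="$2" '
        !masq && /-j (ACCEPT|RETURN)/ && (/--pol ipsec/ || index($0, "-d " net)) { exempt = 1 }
        /-j MASQUERADE/ && !exempt { masq = 1 }
        END { print (masq ? "MASQUERADE precedes any IPsec exemption; source NAT will defeat the policy" : "ok") }'
}

# 4. Capture: a working tunnel shows ESP between the two public IPs on the
#    external interface, not ICMP towards the remote subnet.
check_capture() {
    printf '%s\n' "$1" | awk '
        / ESP\(/ { esp++ }
        / ICMP / { icmp++ }
        END { if (esp > 0) print "ok: " esp " ESP packets"; else print "no ESP seen, " (icmp + 0) " ICMP packets left in the clear" }'
}

# --- constructed sample outputs reproducing the failing state described above ---
SAMPLE_FORWARD=0
SAMPLE_POLICY='src 10.1.0.0/24 dst 10.2.0.0/24
        dir out priority 375423 ptype main
        tmpl src 203.0.113.10 dst 198.51.100.20
                proto esp reqid 1 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
        dir fwd priority 375423 ptype main
        tmpl src 198.51.100.20 dst 203.0.113.10
                proto esp reqid 1 mode tunnel'
SAMPLE_NAT_BAD='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'
SAMPLE_NAT_GOOD='-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'
# Note the source: the LAN host's address has already been masqueraded to the
# public IP, which is exactly why the packet misses the 10.1.0.0/24 selector.
SAMPLE_CAPTURE='12:00:01.000000 IP 203.0.113.10 > 10.2.0.5: ICMP echo request, id 1, seq 1, length 64
12:00:02.000000 IP 203.0.113.10 > 10.2.0.5: ICMP echo request, id 1, seq 2, length 64'

check_forward "$SAMPLE_FORWARD"
check_policy  "$SAMPLE_POLICY" 10.2.0.0/24
check_masq    "$SAMPLE_NAT_BAD"  10.2.0.0/24
check_masq    "$SAMPLE_NAT_GOOD" 10.2.0.0/24
check_capture "$SAMPLE_CAPTURE"
```

Run as-is it reports the sample state (forwarding off, policy present, MASQUERADE unexempted, no ESP in the capture); the policy check passing while the capture check fails is the signature of the NAT interaction rather than a missing SA.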

