Strongswan tunnel is up but can't ping remote

SpaHuang · May 24, 2022, 8:35am

Hi, openwrt
I use openwrt 21.0.3 strongswan connect to remote with side to side, the tunnel is up ,but local can't ping remote,can anyone help me? Thanks.

ppmm · May 24, 2022, 12:38pm

Need the output of these commands. It's probably that your iptables nat changes the ips of packet and causes the packets to be missed from the xfrm policies.

ipsec statusall
ip rule
ip -4 ro sh table all
ip xfrm policy
iptables-save -t nat

SpaHuang · May 25, 2022, 12:35am

企业微信截图_53e4d4b3-8afc-47d7-a384-84eefca40f02

SpaHuang · May 25, 2022, 12:37am

企业微信截图_d5b898c5-4774-4ad6-afcd-f51ba261b2a8

SpaHuang · May 25, 2022, 12:51am

SpaHuang · May 25, 2022, 12:51am

SpaHuang · May 25, 2022, 12:52am

SpaHuang · May 25, 2022, 12:57am

root@OpenWrt:~# ip route show table 220

10.100.162.0/24 via 10.0.10.254 dev eth0.2 proto static src 192.168.49.1

seems normal？

ppmm · May 25, 2022, 2:27am

Pick one of these and your problem should be resolved.
Do the same on remote end if it's behind NAT just reverse the src/dst.
To understand why this is needed look at the packet flow

iptables -t nat -I POSTROUTING          -s 192.168.49/24 -d 10.100.162/24 -j ACCEPT
iptables -t nat -I postrouting_rule     -s 192.168.49/24 -d 10.100.162/24 -j ACCEPT
iptables -t nat -I postrouting_wan_rule -s 192.168.49/24 -d 10.100.162/24 -j ACCEPT

SpaHuang · May 25, 2022, 7:15am

It's works,Thanks for you help.

tmomas · May 25, 2022, 10:14am

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.