Strongswan with Palo Alto

Hello, I'm looking for an effective way to estabilish a VPN between Openwrt and Paloalto firewall. I tryed VPNC but got stuck with some performance issues so I started looking for another solution. I installed Strongswan, followed the tutorial provided by paloalto. That sort of worked, VPN was estabilshed and I can even SSH to openwrt using the internal IP given by paloalto. The problem is that I can't eve ping the router (openwrt) from the lan side of openwrtand not even ping anything from Openwrt itself. I wanted all the traffic from clients to be forwarded to the tunnel. Can I even achieve that using strongswan client-to-site?

Did you create a route to send traffic over the tunnel?

Not sure what you mean. As far as I understand strongswan/ipsec should create routes based on ipsec.conf. I'm still reading their documentation but as far as I understand the following should be enough:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         UG    0      0        0 eth2     *        U     0      0        0 eth2     *      UH    0      0        0 eth2   *        U     0      0        0 br-lan
root@OPENWRT-LAB:~# ip route list table 220
default via dev eth2  proto static  src 

Here is defined by paloalto when the session is estabilished, eth2 is wan, is the modem.

According to Strongswan:

On Linux, strongSwan installs routes into routing table 220 by default and hence requires the kernel to support policy
based routing.

You can make the daemon install the routes into any table you like, or you can disable it completely.
For those purposes, the charon.install_routes, charon.routing_table and charon.routing_table_prio settings
in strongswan.conf may be used. When a tunnel is established between two subnets, charon tries to find local IPs in the tunneled
local subnets. Such an IP must be configurd with scope global to be viable for the lookup. If a valid IP is found, charon will install
a route pointing to the remote subnet where the source IP is set to the found IP. This results in routes like the following: via src

In that example, the local IP would be The remote subnet would be
This is done so packets to the remote subnet are sent with the correct source IP, so the IPsec policies match and traffic
from the local machine to the remote subnet will be secured with IPsec.

Problem solved in [SOLVED] Strongswan Site-to-Site VPN
Closing this topic now upon OP's request.