Re: [strongSwan] auto=route, but packet can't trigger a acquire to negotiate a ipsec tunnel

2018-05-25 Thread Tobias Brunner
Hi,
> I configured an ikev2, net-to-net, psk, I can use "ipsec up" command
> to establish tunnel, but it can't be established by a coming traffic, of
> course, the traffic can match the rule.
The kernel-libipsec plugin does currently not support trap policies. So disable that plugin and use

Re: [strongSwan] ipsec statusall: missing number of packets output

2018-05-25 Thread Tobias Brunner
Hi Marco,
> thanks for the explanation. Indeed that policy was problematic:
> packets were going out, but not vice versa.
Sounds strange, policies should not just disappear.
> is it enough knl = 3 ?
Set it to 2, with 3 your log will only fill up with binary dumps of kernel messages.
Regards,

Re: [strongSwan] ipsec statusall: missing number of packets output

2018-05-25 Thread Tobias Brunner
>> is it enough knl = 3 ?
>
> Set it to 2, with 3 your log will only fill up with binary dumps of
> kernel messages.
You can also use the log settings at [1] so we see a bit more about what's going on.
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

Re: [strongSwan] Removing peer client in pluo quick_inI1_outR1_tail()

2018-05-25 Thread Gaurav Vajpeyi
Hey. I am facing same error. How can I fix that
find_client_connection starting with sjc1-sbsa-prod
| looking for 216.109.156.220/32:0/0 -> 196.8.87.17/32:0/0
| concrete checking against sr#0

[strongSwan] auto=route, but packet can't trigger a acquire to negotiate a ipsec tunnel

2018-05-25 Thread 陆晓萍
hello all: My ipsec tunnel can't be established by a traffic. I configured an ikev2, net-to-net, psk, I can use "ipsec up" command to establish tunnel, but it can't be established by a coming traffic, of course, the traffic can match the rule. the network: --

Re: [strongSwan] ipsec statusall: missing number of packets output

2018-05-25 Thread Marco Berizzi
Hi Tobias,
> The number of packets is printed if a last use time can be determined
> via the respective policy.
thanks for the explanation. Indeed that policy was problematic: packets were going out, but not vice versa. After an "ipsec down child_sa" and "ipsec up child_sa" traffic was full

Re: [strongSwan] Forcing all traffic from a specific user to use Strongswan

2018-05-25 Thread Phil Frost
To check your routing tables, you can use `ip route get SOME_IP_ADDRESS`. You can also inspect the routing tables with `ip route`. One non-obvious thing is strongswan may install an additional route table. You can see all the tables that exist with `ip rule`. The one strongswan makes is called

[strongSwan] Re: auto=route, but packet can't trigger a acquire to negotiate a ipsec tunnel

2018-05-25 Thread 陆晓萍
thanks for your response. I install strongswan on centos7.2, does it can't support kernel-ipsec? I run './configure . --enable-kernel-ipsec' it shown warning, can't find kernel-ipsec, how can I do?
陆晓萍
Email: piaoliug...@163.com
On 2018-05-25 at 20:03, Tobias Brunner wrote:
Hi,
>