Hi Saravanan,

> I have established a VPN tunnel between GW and VPN server using
> Strongswan.

Is the tunnel between those two hosts intended as a host-host tunnel or as a host-net tunnel? What did you configure for left|rightsubnet? If your SPD entries are any indication it seems you configured rightsubnet=0.0.0.0/0 on GW. That is, you end up with this outbound IPsec policy:

> 50.1.1.239[any] 0.0.0.0/0[any] any
> out prio high + 1073739901 ipsec
> ...

Which means that any packet leaving the host with a source address of 50.1.1.239 will be sent into this tunnel.

Now you'd assume that this won't apply for a ping sent from 172.31.114.230 to 172.31.114.231, but if you are using IKEv2 a source route is installed which will force 50.1.1.239 as source for any packets sent from GW (i.e. also for the ICMP replies). This route is installed in routing table 220 by default (which is created with a priority of 220). The table and/or priority can be changed with the charon.routing_table and charon.routing_table_prio strongswan.conf options, respectively (or with the respective ./configure arguments). To prevent the daemon from installing these routes altogether you can set charon.install_routes=no in strongswan.conf.

Regards,
Tobias

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
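The interaction Tobias describes (the strongSwan source route in table 220 rewriting the reply's source address, which then makes the 0.0.0.0/0 outbound policy match) can be checked offline against captured `ip route show table 220` and `setkey -DP` output. The script below is an added example and not part of the mailing list thread; the route table and SPD samples are constructed to mirror the addresses quoted above, and the gateway (50.1.1.1), interface (eth0) and VPN server address (203.0.113.1) are assumptions.

```sh
#!/bin/sh
# Added example: does strongSwan's table-220 source route steer a reply
# into the IPsec tunnel? Not code from the thread or from strongSwan.

# Constructed sample of `ip route show table 220` on GW after IKEv2 brought
# the tunnel up (gateway and interface are assumptions).
ROUTES_220='default via 50.1.1.1 dev eth0 proto static src 50.1.1.239'

# Same table when charon.install_routes=no is set: strongSwan installs nothing.
ROUTES_220_NO_INSTALL=''

# Constructed sample of `setkey -DP` matching the SPD entry quoted in the
# thread (VPN server address 203.0.113.1 is an assumption).
SPD='50.1.1.239[any] 0.0.0.0/0[any] any
	out prio high + 1073739901 ipsec
	esp/tunnel/50.1.1.239-203.0.113.1/unique:1
0.0.0.0/0[any] 50.1.1.239[any] any
	in prio high + 1073739901 ipsec
	esp/tunnel/203.0.113.1-50.1.1.239/unique:1'

# Usage: forced_src "<ip route show table 220 output>"
# Prints the 'src' hint of the default route in that table, or nothing.
forced_src() {
  printf '%s\n' "$1" | awk '
    $1 == "default" { for (i = 1; i < NF; i++) if ($i == "src") print $(i + 1) }'
}

# Usage: outbound_policy_matches <address> "<setkey -DP output>"
# Succeeds if an outbound SPD entry selects on that exact source address.
outbound_policy_matches() {
  printf '%s\n' "$2" | awk -v want="$1" '
    /\[any\]/ { split($1, sel, "["); src = sel[1] }     # selector line: src[any] dst[any]
    $1 == "out" && src == want { found = 1 }           # direction line of that selector
    END { exit found ? 0 : 1 }'
}

# Usage: reply_path <natural reply source> "<table 220 output>" "<SPD output>"
# Prints "tunnel" if the reply would be sent into the IPsec tunnel, "plain"
# otherwise. The source route overrides the interface address the kernel
# would otherwise pick, which is exactly what bites the LAN ping.
reply_path() {
  src=$(forced_src "$2")
  [ -n "$src" ] || src=$1
  if outbound_policy_matches "$src" "$3"; then
    echo tunnel
  else
    echo plain
  fi
}

# Stand-alone run: show both situations for an ICMP reply from 172.31.114.230.
main() {
  printf 'with table-220 source route:   %s\n' "$(reply_path 172.31.114.230 "$ROUTES_220" "$SPD")"
  printf 'with install_routes=no:        %s\n' "$(reply_path 172.31.114.230 "$ROUTES_220_NO_INSTALL" "$SPD")"
  echo 'fix options from the thread: charon.install_routes=no, or a narrower rightsubnet'
}
[ "${0##*/}" = "reply_path.sh" ] && main
```

Run it on a live GW by replacing the two sample strings with `"$(ip route show table 220)"` and `"$(setkey -DP)"`; a result of `tunnel` for a reply address on the LAN side confirms the source-route interaction rather than a genuine policy match on the LAN addresses.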
