Hi All,

I think I've figured this one out. I had to set ip_forward in the namespace:

    ip netns exec net1 sysctl -w net.ipv4.ip_forward=1

Now I can see the packet come out of the net1_veth0.23 if.

Tx.

Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
#1-1815 Meyerside Drive
Mississauga, Ontario L5T 1G3
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax: +1-289-401-5206
Email: makarandprad...@is5com.com
Website: www.iS5Com.com

Confidentiality Notice: This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure unless properly encrypted.

-----Original Message-----
From: Users <users-boun...@lists.strongswan.org> On Behalf Of Makarand Pradhan
Sent: May 9, 2019 3:32 PM
To: users@lists.strongswan.org
Subject: [strongSwan] Strongswan, Netns and routing configuration question

Hello All,

I am running strongswan in a netns. My ipsec tunnel is established. I can ping the 2 sides. All the same, I cannot ping any other devices on the subnet. Would highly appreciate any help.

The setup is described below in detail:

    PC 10.10.24.1/24
      <-LAN->
    Pi: 10.10.24.3/24 (eth0), 80.0.0.3/24 (eth1)
      <- strongswan ipsec tunnel ->
    netns net1: 80.0.0.2/24 (net1_veth0.80), 10.10.23.2 (net1_veth0.23)
      <-LAN->
    10.10.23.4

I am now trying to ping 10.10.23.4 from 10.10.24.1. On 10.10.24.1, the routing table has 10.10.23.0/24 via gateway 10.10.24.3:

    10.10.23.0/24 via 10.10.24.3 dev eth1

I see the ESP packets come into net1_veth0.80:
    13:49:28.620355 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 156)
        80.0.0.3 > 80.0.0.2: ESP(spi=0xcd75daf6,seq=0x12), length 136

The decrypted packet is seen on net1_veth0.80:

    13:49:28.620490 IP (tos 0x0, ttl 63, id 2164, offset 0, flags [DF], proto ICMP (1), length 84)
        10.10.24.1 > 10.10.23.4: ICMP echo request, id 375, seq 18, length 64

The packet does not come out on the net1_veth0.23 interface.

The routing table in the network namespace is as follows:

    sh-4.3# ip netns exec net1 ip ro
    10.10.23.0/24 dev net1_veth0.23 proto kernel scope link src 10.10.23.2
    80.0.0.0/24 dev net1_veth0.80 proto kernel scope link src 80.0.0.2

ip_forward is set:

    sh-4.3# cat /proc/sys/net/ipv4/ip_forward
    1

Also forwarding is set on all the veth interfaces, e.g.:

    sh-4.3# cat /proc/sys/net/ipv4/conf/veth0/forwarding
    1
    sh-4.3# cat /proc/sys/net/ipv4/conf/veth0.80/forwarding
    1

I am probably missing something in my routing config. This is probably more of a routing question. Thanks for taking the time to read the question.

With Rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
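The fix in the reply works because net.ipv4.ip_forward is scoped per network namespace: a "1" read from /proc/sys on the host says nothing about what net1 will do with a decrypted packet. As an added example, not code from the thread or from strongSwan, here is a small Python check that replays the diagnosis offline: it takes the namespace's `ip route` output (the table posted above, embedded as a constructed sample) and the namespace-scoped ip_forward value, does a longest-prefix route lookup for the destination, and reports what would stop forwarding. The `netns_read` helper and the namespace name `net1` are assumptions; the live path at the bottom needs root and an existing namespace.

```python
import ipaddress
import subprocess

# Constructed sample: the `ip route` output of the net1 namespace as posted in the thread.
NET1_ROUTES = """\
10.10.23.0/24 dev net1_veth0.23 proto kernel scope link src 10.10.23.2
80.0.0.0/24 dev net1_veth0.80 proto kernel scope link src 80.0.0.2
"""


def parse_routes(ip_route_output):
    """Turn `ip route` lines into (network, output device) pairs; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in ip_route_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes


def lookup(routes, dst_ip):
    """Longest-prefix match: the device the namespace would send dst_ip out of, or None."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def diagnose(netns, ns_ip_forward, ip_route_output, dst_ip):
    """Return the reasons a decrypted packet for dst_ip would not be forwarded by the namespace."""
    problems = []
    if lookup(parse_routes(ip_route_output), dst_ip) is None:
        problems.append(f"{netns}: no route to {dst_ip}")
    if ns_ip_forward.strip() != "1":  # must be read INSIDE the namespace, not on the host
        problems.append(f"{netns}: net.ipv4.ip_forward is {ns_ip_forward.strip()}; "
                        f"fix: ip netns exec {netns} sysctl -w net.ipv4.ip_forward=1")
    return problems


def netns_read(netns, argv):
    """Run a command inside a namespace and return its output (assumed helper; needs root)."""
    return subprocess.check_output(["ip", "netns", "exec", netns, *argv], text=True)


if __name__ == "__main__":
    ns = "net1"  # assumed namespace name, as in the thread
    fwd = netns_read(ns, ["cat", "/proc/sys/net/ipv4/ip_forward"])
    routes = netns_read(ns, ["ip", "route"])
    print("\n".join(diagnose(ns, fwd, routes, "10.10.23.4")) or "forwarding looks fine")
```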