Hi Tom, > ipsec0 receives the packet from the ping request but nothing comes back:
Is there any particular reason you are using the kernel-libipsec plugin (see [1])? You might want to try just using kernel-netlink. > Jun 19 19:57:07 10[KNL] error installing route with policy 10.3.0.0/24 > === 10.10.0.0/24 out > Jun 19 19:57:07 10[IKE] unable to install IPsec policies (SPD) in kernel > Jun 19 19:57:07 10[IKE] failed to establish CHILD_SA, keeping IKE_SA The kernel-libipsec plugin currently requires an IP address in the local traffic selector to install a route, otherwise you get that error. > Of interest, are these messages: > > charon: 10[ESP] no matching outbound IPsec policy for 100.100.100.100 == > 10.10.0.4 On obvious result from the above errors to install the policies. Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec
