A quick update. I installed the farp plugin and now the arp is getting resolved. But still packets are not being pushed into the tunnel when I specify the icmp filter.
Please find below the logs:

sh-4.3# ipsec statusall m1
Status of IKE charon daemon (weakSwan 5.8.2, Linux 4.1.35-rt41, ppc64):
  uptime: 11 minutes, since Jan 29 06:17:58 2021
  malloc: sbrk 2297856, mmap 0, used 307440, free 1990416
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default farp stroke vici updown xauth-generic counters
Listening IP addresses:
  192.168.61.2
  192.168.62.2
  172.16.31.2
  172.16.32.2
  10.10.9.1
Connections:
          m1:  172.16.31.2...172.16.31.1  IKEv2, dpddelay=60s
          m1:   local:  [172.16.31.2] uses pre-shared key authentication
          m1:   remote: [172.16.31.1] uses pre-shared key authentication
          m1:   child:  10.10.9.0/24[icmp] 192.168.61.0/24 === 192.168.9.0/24[icmp] 192.168.51.0/24 TUNNEL, dpdaction=clear
Routed Connections:
       m1{1}:  ROUTED, TUNNEL, reqid 1
       m1{1}:   10.10.9.0/24[icmp] 192.168.61.0/24 === 192.168.9.0/24[icmp] 192.168.51.0/24
Security Associations (1 up, 0 connecting):
       m1[1]: ESTABLISHED 11 minutes ago, 172.16.31.2[172.16.31.2]...172.16.31.1[172.16.31.1]
       m1[1]: IKEv2 SPIs: 766231c8253bf352_i* 6be8de67ab04169d_r, pre-shared key reauthentication in 46 minutes
       m1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
       m1{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb85fce1_i c83b5361_o
       m1{3}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 107 minutes
       m1{3}:   10.10.9.0/24[icmp] 192.168.61.0/24 === 192.168.9.0/24[icmp] 192.168.51.0/24

06:30:48.324650 IP 10.10.9.32 > 192.168.9.31: ICMP echo request, id 4637, seq 318, length 64
06:30:49.364648 IP 10.10.9.32 > 192.168.9.31: ICMP echo request, id 4637, seq 319, length 64
06:30:50.404673 IP 10.10.9.32 > 192.168.9.31: ICMP echo request, id 4637, seq 320, length 64
06:30:51.444627 IP 10.10.9.32 > 192.168.9.31: ICMP echo request, id 4637, seq 321, length 64

No ESP for src 10.10.9.32 to 192.168.9.31 ICMP.

ip xfrm seems to be ok:

src 10.10.9.0/24 dst 192.168.9.0/24 proto icmp
        dir out priority 375167 ptype main
        tmpl src 172.16.31.2 dst 172.16.31.1
                proto esp spi 0xc83b5361 reqid 1 mode tunnel

Scenario 2: Permit ssh traffic on port 22.

ipsec.conf:
rightsubnet=192.168.9.0/24[/22],192.168.51.0/24
leftsubnet=10.10.9.0/24,192.168.61.0/24

Also, I see the same problem. ARP is resolved but packets are not pushed into the tunnel.

06:39:21.636521 ARP, Request who-has 192.168.9.31 (Broadcast) tell 192.168.61.1, length 46
06:39:21.637023 ARP, Reply 192.168.9.31 is-at e8:e8:75:90:3f:80 (oui Unknown), length 28
06:39:21.639116 IP 10.10.9.32.50550 > 192.168.9.31.ssh: Flags [S], seq 3400545033, win 64240, options [mss 1460,sackOK,TS val 2883004940 ecr 0,nop,wscale 7], length 0
06:39:34.712713 LLDP, length 121: iS5com
06:39:34.908298 IP 172.16.31.1.isakmp > 172.16.31.2.isakmp: isakmp: parent_sa inf2

I was wondering if the filtering functionality is broken? I'm running 5.8.2. Will upgrading to 5.9.1 fix this?

Any opinions would be appreciated.

Thanks.
Makarand.

-----Original Message-----
From: Users <users-boun...@lists.strongswan.org> On Behalf Of Makarand Pradhan
Sent: January 28, 2021 12:33 PM
To: users@lists.strongswan.org
Subject: [strongSwan] Subnet selector question

GM Everyone,

I am trying to selectively push icmp traffic into the tunnel. I am missing something, would appreciate any pointers.

Scenario:

(PC1 10.10.9.31/24) <---> 10.10.9.1 Router 172.16.31.1 <-Tunnel-> 172.16.31.2 Router 192.168.9.1 <---> (192.168.9.31 PC 2)

ipsec.conf: I'm permitting only icmp in []
rightsubnet=192.168.9.0/24[icmp],192.168.51.0/24
leftsubnet=10.10.9.0/24[icmp],192.168.61.0/24

Issue: Ping fails.
Tunnel status:

sh-4.3# ipsec status
Routed Connections:
       m1{1}:  ROUTED, TUNNEL, reqid 1
       m1{1}:   10.10.9.0/24[icmp] 192.168.61.0/24 === 192.168.9.0/24[icmp] 192.168.51.0/24
Security Associations (1 up, 0 connecting):
       m1[1]: ESTABLISHED 3 seconds ago, 172.16.31.2[172.16.31.2]...172.16.31.1[172.16.31.1]
       m1{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c7b29cc2_i ca9ed38c_o
       m1{2}:   10.10.9.0/24[icmp] 192.168.61.0/24 === 192.168.9.0/24[icmp] 192.168.51.0/24

I notice that the ARP request is not answered. When I do not specify icmp, everything works. I think strongswan responds to the ARP. Don't see it with icmp filter.

Thanks for looking.

Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr, Mississauga, Ontario L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax: +1-289-401-5206
Email: makarandprad...@is5com.com
Website: www.iS5Com.com
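The selector question in this thread (`[icmp]` on both subnets, then `[/22]` on the remote one) comes down to whether a packet's addresses, protocol and ports fall inside the child SA's traffic selectors, which is exactly what the kernel's outbound xfrm policy lookup decides. The Python below is an added example, not code from the thread or from strongSwan: it models the `subnet[proto/port]` syntax of leftsubnet/rightsubnet, expands a left/right pair into the outbound src/dst/proto policies one would expect `ip xfrm policy` to show, and checks the packets seen in the captures above against them. It is a deliberately simplified model (no IKEv2 selector narrowing, no ICMP type/code encoding in the port field, `%any` treated as a wildcard), and the packet tuples are constructed from the tcpdump lines.

```python
"""Added example: match packets against strongSwan-style traffic selectors.

Simplified model of the 'subnet[proto/port]' selector syntax used in
leftsubnet/rightsubnet. Not strongSwan code; it ignores IKEv2 narrowing and
ICMP type/code encoding in the port field.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "icmpv6": 58}
PROTO_NAMES = {v: k for k, v in PROTO_NUMBERS.items()}

# subnet, optionally followed by [proto], [proto/port] or [/port]
SELECTOR_RE = re.compile(
    r"^(?P<net>[^\[\s]+)(?:\[(?P<proto>[^/\]]*)(?:/(?P<port>[^\]]*))?\])?$")


@dataclass(frozen=True)
class Selector:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    proto: Optional[int]  # None means any protocol
    port: Optional[int]   # None means any port

    @classmethod
    def parse(cls, text: str) -> Selector:
        m = SELECTOR_RE.match(text.strip())
        if not m:
            raise ValueError(f"bad selector: {text!r}")
        network = ipaddress.ip_network(m.group("net"), strict=False)
        proto_txt = (m.group("proto") or "").strip().lower()
        port_txt = (m.group("port") or "").strip().lower()
        proto = None
        if proto_txt and proto_txt != "%any":
            # accept a name from the table or a raw protocol number such as [50]
            proto = PROTO_NUMBERS.get(proto_txt)
            if proto is None:
                proto = int(proto_txt)
        port = None
        if port_txt and port_txt != "%any":
            port = int(port_txt)
        return cls(network, proto, port)

    def matches(self, addr: str, proto: int, port: Optional[int]) -> bool:
        if ipaddress.ip_address(addr) not in self.network:
            return False
        if self.proto is not None and proto != self.proto:
            return False
        if self.port is not None and port != self.port:
            return False
        return True


@dataclass(frozen=True)
class ChildPolicy:
    """Traffic selectors of one child SA: local (left) and remote (right)."""
    local: tuple[Selector, ...]
    remote: tuple[Selector, ...]

    @classmethod
    def from_conf(cls, leftsubnet: str, rightsubnet: str) -> ChildPolicy:
        return cls(tuple(Selector.parse(s) for s in leftsubnet.split(",")),
                   tuple(Selector.parse(s) for s in rightsubnet.split(",")))

    def outbound_policies(self) -> list[tuple[Selector, Selector, Optional[int]]]:
        """Cross product of local x remote selectors, the way the kernel gets them.
        A pair whose two sides name different protocols can never match a packet."""
        out = []
        for loc in self.local:
            for rem in self.remote:
                if loc.proto is not None and rem.proto is not None and loc.proto != rem.proto:
                    continue
                out.append((loc, rem, loc.proto if loc.proto is not None else rem.proto))
        return out

    def describe_outbound(self) -> list[str]:
        """Render the policies in 'ip xfrm policy' style for comparison with the host."""
        lines = []
        for loc, rem, proto in self.outbound_policies():
            line = f"src {loc.network} dst {rem.network}"
            if proto is not None:
                line += f" proto {PROTO_NAMES.get(proto, proto)}"
            if loc.port is not None:
                line += f" sport {loc.port}"
            if rem.port is not None:
                line += f" dport {rem.port}"
            lines.append(line + " dir out")
        return lines

    def matches_outbound(self, src: str, dst: str, proto: int,
                         sport: Optional[int] = None, dport: Optional[int] = None) -> bool:
        """True if an outbound packet would be caught by some policy of this child SA."""
        return any(loc.matches(src, proto, sport) and rem.matches(dst, proto, dport)
                   for loc, rem, _ in self.outbound_policies())


if __name__ == "__main__":
    # Both scenarios from the thread; packets are constructed from the tcpdump lines.
    icmp_only = ChildPolicy.from_conf("10.10.9.0/24[icmp],192.168.61.0/24",
                                      "192.168.9.0/24[icmp],192.168.51.0/24")
    ssh_only = ChildPolicy.from_conf("10.10.9.0/24,192.168.61.0/24",
                                     "192.168.9.0/24[/22],192.168.51.0/24")
    print("\n".join(icmp_only.describe_outbound()))
    print(icmp_only.matches_outbound("10.10.9.32", "192.168.9.31", 1))           # echo request
    print(ssh_only.matches_outbound("10.10.9.32", "192.168.9.31", 6, 50550, 22))  # ssh SYN
    print(ssh_only.matches_outbound("10.10.9.32", "192.168.9.31", 6, 50550, 80))  # not port 22
```

The first line printed for the ICMP scenario reproduces the `src 10.10.9.0/24 dst 192.168.9.0/24 proto icmp dir out` policy quoted from `ip xfrm policy`, which confirms that the echo requests in the capture do fall inside the installed selector; when a matching policy exists and ESP still does not appear, the selector syntax itself can be ruled out and the remaining suspects are the kernel side (xfrm state, reqid, routing of the cleartext packet) rather than the configuration.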