StrongSwan+FreeBSD 10.2+FreeBSD 11+enc0 does not work

Max Id maxidlabs at gmail.com
Mon Jan 25 00:15:11 UTC 2016


Good day,
I've set up a FreeBSD-based VPN server using the StrongSwan daemon (IKEv2).

I can connect to this VPN server from a Windows 8.1 box or a BlackBerry
Passport (IKEv2); everything works perfectly, and I have access to both the
Internet behind the VPN server and the VPN server's resources, such as DLNA.

Now I am trying to set up a FreeBSD-based client using the StrongSwan daemon as
well, but the tunnel does not seem to be working.

Setup:

Client (releng/10.2, bfe0 192.168.1.132, enc0)
Server (current/11, em0 192.168.11.1, em1 96.200.XX.XX, enc0)
The firewalls on both boxes are 100% disabled (pfctl -d), so they do not
interfere.
I set up IKEv2 authentication based on certificates, similarly to the
Windows and BlackBerry clients.
The server is configured to assign VPN clients virtual addresses from the
pool 10.0.11.0/28.

I then bring up the VPN client on the client box. A new interface, tun0, is
created and assigned the address 10.0.11.1, which is perfectly correct.
The StrongSwan daemons on both boxes say the VPN SA connection is successfully
established.
The command netstat -rn on the server shows a new entry for 10.0.11.1,
which is also correct (the same was true for BlackBerry and Windows).
I perform a few tests to check whether the tunnel is actually working. All the
tests are performed on the enc0 interface, which should inherit all IPsec
traffic. The sysctl parameters for the enc0 interface are set according to the
manual, to peel off the outer UDP packet header.

Test 1. I run the following command on the client:
ping 192.168.11.1, which should ping the server's internal interface.
tcpdump -i enc0 on the client shows a non-decapsulated ICMP request followed by
a decapsulated ICMP request.
tcpdump -i enc0 on the server shows a non-decapsulated ICMP request only.
Replies are not shown.

Test 2. I run the following command on the server:
ping 10.0.11.1, which should ping the client's virtual VPN address.
tcpdump -i enc0 on the client shows a non-decapsulated ICMP request, a
non-decapsulated ICMP reply and also a decapsulated ICMP reply.
tcpdump -i enc0 on the server shows a non-decapsulated ICMP request, a
non-decapsulated ICMP reply and also a decapsulated ICMP request.

In any case, on either box, the ping utility reports 100% packet loss.

I am wondering whether it is a bug in the kernel, or in StrongSwan, or a wrong
setup. It seems like there are some problems with decapsulation, because in
most cases I do not see the decapsulated packet.

Any response will be really appreciated.

Thanks, Max.
