Questions tagged as ['ipsec']

IPsec (Internet Protocol Security) is a protocol for securing IP communications by authenticating and encrypting each IP packet of a communication session.
Score: 0
Issues configuring strongSwan client on AWS instance for site-to-site VPN

I am trying to set up an IPsec VPN client on a Debian 10 AWS instance.

Unfortunately, I do not have access to the VPN server as it is configured by another party, so all I know is they told me it is configured for my my-aws-public-ip.

I am trying to use a Strongswan - Linux strongSwan U5.7.2/K4.19.0-16-cloud-amd64

Here is my conf file:

config setup
        uniqueids=no
        charondebug="all"

conn vpn
  ...
Score: 0
OpenSwan GW not routing VLAN traffic through tunnel

I do have a tunnel configured using OpenSwan on a side and libreswan on the other. The issue seems to be on the openswan side, where I do have 2 subnets, one for the main interface, the other is on a VLAN let's say: eth0 192.168.254.0/24 eth0.22 192.168.22.0/24 on the other side I do have eth' 192.168.78.0/24 tunnel on the two sides are configured properly.

conn standard_interface
   also=common_pa ...
Score: 0
I can't get my WireGuard tunnel to complete a handshake

I'm trying to set up a point-to-site WireGuard tunnel between two different points on two separate networks, but I have set up similar tunnels in similar situations, so I don't believe it has anything to do with the infrastructure between my tunnel's endpoints.

On one side I have a vm Windows Client with the following configuration

[Interface]
PrivateKey = iOoRnq+ngYGZFGpSqnRGgBsUvh9AVtWAXZGEw2Ir1FI= ...
Score: 0
Failure connecting Mikrotik to Strongswan using IPSec

hope you are doing well.

I am trying to connect a Mikrotik RB2011RM to Strongswan running on a cloud server. I cannot get past Phase 1.

I have searched through Google and found some great examples and still cannot figure out what the problem is. Right now I have an example from the Strongswan setup, with no luck still.

Hoping someone can help me figure out what I am doing wrong.

Here are the particulars:

 ...
Score: 0
IPSec Netgear BS200 and Linksys LRT214 - Can't reach devices

I have set up an IPsec site-to-site tunnel for the first time.
The tunnel is up and running from a Netgear BR200 and the Linksys LRT214 Router.
Network 1 has 192.168.100.x and the Network 2 has 192.168.1.x!

Linksys displays "connected" and in the Netgear router I see the green connection icon.

Now I try to open the routers webinterface from Network 2 on the Server (192.168.100.4) on Network 1.
After enter ...

Score: 0
Strongswan: {parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]} and {received NO_PROPOSAL_CHOSEN notify error}

I am getting the feeling that I have just done something very silly on my end but I have no idea what is going on. For context, I have been using wireguard for a bit and am much more knowledgeable than this. For a class, I have been told to make a site-to-site ipsec tunnel between two nodes with no instruction. I've been trying to read what I can to understand how this works, and search for people who ha ...

Score: 0
GCP Route in IPSec VPN between AWS TGW and GCP

I am setting up an IPSec VPN with BGP between AWS and GCP. On the AWS side, I am using TGW. It is an HA VPN with two Site-to-Site VPNs on the AWS side. There are 4 tunnels in total. As confirmed from both the AWS side and the GCP side, all 4 tunnels are "UP" and BGP is working in all 4 of them.

When I previously used Virtual-Private-Gateway on the AWS side to set up 4x HA IPSec VPN Tunnels to GCP, the rou ...

Score: 0
Strongswan VPN certificate authentication failed

I've installed strongswan vpn on my ubuntu server and set up certificate authentication. I've set up my android phone and it works fine. But the connection isn't established on the windows machine. I copied the ca-cert into the root CA store and the client certificate into the personal store. But I get error 13806 (wrong certificate). What am I doing wrong?

/etc/ipsec.conf

config setup
        # strictcrlpolicy=yes
        un ...
Score: 0
IPSec established but cannot ping remote LAN

I have successfully established IPSec in my OpenWrt router but I am unable to ping the remote subnet. Below are the related files

cat ipsec.conf

conn vpn3
  keyexchange=ikev2
  left=10.129.170.132
  right=103.44.119.90
  leftsubnet=192.168.18.0/24
  rightsubnet=192.168.100.0/24
  leftauth=psk
  rightauth=psk
  authby=secret
  auto=start
  dpdaction=restart
  dpddelay=30s
  dpdtimeout=150s
  keyingtrie ...
Score: 0
Traffic not tunneled/forwarded using StrongSwan

Description

I am new to strongswan and I would like to set up strongswan in a road warrior configuration.

My moon network is an AWS VPC with CIDR block 172.31.0.0/16 Inside that network, my VPN gateway is an EC2 instance located on a public subnet with a public IP X.X.X.X

On the moon network I have an HTTP server with IP 172.31.X.X listening for requests on port 80.

My carol host is also an EC2 instance located  ...

Score: 0
Site-to-Site VPN and Remote Access VPN with Strongswan

I've recently deployed a Strongswan IKEv2 Remote Access VPN in two different sites with two different ubuntu servers. It all works great, but now I want to "merge" the two sites with a site-to-site vpn, so that I can leave only one Remote Access VPN and access both subnets. The issue is how to do it? My idea was an IPSec Tunnel using strongswan between the two sites and static routing on both sites rout ...

Score: 0
How to link ipsec clients with different connections in StrongSwan?

I use strongswan ipsec as a VPN gateway for mobile devices (Android). In the StrongSwan config I've set up 2 connections (two different subnets 10.10.10.0/24, 10.10.20.0/24 with different routing policies) for 2 different groups of users.

And I don't understand (and can't find in manuals and forums) how to link a user with a connection. Where and how do I set up a strict user>connection relation?

Thank you! ...

Score: 1
Strongswan / Ipsec multiple roadwarrior connections different subnets

I'm trying to set up a StrongSwan VPN Server which should host multiple (Windows 10 - internal vpn client) roadwarrior connections, but on different subnets, depending on the client's certificate.

root@VPN:/# ipsec version

Linux strongSwan U5.8.2/K5.4.0-26-generic

My setup has 2 pairs of public and private keys, using different CNs, let's say vpn-dev.mycom.com and vpn-liv.mycom.com. The used ipsec.conf:

Score: 0
Connecting all vpn clients into a single network

I have an Ubuntu server with an IKEv2 VPN configured. I have 2 (will be more) Windows clients that can connect to the VPN.

I want them all to be "bridged", like they are all physically connected to the same switch, but Strongswan does not create interfaces for the clients, so I have no idea how to do it.

Bonus points for the clues how to connect this "LAN" to the internet.

upd: not bridged, i need layer3 only.

Score: 0
How is IPsec (strongswan) working without opening ports in UFW?

I needed to set up a site-to-site VPN between servers A and B, where server A is being managed by me and server B is being managed by a client. Server A is running Ubuntu 20.04 and I am using strongswan to set up the VPN on my end. I am using UFW to manage server A's firewall.

Public IP address of A: 16.XX.XXX.17 Public IP address of B: 14.XXX.XXX.94

Now after making the necessary configuration changes fo ...

Score: 0
Strongswan clear traffic issue

I have 2 raw Debian 11 VMs connected with an internal network on VirtualBox (see the diagram below). Both VMs have 2 network interfaces (the tunnel-side interface and the private network one). I installed Strongswan on both and set up a very basic PSK-based tunnel between both. No further config has been done (no FW installed, etc).

The tunnel is up. At first, when pinging from, say, 192.168.1.1  ...

Score: 1
NFS insists to send packets over MTU, nftables might be the solution

I have an NFS mount over a Strongswan IPSec tunnel, which is encapsulated in a 6to4 tunnel. The IPSec is because I need encryption for NFS traffic, the 6to4 is because the VPS provider won't assign a native IPv6 prefix to my server. Because I had MTU problems with the 6to4 tunnel, I had to lower the MTU on the tunnel interface to the minimum (1280 – if I try to set anything lower, I get an "Error: mtu ...

Score: 0
Ping across IPSec tunnel sends both ICMP and ESP packets

I've been using Strongswan to set up an IPSec tunnel between two units. The tunnel's SAs get set up without any issues and traffic can pass across the connection.

Whenever I ping across the tunnel, the ping request is sent as BOTH an ESP and ICMP packet. The ping response is always just an ESP packet. Looking at these packets with Wireshark, it seems like the ping request sends two packets, one enca ...

Score: 1
AWS/Strongswan-Ubuntu Site to Site Tunnel Cannot Ping Remote

Ubuntu (Linode) Strongswan 5.6.2 Connecting to AWS (site to site).

  1. I can ping from AWS endpoint to Ubuntu VPN.
  2. I cannot ping from AWS endpoint to Ubuntu endpoint.
  3. I cannot ping from Ubuntu VPN to AWS anything.

Ubuntu (VPN) public: 1.2.3.4 | Ubuntu (VPN) private: 192.168.234.113/24

AWS (VPN) public: 4.5.6.7 | AWS (VPN) private: 169.254.177.44/30

AWS (endpoint) private: 10.11.1.197

Ubuntu (endpoint ...

Score: 0
Azure VPN <> Head Office <> OpenVPN - No Communication

To give some idea of the network architecture and the issue;

Head Office has a Pfsense firewall with a site-to-site IPSec VPN connection to some virtual machines in Azure. When on site (192.168.1.1/22) I have no issues communicating with the Azure VNET (10.0.0.0/16) or its VMs.

Remote users connect to head office using OpenVPN on Pfsense (10.8.0.0/24) and can access site resources but can't see the Az ...

Score: 0
Firewall device running IPSec VPN cannot traverse VPN, but other hosts behind it can

I have a hardware device (netgate brand) that acts as the firewall/router for my LAN.

It has an IPSec VPN connection to AWS VPC.

  • All hosts in the LAN can traverse the IPSec VPN successfully. Traffic flows back & forth fine.
  • The firewall device itself cannot.
  • All routes look ok
  • No security groups/firewalls are blocking anything at all right now during testing.

Is there any special trick or rules tha ...

Score: 0
VPN IPsec site connection sporadically lost data between Openstack VPN and a Checkpoint firewall

We have established an IPsec VPN site connection from our Openstack to a Check Point firewall device.

The tunnel is UP but sporadically the connection has "breaks". We already checked between the configs on both sides if anything was different but that doesn't seem to be the case.

But even though the configuration is the same on both sides, the breaks are still there.

On the Openstack side we are using  ...

Score: 0
Unable to authenticate with IPsec tunnel on FortiGate via Windows native client

I have set up an IPsec tunnel on our FortiGate 51E (FortiOS v6.2.10 build1263 (GA)) and I am able to connect via my Windows native client, however when I am asked for a username and password, I am getting the error "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access s ...

Score: 0
Make traffic between IPSec end-points and Internet via Cisco CSR1000v

I made an IPsec tunnel between our CSR 1000v (AWS) and the LTE service provider router (ASR) and I can ping both sides of Tunnel with the following architecture:

           |<---> internet <---> 134.231.4.100 web server
CSR 1000v: |GigabitEthernet1 12.21.0.134 (mapped to Elastic IP 54.154.54.AAA)
           |GigabitEthernet2 12.21.4.50 (private sub-net)
   |
   |
ASR: 10.0.16.1 (mapped  ...
Score: 0
No internet IP routing on Windows 10 client connected to LT2P/IPsec VPN on Windows 2019 server

I have set up a VPN from a Windows 10 client to a Windows 2019 server. After connecting using rasdial <VPN NAME> <USER NAME> <PASSWORD> I successfully issue a net use <DriveLetter>: \\<Server-Name>\<Path>. However, with the default setting, the client machine has no more ordinary internet access. So I followed https://docs.microsoft.com/en-us/troubleshoot/windows-server/ ...

Score: 0
Routing traffic from Server A via VPN Server B

I have IPSec (Libreswan) Server B (10.0.0.2) and a Server A (10.0.0.1) within the same network. Both servers have only one external network interface. I want to route the packets from Server A with source IP belonging to remote network (192.168.1.1, right side of IPSec) via Server B.

Server A ====> Server B == IPSEC ==> Remote IP

I add a route on server A like:

ip route add 192.168.1.1 via 10. ...

Score: 0
Connect to en /ext host of Fortinet VPN with Ubuntu

I have used openfortivpn many times but I have never been able to properly configure such a vpn in the network manager.

Unfortunately, now I have to connect to host [some ip]/ext (e.g. 192.168.10.10/ext) and I can't do that even via cli. It is possible only using the 'original' FortiClient.

How should I configure my network manager in this case? I want to be able to quickly connect with this vpn just like ...

Score: 0
IPSec iptables rules for local service

I have a StrongSwan IPSec remote access server running on RHEL and a client all on the same local network. I have a Samba server running on the same RHEL host that I want to be available through the VPN but not outside the tunnel. I can get the IPSec tunnel up successfully (had to make a MacOS profile with Apple Configurator2 enabling Perfect Forward Security in order to have a ciphersuite match) but I  ...

Score: 0
Routing IPsec VPN traffic through NAT

We are using UFW and are trying to wrap our heads around iptables rules. We are trying to have a NAT rule on both VPN 1 and VPN 2 that contains arbitrary IP addresses to therefore route traffic to 10.0.1.71 and 10.41.0.131.

Currently test server 1 can curl test server 2 using the IP 10.0.1.234 from VPN Instance 1. We would like to have inbound NATing instead of using masquerading.

We want to use NAT a ...

Score: 0
Does Google Cloud support IPsec-encapsulated GRE tunnels?

I can't seem to get PIM set up on Google Cloud where multicast traffic is sent over an IPsec-encapsulated GRE tunnel.

Do Google Cloud EC2 instances and the network block this type of traffic?