Strongswan and USG40 setup

popa Posts: 2
First Comment
edited April 2021 in Security
Hi Guys,

I have setup an IPsec tunnel (with VTI interfaces) between a USG40 and a linux box (using strongswan). Both phases of the tunnel complete successfully and the tunnel is fully UP. Below is a schematic of the setup:

So the problem is that when I ping the USG40's VTI interface from the remote server, the USG receives it and replies to it, but it never gets back to the server. I did a packet capture on the USG's VTI int, and below is the output:

20:00:38.855199 IP (tos 0x0, ttl 64, id 19789, offset 0, flags [DF], proto ICMP (1), length 84) > ICMP echo request, id 15142, seq 42, length 64
20:00:38.855708 IP (tos 0x0, ttl 64, id 51490, offset 0, flags [none], proto ICMP (1), length 84) > ICMP echo reply, id 15142, seq 42, length 64

The RX and TX for the USG int is incrementing with each ping, and a nestat -i on the server VTI int shows TX hits but no RX hits.

I've made ALL secure-policy rules permissive, so default is allow all traffic to ensure that no rule is blocking traffic. The logs confirm that traffic is being "forwarded" (ACCESS FORWARD).

Here the strongswan config for anyone interested:

conn swiss1
        leftupdown="/usr/local/sbin/ --sourceip --mtu 1370"

Please advise.


  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,178
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 50 Answers 1000 Comments
     Zyxel Employee
    Hi @popa,
    A quick question, is Linux server running as NAT router(with two NIC)to establish site to site VPN ? or it just simple host to connect USG to access USG subnet?
    Client to site(host to subnet) or Site to site(subnet to subnet)?
  • popa
    popa Posts: 2
    First Comment
    Thanks for the response.
    Managed to sort it out. Turned out the ISP was dropping the ESP packets. Using a different provider fixed the issue.

Security Highlight