SUSE,Firewal,strongswan: packet not using tunnel

I am trying to set up a VPN tunnel between 2 sites, like this

remoteA – vpnA — Internet — vpnB — remoteB

vpnA and vpnB have publicIP
vpnA and remoteA have privateIP (1 subnet)

Actually, I was able to get the tunnel up
net-net1[1]: ESTABLISHED 22 minutes ago, [xxx]…[yyy]
net-net1[1]: IKE SPIs: e94a8711bfc6cfe0_i* 4f199ccf7cffb49b_r, pre-shared key reauthentication in 32 minutes
net-net1[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
net-net1{1}: INSTALLED, TUNNEL, ESP SPIs: ca7f5d3d_i 27d80a67_o
net-net1{1}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 31 minutes

BUT, when I try to ping remoteB from remoteA/vpnA,
FAIL and based on my check using tcpdump at vpnA,
the packet is not through the tunnel, may be using default gateway instead
(correct me if I am wrong, but I can’t see any encryption notation, only ICMP message)

Unfortunately, I can’t perform any test from the other side
(vpnB and remoteB is handle by other party, they insist remoteB can be reach from vpnB)

Anyway, I had check all related at site A
ipsec statusall
ipsec listall
ip -s xfrm policy
ip -s xfrm state
ip route list table 220
iptables -L

so far, all are consistent with the sample shown in
and even the routing in ‘ip route list table 220’ does provide the routing to remoteB, even though not defined in static route

What I did at vpnA
I did not define default gateway (hence no routing for
only static routing to vpnB publicIP routed to vpnA internet GatewayIP
(In hope that routing to remoteB is not using default gateway)

Once the tunnel up, the routing for remoteB is automated as in ‘ip route list table 220’
via dev eth0 proto static src

However, I can not ping remoteB successfully and

  1. vpnB said no packet is seen in the log
  2. even the log/messages at vpnA shown nothing related to charon or pluto activity

Hence, I kindda like confuse
Is the ping packet go through the tunnel or not?

I tried to google around and read all related FAQs, but can’t find any concrete answer

Hence, I am seeking the wisdom of this forum

Anyway: here is what I used at vpnA, (in summary to make it short)
SUSE Linux Enterprise Server 11 (x86_64)
SuSEfirewall2 version 3.6 - set privateIP intf as DMZ, publicIP intf as External, masquerade enable
strongSwan U4.4.0 - use the example at


It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run and that if your issue
is urgent or not getting a response, you might try one of the following options:

Be sure to read the forum FAQ about what to expect in the way of responses:

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot…

Good luck!

Your SUSE Forums Team

Is IP forwarding enabled on vpnA? i.e. what is the output of:

# sysctl net.ipv4.ip_forward