
routing LAN client traffic through a tunnel - route-based IPsec

Hello Everyone 

I have a scenario in which I open an IPsec tunnel, strongSwan (initiator) vs. Cisco FlexVPN as a hub (responder).

I'm also using dynamic IP configuration to get the tunnel IP address from the Cisco pool address.


The tunnel is in ESTABLISHED state, but I can't route traffic from the Cisco hub to my Linux device via the tunnel.
There is reachability from the Cisco device to the tunnel IP address that was received from the Cisco device.
I am using left/right subnets as any/any, and for the example I got a tunnel IP address from Cisco which I put on the VTI device...

In parallel I'm using the same setup Cisco vs. Cisco, where everything is OK and all traffic passes fine.

Some info:
1. The Cisco hub shows: Virtual-Access1 is the connection to the Cisco initiator, Virtual-Access2 is the connection to the Linux device initiator
2. show crypto ikev2 sa detailed:

  • a. In Cisco initiator : Dynamic Route Update: enabled
  • b. In Linux initiator : Dynamic Route Update: disabled

3. In show crypto ipsec sa:

  • a. Cisco initiator Virtual-Access2 remote ident is: (
  • b. Linux initiator Virtual-Access2 remote ident is: (

4. In Strongswan ipsec statusall:

  • a. The policy was set to leftsubnet= but shows as: crypto-map-tunnel1_58010001{8724}: ===

I can only ping the address that I got from the Cisco and not any other LAN (see Cisco routing table attached)... I see that the Cisco hub is narrowing the policy to only this IP, which is not good for me because I want to run BGP on this dynamic address.


Please, if anyone can advise; I hope I made my problem clear.

thanks in advance