Hi guys,

I have a weird problem where I get my OpenWrt router up and running a LAN-to-LAN IPsec tunnel vs a Firewall.

From the Firewall's LAN I can ping and reach the hosts on the router's LAN, but not the opposite.

Sniffing the WAN link I can see that when the Firewall's hosts are pinging the traffic is, as expected, ESP encapsulated, but when the router's hosts try to ping the remote end the traffic is pure routing (not tunnelled inside the VPN)... Why is my router not putting this traffic inside the VPN???

It could be an iptables issue but, not being an expert, I can't even guess what's wrong...

Here I post some data; I hope somebody can help in finding out. If more details are needed I will be happy to amend.

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.20.0/24      192.168.1.0/24       policy match dir in pol ipsec reqid 1 proto esp
ACCEPT     all  --  192.168.1.0/24       192.168.20.0/24      policy match dir out pol ipsec reqid 1 proto esp
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_lte_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_eth_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_ovpn_fw_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */
root@Router4G:/# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.14, mips):
  uptime: 28 hours, since Oct 02 10:14:40 2017
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon pkcs11 aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc hmac ctr attr kernel-netlink resolve socket-default connmark stroke updown xauth-generic dhcp
Listening IP addresses:
  192.168.1.1
  fd1e:3846:5d4d::1
  1.1.1.1
Connections:
     lan2lan:  1.1.1.1...1.1.1.2  IKEv1
     lan2lan:   local:  [1.1.1.1] uses pre-shared key authentication
     lan2lan:   remote: [1.1.1.2] uses pre-shared key authentication
     lan2lan:   child:  192.168.1.0/24 === 192.168.20.0/24 TUNNEL
Routed Connections:
     lan2lan{1}:  ROUTED, TUNNEL, reqid 1
     lan2lan{1}:   192.168.1.0/24 === 192.168.20.0/24
Security Associations (1 up, 0 connecting):
     lan2lan[44]: ESTABLISHED 35 minutes ago, 1.1.1.1[1.1.1.1]...1.1.1.2[1.1.1.2]
     lan2lan[44]: IKEv1 SPIs: f0a0332e2040ec05_i 268f4fb7cb662b03_r*, pre-shared key reauthentication in 18 minutes
     lan2lan[44]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
     lan2lan{119}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8030980_i 2235750e_o
     lan2lan{119}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 8 minutes
     lan2lan{119}:   192.168.1.0/24 === 192.168.20.0/24
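As an added diagnostic aid (not code from the post or from strongSwan), the script below parses the CHILD_SA part of an `ipsec statusall` listing, checks whether a given source/destination pair is covered by an installed SA's traffic selectors, and flags SAs whose byte counters show no traffic in either direction, which is exactly the state the listing above shows. The sample input is copied from the post; the function names and the keys in the returned dict are my own.

```python
import ipaddress
import re

# Sample input: the CHILD_SA lines from the `ipsec statusall` output in the post
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
     lan2lan{119}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8030980_i 2235750e_o
     lan2lan{119}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 8 minutes
     lan2lan{119}:   192.168.1.0/24 === 192.168.20.0/24
"""

CHILD = re.compile(r"^\s*(?P<sa>\S+\{\d+\}):\s+(?P<rest>.*)$")   # "name{id}: ..." lines only
INSTALLED = re.compile(r"INSTALLED, (?P<mode>\w+), reqid (?P<reqid>\d+)")
COUNTERS = re.compile(r"(?P<bi>\d+) bytes_i, (?P<bo>\d+) bytes_o")
SELECTORS = re.compile(r"^(?P<local>\S+) === (?P<remote>\S+)$")

def parse_child_sas(text):
    """Return {sa_name: fields} for every installed CHILD_SA in statusall output."""
    sas = {}
    for line in text.splitlines():
        m = CHILD.match(line)
        if not m:
            continue                       # IKE_SA lines (name[id]) and headers are skipped
        sa = sas.setdefault(m["sa"], {})
        rest = m["rest"].strip()
        if (i := INSTALLED.search(rest)):
            sa.update(mode=i["mode"], reqid=int(i["reqid"]))
        if (c := COUNTERS.search(rest)):
            sa.update(bytes_in=int(c["bi"]), bytes_out=int(c["bo"]))
        if (s := SELECTORS.match(rest)):
            sa.update(local_ts=ipaddress.ip_network(s["local"]),
                      remote_ts=ipaddress.ip_network(s["remote"]))
    return {k: v for k, v in sas.items() if "mode" in v}

def covering_sa(sas, src, dst):
    """Name of the CHILD_SA whose traffic selectors cover src -> dst, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, sa in sas.items():
        if "local_ts" in sa and src in sa["local_ts"] and dst in sa["remote_ts"]:
            return name
    return None

def diagnose(sas):
    """Flag installed SAs whose counters show no traffic in a direction."""
    findings = []
    for name, sa in sas.items():
        for key, label in (("bytes_out", "bytes_o"), ("bytes_in", "bytes_i")):
            if sa.get(key) == 0:
                findings.append(f"{name}: 0 {label} since install, selectors "
                                f"{sa.get('local_ts')} === {sa.get('remote_ts')}")
    return findings
```

If `covering_sa` returns a name for a LAN pair but `diagnose` still reports 0 bytes_o, the selectors are right and the packets are being routed around the policy rather than failing to match it, so the next place to look is the forwarding path, not the SA configuration.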