Dirk's Tech Findings

Strongswan: Interface starts replying to all ARP requests

Publication date: 2019-07-25

Issue: Interface starts replying to all ARP requests, even for unknown IPs

The physical interface of a virtual machine running Strongswan starts replying to all ARP requests it sees. This happens after some time and disrupts communication in the Ethernet segment. It did not seem related to Strongswan. The behavior resembles ProxyARP, but ProxyARP is disabled.

Solution: Reconfigure Strongswan

I made lots of unsuccessful attempts to stop this behavior:

What I did not try is filtering ARP in QEMU (see https://libvirt.org/firewall.html) since I've finally found the root cause:

Strongswan has a farp plug-in. This causes the undesired behavior. It just needs to be disabled to get rid of the problem. Under Alpine Linux it can be disabled in "/etc/strongswan.d/charon/farp.conf".
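To confirm the symptom and to check that disabling the plug-in fixed it, the ARP replies on the segment can be tallied per answering MAC address. The script below is an added example, not part of the original post; it assumes the text output format of `tcpdump -e -n arp`, and the MAC/IP values, the `expected` inventory and the `max_ips` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# ARP reply as printed by `tcpdump -e -n arp` (output format assumed here).
ARP_REPLY = re.compile(
    r"Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

# Constructed sample capture: 52:54:00:12:34:56 is the VM and owns only 192.0.2.10.
SAMPLE = """\
10:00:01.000100 52:54:00:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.50 tell 192.0.2.20, length 28
10:00:01.000300 52:54:00:12:34:56 > 52:54:00:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 192.0.2.50 is-at 52:54:00:12:34:56, length 28
10:00:02.000300 52:54:00:12:34:56 > 52:54:00:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 192.0.2.51 is-at 52:54:00:12:34:56, length 28
10:00:03.000300 52:54:00:12:34:56 > 52:54:00:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 192.0.2.52 is-at 52:54:00:12:34:56, length 28
10:00:04.000300 52:54:00:12:34:56 > 52:54:00:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 192.0.2.10 is-at 52:54:00:12:34:56, length 28
10:00:05.000300 52:54:00:aa:bb:01 > 52:54:00:12:34:56, ethertype ARP (0x0806), length 42: Reply 192.0.2.20 is-at 52:54:00:aa:bb:01, length 28
10:00:06.000300 52:54:00:12:34:56 > 52:54:00:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 192.0.2.9 is-at 52:54:00:12:34:56, length 28
""".splitlines()

def ips_claimed_per_mac(lines):
    """Map each answering MAC to the set of IPs it claimed in ARP replies."""
    claimed = defaultdict(set)
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:  # requests and non-ARP lines are ignored
            claimed[m.group(2).lower()].add(m.group(1))
    return claimed

def suspicious_responders(lines, expected=None, max_ips=2):
    """Return {mac: unexpected IPs} for MACs that answer for too many addresses.

    expected: {mac: IPs the host really owns} (hypothetical inventory).
    max_ips:  unexpected IPs tolerated per MAC before it is flagged
              (leaves room for VIPs or secondary addresses).
    """
    expected = {mac.lower(): set(ips) for mac, ips in (expected or {}).items()}
    flagged = {}
    for mac, ips in ips_claimed_per_mac(lines).items():
        unexpected = ips - expected.get(mac, set())
        if len(unexpected) > max_ips:
            # Sort numerically so 192.0.2.9 comes before 192.0.2.50.
            flagged[mac] = sorted(unexpected, key=lambda ip: tuple(map(int, ip.split("."))))
    return flagged

if __name__ == "__main__":
    owned = {"52:54:00:12:34:56": {"192.0.2.10"}}
    for mac, ips in suspicious_responders(SAMPLE, owned).items():
        print(f"{mac} answers ARP for {len(ips)} addresses it does not own: {', '.join(ips)}")
```

Feed it a capture taken before and after disabling the plug-in (in strongSwan's per-plugin snippets such as farp.conf, that is the `load` setting); once farp is off, the VM's MAC should no longer be flagged.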

Hint towards the solution

Others experienced the same trouble: "Incoming arp-requests on an independent interface are incorrectly answered by farp plugin.", described in https://github.com/openvnf/vnf-ipsec/issues/11.
