
I've raised this on the StrongSwan list over the last several weeks, but with no reply so far - hence I'm raising the question here as well to gain a broader audience. I have been experimenting with Strongswan as an implementation of IKEv2 (my ultimate interest is also in its implementation of mobile IPv6, but that's not of immediate concern). If I set up an IPSec tunnel with StrongSwan 4.5.2 between my laptop and an external host (or a virtual machine and another host with a single network interface such as eth0), all appears to work; but my desktop machine has both eth0 and ppp0 interfaces. The tunnel appears to be established correctly on both sides and the IPSec policy appears to be correct, but my machine can't send packets over the tunnel. The kernel log contains messages regarding PMTU discovery, and packet monitoring shows that neighbour discovery packets are being sent out the eth0 interface rather than ppp0, i.e., if I try to ping the remote host over the tunnel, I get a lot of neighbour discovery packets on eth0, whereas the traffic needs to be routed through the ESP encapsulation to ppp0 and onward to the destination. Obviously I can provide much more detail; the main problem at this stage is how to bring the problem to the attention of someone who is sufficiently familiar with Linux IPSec to identify the cause. I may yet get a response on the strongSwan list, of course.