<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi<br>
</p>
<p>I'm running the Barrier Breaker version of OpenWRT and I have set
up a VPN according to <a
href="http://wiki.openwrt.org/inbox/strongswan.howto"
rel="nofollow">http://wiki.openwrt.org/inbox/strongswan.howto</a>.
I can connect to the VPN with my iPhone or Mac (to the 10.10.1.0/24
network). I can also connect from Windows 7. An IP is allocated to
the client successfully using DHCP.<br>
Once connected I can't access anything on the network.
/etc/firewall.user contains:</p>
<pre><code># This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# Enable ssh and HTTP to router
iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
iptables -I OUTPUT 1 -p tcp --sport 22 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
iptables -I OUTPUT 1 -p tcp --sport 80 -j ACCEPT
</code></pre>
<p>/etc/ipsec.conf contains:</p>
<pre><code># ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%any
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    right=%any
    rightsubnet=10.10.1.0/24
    rightsourceip=%dhcp
    rightcert=clientCert.pem
    forceencaps=yes
    auto=add
conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
conn win7
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid=@xxx.yyy.com
    leftfirewall=yes
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    rightsubnet=10.10.1.0/24
    rightsourceip=%dhcp
    eap_identity=%any
    auto=add
</code></pre>
<p>(The real domain name of the router has been replaced above with
xxx.yyy.com.)</p>
<p>/etc/strongswan.conf contains:</p>
<pre><code># strongswan.conf - strongSwan configuration file
charon {
    dns1 = 10.10.1.1
    # number of worker threads in charon
    threads = 16
    # send strongswan vendor ID?
    # send_vendor_id = yes
    plugins {
        dhcp {
            server = 10.10.1.1
        }
        sql {
            # loglevel to log into sql database
            loglevel = -1
            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
    }
    # ...
}
pluto {
}
libstrongswan {
    # set to no, the DH exponent size is optimized
    # dh_exponent_ansi_x9_42 = no
}
</code></pre>
<p>When I connect with both Windows 7 and the iPhone, ipsec status on
the router shows:</p>
<pre><code>Security Associations (2 up, 0 connecting):
ios[5]: ESTABLISHED 4 seconds ago, xxx.xxx.xxx.xxx[C=AU, O=Netroworx, CN=xxx.xxx.com]...xxx.xxx.xxx.xxx[C=AU, O=Netroworx, CN=client]
ios{5}: INSTALLED, TUNNEL, ESP in UDP SPIs: c8618e27_i 0923f471_o
ios{5}: 0.0.0.0/0 === 10.10.1.89/32
win7[4]: ESTABLISHED 45 seconds ago, xxx.xxx.xxx.xxx[xxx.xxx.com]...xxx.xxx.xxx[192.168.191.131]
win7{4}: INSTALLED, TUNNEL, ESP in UDP SPIs: cae3b4a6_i 67f3eaf0_o
win7{4}: 0.0.0.0/0 === 10.10.1.0/24
</code></pre>
<p>(Sensitive IPs and domain names replaced with xxx.)</p>
<p>Any ideas on why packets are not being routed over the VPN?</p>
<p>Could this be a NAT thing?</p>
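<p>One check that follows from the NAT question above, added here as an example and not part of the original post or of the OpenWrt howto: on an OpenWrt gateway that masquerades its WAN zone (the default), traffic entering the tunnel has to be exempted from NAT before the MASQUERADE rule sees it, which is what a <code>-m policy --dir out --pol ipsec -j ACCEPT</code> rule at the top of the nat POSTROUTING chain does, and the post's firewall.user has no such rule. The script decides from the output of <code>iptables -t nat -S</code> whether that exemption is in place; the chain names and sample rulesets are constructed assumptions modelled on OpenWrt's zone layout.</p>

```shell
#!/bin/sh
# Added diagnostic, not part of the original post or the OpenWrt howto.
# Assumption: the OpenWrt WAN zone masquerades (the default) and the IPsec
# exemption must come first in POSTROUTING, i.e. inserted with
# `iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT`.

# nat_exempts_ipsec RULES
#   RULES is the text of `iptables -t nat -S` (all nat chains).
#   Exit 0 when a `-m policy --dir out --pol ipsec -j ACCEPT` rule in the
#   top-level POSTROUTING chain precedes any MASQUERADE or any jump into an
#   OpenWrt zone chain (which may masquerade); exit 1 otherwise.
nat_exempts_ipsec() {
    printf '%s\n' "$1" | awk '
        $1 != "-A" || $2 != "POSTROUTING" { next }   # POSTROUTING rules only, in order
        /-m policy/ && /--dir out/ && /--pol ipsec/ && /-j ACCEPT/ { found = 1; exit }
        /-j MASQUERADE/ || /-j zone_/ { exit }        # NAT (or a zone chain) reached first
        END { exit (found ? 0 : 1) }
    '
}

# Constructed samples resembling `iptables -t nat -S` on an OpenWrt gateway.
# DEFAULT_RULES is what a firewall.user without a NAT exemption leaves in place.
DEFAULT_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -o br-lan -j zone_lan_postrouting
-A POSTROUTING -o eth0 -j zone_wan_postrouting
-A zone_wan_postrouting -j MASQUERADE'

# FIXED_RULES has the exemption inserted at the top of POSTROUTING.
FIXED_RULES="-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
$(printf '%s\n' "$DEFAULT_RULES" | sed '1d')"

# verdict RULES: one-word summary of the check.
verdict() {
    if nat_exempts_ipsec "$1"; then echo exempted; else echo masqueraded; fi
}

# `--live` reads the running gateway's nat table (run as root on the router);
# without it the two constructed samples are checked.
if [ "${1:-}" = "--live" ]; then
    verdict "$(iptables -t nat -S)"
else
    echo "default ruleset: $(verdict "$DEFAULT_RULES")"
    echo "fixed ruleset:   $(verdict "$FIXED_RULES")"
fi
```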
</body>
</html>