<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>> > z10{1}: 0.0.0.0/24 === 10.10.10.1/32<br>> <br>> Doesn't look like a valid subnet for your local side. What is your<br>> leftsubnet configuration?<br><br>During this connection attempt, I had leftsubnet set to 0.0.0.0/0. I have been trying different settings to see if it would have an effect. When I set the subnet to my actual LAN subnet, (leftsubnet=192.168.16.0/24), it doesn't work either. Here is the ipsec statusall output when it is set to my actual subnet:<br><br>Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):<br> uptime: 3 minutes, since Sep 18 19:13:10 2013<br> malloc: sbrk 221184, mmap 0, used 189456, free 31728<br> worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0, scheduled: 2<br> loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity<br>Virtual IP pools (size/online/offline):<br> 10.10.10.0/24: 254/1/0<br>Listening IP addresses:<br> 99.234.220.200<br> 192.168.16.50<br>Connections:<br> z10: myip.com...%any IKEv2<br> z10: local: [C=CA, O=none, CN=server] uses public key authentication<br> z10: cert: "C=CA, O=none, CN=server"<br> z10: remote: [C=CA, O=none, CN=z10] uses public key authentication<br> z10: child: 192.168.16.0/24 === dynamic TUNNEL<br>Security Associations (1 up, 0 connecting):<br> z10[1]: ESTABLISHED 3 minutes ago, 99.234.220.200[C=CA, O=none, CN=server]...24.114.94.100[C=CA, O=none, CN=z10]<br> z10[1]: IKEv2 SPIs: b44384ec9af2275b_i 9c09709370559f7d_r*, public key reauthentication in 52 minutes<br> z10[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048<br> z10{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c5ab637d_i 633e50d9_o<br> z10{1}: AES_CBC_256/HMAC_SHA2_256_128, 384 bytes_i, 0 bytes_o, rekeying in 11 minutes<br> z10{1}: 192.168.16.0/24 === 10.10.10.1/32<br><br>Some additional output:<br>root:/opt/etc# ip route list table 220<br>10.10.10.1 via 99.234.220.1 dev vlan2 proto static src 192.168.16.50<br><br>My output from iptables -L doesn't look right, I have fewer rules than the configuration example on the strongswan website for gateway moon in a similar configuration (rw-cert): http://www.strongswan.org/uml/testresults/ikev2/rw-cert/moon.iptables<br><br>I have fewer FORWARD rules, and I don't see anything to allow esp (that I can tell).<br><br>root:/opt/etc# iptables -L<br>root@unknown:/opt/etc# iptables -L<br>Chain INPUT (policy DROP)<br>target prot opt source destination<br>ACCEPT udp -- anywhere anywhere udp dpt:4500<br>ACCEPT udp -- anywhere anywhere udp dpt:500<br>DROP all -- anywhere anywhere state INVALID<br>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED<br>shlimit tcp -- anywhere anywhere tcp dpt:ssh state NEW<br>ACCEPT all -- anywhere anywhere<br>ACCEPT all -- anywhere anywhere<br>ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc<br><br>Chain FORWARD (policy DROP)<br>target prot opt source destination<br>ACCEPT all -- 10.10.10.1 192.168.16.0/24 policy match dir in pol ipsec reqid 1 proto ipv6-crypt<br>ACCEPT all -- 192.168.16.0/24 10.10.10.1 policy match dir out pol ipsec reqid 1 proto ipv6-crypt<br>ACCEPT all -- anywhere anywhere<br>DROP all -- anywhere anywhere state INVALID<br>TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU<br>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED<br>wanin all -- anywhere anywhere<br>wanout all -- anywhere anywhere<br>ACCEPT all -- anywhere anywhere<br><br>Chain OUTPUT (policy ACCEPT)<br>target prot opt source destination<br><br>Chain shlimit (1 references)<br>target prot opt source destination<br> all -- anywhere anywhere recent: SET name: shlimit side: source<br>DROP all -- anywhere anywhere recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source<br><br>Chain wanin (1 references)<br>target prot opt source destination<br><br>Chain wanout (1 references)<br>target prot opt source destination<br><br><br><br>How could those additional rules manually?<br><br><br><div>> Subject: Re: [strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10<br>> From: martin@strongswan.org<br>> To: gawd0wns@hotmail.com<br>> CC: users@lists.strongswan.org<br>> Date: Wed, 18 Sep 2013 14:34:11 +0200<br>> <br>> <br>> > z10{1}: 0.0.0.0/24 === 10.10.10.1/32<br>> <br>> Doesn't look like a valid subnet for your local side. What is your<br>> leftsubnet configuration?<br>> <br>> Possible that the updown script and/or iptables mess up with that.<br>> <br>> Regards<br>> Martin<br>> <br></div> </div></body>
</html>