<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>> As suggested in my previous mail, you should check if the hosts on the<br>> LAN have a route to return packets to the IPsec clients.<br><br>Thanks for your prompt reply. I have strongswan running on my lan router, which is acting as a gateway, dhcp server to the entire network. I have not manually added any routes, because as I understood the documentation on forwarding, no manually added routes were required - "<strong>The virtual IPs are from a distinct subnet</strong>: If the VPN gateway is the <strong>default gateway</strong> of the accessed LAN nothing special has to be done." (http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling). <br><br><br>> Are you using the default updown script to install these rules? Adding<br>> some debug logs to your script might help.<br><br>I am running the default scripts that came with the strongswan package.<br><br><br>>What does "ipsec statusall" show when such a tunnel is up?<br><br>Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):<br> uptime: 7 minutes, since Sep 18 07:58:25 2013<br> malloc: sbrk 221184, mmap 0, used 187616, free 33568<br> worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0, scheduled: 2<br> loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity<br>Virtual IP pools (size/online/offline):<br> 10.10.10.0/24: 254/1/0<br>Listening IP addresses:<br> 99.234.220.200<br> 192.168.16.50<br>Connections:<br> z10: myhost.com...%any IKEv2<br> z10: local: [C=CA, O=none, CN=server] uses public key authentication<br> z10: cert: "C=CA, O=none, CN=server"<br> z10: remote: [C=CA, O=none, CN=z10] uses public key authentication<br> z10: child: 0.0.0.0/24 === dynamic TUNNEL<br>Security Associations (1 up, 0 connecting):<br> z10[2]: ESTABLISHED 7 minutes ago, 99.234.220.200[C=CA, O=none, CN=server]...24.114.94.100[C=CA, O=none, CN=z10]<br> z10[2]: IKEv2 SPIs: ddf237166cae8ed5_i fb3ef59124377fba_r*, public key reauthentication in 48 minutes<br> z10[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048<br> z10{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c7133340_i d518991a_o<br> z10{1}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 6 minutes<br> z10{1}: 0.0.0.0/24 === 10.10.10.1/32<br><br>The only thing I can see coming through the tunnel are keep-alive requests.<br><br><div>> Subject: Re: [strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10<br>> From: martin@strongswan.org<br>> To: gawd0wns@hotmail.com<br>> CC: users@lists.strongswan.org<br>> Date: Wed, 18 Sep 2013 10:23:18 +0200<br>> <br>> Hi,<br>> <br>> > Tcpdump is clearly showing the packets making their way to the client<br>> > (on my wan and lan), though I do not see anything coming back in<br>> > return.<br>> <br>> As suggested in my previous mail, you should check if the hosts on the<br>> LAN have a route to return packets to the IPsec clients.<br>> <br>> > Why did strongswan insert these rules<br>> <br>> Because you have defined leftfirewall=yes or leftupdown?<br>> <br>> > and what do they mean?<br>> <br>> These rules enable forwarding of traffic coming in / going out of the<br>> tunnel should you have a DROP policy.<br>> <br>> > Neither my client device or my strongswan server are on the<br>> > 67.215.65.0/24 ip range. I have no idea where strongswan is getting<br>> > this 67.xxx network range.<br>> <br>> Are you using the default updown script to install these rules? Adding<br>> some debug logs to your script might help.<br>> <br>> What does "ipsec statusall" show when such a tunnel is up?<br>> <br>> Regards<br>> Martin<br>> <br></div> </div></body>
</html>