<div dir="ltr"><div><div><div><div><div>Noel, thanks for the hint.<br>I can't find the sysctl command on my router.<br>But the following is probably the same:<br>cat /proc/sys/net/ipv4/ip_forward<br>1<br></div>(assuming that 1 means enabled)<br>
<br></div>For accessing Hosts on the LAN I've tried following situation from the link you've provided:<br><i><strong>The virtual IPs are from the subnet behind the gateway</strong>: In this situation either the <a href="http://wiki.strongswan.org/projects/strongswan/wiki/Dhcpplugin" class="">dhcp plugin</a> is used or the<br>
gateway assigns virtual IP addresses from a subnet of the whole LAN behind the gateway (distinct from the IP addresses<br>assigned via DHCP to other LAN hosts). If that is the case, the <a href="http://wiki.strongswan.org/projects/strongswan/wiki/Farpplugin" class="">farp plugin</a> must be used so that the hosts behind the<br>
gateway may learn that they have to send response packets to the VPN gateway.</i><br></div><br></div>So I've used DHCP to assign an IP to the client<br></div><div>strongswan.conf:<br>...<br></div>rightsourceip=%dhcp<div>...<br>
</div><div>And the client (iPhone) got an address from the LAN subnet, 192.168.2.24.<br></div><div>The farp plugin is also enabled - I can see it listed in "Loaded plugins:" when I execute the "ipsec statusall" command.<br>
</div><div>But now I get an error on my client (iPhone): Negotiation with the VPN server failed.<br></div><div>And there are some new errors in the charon log file:<br><a href="https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswan_log_1.txt">https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswan_log_1.txt</a><br>
</div><div><pre>Nov 7 09:05:46 13[NET] received packet: from <client.wan.ip.removed>[4500] to <wan.ip.was.removed>[4500] (300 bytes)
Nov 7 09:05:46 13[IKE] received retransmit of request with ID 1882702626, but no response to retransmit</pre></div><div>Any idea what's going on?<br><br></div><div><div><br><div><div><br><div><br></div></div></div>
</div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Nov 7, 2013 at 8:04 AM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
Hello Luka,<br>
<br>
See <a href="http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling" target="_blank">http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling</a> for solutions to this problem.<br>
<br>
Regards<br>
Noel Kuntze<br>
<br>
Am 07.11.2013 07:54, schrieb Luka:<br>
<div class="im">> Hi.<br>
> I've successfully installed the StrongSwan 5.0.4 IPsec server on my Asus RT-AC66U, Firmware 3.0.0.4.374.34_2 (Merlin build), following the tutorial at:<br>
> <a href="http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)" target="_blank">http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)</a><br>
> I'm trying to achieve this(diagram):<br>
> <a href="https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/IPsec_diagram.png" target="_blank">https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/IPsec_diagram.png</a><br>
><br>
</div>> I can connect to the VPN server with my iPhone, using Cisco IPsec, but the problem is that *I can't access any of my home LAN IPs*.<br>
<div class="im">> Here is strongswan log file(removed IPs):<br>
> <a href="https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswancharon.log" target="_blank">https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswancharon.log</a><br>
><br>
> The router firewall is temporarily disabled.<br>
> I probably need to add some iptables routes or something?<br>
><br>
> Can someone tell me what I should put for left/right subnet and left/right IP?<br>
> Here is my config:<br>
> ipsec.conf file:<br>
><br>
> conn ios<br>
> keyexchange=ikev1<br>
> authby=xauthrsasig<br>
> xauth=server<br>
> left=%defaultroute<br>
> #left=%any<br>
> leftfirewall=yes<br>
</div>> leftsubnet=0.0.0.0/0<br>
> #leftsubnet=192.168.2.0/24<br>
> leftcert=server.pem<br>
> right=%any<br>
> rightsubnet=10.0.0.0/24<br>
> #rightsubnet=192.168.2.0/24<br>
<div class="im">> rightsourceip=10.0.0.2<br>
> #rightsourceip=%dhcp<br>
> rightcert=client.pem<br>
> #forceencaps=yes<br>
> auto=add<br>
><br>
><br>
> strongswan.conf file:<br>
><br>
> charon {<br>
><br>
> # number of worker threads in charon<br>
> threads = 16<br>
><br>
> dns1 = 192.168.2.1<br>
><br>
> plugins {<br>
> dhcp {<br>
> server = 192.168.2.1<br>
> }<br>
><br>
> }<br>
> }<br>
><br>
><br>
><br>
> ipsec statusall command:<br>
><br>
> ipsec statusall<br>
> Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):<br>
> uptime: 27 minutes, since Nov 06 22:32:15 2013<br>
> malloc: sbrk 225280, mmap 0, used 201584, free 23696<br>
> worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0, scheduled: 5<br>
> loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity<br>
> Virtual IP pools (size/online/offline):<br>
</div>> 10.0.0.2: 1/1/0<br>
<div class="im">> Listening IP addresses:<br>
> <wan.ip.removed><br>
> 192.168.2.1<br>
> 10.8.2.1<br>
> 10.8.0.6<br>
> Connections:<br>
> ios: %any...%any IKEv1<br>
> ios: local: [C=CA,... <removed>] uses public key authentication<br>
> ios: cert: "C=CA,... <removed>"<br>
> ios: remote: [C=CA, ... <removed>] uses public key authentication<br>
> ios: cert: "C=CA,... <removed>"<br>
> ios: remote: uses XAuth authentication: any<br>
</div>> ios: child: 0.0.0.0/0 === 10.0.0.0/24 TUNNEL<br>
<div class="im">> Security Associations (1 up, 0 connecting):<br>
> ios[4]: ESTABLISHED 23 seconds ago, <wan.ip.removed>[C=CA,... <removed>]...<iphone.wan.ip.removed>[C=CA,... <removed>]<br>
> ios[4]: Remote XAuth identity: <removed><br>
> ios[4]: IKEv1 SPIs: 884d6e82b7e59a56_i a4cea15bd0aeff20_r*, public key reauthentication in 2 hours<br>
> ios[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536<br>
> ios{2}: INSTALLED, TUNNEL, ESP SPIs: c5177fea_i 070a1d6b_o<br>
> ios{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes<br>
</div>> ios{2}: 0.0.0.0/0 === 10.0.0.2/32<br>
<div class="im">><br>
><br>
> Some more info:<br>
><br>
><br>
> iptables -L -t nat<br>
> Chain PREROUTING (policy ACCEPT)<br>
> target prot opt source destination<br>
> ACCEPT tcp -- anywhere anywhere tcp dpt:1194<br>
> VSERVER all -- anywhere cpe-86-<removed><br>
><br>
> Chain POSTROUTING (policy ACCEPT)<br>
> target prot opt source destination<br>
</div>> MASQUERADE all -- 192.168.2.0/24 anywhere<br>
<div class="im">> MASQUERADE all -- !cpe-86-<removed> anywhere<br>
> MASQUERADE all -- anywhere anywhere MARK match 0xd001<br>
><br>
> Chain OUTPUT (policy ACCEPT)<br>
> target prot opt source destination<br>
><br>
> Chain LOCALSRV (0 references)<br>
> target prot opt source destination<br>
><br>
> Chain VSERVER (1 references)<br>
> target prot opt source destination<br>
</div>> DNAT tcp -- anywhere anywhere tcp dpt:1184 to:192.168.2.100:1194<br>
> DNAT udp -- anywhere anywhere udp dpt:1184 to:192.168.2.100:1194<br>
<div class="im">> VUPNP all -- anywhere anywhere<br>
><br>
> Chain VUPNP (1 references)<br>
> target prot opt source destination<br>
><br>
> Chain YADNS (0 references)<br>
> target prot opt source destination<br>
><br>
><br>
><br>
> netstat -r<br>
> Kernel IP routing table<br>
> Destination Gateway Genmask Flags MSS Window irtt Iface<br>
> 10.8.0.5 * 255.255.255.255 UH 0 0 0 tun11<br>
> 10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun11<br>
> 10.8.2.2 * 255.255.255.255 UH 0 0 0 tun21<br>
> 86.58.119.1 * 255.255.255.255 UH 0 0 0 eth0<br>
> 86.58.119.0 * 255.255.255.0 U 0 0 0 eth0<br>
> 10.8.2.0 10.8.2.2 255.255.255.0 UG 0 0 0 tun21<br>
> 192.168.2.0 * 255.255.255.0 U 0 0 0 br0<br>
> 192.168.1.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun11<br>
> 127.0.0.0 * 255.0.0.0 U 0 0 0 lo<br>
> default <removed> 0.0.0.0 UG 0 0 0 eth0<br>
><br>
><br>
> (ignore that tunnel to 192.168.1.0)<br>
><br>
> What should I do to make that tunnel work?<br>
><br>
> Regards.<br>
><br>
> Luka<br>
><br>
</div>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2.0.22 (GNU/Linux)<br>
Comment: Using GnuPG with Thunderbird - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
<br>
-----END PGP SIGNATURE-----<br>
</blockquote></div><br></div>
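A small diagnostic, added here as an example and not part of this thread or of strongSwan itself, that applies the wiki rule quoted above to an `ipsec statusall` dump: it reads the loaded plugins and the installed CHILD_SA traffic selectors, checks whether each client's virtual IP lies inside the LAN subnet, and reports whether farp (virtual IP inside the LAN) or IP forwarding (virtual IP outside it) is the missing piece. The statusall excerpt is a trimmed, constructed version of the one quoted in the thread, the LAN prefix 192.168.2.0/24 comes from the thread, and the function names are my own.

```python
import ipaddress
import re

# Constructed excerpt modelled on the "ipsec statusall" output quoted in the thread (sample input, not a live capture).
STATUSALL_SAMPLE = """\
Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):
  loaded plugins: charon aes sha1 kernel-netlink socket-default farp stroke updown xauth-generic dhcp
Virtual IP pools (size/online/offline):
  10.0.0.2: 1/1/0
Listening IP addresses:
  192.168.2.1
Security Associations (1 up, 0 connecting):
  ios[4]: ESTABLISHED 23 seconds ago
  ios{2}: INSTALLED, TUNNEL, ESP SPIs: c5177fea_i 070a1d6b_o
  ios{2}:   0.0.0.0/0 === 10.0.0.2/32
"""

def loaded_plugins(statusall: str) -> set:
    """Return the plugin names listed on the 'loaded plugins:' line."""
    m = re.search(r"loaded plugins:\s*(.*)", statusall)
    return set(m.group(1).split()) if m else set()

def client_virtual_ips(statusall: str) -> list:
    """Collect the remote traffic selectors of installed CHILD_SAs (the client's virtual IP /32s)."""
    ips = []
    for m in re.finditer(r"^\s*\S+\{\d+\}:\s+\S+\s+===\s+(\S+)$", statusall, re.M):
        ips.append(ipaddress.ip_network(m.group(1), strict=False))
    return ips

def assess(statusall: str, lan_cidr: str, ip_forward: str) -> dict:
    """Apply the two wiki scenarios: VIP inside the LAN needs farp; VIP outside it needs forwarding."""
    lan = ipaddress.ip_network(lan_cidr)
    plugins = loaded_plugins(statusall)
    findings = {"forwarding_enabled": ip_forward.strip() == "1",   # content of /proc/sys/net/ipv4/ip_forward
                "farp_loaded": "farp" in plugins,
                "dhcp_loaded": "dhcp" in plugins,
                "clients": []}
    for vip in client_virtual_ips(statusall):
        in_lan = vip.subnet_of(lan)
        findings["clients"].append({
            "vip": str(vip),
            "inside_lan": in_lan,
            # inside the LAN: LAN hosts ARP for the VIP, so the gateway must answer for it (farp)
            "needs_farp": in_lan and "farp" not in plugins,
            # outside the LAN: LAN hosts route replies via the gateway, which must forward them
            "needs_forwarding": (not in_lan) and ip_forward.strip() != "1",
        })
    return findings
```

Feed it the real `ipsec statusall` output and the content of `/proc/sys/net/ipv4/ip_forward` to see which of the two wiki scenarios applies to a given client.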