<div dir="ltr">OK, I've switched back to the following configuration and I can connect to the VPN again (back to the beginning: I can connect, but can't access the LAN behind the VPN):<div><br><div><p style="margin:0px;font-size:11px;font-family:Menlo">
conn %default </p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> keyexchange=ikev1 </p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> authby=xauthrsasig </p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> xauth=server </p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">conn ios </p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> left=86.xx.xx.x35 </p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> leftcert=serverLupoCert.pem </p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> leftsubnet=<a href="http://192.168.2.0/24">192.168.2.0/24</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> leftfirewall=yes </p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> right=%any </p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> rightsourceip=10.3.0.1 </p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> auto=add </p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> rightcert=clientLupoCert.pem</p><div><br></div><div>Do I have to put the server's WAN IP address for "left", or the local IP?<br></div></div><div><br></div>
<div>The configuration is similar to this one: <a href="http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/index.html">http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/index.html</a>.<br></div>
<div>I've checked the <a href="http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/moon.iptables">iptables -L command on that site</a> and compared it with mine.</div><div>It looks like mine is missing some forwarding rules.</div>
<div>Mine:</div><div><p style="margin:0px;font-size:11px;font-family:Menlo">iptables -L -v -n --line-numbers</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Chain INPUT (policy ACCEPT 109K packets, 9709K bytes)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">num pkts bytes target prot opt in out source destination </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">1 236 31088 ACCEPT esp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">2 0 0 ACCEPT udp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> udp dpt:4500 </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">3 196 68288 ACCEPT udp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> udp dpt:500 </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">4 0 0 ACCEPT all -- tun21 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">5 1138 105K ACCEPT tcp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> tcp dpt:1194 </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">6 0 0 ACCEPT all -- tun11 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Chain FORWARD (policy DROP 0 packets, 0 bytes)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">num pkts bytes target prot opt in out source destination </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">1 0 0 ACCEPT esp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">2 0 0 ACCEPT all -- tun21 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">3 5 344 ACCEPT all -- tun11 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">4 22028 1928K ACCEPT all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> state RELATED,ESTABLISHED </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">5 0 0 logdrop all -- !br0 eth0 <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">6 28 1432 logdrop all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> state INVALID </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">7 0 0 ACCEPT all -- br0 br0 <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">8 1344 80640 ACCEPT all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> ctstate DNAT </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">9 32811 2190K ACCEPT all -- br0 * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Chain OUTPUT (policy ACCEPT 109K packets, 19M bytes)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">num pkts bytes target prot opt in out source destination </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">1 0 0 ACCEPT esp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Chain FUPNP (0 references)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">num pkts bytes target prot opt in out source destination </p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Chain PControls (0 references)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">num pkts bytes target prot opt in out source destination </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">1 0 0 ACCEPT all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Chain logaccept (0 references)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">num pkts bytes target prot opt in out source destination </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">1 0 0 LOG all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> state NEW LOG flags 7 level 4 prefix `ACCEPT ' </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">2 0 0 ACCEPT all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Chain logdrop (2 references)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">num pkts bytes target prot opt in out source destination </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">1 0 0 LOG all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> state NEW LOG flags 7 level 4 prefix `DROP' </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">2 28 1432 DROP all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </p><p style="margin:0px;font-size:11px;font-family:Menlo">
<br></p><p style="margin:0px;font-size:11px;font-family:Menlo">If I understand the "leftfirewall=yes" option correctly, it should put those rules into iptables.</p><p style="margin:0px;font-size:11px;font-family:Menlo">I've checked the charon log file and found this error:</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">cat strongswancharon.log | grep iptables</p><p style="margin:0px;font-size:11px;font-family:Menlo">Nov 7 22:59:06 11[CFG] leftupdown=ipsec _updown iptables</p><p style="margin:0px;font-size:11px;font-family:Menlo">
Nov 7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name</p><p style="margin:0px;font-size:11px;font-family:Menlo">
</p><p style="margin:0px;font-size:11px;font-family:Menlo">Nov 7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name</p><p style="margin:0px;font-size:11px;font-family:Menlo"><br></p><p style="margin:0px;font-size:11px;font-family:Menlo">
Am I missing some modules here or something?</p><p style="margin:0px;font-size:11px;font-family:Menlo">How can I get/log those iptables commands that strongSwan executes?</p></div><div><br></div><div>Thanks.</div>
<div><br></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Nov 7, 2013 at 6:25 PM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
Hello Luka,<br>
<br>
Your former configuration worked just fine. The problem was with the network or similar. It had nothing to do with strongSwan.<br>
<br>
Regards<br>
Noel Kuntze<br>
<div><div class="h5"><br>
On 07.11.2013 10:51, Luka wrote:<br>
> Now I've tried to load the modules by hand. I've added the following line to strongswan.conf:<br>
> load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve attr farp xauth-generic<br>
><br>
> And if I check charon logs, it looks like it connects and then immediately disconnects from vpn.<br>
> Here are the interesting lines from the log file (I connect with an iPhone and get "Negotiation with the VPN server failed"):<br>
><br>
> ...<br>
> Nov 7 10:31:12 14[CFG] id '<server.wan.ip>' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=clientLupo'<br>
> ...<br>
> Nov 7 10:31:12 14[CFG] id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=<server.wan.ip>'<br>
> ...<br>
> Nov 7 10:31:12 14[CFG] left is other host, swapping ends<br>
> ...<br>
> Nov 7 10:13:55 04[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING<br>
> ...<br>
> Nov 7 10:13:56 05[IKE] remote host is behind NAT<br>
> ...<br>
> Nov 7 10:13:57 11[IKE] XAuth authentication of 'lupo' successful<br>
> ...<br>
> Nov 7 10:13:57 12[IKE] IKE_SA ios[1] state change: CONNECTING => ESTABLISHED<br>
> ...<br>
> Nov 7 10:13:57 12[IKE] peer requested virtual IP %any<br>
> Nov 7 10:13:57 12[IKE] no virtual IP found for %any requested by 'lupo'<br>
> ...<br>
> Nov 7 10:14:13 05[ENC] parsing HASH_V1 payload finished<br>
> Nov 7 10:14:13 05[ENC] parsing DELETE_V1 payload, 40 bytes left<br>
> ...<br>
> Nov 7 10:14:13 05[ENC] parsing DELETE_V1 payload finished<br>
> ...<br>
> Nov 7 10:14:13 05[IKE] IKE_SA ios[1] state change: ESTABLISHED => DELETING<br>
> Nov 7 10:14:13 05[MGR] checkin and destroy IKE_SA ios[1]<br>
> Nov 7 10:14:13 05[IKE] IKE_SA ios[1] state change: DELETING => DESTROYING<br>
> Nov 7 10:14:13 05[MGR] check-in and destroy of IKE_SA successful<br>
> Nov 7 10:14:13 02[NET] waiting for data on sockets<br>
> Nov 7 10:14:25 15[JOB] got event, queuing job for execution<br>
> Nov 7 10:14:25 15[JOB] next event in 9732s 760ms, waiting<br>
> Nov 7 10:14:25 06[MGR] checkout IKE_SA<br>
><br>
> Should I put something else instead of "right=%any" ?<br>
<br>
</div></div><div class="im">-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2.0.22 (GNU/Linux)<br>
Comment: Using GnuPG with Thunderbird - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
<br>
</div>iQIcBAEBCAAGBQJSe8zvAAoJEDg5KY9j7GZYuUgP/35loiPabv+RrIttHVaBHcru<br>
D7NYUqXKRNeaYnZj+qwsOIorjyoT9xjxg/ZlQCfJSaQKzuFhT3an2IUXeR+57U91<br>
WSlOfUJph2krkfqhAsrpT2fpD1z21t2vwLMRtOfwDJ5SbI5JInjNkXIur5rRvav1<br>
Tnxu4XzZ0wVaUnsabS0jfLYcHNfRcn9viRd5vMwtD0iJ+wO7Q5d/r8zY9pe7yvnk<br>
bGmkcZ5QHHVrCubqCL7qNABYmcrDsZJJoG3RNh/6rqtHWuVawOi5n4o3wP6VKlu5<br>
pHF2LyMz0ZASiveYjNvE24H7FN1CbepJO/hAKSPloNKUKObN4qvCf5Jwj315zZhp<br>
+4iQdbqbXN6gAMA309Hv4HVXnhxPffxi3vf8R+2GsciDfLIuP6eS7XtWv8wyYnFF<br>
+/oAtCuxw6aMI6r6KiTY5kVoeVziNsMDps5qDXet4VAOLPxKdtTbdpBza0YqIC61<br>
1qbPPLF5E7AElLqV36Sm9s3nuQfATGUJMM5GRXVtnivDpIooqbRw6V6baXKduCkD<br>
6pdIMIkI7TaBvdbYlyK/7h6Vxv6t1WGQESNt93WfveJUmO5/+37pEfDRwUg9EEAj<br>
dwv5/sO39usNPzVKOLfZH1h6DN9NJCbqdu00r/FiJ83U55WYKehkDhJRp6ep/rt5<br>
O/aMJnVocQlTSEklzGfY<br>
=kajC<br>
-----END PGP SIGNATURE-----<br>
<br>
</blockquote></div><br></div>
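<div>Added example (my own, not strongSwan's _updown script and not code from this thread), picking up the question above about how to see the iptables commands strongSwan executes: a minimal updown script that logs every iptables command before running it, with a dry-run mode, plus a check that tells from an "iptables -L -v -n --line-numbers" dump whether a FORWARD ACCEPT rule for the virtual IP / LAN subnet pair is present. Assumed rather than taken from the page: the script path, the PLUTO_* environment variables charon exports to updown scripts, and the rule shape, which approximates what leftfirewall=yes installs rather than copying it. The sample chain dump is constructed to look like the FORWARD chain quoted in the thread.</div>

```shell
#!/bin/sh
# Added example, not strongSwan's own _updown script: an updown hook that logs
# each iptables command it runs and can dry-run them for troubleshooting.
#
# Assumptions (not from the thread): charon exports PLUTO_VERB, PLUTO_INTERFACE,
# PLUTO_MY_CLIENT, PLUTO_PEER_CLIENT and PLUTO_REQID to updown scripts; the two
# FORWARD rules below approximate what leftfirewall=yes installs, they are not a
# copy of _updown. Hypothetical hook-up in ipsec.conf:
#   leftupdown="/usr/local/libexec/ipsec/updown-log.sh"

LOGTAG="updown-log"
: "${IPTABLES_DRY_RUN:=0}"   # set to 1 to print the commands instead of running them

# Write one line to syslog when logger is available, otherwise to stderr.
log_line() {
    logger -t "$LOGTAG" "$1" 2>/dev/null || printf '%s: %s\n' "$LOGTAG" "$1" >&2
}

# Print the two FORWARD rules (one per line) that let the peer's client address
# reach our subnet through this SA and back. $1 is -I (add) or -D (remove);
# the remaining arguments come from the PLUTO_* environment.
build_forward_rules() {
    op="$1" iface="$2" my_client="$3" peer_client="$4" reqid="$5"
    printf '%s\n' \
        "iptables $op FORWARD -i $iface -s $peer_client -d $my_client -m policy --dir in --pol ipsec --proto esp --reqid $reqid -j ACCEPT" \
        "iptables $op FORWARD -o $iface -s $my_client -d $peer_client -m policy --dir out --pol ipsec --proto esp --reqid $reqid -j ACCEPT"
}

# Read commands from stdin, log each one, then run it unless dry-running.
# A failing rule is logged with its exit code, so an error such as
# "No chain/target/match by that name" sits next to the exact command.
run_rules() {
    while IFS= read -r cmd; do
        log_line "$cmd"
        if [ "$IPTABLES_DRY_RUN" = 1 ]; then
            printf 'DRY-RUN: %s\n' "$cmd"
        else
            $cmd || { rc=$?; log_line "FAILED (rc=$rc): $cmd"; }
        fi
    done
}

# Dispatch on the verb charon passes; other verbs (up-host, ...) are ignored
# here. With no PLUTO_VERB set (e.g. run by hand) this is a no-op.
handle_updown() {
    case "${PLUTO_VERB:-}" in
        up-client)   op=-I ;;
        down-client) op=-D ;;
        *) return 0 ;;
    esac
    build_forward_rules "$op" "$PLUTO_INTERFACE" "$PLUTO_MY_CLIENT" \
        "$PLUTO_PEER_CLIENT" "${PLUTO_REQID:-0}" | run_rules
}

# Check an "iptables -L FORWARD -v -n --line-numbers" dump on stdin for an ACCEPT
# rule whose source/destination columns equal $1/$2 (iptables prints a /32 host
# without its mask, so the mask is stripped first). Exit 0 if found, 1 otherwise.
has_forward_rule() {
    awk -v s="${1%/32}" -v d="${2%/32}" '
        /^Chain / { in_fwd = ($2 == "FORWARD"); next }
        in_fwd && $4 == "ACCEPT" && $9 == s && $10 == d { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample dump, shaped like the FORWARD chain quoted in this thread:
# only ESP and tunnel-interface rules, nothing for the virtual IP <-> LAN pair.
SAMPLE_FORWARD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
2 5 344 ACCEPT all -- tun11 * 0.0.0.0/0 0.0.0.0/0
3 22028 1928K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED'

handle_updown
```

<div>Pointing leftupdown at a script like this (the path is hypothetical) makes every rule charon asks for appear in the log together with its exit code; running the same dry-run line by hand then shows which part iptables rejects. The message "No chain/target/match by that name" is what iptables prints when a chain, target or match named in the rule is not available to it, so the logged command pins down which of those to look at. The has_forward_rule check, run over "iptables -L FORWARD -v -n --line-numbers" output, confirms afterwards whether the rule for the virtual IP and LAN subnet is actually in the chain.</div>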