<div dir="ltr"><div><div><div><div>Hi.<br>
I've successfully installed a StrongSwan 5.0.4 IPsec server on my Asus
RT-AC66U, firmware 3.0.0.4.374.34_2 (Merlin build), following the tutorial at:<br><a href="http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)">http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)</a><br>
</div><div>I'm trying to achieve this (diagram):<br><a href="https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/IPsec_diagram.png">https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/IPsec_diagram.png</a><br>
</div><div><br>
I can connect to the VPN server with my iPhone using Cisco IPsec, but the problem is that<b> I can't access any of my home LAN IPs</b>.<br>Here is the strongSwan log file (IPs removed):<br><a href="https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswancharon.log">https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswancharon.log</a><br>
<br>
The router firewall is temporarily disabled.<br>
I probably need to add some iptables routes or something?<br>
<br>
Can someone tell me what I should put for left/right subnet and left/right IP?<br>
Here is my config:<br>ipsec.conf file:<br><pre class="" dir="ltr" style="margin:0px;padding:6px;border:1px inset;width:640px;height:306px;text-align:left;overflow:auto">conn ios
keyexchange=ikev1
authby=xauthrsasig
xauth=server
left=%defaultroute
#left=%any
leftfirewall=yes
leftsubnet=0.0.0.0/0
#leftsubnet=192.168.2.0/24
leftcert=server.pem
right=%any
rightsubnet=10.0.0.0/24
#rightsubnet=192.168.2.0/24
rightsourceip=10.0.0.2
#rightsourceip=%dhcp
rightcert=client.pem
#forceencaps=yes
auto=add</pre><br></div>strongswan.conf file:<br><pre class="" dir="ltr" style="margin:0px;padding:6px;border:1px inset;width:640px;height:242px;text-align:left;overflow:auto">charon {
# number of worker threads in charon
threads = 16
dns1 = 192.168.2.1
plugins {
dhcp {
server = 192.168.2.1
}
}
}</pre><br><br>ipsec statusall command:<br><br><pre class="" dir="ltr" style="margin:0px;padding:6px;border:1px inset;width:640px;height:482px;text-align:left;overflow:auto">ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):
uptime: 27 minutes, since Nov 06 22:32:15 2013
malloc: sbrk 225280, mmap 0, used 201584, free 23696
worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0, scheduled: 5
loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Virtual IP pools (size/online/offline):
10.0.0.2: 1/1/0
Listening IP addresses:
<wan.ip.removed>
192.168.2.1
10.8.2.1
10.8.0.6
Connections:
ios: %any...%any IKEv1
ios: local: [C=CA,... <removed>] uses public key authentication
ios: cert: "C=CA,... <removed>"
ios: remote: [C=CA, ... <removed>] uses public key authentication
ios: cert: "C=CA,... <removed>"
ios: remote: uses XAuth authentication: any
ios: child: 0.0.0.0/0 === 10.0.0.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
ios[4]: ESTABLISHED 23 seconds ago, <wan.ip.removed>[C=CA,... <removed>]...<iphone.wan.ip.removed>[C=CA,... <removed>]
ios[4]: Remote XAuth identity: <removed>
ios[4]: IKEv1 SPIs: 884d6e82b7e59a56_i a4cea15bd0aeff20_r*, public key reauthentication in 2 hours
ios[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
ios{2}: INSTALLED, TUNNEL, ESP SPIs: c5177fea_i 070a1d6b_o
ios{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
ios{2}: 0.0.0.0/0 === 10.0.0.2/32</pre><br>Some more info:<br><pre class="" dir="ltr" style="margin:0px;padding:6px;border:1px inset;width:640px;height:482px;text-align:left;overflow:auto">
iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:1194
VSERVER all -- anywhere cpe-86-<removed>
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.2.0/24 anywhere
MASQUERADE all -- !cpe-86-<removed> anywhere
MASQUERADE all -- anywhere anywhere MARK match 0xd001
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain LOCALSRV (0 references)
target prot opt source destination
Chain VSERVER (1 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:1184 to:192.168.2.100:1194
DNAT udp -- anywhere anywhere udp dpt:1184 to:192.168.2.100:1194
VUPNP all -- anywhere anywhere
Chain VUPNP (1 references)
target prot opt source destination
Chain YADNS (0 references)
target prot opt source destination</pre><br><br><pre class="" dir="ltr" style="margin:0px;padding:6px;border:1px inset;width:640px;height:226px;text-align:left;overflow:auto">netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.8.0.5 * 255.255.255.255 UH 0 0 0 tun11
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun11
10.8.2.2 * 255.255.255.255 UH 0 0 0 tun21
86.58.119.1 * 255.255.255.255 UH 0 0 0 eth0
86.58.119.0 * 255.255.255.0 U 0 0 0 eth0
10.8.2.0 10.8.2.2 255.255.255.0 UG 0 0 0 tun21
192.168.2.0 * 255.255.255.0 U 0 0 0 br0
192.168.1.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun11
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default <removed> 0.0.0.0 UG 0 0 0 eth0</pre><br>(ignore that tunnel to 192.168.1.0)<br>
<br>
What should I do to make that tunnel work?<br></div><br></div>Regards.<br><br></div>Luka<br></div>
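As an added example (not part of Luka's post and not strongSwan's own tooling), the script below parses the CHILD_SA lines from the <code>ipsec statusall</code> output above and the nat POSTROUTING chain from <code>iptables -L -t nat</code>, and reports what a defender checks first when a client is ESTABLISHED but cannot reach the LAN: whether the negotiated local traffic selector covers 192.168.2.0/24, whether any ESP bytes have flowed at all, and whether a MASQUERADE rule would source-NAT LAN replies before the IPsec policy sees them. It assumes that <code>iptables -L</code> prints a policy-match exemption as "pol ipsec"; the sample input is copied from the post.

```python
import ipaddress
import re

# Constructed sample, copied from the post: CHILD_SA lines of "ipsec statusall" and the nat POSTROUTING chain.
STATUSALL = """\
ios{2}: INSTALLED, TUNNEL, ESP SPIs: c5177fea_i 070a1d6b_o
ios{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
ios{2}: 0.0.0.0/0 === 10.0.0.2/32
"""
NAT_POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT)
MASQUERADE all -- 192.168.2.0/24 anywhere
MASQUERADE all -- !cpe-86-<removed> anywhere
MASQUERADE all -- anywhere anywhere MARK match 0xd001
"""
SA_TS = re.compile(r"^(\S+\{\d+\}):\s+(\S+)\s+===\s+(\S+)$")
SA_BYTES = re.compile(r"^(\S+\{\d+\}):.*?\b(\d+) bytes_i, (\d+) bytes_o")

def parse_child_sas(text):
    """Traffic selectors and byte counters per installed CHILD_SA, keyed like 'ios{2}'."""
    sas = {}
    for line in text.splitlines():
        ts, counters = SA_TS.match(line.strip()), SA_BYTES.match(line.strip())
        if ts:
            sa = sas.setdefault(ts.group(1), {})
            sa["local"], sa["remote"] = map(ipaddress.ip_network, ts.group(2, 3))
        elif counters:
            sa = sas.setdefault(counters.group(1), {})
            sa["bytes_i"], sa["bytes_o"] = int(counters.group(2)), int(counters.group(3))
    return sas

def check_lan_access(sas, lan="192.168.2.0/24"):
    """Per CHILD_SA: does the local selector cover the LAN, and has any ESP traffic flowed?"""
    lan = ipaddress.ip_network(lan)
    return {name: {"ts_covers_lan": lan.subnet_of(sa["local"]), "client_ip": str(sa["remote"]),
                   "no_traffic_yet": sa.get("bytes_i", 0) == 0 and sa.get("bytes_o", 0) == 0}
            for name, sa in sas.items()}

def masquerade_hits_tunnel_traffic(nat_chain, lan="192.168.2.0/24"):
    """True if a MASQUERADE for 'anywhere' or the LAN comes before any 'pol ipsec' ACCEPT, so LAN
    replies to the client get source-NATed before IPsec sees them (heuristic over `iptables -L`)."""
    for line in nat_chain.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] in ("Chain", "target"):
            continue
        if f[0] == "ACCEPT" and "pol ipsec" in line:
            return False  # IPsec-bound traffic exempted from NAT ahead of the MASQUERADE rules
        if f[0] == "MASQUERADE" and f[3] in ("anywhere", lan) and "MARK" not in line:
            return True
    return False
```

On the post's output the LAN is covered by the 0.0.0.0/0 selector, no bytes have flowed in either direction, and the first MASQUERADE rule matches LAN sources with no IPsec exemption ahead of it.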