<div dir="ltr"><p style="margin:0px;font-size:12px;font-family:Helvetica">Hi Noel.</p>
<p style="margin:0px;font-size:12px;font-family:Helvetica">Still no luck.</p>
<p style="margin:0px;font-size:12px;font-family:Helvetica">I’ve added masquerade; the following line is added to the nat table of iptables:</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Chain POSTROUTING (policy ACCEPT 2500 packets, 221K bytes)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">num pkts bytes target prot opt in out source destination </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">…</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">4 0 0 MASQUERADE all -- * eth0 <a href="http://10.0.0.0/24">10.0.0.0/24</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a></p>
<p style="margin:0px;font-size:12px;font-family:Helvetica;min-height:14px"><br></p>
<p style="margin:0px;font-size:12px;font-family:Helvetica">What exactly does this masquerade record mean? Probably that all packets from the <a href="http://10.0.0.0/24">10.0.0.0/24</a> network that have any (0.0.0.0) destination will get the IP address of the eth0 device?</p>
<p style="margin:0px;font-size:12px;font-family:Helvetica">But eth0 is the device with the external IP of the server (86.58.x.x) (see ifconfig output below); should I use the <span style="font-size:11px;font-family:Menlo">br0</span> device here (the one with the local IP of the router)?</p>
<p style="margin:0px;font-size:12px;font-family:Helvetica;min-height:14px"><br></p>
<p style="margin:0px;font-size:12px;font-family:Helvetica">OK, to sum up my situation:</p>
<p style="margin:0px;font-size:12px;font-family:Helvetica">CLIENT(iPhone):</p>
<p style="margin:0px;font-size:12px;font-family:Helvetica">- I can connect to IPsec (strongswan)</p>
<p style="margin:0px;font-size:12px;font-family:Helvetica">- gets virtual IP address: 10.0.0.2</p>
<p style="margin:0px;font-size:12px;font-family:Helvetica;min-height:14px"><br></p>
<p style="margin:0px;font-size:12px;font-family:Helvetica">SERVER (strongswan v<span style="font-size:11px;font-family:Menlo"> 5.0.4, </span>on my router, <span style="font-size:11px;font-family:Menlo"> Linux 2.6.22.19</span>):</p>
<p style="margin:0px;font-size:12px;font-family:Helvetica">- local IP: 192.168.2.1</p>
<p style="margin:0px;font-size:12px;font-family:Helvetica">- external IP 86.58.x.x</p>
<p style="margin:0px;font-size:12px;font-family:Helvetica">ipsec statusall:</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Virtual IP pools (size/online/offline):</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> <a href="http://10.0.0.2">10.0.0.2</a>: 1/1/0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Listening IP addresses:</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> 86.58.x.x</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> 192.168.2.1</p>
<p style="margin:0px;font-size:12px;font-family:Helvetica;min-height:14px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Security Associations (1 up, 0 connecting):</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> ios[2]: ESTABLISHED 19 seconds ago, 86.58.x.x[C=SI, O=Lupo, CN=86.58.x.x]…46.123.x.x[C=SI, O=Lupo, CN=clientLupo]</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> ios[2]: Remote XAuth identity: lupo</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> ios[2]: IKEv1 SPIs: cd789eae5d666586_i 638f1ca174f85726_r*, public key reauthentication in 2 hours</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> ios[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> ios{1}: INSTALLED, TUNNEL, ESP SPIs: c7f2d740_i 0829cc4a_o</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> ios{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> ios{1}: <a href="http://0.0.0.0/0">0.0.0.0/0</a> === <a href="http://10.0.0.2/32">10.0.0.2/32</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">iptables:</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">These entries are added to the FORWARD chain after I connect to the server:</p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Chain FORWARD (policy DROP 0 packets, 0 bytes)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">num pkts bytes target prot opt in out source destination </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">1 0 0 ACCEPT all -- eth0 * 10.0.0.2 <a href="http://0.0.0.0/0">0.0.0.0/0</a> policy match dir in pol ipsec reqid 2 proto 50 </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">2 0 0 ACCEPT all -- * eth0 <a href="http://0.0.0.0/0">0.0.0.0/0</a> 10.0.0.2 policy match dir out pol ipsec reqid 2 proto 50 </p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">iptables(nat table):</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Chain PREROUTING (policy ACCEPT 4188 packets, 599K bytes)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">num pkts bytes target prot opt in out source destination </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">1 1 60 ACCEPT tcp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> tcp dpt:1194 </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">2 305 54089 VSERVER all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> 86.58.x.x </p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Chain POSTROUTING (policy ACCEPT 2500 packets, 221K bytes)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">num pkts bytes target prot opt in out source destination </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">1 0 0 MASQUERADE all -- * tun11 <a href="http://192.168.2.0/24">192.168.2.0/24</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">2 731 46984 MASQUERADE all -- * eth0 !86.58.x.x <a href="http://0.0.0.0/0">0.0.0.0/0</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">3 0 0 MASQUERADE all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> MARK match 0xd001 </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">4 0 0 MASQUERADE all -- * eth0 <a href="http://10.0.0.0/24">10.0.0.0/24</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Chain OUTPUT (policy ACCEPT 2489 packets, 220K bytes)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">num pkts bytes target prot opt in out source destination </p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Chain LOCALSRV (0 references)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">num pkts bytes target prot opt in out source destination </p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Chain VSERVER (1 references)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">num pkts bytes target prot opt in out source destination </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">1 1 123 DNAT tcp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> tcp dpt:1184 to:<a href="http://192.168.2.100:1194">192.168.2.100:1194</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">2 0 0 DNAT udp -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> udp dpt:1184 to:<a href="http://192.168.2.100:1194">192.168.2.100:1194</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">3 304 53966 VUPNP all -- * * <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Chain VUPNP (1 references)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">num pkts bytes target prot opt in out source destination </p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Chain YADNS (0 references)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">num pkts bytes target prot opt in out source destination </p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:12px;font-family:Helvetica">ifconfig:</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">br0 Link encap:Ethernet HWaddr 30:85:A9:E6:EF:A0 </p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> RX packets:20577 errors:0 dropped:0 overruns:0 frame:0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> TX packets:16212 errors:0 dropped:0 overruns:0 carrier:0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> collisions:0 txqueuelen:0 </p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> RX bytes:7597057 (7.2 MiB) TX bytes:2892960 (2.7 MiB)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">eth0 Link encap:Ethernet HWaddr 30:85:A9:E6:EF:A0 </p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> inet addr:86.58.x.x Bcast:86.58.y.y Mask:255.255.255.0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> RX packets:665392 errors:0 dropped:0 overruns:0 frame:0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> TX packets:1473423 errors:0 dropped:0 overruns:0 carrier:0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> collisions:0 txqueuelen:1000 </p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> RX bytes:83612848 (79.7 MiB) TX bytes:1996770618 (1.8 GiB)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> Interrupt:4 Base address:0x2000 </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">...</p>
<p style="margin:0px;font-size:12px;font-family:Helvetica">By the way, should the tunnel that is created by strongswan appear in this ifconfig list?</p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:12px;font-family:Helvetica">I’m probably missing another piece of the puzzle.</p>
<p style="margin:0px;font-size:12px;font-family:Helvetica">Is there any other log file, apart from the strongswan log, that I should examine?</p><p style="margin:0px;font-size:12px;font-family:Helvetica"><br></p><p style="margin:0px;font-size:12px;font-family:Helvetica">
Thanks</p><p style="margin:0px;font-size:12px;font-family:Helvetica">Luka</p></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Nov 10, 2013 at 3:38 PM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><br>
</div>Sorry, it is "iptables -A POSTROUTING -t nat -s <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> -o eth0 -j MASQUERADE"<br>
<div><div class="h5">On 10.11.2013 15:05, Noel Kuntze wrote:<br>
><br>
> Hello Luka,<br>
><br>
> You need to masquerade the traffic from your iPhone to the LAN or the internet.<br>
> You do this with either the MASQUERADE or the SNAT target in iptables.<br>
> Example: iptables -A FORWARD -t nat -s <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> -o eth0 -j MASQUERADE<br>
><br>
> Regards<br>
> Noel Kuntze<br>
><br>
> On 10.11.2013 11:50, Luka wrote:<br>
> > Hi.<br>
> > I've found a way to fix that error ("iptables: No chain/target/match by that name") by executing the command:<br>
><br>
> > insmod xt_policy<br>
><br>
><br>
> > Now when I connect, the iPhone gets IP 10.0.0.2 and the following policy is added to the FORWARD chain:<br>
><br>
> > Chain FORWARD (policy DROP 0 packets, 0 bytes)<br>
><br>
> > num pkts bytes target prot opt in out source destination<br>
><br>
> > 1 0 0 ACCEPT all -- eth0 * 10.0.0.2 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> policy match dir in pol ipsec reqid 1 proto 50<br>
><br>
> > 2 0 0 ACCEPT all -- * eth0 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> 10.0.0.2 policy match dir out pol ipsec reqid 1 proto 50<br>
><br>
><br>
> > I'm using config:<br>
><br>
> > conn %default<br>
><br>
> > keyexchange=ikev1 Read the manpage for it<br>
><br>
> > authby=xauthrsasig<br>
><br>
> > xauth=server<br>
><br>
><br>
><br>
> > #leftid = subject alt. name (in the certificate)<br>
><br>
> > conn ios<br>
><br>
> > left=%defaultroute<br>
><br>
> > leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> > leftcert=serverCert.pem<br>
><br>
> > leftfirewall=yes<br>
><br>
> > right=%any<br>
><br>
> > rightsubnet=<a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a><br>
><br>
> > rightsourceip=10.0.0.2<br>
><br>
> > auto=add<br>
><br>
> > rightcert=clientCert.pem<br>
><br>
><br>
><br>
> > But I still can't access my LAN (<a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a>) or ping the router 192.168.2.1 or ping the phone's virtual IP 10.0.0.2.<br>
><br>
> > I've no idea what else I should try. I give up.<br>
><br>
><br>
> > L<br>
><br>
> > On Thu, Nov 7, 2013 at 11:05 PM, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> wrote:<br>
><br>
><br>
> > Hello Luka,<br>
><br>
> > I actually meant the config which you created after I sent you that link [1].<br>
> > I don't know exactly why there are retransmits happening, but in general, the setup should work.<br>
><br>
> > [1] <a href="http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling" target="_blank">http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling</a><br>
><br>
> > Regards<br>
> > Noel Kuntze<br>
><br>
> > On 07.11.2013 23:03, Luka wrote:<br>
> >> OK, I've switched back to the following configuration and I can connect to the VPN again (back to the beginning: I can connect but can't access the LAN behind the VPN):<br>
><br>
> >> conn %default<br>
><br>
> >> keyexchange=ikev1<br>
><br>
> >> authby=xauthrsasig<br>
><br>
> >> xauth=server<br>
><br>
><br>
><br>
> >> conn ios<br>
><br>
> >> left=86.xx.xx.x35<br>
><br>
> >> leftcert=serverLupoCert.pem<br>
><br>
> >> leftsubnet=<a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a><br>
><br>
> >> leftfirewall=yes<br>
><br>
> >> right=%any<br>
><br>
> >> rightsourceip=10.3.0.1<br>
><br>
> >> auto=add<br>
><br>
> >> rightcert=clientLupoCert.pem<br>
><br>
><br>
> >> Do I have to put the server's WAN IP address for "left", or the local IP?<br>
><br>
> >> Configuration is similar to this one: <a href="http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/index.html" target="_blank">http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/index.html</a>.<br>
> >> I've checked the iptables -L output on that site (<a href="http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/moon.iptables" target="_blank">http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/moon.iptables</a>) and compared it with mine.<br>
> >> It looks like mine is missing some forwarding rules.<br>
> >> Mine:<br>
><br>
> >> iptables -L -v -n --line-numbers<br>
><br>
> >> Chain INPUT (policy ACCEPT 109K packets, 9709K bytes)<br>
><br>
> >> num pkts bytes target prot opt in out source destination<br>
><br>
> >> 1 236 31088 ACCEPT esp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> >> 2 0 0 ACCEPT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpt:4500<br>
><br>
> >> 3 196 68288 ACCEPT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpt:500<br>
><br>
> >> 4 0 0 ACCEPT all -- tun21 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> >> 5 1138 105K ACCEPT tcp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpt:1194<br>
><br>
> >> 6 0 0 ACCEPT all -- tun11 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
><br>
> >> Chain FORWARD (policy DROP 0 packets, 0 bytes)<br>
><br>
> >> num pkts bytes target prot opt in out source destination<br>
><br>
> >> 1 0 0 ACCEPT esp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> >> 2 0 0 ACCEPT all -- tun21 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> >> 3 5 344 ACCEPT all -- tun11 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> >> 4 22028 1928K ACCEPT all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state RELATED,ESTABLISHED<br>
><br>
> >> 5 0 0 logdrop all -- !br0 eth0 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> >> 6 28 1432 logdrop all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state INVALID<br>
><br>
> >> 7 0 0 ACCEPT all -- br0 br0 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> >> 8 1344 80640 ACCEPT all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> ctstate DNAT<br>
><br>
> >> 9 32811 2190K ACCEPT all -- br0 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
><br>
> >> Chain OUTPUT (policy ACCEPT 109K packets, 19M bytes)<br>
><br>
> >> num pkts bytes target prot opt in out source destination<br>
><br>
> >> 1 0 0 ACCEPT esp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
><br>
> >> Chain FUPNP (0 references)<br>
><br>
> >> num pkts bytes target prot opt in out source destination<br>
><br>
><br>
> >> Chain PControls (0 references)<br>
><br>
> >> num pkts bytes target prot opt in out source destination<br>
><br>
> >> 1 0 0 ACCEPT all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
><br>
> >> Chain logaccept (0 references)<br>
><br>
> >> num pkts bytes target prot opt in out source destination<br>
><br>
> >> 1 0 0 LOG all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state NEW LOG flags 7 level 4 prefix `ACCEPT '<br>
><br>
> >> 2 0 0 ACCEPT all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
><br>
> >> Chain logdrop (2 references)<br>
><br>
> >> num pkts bytes target prot opt in out source destination<br>
><br>
> >> 1 0 0 LOG all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state NEW LOG flags 7 level 4 prefix `DROP'<br>
><br>
> >> 2 28 1432 DROP all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
><br>
> >> If I understand the "leftfirewall=yes" command, it should put those rules into iptables.<br>
><br>
> >> I've checked charon log file and found this error:<br>
><br>
> >> cat strongswancharon.log | grep iptables<br>
><br>
> >> Nov 7 22:59:06 11[CFG] leftupdown=ipsec _updown iptables<br>
><br>
> >> Nov 7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name<br>
><br>
> >> Nov 7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name<br>
><br>
><br>
> >> Am I missing some modules here, or something?<br>
><br>
> >> How can I get/log those iptables commands that strongswan executes?<br>
><br>
><br>
> >> Thanks.<br>
><br>
><br>
><br>
> >> On Thu, Nov 7, 2013 at 6:25 PM, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> wrote:<br>
><br>
><br>
> >> Hello Luka,<br>
><br>
> >> Your former configuration worked just fine. The problem was with the network or similar. It had nothing to do with strongSwan.<br>
><br>
> >> Regards<br>
> >> Noel Kuntze<br>
><br>
> >> On 07.11.2013 10:51, Luka wrote:<br>
> >>> Now I've tried to load modules by hand. I've added the following line to strongswan.conf:<br>
> >>> load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve attr farp xauth-generic<br>
><br>
> >>> And if I check the charon logs, it looks like it connects and then immediately disconnects from the VPN.<br>
> >>> Here are the interesting lines from the log file (I connect with the iPhone and get "Negotiation with the VPN server failed"):<br>
><br>
> >>> ...<br>
> >>> Nov 7 10:31:12 14[CFG] id '<server.wan.ip>' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=clientLupo'<br>
> >>> ...<br>
> >>> Nov 7 10:31:12 14[CFG] id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=<server.wan.ip>'<br>
> >>> ...<br>
> >>> Nov 7 10:31:12 14[CFG] left is other host, swapping ends<br>
> >>> ...<br>
> >>> Nov 7 10:13:55 04[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING<br>
> >>> ...<br>
> >>> Nov 7 10:13:56 05[IKE] remote host is behind NAT<br>
> >>> ...<br>
> >>> Nov 7 10:13:57 11[IKE] XAuth authentication of 'lupo' successful<br>
> >>> ...<br>
> >>> Nov 7 10:13:57 12[IKE] IKE_SA ios[1] state change: CONNECTING => ESTABLISHED<br>
> >>> ...<br>
> >>> Nov 7 10:13:57 12[IKE] peer requested virtual IP %any<br>
> >>> Nov 7 10:13:57 12[IKE] no virtual IP found for %any requested by 'lupo'<br>
> >>> ...<br>
> >>> Nov 7 10:14:13 05[ENC] parsing HASH_V1 payload finished<br>
> >>> Nov 7 10:14:13 05[ENC] parsing DELETE_V1 payload, 40 bytes left<br>
> >>> ...<br>
> >>> Nov 7 10:14:13 05[ENC] parsing DELETE_V1 payload finished<br>
> >>> ...<br>
> >>> Nov 7 10:14:13 05[IKE] IKE_SA ios[1] state change: ESTABLISHED => DELETING<br>
> >>> Nov 7 10:14:13 05[MGR] checkin and destroy IKE_SA ios[1]<br>
> >>> Nov 7 10:14:13 05[IKE] IKE_SA ios[1] state change: DELETING => DESTROYING<br>
> >>> Nov 7 10:14:13 05[MGR] check-in and destroy of IKE_SA successful<br>
> >>> Nov 7 10:14:13 02[NET] waiting for data on sockets<br>
> >>> Nov 7 10:14:25 15[JOB] got event, queuing job for execution<br>
> >>> Nov 7 10:14:25 15[JOB] next event in 9732s 760ms, waiting<br>
> >>> Nov 7 10:14:25 06[MGR] checkout IKE_SA<br>
><br>
> >>> Should I put something else instead of "right=%any"?<br>
><br>
</div></div><div class="im">> _______________________________________________<br>
> Users mailing list<br>
> <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
<br>
</div>
</blockquote></div><br></div>
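<p style="margin:0px;font-size:12px;font-family:Helvetica">Added example (an editor's addition, not code from this thread or from strongSwan): a short Python decoder for the <code>iptables -t nat -L POSTROUTING -v -n --line-numbers</code> listing quoted above. It answers the question of what a MASQUERADE record means by rendering each rule in plain words, and reports which rule a packet with a given source address and outgoing interface hits first. The listing embedded in the script is constructed to mirror the POSTROUTING chain above; <code>86.58.0.1</code> stands in for the masked <code>86.58.x.x</code> router address and <code>8.8.8.8</code> is an arbitrary destination, both assumptions of the example.</p>

```python
"""Decode an `iptables -t nat -L POSTROUTING -v -n --line-numbers` listing.
Added example, not code from the thread or from strongSwan: it renders each
MASQUERADE rule in plain words and reports which rule a packet hits first."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample mirroring the POSTROUTING chain quoted in the thread.
# Assumption: 86.58.0.1 stands in for the router's masked 86.58.x.x address.
SAMPLE_POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT 2500 packets, 221K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE all  --  *      tun11   192.168.2.0/24       0.0.0.0/0
2      731 46984 MASQUERADE all  --  *      eth0   !86.58.0.1            0.0.0.0/0
3        0     0 MASQUERADE all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK match 0xd001
4        0     0 MASQUERADE all  --  *      eth0    10.0.0.0/24          0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
# Columns: num pkts bytes target prot opt in out source destination [matches]
RULE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+\S+\s+\S+\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*?)\s*$")


@dataclass
class Rule:
    num: int
    target: str
    proto: str
    in_if: str
    out_if: str
    source: str       # address or prefix; a leading "!" negates the match
    destination: str
    extra: str        # trailing match text such as "MARK match 0xd001", or ""


def parse_listing(text: str) -> Tuple[Optional[str], Optional[str], List[Rule]]:
    """Return (chain name, policy or None for user-defined chains, rules)."""
    chain = policy = None
    rules: List[Rule] = []
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain, policy = m.group(1), m.group(2)
            continue
        if not line.strip() or line.lstrip().startswith("num"):
            continue  # blank line or column header
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule line: {line!r}")
        rules.append(Rule(int(m["num"]), m["target"], m["prot"], m["in"],
                          m["out"], m["src"], m["dst"], m["extra"]))
    return chain, policy, rules


def _describe(spec: str, prep: str) -> str:
    if spec == "0.0.0.0/0":
        return f"{prep} any address"
    if spec.startswith("!"):
        return f"{prep} any address except {spec[1:]}"
    return f"{prep} {spec}"


def explain(rule: Rule) -> str:
    """One plain-English sentence saying what a MASQUERADE rule does."""
    if rule.target != "MASQUERADE":
        return f"rule {rule.num}: {rule.target} (not a masquerade rule)"
    out = "any interface" if rule.out_if == "*" else rule.out_if
    rewrite = ("the address of whichever interface they leave on"
               if rule.out_if == "*" else f"the address of {rule.out_if}")
    text = (f"rule {rule.num}: packets {_describe(rule.source, 'from')} "
            f"{_describe(rule.destination, 'to')} that leave via {out} "
            f"get their source address rewritten to {rewrite}")
    return text + (f" (only when: {rule.extra})" if rule.extra else "")


def _addr_matches(spec: str, ip: ipaddress.IPv4Address) -> bool:
    negate = spec.startswith("!")
    return (ip in ipaddress.ip_network(spec.lstrip("!"), strict=False)) != negate


def first_matching(rules: List[Rule], src_ip: str, out_if: str,
                   dst_ip: str = "8.8.8.8") -> Optional[int]:
    """Number of the first rule hit by a packet from src_ip leaving via out_if.
    iptables walks the chain in order and MASQUERADE ends the walk, so the first
    hit applies. Rules carrying extra matches (e.g. a MARK) are treated as
    non-matching because packet marks are not visible in the listing."""
    ip, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.extra or r.out_if not in ("*", out_if):
            continue
        if _addr_matches(r.source, ip) and _addr_matches(r.destination, dst):
            return r.num
    return None


if __name__ == "__main__":
    chain, policy, rules = parse_listing(SAMPLE_POSTROUTING)
    print(f"Chain {chain} (policy {policy})")
    for r in rules:
        print("  " + explain(r))
    for src, dev in (("10.0.0.2", "eth0"), ("10.0.0.2", "br0")):
        print(f"  {src} via {dev}: first matching rule = {first_matching(rules, src, dev)}")
```

<p style="margin:0px;font-size:12px;font-family:Helvetica">Run on the sample, it renders rule 4 as "packets from 10.0.0.0/24 to any address that leave via eth0 get their source address rewritten to the address of eth0", which is exactly what the record means: the <code>out</code> column names the interface the packet leaves through, and MASQUERADE substitutes that interface's address. It also shows that a packet from 10.0.0.2 bound for eth0 already hits rule 2 (the router's general <code>!86.58.x.x -o eth0</code> masquerade) before rule 4, and that nothing in this chain matches a packet from 10.0.0.2 leaving via br0, so the new rule only affects traffic leaving through eth0, not traffic into the 192.168.2.0/24 LAN behind br0. The MARK rule is treated as not matching, since packet marks cannot be seen from the listing.</p>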