<div dir="ltr">Hi.<div>I've found a way to fix the error "iptables: No chain/target/match by that name" by executing the command:</div><div><pre>insmod xt_policy</pre>
<p>Now when I connect, the iPhone gets IP 10.0.0.2 and the following policy is added to the FORWARD chain:</p>
<pre>Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- eth0 * 10.0.0.2 0.0.0.0/0 policy match dir in pol ipsec reqid 1 proto 50
2 0 0 ACCEPT all -- * eth0 0.0.0.0/0 10.0.0.2 policy match dir out pol ipsec reqid 1 proto 50</pre>
<p>I'm using this config:</p>
<pre>conn %default
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server

    #leftid = subject alt. name (in the certificate)
conn ios
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=serverCert.pem
    leftfirewall=yes
    right=%any
    rightsubnet=10.0.0.0/24
    rightsourceip=10.0.0.2
    auto=add
    rightcert=clientCert.pem</pre>
<p>But I still can't access my LAN (192.168.2.0/24) or ping the router 192.168.2.1 or ping the phone's virtual IP 10.0.0.2.</p>
<p>I've no idea what else I should try. I give up.</p>
<p>L</p></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Nov 7, 2013 at 11:05 PM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><br>
Hello Luka,<br>
<br>
</div>I actually meant the config which you created after I sent you that link [1].<br>
I don't know exactly why there are retransmits happening, but in general, the setup should work.<br>
<br>
[1] <a href="http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling" target="_blank">http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling</a><br>
<br>
Regards<br>
Noel Kuntze<br>
<div class="im"><br>
On 07.11.2013 23:03, Luka wrote:<br>
> OK, I've switched back to the following configuration and I can connect to the VPN again (back to the beginning: I can connect but can't access the LAN behind the VPN):<br>
><br>
> conn %default<br>
><br>
> keyexchange=ikev1<br>
><br>
> authby=xauthrsasig<br>
><br>
> xauth=server<br>
><br>
><br>
><br>
> conn ios<br>
><br>
> left=86.xx.xx.x35<br>
><br>
> leftcert=serverLupoCert.pem<br>
><br>
</div>> leftsubnet=192.168.2.0/24<br>
<div class="im">><br>
> leftfirewall=yes<br>
><br>
> right=%any<br>
><br>
> rightsourceip=10.3.0.1<br>
><br>
> auto=add<br>
><br>
> rightcert=clientLupoCert.pem<br>
><br>
><br>
> Do I have to put the server's WAN IP address for "left" or the local IP?<br>
><br>
> Configuration is similar to this one: <a href="http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/index.html" target="_blank">http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/index.html</a>.<br>
</div>> I've checked the iptables -L output on that site <<a href="http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/moon.iptables" target="_blank">http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/moon.iptables</a>> and compared it with mine.<br>
<div class="im">> It looks like mine is missing some forwarding rules.<br>
> Mine:<br>
><br>
> iptables -L -v -n --line-numbers<br>
><br>
> Chain INPUT (policy ACCEPT 109K packets, 9709K bytes)<br>
><br>
> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> 1 236 31088 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0<br>
><br>
> 2 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500<br>
><br>
> 3 196 68288 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500<br>
><br>
> 4 0 0 ACCEPT all -- tun21 * 0.0.0.0/0 0.0.0.0/0<br>
><br>
> 5 1138 105K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1194<br>
><br>
> 6 0 0 ACCEPT all -- tun11 * 0.0.0.0/0 0.0.0.0/0<br>
<div class="im">><br>
><br>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)<br>
><br>
> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> 1 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0<br>
><br>
> 2 0 0 ACCEPT all -- tun21 * 0.0.0.0/0 0.0.0.0/0<br>
><br>
> 3 5 344 ACCEPT all -- tun11 * 0.0.0.0/0 0.0.0.0/0<br>
><br>
> 4 22028 1928K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED<br>
><br>
> 5 0 0 logdrop all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0<br>
><br>
> 6 28 1432 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID<br>
><br>
> 7 0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0<br>
><br>
> 8 1344 80640 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT<br>
><br>
> 9 32811 2190K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0<br>
<div class="im">><br>
><br>
> Chain OUTPUT (policy ACCEPT 109K packets, 19M bytes)<br>
><br>
> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> 1 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0<br>
<div class="im">><br>
><br>
> Chain FUPNP (0 references)<br>
><br>
> num pkts bytes target prot opt in out source destination<br>
><br>
><br>
> Chain PControls (0 references)<br>
><br>
> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> 1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<div class="im">><br>
><br>
> Chain logaccept (0 references)<br>
><br>
> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> 1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `ACCEPT '<br>
><br>
> 2 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<div class="im">><br>
><br>
> Chain logdrop (2 references)<br>
><br>
> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> 1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `DROP'<br>
><br>
> 2 28 1432 DROP all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<div class="im">><br>
><br>
> If I understand "leftfirewall=yes" command, it should put those rules into iptables.<br>
><br>
> I've checked charon log file and found this error:<br>
><br>
> cat strongswancharon.log | grep iptables<br>
><br>
> Nov 7 22:59:06 11[CFG] leftupdown=ipsec _updown iptables<br>
><br>
> Nov 7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name<br>
><br>
> Nov 7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name<br>
><br>
><br>
> Am I missing some modules here or something?<br>
><br>
> How can I get/log the iptables commands that strongSwan executes?<br>
><br>
><br>
> Thanks.<br>
><br>
><br>
><br>
</div><div><div class="h5">> On Thu, Nov 7, 2013 at 6:25 PM, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> wrote:<br>
><br>
><br>
> Hello Luka,<br>
><br>
> Your former configuration worked just fine. The problem was with the network or similar. It had nothing to do with strongSwan.<br>
><br>
> Regards<br>
> Noel Kuntze<br>
><br>
> On 07.11.2013 10:51, Luka wrote:<br>
> > Now I've tried to load the modules by hand. I've added the following line to strongswan.conf:<br>
> > load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve attr farp xauth-generic<br>
><br>
> > And if I check the charon logs, it looks like it connects and then immediately disconnects from the VPN.<br>
> > Here are the interesting lines from the log file (I connect with the iPhone and get "Negotiation with the VPN server failed"):<br>
><br>
> > ...<br>
> > Nov 7 10:31:12 14[CFG] id '<server.wan.ip>' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=clientLupo'<br>
> > ...<br>
> > Nov 7 10:31:12 14[CFG] id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=<server.wan.ip>'<br>
> > ...<br>
> > Nov 7 10:31:12 14[CFG] left is other host, swapping ends<br>
> > ...<br>
> > Nov 7 10:13:55 04[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING<br>
> > ...<br>
> > Nov 7 10:13:56 05[IKE] remote host is behind NAT<br>
> > ...<br>
> > Nov 7 10:13:57 11[IKE] XAuth authentication of 'lupo' successful<br>
> > ...<br>
> > Nov 7 10:13:57 12[IKE] IKE_SA ios[1] state change: CONNECTING => ESTABLISHED<br>
> > ...<br>
> > Nov 7 10:13:57 12[IKE] peer requested virtual IP %any<br>
> > Nov 7 10:13:57 12[IKE] no virtual IP found for %any requested by 'lupo'<br>
> > ...<br>
> > Nov 7 10:14:13 05[ENC] parsing HASH_V1 payload finished<br>
> > Nov 7 10:14:13 05[ENC] parsing DELETE_V1 payload, 40 bytes left<br>
> > ...<br>
> > Nov 7 10:14:13 05[ENC] parsing DELETE_V1 payload finished<br>
> > ...<br>
> > Nov 7 10:14:13 05[IKE] IKE_SA ios[1] state change: ESTABLISHED => DELETING<br>
> > Nov 7 10:14:13 05[MGR] checkin and destroy IKE_SA ios[1]<br>
> > Nov 7 10:14:13 05[IKE] IKE_SA ios[1] state change: DELETING => DESTROYING<br>
> > Nov 7 10:14:13 05[MGR] check-in and destroy of IKE_SA successful<br>
> > Nov 7 10:14:13 02[NET] waiting for data on sockets<br>
> > Nov 7 10:14:25 15[JOB] got event, queuing job for execution<br>
> > Nov 7 10:14:25 15[JOB] next event in 9732s 760ms, waiting<br>
> > Nov 7 10:14:25 06[MGR] checkout IKE_SA<br>
><br>
> > Should I put something else instead of "right=%any"?<br>
><br>
><br>
><br>
<br>
</div></div>
<br>
</blockquote></div><br></div>
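<p>The diagnosis this thread walks through (is xt_policy loaded, did <code>leftfirewall=yes</code> get its policy-match ACCEPT rules into FORWARD, and have those rules ever matched a packet) can be automated over the output of <code>iptables -L -v -n --line-numbers</code>. The following is an added example, not code from the thread or from strongSwan: a small parser plus a check for one client's virtual IP. The sample chain is constructed from the FORWARD listing in the mail above; the rule shape it looks for (ACCEPT with <code>policy match dir in/out pol ipsec</code>) is the one shown there.</p>

```python
import re

# Constructed sample (hypothetical, not captured from a live box): the FORWARD chain from
# the mail after `insmod xt_policy`, as `iptables -L -v -n --line-numbers` prints it.
FORWARD_AFTER = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target  prot opt in   out  source     destination
1        0     0 ACCEPT  all  --  eth0 *    10.0.0.2   0.0.0.0/0    policy match dir in pol ipsec reqid 1 proto 50
2        0     0 ACCEPT  all  --  *    eth0 0.0.0.0/0  10.0.0.2     policy match dir out pol ipsec reqid 1 proto 50
"""

FIELDS = ("num", "pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst", "extra")

def _count(s):
    """iptables -v abbreviates large counters as 105K, 19M, 2G."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)

def parse_chain(text):
    """Parse one chain listing into (name, default policy or None, list of rule dicts)."""
    lines = [l for l in text.splitlines() if l.strip()]
    m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", lines[0])
    if not m:
        raise ValueError("not an iptables chain listing: " + lines[0])
    rules = []
    for line in lines[2:]:                       # lines[1] is the column header
        f = line.split(None, 10)                 # 11th field keeps the match text whole
        rule = dict(zip(FIELDS, f + [""] * (11 - len(f))))
        rule["num"], rule["pkts"] = int(rule["num"]), _count(rule["pkts"])
        rules.append(rule)
    return m.group(1), m.group(2), rules

def check_ipsec_forwarding(chain_text, client_ip):
    """Report (code, message) findings about the updown rules for client_ip in this chain."""
    name, policy, rules = parse_chain(chain_text)
    def allows(direction, r):
        # Same shape as the rules in the mail: -s/-d <client> -m policy --dir in/out --pol ipsec
        addr_ok = (r["src"] if direction == "in" else r["dst"]) == client_ip
        return (r["target"] == "ACCEPT" and addr_ok
                and f"dir {direction}" in r["extra"] and "pol ipsec" in r["extra"])
    findings = []
    for direction in ("in", "out"):
        hits = [r for r in rules if allows(direction, r)]
        if not hits:
            findings.append((f"missing-{direction}",
                             f"{name}: no ACCEPT with 'policy match dir {direction} pol ipsec' for "
                             f"{client_ip}; xt_policy not loaded or the _updown script failed"))
        elif all(r["pkts"] == 0 for r in hits):
            findings.append((f"unused-{direction}",
                             f"{name}: rule(s) {[r['num'] for r in hits]} exist but have matched 0 "
                             f"packets; re-check the counters after sending traffic through the tunnel"))
    if policy == "DROP" and any(code.startswith("missing") for code, _ in findings):
        findings.append(("default-drop", f"{name} policy is DROP: unmatched tunnel traffic is silently dropped"))
    return findings
```

<p>Run against the listing from the earlier mail (no policy-match rules, default DROP) it reports the missing rules; run against the later listing it reports that both rules exist but have zero counters, which is the next thing to investigate.</p>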