<div dir="ltr">Problem solved (thanks Thermi from #strongswan for hints).<div>Read this link: <a href="https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling">https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling</a></div><div><br><div>I used the following config:</div><div><p style="margin:0px;font-size:11px;font-family:Menlo">#ipsec.conf - strongSwan IPsec configuration file</p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">config setup</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> uniqueids=never</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> charondebug="cfg 2, dmn 2, ike 2, net 2, ike 1"</p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">conn ios</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> keyexchange=ikev1</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> authby=xauthrsasig</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> xauth=server</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> #</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> #LEFT(SERVER)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> left=%defaultroute</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> leftsubnet=0.0.0.0/0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> leftfirewall=yes</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> leftcert=vpnHostCert.pem</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> #</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> #RIGHT(CLIENT)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> right=%any</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> rightsubnet=10.0.0.0/24</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> rightsourceip=10.0.0.0/24</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> ##rightsourceip=10.0.0.2</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> #rightsubnet=192.168.2.0/0</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> rightdns=192.168.2.1</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> #rightsourceip=%dhcp</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> rightcert=ClientCert.pem</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> #pfs=no</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> dpdaction=clear</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> #added later</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> forceencaps=yes</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> auto=add</p></div><div><br></div><div>and added the following NAT rules:</div><div><div>iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT</div><div>iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE</div></div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Dec 28, 2014 at 7:38 PM, Luka Hlastec <span dir="ltr"><<a href="mailto:luka.hlastec@gmail.com" target="_blank">luka.hlastec@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><p style="margin:0px;font-size:11px;font-family:Menlo">Hi.</p><p style="margin:0px;font-size:11px;font-family:Menlo">I’ve some problems with strongSwan - I can connect to the server (strongSwan v5.0.4, IKEv1, using certificates) with my iPhone (iOS 8), but I can’t access the local network or the internet.</p><p style="margin:0px;font-size:11px;font-family:Menlo">I’m using the following config file:</p><p style="margin:0px;font-size:11px;font-family:Menlo">###########</p><p style="margin:0px;font-size:11px;font-family:Menlo">#ipsec.conf - strongSwan IPsec configuration file</p><p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p><p style="margin:0px;font-size:11px;font-family:Menlo">config setup</p><p style="margin:0px;font-size:11px;font-family:Menlo"> uniqueids=never</p><p style="margin:0px;font-size:11px;font-family:Menlo"> charondebug="cfg 2, dmn 2, ike 2, net 2, ike 1"</p><p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p><p style="margin:0px;font-size:11px;font-family:Menlo">conn ios</p><p style="margin:0px;font-size:11px;font-family:Menlo"> keyexchange=ikev1</p><p style="margin:0px;font-size:11px;font-family:Menlo"> authby=xauthrsasig</p><p 
style="margin:0px;font-size:11px;font-family:Menlo"> xauth=server</p><p style="margin:0px;font-size:11px;font-family:Menlo"> #</p><p style="margin:0px;font-size:11px;font-family:Menlo"> #LEFT(SERVER)</p><p style="margin:0px;font-size:11px;font-family:Menlo"> left=%defaultroute</p><p style="margin:0px;font-size:11px;font-family:Menlo"> leftsubnet=0.0.0.0/0</p><p style="margin:0px;font-size:11px;font-family:Menlo"> leftfirewall=yes</p><p style="margin:0px;font-size:11px;font-family:Menlo"> leftcert=vpnHostCert.pem</p><p style="margin:0px;font-size:11px;font-family:Menlo"> #</p><p style="margin:0px;font-size:11px;font-family:Menlo"> #RIGHT(CLIENT)</p><p style="margin:0px;font-size:11px;font-family:Menlo"> right=%any</p><p style="margin:0px;font-size:11px;font-family:Menlo"> rightsubnet=10.0.0.0/24</p><p style="margin:0px;font-size:11px;font-family:Menlo"> rightsourceip=10.0.0.0/24</p><p style="margin:0px;font-size:11px;font-family:Menlo"> rightcert=ClientCert.pem</p><p style="margin:0px;font-size:11px;font-family:Menlo"> dpdaction=clear</p><p style="margin:0px;font-size:11px;font-family:Menlo"> auto=add</p><p style="margin:0px;font-size:11px;font-family:Menlo">###########END</p><p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p><p style="margin:0px;font-size:11px;font-family:Menlo">LAN subnet: 192.168.2.x</p><p style="margin:0px;font-size:11px;font-family:Menlo">WAN IP: 86.158.x.x</p><p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p><p style="margin:0px;font-size:11px;font-family:Menlo">My LAN is behind a firewall (192.168.2.1) - I’ve set up port redirection (IPsec ports - UDP 500 and 4500) to the strongSwan server (Raspberry Pi, 192.168.2.102).</p><p style="margin:0px;font-size:11px;font-family:Menlo">I’ve also set the following on the Raspberry Pi:</p><p 
style="margin:0px;font-size:11px;font-family:Menlo">echo 1 > /proc/sys/net/ipv4/ip_forward</p><p style="margin:0px;font-size:11px;font-family:Menlo">echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects</p><p style="margin:0px;font-size:11px;font-family:Menlo">echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects</p><p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p><p style="margin:0px;font-size:11px;font-family:Menlo">Status of the connection:</p><p style="margin:0px;font-size:11px;font-family:Menlo">>ipsec status</p><p style="margin:0px;font-size:11px;font-family:Menlo">Security Associations (1 up, 0 connecting):</p><p style="margin:0px;font-size:11px;font-family:Menlo"> ios[1]: ESTABLISHED 38 seconds ago, 192.168.2.102[C=CH, O=strongSwan, CN=86.158.x.x]…188.198.x.x[C=CH, O=strongSwan, CN=xxx.xxx@gmail.com]</p><p style="margin:0px;font-size:11px;font-family:Menlo"> ios{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c5dd1b9d_i 069cc5f0_o</p><p style="margin:0px;font-size:11px;font-family:Menlo"> ios{1}: 0.0.0.0/0 === 10.0.0.1/32</p><p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p><p style="margin:0px;font-size:11px;font-family:Menlo">Can someone help me with the iptables settings? How do I set it up so that strongSwan clients can access the LAN subnet?</p><p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p><p style="margin:0px;font-size:11px;font-family:Menlo">Thanks</p><div><br></div></div>
</blockquote></div><br></div>
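<div>The two NAT rules in the reply only work in that order: the policy-match ACCEPT must come before MASQUERADE so that traffic from the client pool that is bound for the tunnel is not source-NATed before IPsec sees it. The script below is an added example, not part of the thread or of strongSwan; it checks that ordering against a constructed sample of <code>iptables -t nat -S POSTROUTING</code> output and assumes the pool 10.0.0.0/24 and interface eth0 from the thread (iptables stores the masked network, so the posted <code>10.0.0.1/24</code> is listed as <code>10.0.0.0/24</code>).</div>

```shell
#!/bin/sh
# Added example (not from the thread): verify that the IPsec policy exemption
# for the VPN client pool precedes the MASQUERADE rule in nat/POSTROUTING.
# If MASQUERADE comes first, pool traffic that should be tunnelled is rewritten
# before IPsec processing and no longer matches the tunnel's traffic selectors.
# Assumptions: pool 10.0.0.0/24 and interface eth0, as in the thread.

# Constructed sample listings in `iptables -S` format (not captured output).
GOOD_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE'

BAD_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT'

# rule_line RULES PATTERN: 1-based line number of the first rule containing
# PATTERN as a fixed string (empty if none). -e lets the pattern start with '-'.
rule_line() {
  printf '%s\n' "$1" | grep -nF -e "$2" | head -n 1 | cut -d: -f1
}

# nat_order_ok RULES SUBNET IFACE
# Returns 0 when both rules exist and the exemption precedes MASQUERADE.
nat_order_ok() {
  exempt=$(rule_line "$1" "-s $2 -o $3 -m policy --dir out --pol ipsec -j ACCEPT")
  masq=$(rule_line "$1" "-s $2 -o $3 -j MASQUERADE")
  [ -n "$exempt" ] && [ -n "$masq" ] && [ "$exempt" -lt "$masq" ]
}

# vpn_nat_rules SUBNET IFACE: print the two rules in the working order
# (the same rules the reply adds, parameterised by pool and interface).
vpn_nat_rules() {
  printf 'iptables -t nat -A POSTROUTING -s %s -o %s -m policy --dir out --pol ipsec -j ACCEPT\n' "$1" "$2"
  printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# nat_order_ok_live SUBNET IFACE: same check against the running host
# (needs root to read the nat table); not invoked automatically here.
nat_order_ok_live() {
  nat_order_ok "$(iptables -t nat -S POSTROUTING)" "$1" "$2"
}
```

Run <code>nat_order_ok_live 10.0.0.0/24 eth0</code> on the VPN host after loading the rules; a non-zero exit means the exemption is missing or ordered after MASQUERADE.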