<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p>Hello</p>
<p><br /></p>
<p>I am trying to make a "static tunnel" between my raspberry pi in my home network and a server in the internet. The raspberry pi is behind NAT, provided by a DD-WRT router. The server has one public IP address. The purpose of the tunnel is to create a fixed endpoint secure connection between the raspberry pi and the server in the internet as my home connection does not have a static IP. I want to initiate the connection from the raspberry pie. I would like the server to remain accessible for the other hosts in my home network and also raspberry pie accessible from the home network and internet (certain services through port forwarding on dd-wrt, for example my openvpn server for roadwarriors). Raspberry pie should not access the internet through the internet server/ipsec connection</p>
<p>Am I wrong to create a host-to-host transport mode connection? I took StrongSwan KVM tests / ikev2 /host2host-transport-nat as a reference. I managed to get an established connection but, the server could not ping the raspberry pi and my other home network machines could not reach the server when the tunnel was up. I added the following rules to the DD-WRT router:</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<p>iptables -t nat -I POSTROUTING 2 -o <dd-wrt external interface> -s <raspberry pie ip>/32 -j MASQUERADE<br />iptables -I FORWARD 3 -i <span><dd-wrt internal interface></span> -o <span><dd-wrt external interface></span> -s <span><raspberry pie ip></span>/32 -j ACCEPT<br />iptables -I FORWARD 4 -i <span><dd-wrt external interface></span> -o <span><dd-wrt internal interface></span> -d <span><raspberry pie ip></span>/32 -j ACCEPT</p>
</blockquote>
<p>I could see that the rules got triggered. Do I have make udp port 500, 4500 rules for the INPUT chain also? I have done those for the server, without them I couldn't establish a connection.</p>
<p><br /></p>
<p>configuration of the internet server (Linux kernel 4.4.0-150 x86_64 GNU/Linux and strongswan version 5.3.5 from package repo):</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<p>config setup<br /> charondebug="all"<br /> uniqueids=yes<br /> strictcrlpolicy=no</p>
<p># tunnel for<br />conn raspberry-ipsec<br /> authby=secret<br /> type=transport<br /> left=server_public_ip<br /> leftid=@server_fqdn<br /> leftfirewall=yes<br /> right=%any<br /> ike=aes192-sha256-modp3072!<br /> esp=aes192-sha256-ecp256-modp3072!<br /> keyingtries=0<br /> ikelifetime=1h<br /> lifetime=8h<br /> dpddelay=30<br /> dpdtimeout=120<br /> dpdaction=restart<br /> auto=add</p>
</blockquote>
<p>configuration of the raspberry pie (Linux raspian kernel 4.19.42-v7+ armv7l GNU/Linux and strongswan version 5.5.1 from package repo):</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<p>config setup<br /> charondebug="all"<br /> uniqueids=yes<br /> strictcrlpolicy=no</p>
<p># tunnel for<br />conn server-ipsec<br /> authby=secret<br /> type=transport<br /> leftfirewall=yes<br /> right=<span>server_public_ip</span><br /> rightid=<span>@server_</span><span>fqdn</span><br /> ike=aes192-sha256-modp3072!<br /> esp=aes192-sha256-ecp256-modp3072!<br /> keyingtries=0<br /> ikelifetime=1h<br /> lifetime=8h<br /> dpddelay=30<br /> dpdtimeout=120<br /> dpdaction=restart<br /> auto=add</p>
</blockquote>
<p>Am I doing something wrong? Should I compile newer versions? Is my reference configuration (<span>host2host-transport-nat</span>) the wrong pick? I also tried host2host-transport-connmark sample with added mark=%unique on the server side, but got an error saying that to access iptables something must be run as root. </p>
<p><br /></p>
<p>Thank You all in advance,</p>
<p><br /></p>
<p>Oliver</p>
<p><br /></p>
<p><br /></p>
</body></html>