[strongSwan] StrongSWAN and AVM Fritzbox - Help!
Rene Bartsch
ml at bartschnet.de
Sat Feb 12 17:02:22 CET 2011
Hi,

I'm new to IPSec and StrongSWAN, so a "Hello" to all list members! ;-)

Setting up a VPN tunnel between two Fritzboxes and an Ubuntu server drives
me crazy.

Packets from the private subnet of the Ubuntu server lead to a VPN tunnel
creation and everything working fine, but packets from the subnets of the
Fritzboxes do not cause Strongswan to create a connection.

Maybe someone can help me out here.

Setup:

1x Ubuntu 10.04 LTS server, fixed public IP and Hostname, 192.168.176.0/24
private Subnet, StrongSWAN 4.3.2-1.1ubuntu1, IPTables firewall with "DROP"
default policy for INPUT and FORWARD chains and "ACCEPT" for OUTPUT

1x AVM Fritzbox 7390, one dynamic public IP, ISP-forced DSL disconnection
every 24 hours, DDNS-Hostname, 192.168.177.0/24 private Subnet, Internet
via NAT

1x AVM Fritzbox 7170, one dynamic public IP, ISP-forced DSL disconnection
every 24 hours, DDNS-Hostname, 192.168.178.0/24 private Subnet, Internet
via NAT

- all hosts on the private subnets shall be able to connect to each other
- hosts on the Fritzboxes are able to reach public internet via NAT and
  local DSL
- hosts in 192.168.176.0/24 shall not have any connection to public
  internet.

Fritzbox VPN config:

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "xxx.xxx.xxx.xxx";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = xxx.xxx.xxx.xxx;
                remote_virtualip = 0.0.0.0;
                localid {
                        fqdn = "xxx.dnsalias.net";
                }
                remoteid {
                        ipaddr = xxx.xxx.xxx.xxx;
                }
                mode = phase1_mode_idp;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "xxxxxxxxxxxxxxxxxxxxxx";
                cert_do_server_auth = no;
                use_nat_t = no;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.177.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.176.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 192.168.176.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}

StrongSWAN config:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=no
        charonstart=yes
        plutostart=yes

# Add connections here.

# Sample VPN connections

conn frankfurt-giessen
        left=xxx.xxx.xxx.xxx
        leftsubnet=192.168.176.0/24
        leftfirewall=yes
        #
        ike=aes128-sha-modp1024
        esp=aes128-sha1
        #
        right=xxx.dnsalias.net
        rightid=@xxx.dnsalias.net
        rightsubnet=192.168.177.0/24
        #
        ikelifetime=4h
        keylife=1h
        #
        authby=secret
        auto=route

ipsec.secrets:

# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

# this file is managed with debconf and will contain the automatically
# created private key

xxx.xxx.xxx.xxx @xxx.dnsalias.net: PSK "xxxxxxxxxxxxxxxxxxxxxx"

#include /var/lib/strongswan/ipsec.secrets.incroot

AVM provides information about IPSec VPN:

Security strategies for IKE1:
http://www.avm.de/de/Service/Service-Portale/Service-Portal/images/Redaktionelle_Grafiken/vpn/ike_1.pdf

Security strategies for IKE2:
http://www.avm.de/de/Service/Service-Portale/Service-Portal/images/Redaktionelle_Grafiken/vpn/ike_2.pdf

Best regards,

Renne