[strongSwan] StrongSWAN and AVM Fritzbox - Help!
Andreas Steffen
andreas.steffen at strongswan.org
Sat Feb 12 18:12:07 CET 2011
Hello Rene,
strongSwan never sets up a tunnel based on incoming plaintext
packets. With auto=route only outgoing plaintext packets trigger the
setup of an IPsec tunnel. Packets from a subnet behind the
Fritzbox should cause the Fritzbox to initiate an IKE negotiation.
In any case a tcpdump or wireshark log and a strongSwan log
with
plutodebug="control"
would help to check if any IKE packets are leaving the Fritzbox
and arriving at the strongSwan box.
Best regards
Andreas
On 02/12/2011 05:02 PM, Rene Bartsch wrote:
> Hi,
>
> I'm new to IPSec and StrongSWAN, so a "Hello" to all list members! ;-)
>
>
> Setting up a VPN tunnel between two Fritzboxes and a Ubuntu server drives
> me crazy.
>
> Packets from the private subnet of the Ubuntu server lead to a VPN tunnel
> creation and everything working fine, but packets from the subnets of the
> Fritzboxes do not cause Strongswan to create a connection.
>
> Maybe someone can help me out here.
>
>
> Setup:
>
>
> 1x Ubuntu 10.04 LTS server, fixed public IP and Hostname, 192.168.176.0/24
> private Subnet, StrongSWAN 4.3.2-1.1ubuntu1, IPTables firewall with "DROP"
> default policy for INPUT and FORWARD chains and "ACCEPT" for OUTPUT
>
>
> 1x AVM Fritzbox 7390, one dynamic public IP, ISP-forced DSL disconnection
> every 24 hours, DDNS-Hostname, 192.168.177.0/24 private Subnet, Internet
> via NAT
>
>
> 1x AVM Fritzbox 7170, one dynamic public IP, ISP-forced DSL disconnection
> every 24 hours, DDNS-Hostname, 192.168.178.0/24 private Subnet, Internet
> via NAT
>
>
> - all hosts on the private subnets shall be able to connect to each other
> - hosts on the Fritzboxes are able to reach public internet via NAT and
> local DSL
> - hosts in 192.168.176.0/24 shall not have any connection to public
> internet.
>
>
>
> Fritzbox VPN config:
>
> vpncfg {
>
> connections {
>
> enabled = yes;
>
> conn_type = conntype_lan;
>
> name = "xxx.xxx.xxx.xxx";
>
> always_renew = no;
>
> reject_not_encrypted = no;
>
> dont_filter_netbios = yes;
>
> localip = 0.0.0.0;
>
> local_virtualip = 0.0.0.0;
>
> remoteip = xxx.xxx.xxx.xxx;
>
> remote_virtualip = 0.0.0.0;
>
> localid {
>
> fqdn = "xxx.dnsalias.net";
>
> }
>
> remoteid {
>
> ipaddr = xxx.xxx.xxx.xxx;
>
> }
>
> mode = phase1_mode_idp;
>
> phase1ss = "all/all/all";
>
> keytype = connkeytype_pre_shared;
>
> key = "xxxxxxxxxxxxxxxxxxxxxx";
>
> cert_do_server_auth = no;
>
> use_nat_t = no;
>
> use_xauth = no;
>
> use_cfgmode = no;
>
> phase2localid {
>
> ipnet {
>
> ipaddr = 192.168.177.0;
>
> mask = 255.255.255.0;
>
> }
>
> }
>
> phase2remoteid {
>
> ipnet {
>
> ipaddr = 192.168.176.0;
>
> mask = 255.255.255.0;
>
> }
>
> }
>
> phase2ss = "esp-all-all/ah-none/comp-all/pfs";
>
> accesslist = "permit ip any 192.168.176.0 255.255.255.0";
>
> }
>
> ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
>
> "udp 0.0.0.0:4500 0.0.0.0:4500";
>
> }
>
>
>
> StrongSWAN config:
>
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
> # plutodebug=all
> # crlcheckinterval=600
> # strictcrlpolicy=yes
> # cachecrls=yes
> nat_traversal=no
> charonstart=yes
> plutostart=yes
>
> # Add connections here.
>
> # Sample VPN connections
>
> conn frankfurt-giessen
> left=xxx.xxx.xxx.xxx
> leftsubnet=192.168.176.0/24
> leftfirewall=yes
> #
> ike=aes128-sha-modp1024
> esp=aes128-sha1
> #
> right=xxx.dnsalias.net
> rightid=@xxx.dnsalias.net
> rightsubnet=192.168.177.0/24
> #
> ikelifetime=4h
> keylife=1h
> #
> authby=secret
> auto=route
>
>
>
> ipsec.secrets:
>
>
> # This file holds shared secrets or RSA private keys for inter-Pluto
> # authentication. See ipsec_pluto(8) manpage, and HTML documentation.
>
> # RSA private key for this host, authenticating it to any other host
> # which knows the public part. Suitable public keys, for ipsec.conf, DNS,
> # or configuration of other implementations, can be extracted conveniently
> # with "ipsec showhostkey".
>
> # this file is managed with debconf and will contain the automatically created private key
> xxx.xxx.xxx.xxx @xxx.dnsalias.net: PSK "xxxxxxxxxxxxxxxxxxxxxx"
> #include /var/lib/strongswan/ipsec.secrets.incroot
>
>
> AVM provides Information about IPSec VPN:
>
> Security strategies for IKE1:
> http://www.avm.de/de/Service/Service-Portale/Service-Portal/images/Redaktionelle_Grafiken/vpn/ike_1.pdf
>
> Security strategies for IKE2:
> http://www.avm.de/de/Service/Service-Portale/Service-Portal/images/Redaktionelle_Grafiken/vpn/ike_2.pdf
>
>
> Best regards,
>
> Renne
>
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
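The check Andreas suggests, looking at a packet capture to see whether any IKE packets from a Fritzbox actually arrive at the strongSwan box, as an added example that is not part of the original thread: a small Python script that triages the text output of `tcpdump -n udp port 500 or udp port 4500` per peer and says which side of the exchange is missing. The addresses, the capture lines and the function names are constructed for this example. One detail worth knowing when reading such a capture: tcpdump sees inbound packets before the iptables INPUT chain, so a peer's IKE packet that shows up in the capture but gets no reply points at the firewall or the daemon on the strongSwan box, while a peer that never appears at all has not initiated.

```python
import re

# Constructed sample of `tcpdump -n udp port 500 or udp port 4500` on the
# strongSwan box (198.51.100.7). The peer addresses are made up for the example:
# 203.0.113.5 completes a Main Mode round trip, 203.0.113.9 sends two IKE
# packets that never get an answer, and the DNS line is noise to be ignored.
SAMPLE_CAPTURE = """\
18:12:07.000001 IP 203.0.113.5.500 > 198.51.100.7.500: isakmp: phase 1 I ident
18:12:07.000002 IP 198.51.100.7.500 > 203.0.113.5.500: isakmp: phase 1 R ident
18:12:09.000004 IP 203.0.113.9.500 > 198.51.100.7.500: isakmp: phase 1 I ident
18:12:19.000005 IP 203.0.113.9.500 > 198.51.100.7.500: isakmp: phase 1 I ident
18:12:20.000006 IP 198.51.100.7.53 > 203.0.113.9.53: 1234 A? example.org. (29)
"""

# tcpdump prints "addr.port" for both endpoints; the last dotted field is the port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<payload>.*)$"
)


def parse_ike_packets(capture_text):
    """Return (src, dst, payload) for every ISAKMP packet in tcpdump text output."""
    packets = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Keep only IKE (UDP 500) and NAT-T encapsulated IKE (UDP 4500) traffic.
        if m["sport"] not in ("500", "4500") or "isakmp" not in m["payload"]:
            continue
        packets.append((m["src"], m["dst"], m["payload"]))
    return packets


def triage(capture_text, local_ip, peers):
    """Count IKE packets per peer in each direction and attach a verdict.

    Because tcpdump captures inbound packets before netfilter's INPUT chain,
    'in > 0, out == 0' means the packet reached the host but nothing answered.
    """
    counts = {peer: {"in": 0, "out": 0} for peer in peers}
    for src, dst, _payload in parse_ike_packets(capture_text):
        if dst == local_ip and src in counts:
            counts[src]["in"] += 1
        elif src == local_ip and dst in counts:
            counts[dst]["out"] += 1

    report = {}
    for peer, c in counts.items():
        if c["in"] == 0 and c["out"] == 0:
            verdict = "no IKE traffic: peer never initiated and nothing local triggered auto=route"
        elif c["out"] == 0:
            verdict = "IKE arrives but no answer leaves: check INPUT firewall rules and that pluto listens"
        elif c["in"] == 0:
            verdict = "only outgoing IKE: local side initiated, peer unreachable or not answering"
        else:
            verdict = "IKE exchange seen: read the plutodebug=control log for the negotiation result"
        report[peer] = {"in": c["in"], "out": c["out"], "verdict": verdict}
    return report


if __name__ == "__main__":
    # Hypothetical Fritzbox addresses; the third one never shows up in the capture.
    result = triage(SAMPLE_CAPTURE, "198.51.100.7",
                    ["203.0.113.5", "203.0.113.9", "203.0.113.13"])
    for peer, info in result.items():
        print(f"{peer}: in={info['in']} out={info['out']} -> {info['verdict']}")
```

In practice the capture text comes from `tcpdump -n -i <wan-if> udp port 500 or udp port 4500 > ike.txt` run on the strongSwan box while a host behind the Fritzbox tries to reach 192.168.176.0/24; the script then tells you whether the problem is on the Fritzbox side (nothing arrives) or on the Ubuntu side (packets arrive, nothing is answered), which is exactly the split the reply above is trying to establish.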