[strongSwan] StrongSWAN and AVM Fritzbox - Help!

Rene Bartsch rene at bartschnet.de
Sat Feb 12 16:59:54 CET 2011


Hi,

I'm new to IPSec and StrongSWAN, so a "Hello" to all list members! ;-)


Setting up a VPN tunnel between two Fritzboxes and a Ubuntu server drives
me crazy.

Packets from the private subnet of the Ubuntu server lead to a VPN tunnel
creation and everything working fine, but packets from the subnets of the
Fritzboxes do not cause Strongswan to create a connection.

Maybe someone can help me out here.


Setup:


1x Ubuntu 10.04 LTS server, fixed public IP and Hostname, 192.168.176.0/24
private Subnet, StrongSWAN 4.3.2-1.1ubuntu1, IPTables firewall with "DROP"
default policy for INPUT and FORWARD chains and "ACCEPT" for OUTPUT


1x AVM Fritzbox 7390, one dynamic public IP, ISP-forced DSL disconnection
every 24 hours, DDNS-Hostname, 192.168.177.0/24 private Subnet, Internet
via NAT


1x AVM Fritzbox 7170, one dynamic public IP, ISP-forced DSL disconnection
every 24 hours, DDNS-Hostname, 192.168.178.0/24 private Subnet, Internet
via NAT


- all hosts on the private subnets shall be able to connect to each other
- hosts on the Fritzboxes are able to reach public internet via NAT and
local DSL
- hosts in 192.168.176.0/24 shall not have any connection to public
internet.



Fritzbox VPN config:

vpncfg {

        connections {

                enabled = yes;

                conn_type = conntype_lan;

                name = "xxx.xxx.xxx.xxx";

                always_renew = no;

                reject_not_encrypted = no;

                dont_filter_netbios = yes;

                localip = 0.0.0.0;

                local_virtualip = 0.0.0.0;

                remoteip = xxx.xxx.xxx.xxx;

                remote_virtualip = 0.0.0.0;

                localid {

                        fqdn = "xxx.dnsalias.net";

                }

                remoteid {

                        ipaddr = xxx.xxx.xxx.xxx;

                }

                mode = phase1_mode_idp;

                phase1ss = "all/all/all";

                keytype = connkeytype_pre_shared;

                key = "xxxxxxxxxxxxxxxxxxxxxx";

                cert_do_server_auth = no;

                use_nat_t = no;

                use_xauth = no;

                use_cfgmode = no;

                phase2localid {

                        ipnet {

                                ipaddr = 192.168.177.0;

                                mask = 255.255.255.0;

                        }

                }

                phase2remoteid {

                        ipnet {

                                ipaddr = 192.168.176.0;

                                mask = 255.255.255.0;

                        }

                }

                phase2ss = "esp-all-all/ah-none/comp-all/pfs";

                accesslist = "permit ip any 192.168.176.0 255.255.255.0";

        }

        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",

                            "udp 0.0.0.0:4500 0.0.0.0:4500";

}



StrongSWAN config:


# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# plutodebug=all
	# crlcheckinterval=600
	# strictcrlpolicy=yes
	# cachecrls=yes
	nat_traversal=no
	charonstart=yes
	plutostart=yes

# Add connections here.

# Sample VPN connections

conn frankfurt-giessen
    left=xxx.xxx.xxx.xxx
    leftsubnet=192.168.176.0/24
    leftfirewall=yes
    #
    ike=aes128-sha-modp1024
    esp=aes128-sha1
    #
    right=xxx.dnsalias.net
    rightid=@xxx.dnsalias.net
    rightsubnet=192.168.177.0/24
    #
    ikelifetime=4h
    keylife=1h
    #
    authby=secret
    auto=route



ipsec.secrets:


# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

# this file is managed with debconf and will contain the automatically
created private key
xxx.xxx.xxx.xxx @xxx.dnsalias.net: PSK "xxxxxxxxxxxxxxxxxxxxxx"
#include /var/lib/strongswan/ipsec.secrets.incroot


AVM provides Information about IPSec VPN:

Security strategies for IKE1:
http://www.avm.de/de/Service/Service-Portale/Service-Portal/images/Redaktionelle_Grafiken/vpn/ike_1.pdf

Security strategies for IKE2:
http://www.avm.de/de/Service/Service-Portale/Service-Portal/images/Redaktionelle_Grafiken/vpn/ike_2.pdf


Best regards,

Renne





More information about the Users mailing list