[strongSwan] StrongSWAN and AVM Fritzbox - Help!
Rene Bartsch
ml at bartschnet.de
Sat Feb 12 20:15:32 CET 2011
Hello Andreas,
After using tcpdump, I set all iptables policies to "ACCEPT", and
flushing all rules led to a working VPN.
Which iptables rules do I have to set to allow the IPsec connection handshake?
Best regards,
Renne
On Sat, 12 Feb 2011 18:12:07 +0100, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> Hello Rene,
>
> strongSwan never sets up a tunnel based on incoming plaintext
> packets. With auto=route only outgoing plaintext trigger the
> setup of an IPsec tunnel. Packets from a subnet behind the
> Fritzbox should cause the Fritzbox to initiate an IKE negotiation.
>
> In any case a tcpdump or wireshark log and a strongSwan log
> with
>
> plutodebug="control"
>
> would help to check if any IKE packets are leaving the Fritzbox
> and arriving at the strongSwan box.
>
> Best regards
>
> Andreas
>
> On 02/12/2011 05:02 PM, Rene Bartsch wrote:
>> Hi,
>>
>> I'm new to IPSec and StrongSWAN, so a "Hello" to all list members! ;-)
>>
>>
>> Setting up a VPN tunnel between two Fritzboxes and an Ubuntu server
>> drives me crazy.
>>
>> Packets from the private subnet of the Ubuntu server lead to a VPN
>> tunnel creation and everything working fine, but packets from the
>> subnets of the Fritzboxes do not cause Strongswan to create a connection.
>>
>> Maybe someone can help me out here.
>>
>>
>> Setup:
>>
>>
>> 1x Ubuntu 10.04 LTS server, fixed public IP and Hostname,
>> 192.168.176.0/24 private Subnet, StrongSWAN 4.3.2-1.1ubuntu1,
>> IPTables firewall with "DROP" default policy for INPUT and FORWARD
>> chains and "ACCEPT" for OUTPUT
>>
>>
>> 1x AVM Fritzbox 7390, one dynamic public IP, ISP-forced DSL
>> disconnection every 24 hours, DDNS-Hostname, 192.168.177.0/24 private
>> Subnet, Internet via NAT
>>
>>
>> 1x AVM Fritzbox 7170, one dynamic public IP, ISP-forced DSL
>> disconnection every 24 hours, DDNS-Hostname, 192.168.178.0/24 private
>> Subnet, Internet via NAT
>>
>>
>> - all hosts on the private subnets shall be able to connect to each
>> other
>> - hosts on the Fritzboxes are able to reach public internet via NAT and
>> local DSL
>> - hosts in 192.168.176.0/24 shall not have any connection to public
>> internet.
>>
>>
>>
>> Fritzbox VPN config:
>>
>> vpncfg {
>>     connections {
>>         enabled = yes;
>>         conn_type = conntype_lan;
>>         name = "xxx.xxx.xxx.xxx";
>>         always_renew = no;
>>         reject_not_encrypted = no;
>>         dont_filter_netbios = yes;
>>         localip = 0.0.0.0;
>>         local_virtualip = 0.0.0.0;
>>         remoteip = xxx.xxx.xxx.xxx;
>>         remote_virtualip = 0.0.0.0;
>>         localid {
>>             fqdn = "xxx.dnsalias.net";
>>         }
>>         remoteid {
>>             ipaddr = xxx.xxx.xxx.xxx;
>>         }
>>         mode = phase1_mode_idp;
>>         phase1ss = "all/all/all";
>>         keytype = connkeytype_pre_shared;
>>         key = "xxxxxxxxxxxxxxxxxxxxxx";
>>         cert_do_server_auth = no;
>>         use_nat_t = no;
>>         use_xauth = no;
>>         use_cfgmode = no;
>>         phase2localid {
>>             ipnet {
>>                 ipaddr = 192.168.177.0;
>>                 mask = 255.255.255.0;
>>             }
>>         }
>>         phase2remoteid {
>>             ipnet {
>>                 ipaddr = 192.168.176.0;
>>                 mask = 255.255.255.0;
>>             }
>>         }
>>         phase2ss = "esp-all-all/ah-none/comp-all/pfs";
>>         accesslist = "permit ip any 192.168.176.0 255.255.255.0";
>>     }
>>     ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
>>                         "udp 0.0.0.0:4500 0.0.0.0:4500";
>> }
>>
>>
>>
>> StrongSWAN config:
>>
>>
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>>     # plutodebug=all
>>     # crlcheckinterval=600
>>     # strictcrlpolicy=yes
>>     # cachecrls=yes
>>     nat_traversal=no
>>     charonstart=yes
>>     plutostart=yes
>>
>> # Add connections here.
>>
>> # Sample VPN connections
>>
>> conn frankfurt-giessen
>>     left=xxx.xxx.xxx.xxx
>>     leftsubnet=192.168.176.0/24
>>     leftfirewall=yes
>>     #
>>     ike=aes128-sha-modp1024
>>     esp=aes128-sha1
>>     #
>>     right=xxx.dnsalias.net
>>     rightid=@xxx.dnsalias.net
>>     rightsubnet=192.168.177.0/24
>>     #
>>     ikelifetime=4h
>>     keylife=1h
>>     #
>>     authby=secret
>>     auto=route
>>
>>
>>
>> ipsec.secrets:
>>
>>
>> # This file holds shared secrets or RSA private keys for inter-Pluto
>> # authentication. See ipsec_pluto(8) manpage, and HTML documentation.
>>
>> # RSA private key for this host, authenticating it to any other host
>> # which knows the public part. Suitable public keys, for ipsec.conf, DNS,
>> # or configuration of other implementations, can be extracted conveniently
>> # with "ipsec showhostkey".
>>
>> # this file is managed with debconf and will contain the automatically
>> # created private key
>> xxx.xxx.xxx.xxx @xxx.dnsalias.net: PSK "xxxxxxxxxxxxxxxxxxxxxx"
>> #include /var/lib/strongswan/ipsec.secrets.incroot
>>
>>
>> AVM provides Information about IPSec VPN:
>>
>> Security strategies for IKE1:
>> http://www.avm.de/de/Service/Service-Portale/Service-Portal/images/Redaktionelle_Grafiken/vpn/ike_1.pdf
>>
>> Security strategies for IKE2:
>> http://www.avm.de/de/Service/Service-Portale/Service-Portal/images/Redaktionelle_Grafiken/vpn/ike_2.pdf
>>
>>
>> Best regards,
>>
>> Renne
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
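The rule set below is an added example, not part of this thread or of strongSwan itself, answering the question of which iptables rules the gateway needs with INPUT and FORWARD defaulting to DROP and OUTPUT to ACCEPT. It assumes the public interface is eth0 (not stated in the thread; override with WAN_IF) and takes the 192.168.176.0/24 and 192.168.177.0/24 subnets from the posted ipsec.conf. The INPUT rules admit the IKE handshake (UDP 500, plus UDP 4500 for NAT-T, harmless while use_nat_t=no) and the ESP packets that carry the tunnel. The FORWARD rules match on the IPsec policy, so only traffic that really travelled inside an SA is forwarded and the default DROP still keeps 192.168.176.0/24 off the public Internet; with leftfirewall=yes, strongSwan's _updown script inserts equivalent FORWARD rules when the tunnel comes up, so they are listed here mainly to make the intended policy visible. The script prints the rules for review and applies them only when run as root with the argument "apply".

```shell
#!/bin/sh
# Added example for the strongSwan gateway described in the thread; not part of strongSwan.
# Assumption: eth0 is the public interface (not given in the thread; override via WAN_IF).
WAN_IF="${WAN_IF:-eth0}"
LOCAL_NET="192.168.176.0/24"    # leftsubnet from the posted ipsec.conf
REMOTE_NET="192.168.177.0/24"   # rightsubnet from the posted ipsec.conf

# Emit the rules instead of applying them, so they can be reviewed (and tested) first.
ipsec_rules() {
    cat <<EOF
# IKE (ISAKMP) on UDP 500 and NAT-T/ESP-in-UDP on UDP 4500; OUTPUT is ACCEPT,
# so the replies need no extra rule.
iptables -A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport 4500 -j ACCEPT
# ESP (IP protocol 50) carries the encrypted payload; the thread uses ah-none,
# so AH (protocol 51) is not opened.
iptables -A INPUT -i $WAN_IF -p esp -j ACCEPT
# Forward only traffic that arrived inside an IPsec SA (policy match), never
# plaintext claiming a private source; the remaining FORWARD traffic hits the
# DROP default, which keeps $LOCAL_NET away from the public Internet.
iptables -A FORWARD -s $REMOTE_NET -d $LOCAL_NET -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A FORWARD -s $LOCAL_NET -d $REMOTE_NET -m policy --dir out --pol ipsec --proto esp -j ACCEPT
EOF
}

# Number of rules that would be inserted (comment lines excluded).
rule_count() {
    ipsec_rules | grep -c '^iptables'
}

# Apply only on explicit request and only as root: sh ipsec-fw.sh apply
if [ "${1:-}" = "apply" ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply needs root" >&2
        exit 1
    fi
    ipsec_rules | grep -v '^#' | sh -e
else
    ipsec_rules
fi
```

Run without arguments to print the rules; to see what was actually blocking the handshake, compare the printed rules with `iptables -L INPUT -v -n` while the tunnel fails, where the UDP 500 and ESP packets show up in the DROP counters of the default policy.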