[strongSwan] pure ipsec openwrt

Andrea Nottoli andreanottoli at gmail.com
Mon Oct 3 15:27:28 CEST 2011


Hi again,
It doesn't work :(
I can still ping the router and also manage it through the web GUI, but I can't reach the other machines :(

I've edited the suggested rules to adjust them to my ifconfig, but without success. Any other ideas?
Surely the problem is related to NAT from ppp/wan to lan and vice versa.

This is my ifconfig:
The wan interface is eth0.2, with a pppoe-wan connection over it.
eth0.1 is the lan interface, bridged (br-lan) with eth0.2.

So I've edited the rules suggested by Rajiv with eth0.2 instead of eth0 (wan) and eth0.1 instead of eth2 (lan). I also changed ppp0 to pppoe-wan according to ifconfig (below).

Thanks again for your help; I hope to finally solve this strange (and abnormal) issue with my ipsec config.



root at OpenWrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 74:EA:3A:E4:47:52  
          inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::76ea:3aff:fee4:4752/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9450776 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21936047 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1169972374 (1.0 GiB)  TX bytes:495910714 (472.9 MiB)

eth0      Link encap:Ethernet  HWaddr 74:EA:3A:E4:47:52  
          inet6 addr: fe80::76ea:3aff:fee4:4752/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32253959 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31904139 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2811514789 (2.6 GiB)  TX bytes:1757630697 (1.6 GiB)
          Interrupt:4 

eth0.1    Link encap:Ethernet  HWaddr 74:EA:3A:E4:47:52  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9841290 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22001555 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1856031729 (1.7 GiB)  TX bytes:306500736 (292.3 MiB)

eth0.2    Link encap:Ethernet  HWaddr 74:EA:3A:E4:47:52  
          inet6 addr: fe80::76ea:3aff:fee4:4752/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22412477 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9902574 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:503906886 (480.5 MiB)  TX bytes:1451128324 (1.3 GiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:58 errors:0 dropped:0 overruns:0 frame:0
          TX packets:58 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:5341 (5.2 KiB)  TX bytes:5341 (5.2 KiB)

mon.wlan0 Link encap:UNSPEC  HWaddr 74-EA-3A-E4-47-52-00-00-00-00-00-00-00-00-00-00  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:55353 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:8881039 (8.4 MiB)  TX bytes:0 (0.0 B)

pppoe-wan Link encap:Point-to-Point Protocol  
          inet addr:79.XX.XX.XXX  P-t-P:192.168.100.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:1818589 errors:0 dropped:0 overruns:0 frame:0
          TX packets:713853 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:2430544726 (2.2 GiB)  TX bytes:56985105 (54.3 MiB)

wlan0     Link encap:Ethernet  HWaddr 74:EA:3A:E4:47:52  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:494648 errors:0 dropped:0 overruns:0 frame:0
          TX packets:837753 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:72276624 (68.9 MiB)  TX bytes:1022316479 (974.9 MiB)






On 27 Sep 2011, at 09:47, Rajiv Kulkarni wrote:

> Hi
>  
> Assuming that you have NAT (MASQUERADE) enabled on the wan interface (say eth0) of your home router (with a pppoe connection to the internet) and the LAN interface is identified as eth2, then I would request you to please try out the iptables rules below as well:
>  
> iptables -A INPUT -p esp -j ACCEPT
> iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> iptables -A OUTPUT -p esp -j ACCEPT
> iptables -A OUTPUT -p udp -m udp --dport 500 -j ACCEPT
> iptables -t nat -I POSTROUTING 1 -p esp -j ACCEPT
> iptables -t nat -I POSTROUTING 2 -s 192.168.1.0/24 -d 172.20.0.0/16 -j ACCEPT
> iptables -I FORWARD 3 -i eth2 -o ppp0 -j ACCEPT
> iptables -I FORWARD 4 -i eth2 -o eth0 -j ACCEPT
> iptables -I FORWARD 5 -i ppp0 -o eth2 -j ACCEPT
> iptables -I FORWARD 6 -i eth0 -o eth2 -j ACCEPT
>  
> Please note: the rules for the nat table should be added before the MASQUERADE rule, if any; hence the numbers 1 and 2.
>  
> The basic reason, I think, is that the packets aren't getting forwarded across the wan and lan interfaces and vice versa, once the ipsec tunnel is up.
>  
> 1. You can try only ipsec first by disabling the firewall completely.
> 2. Next, enable the existing firewall rules and ipsec and see where it's getting dropped. Also try to add some of the rules mentioned above.
>  
> I think it should work if 1 above works.
>  
> -rajiv
> 
> 
>  
> On Mon, Sep 26, 2011 at 8:08 PM, Andrea Nottoli <andreanottoli at gmail.com> wrote:
> Hi everybody, and sorry for my really bad English.
> 
> I have a problem with strongSwan on the latest OpenWRT firmware.
> I followed the tutorial on the wiki for setting up a VPN server to connect to my home LAN through my iPhone and iPad (so IKEv1 and pure IPsec).
> I can connect and log in (X.509 cert) but I can't ping my LAN machines (e.g. my NAS).
> It seems iptables blocks traffic from wan to lan also during the pure IPsec connection.
> 
> OpenWRT router IP: 192.168.1.254
> Connection to the internet: PPPoE through an ADSL modem
> 
> 
> I've opened the ESP protocol, UDP 500, UDP 4500 and the AH protocol, and added some policies to forward IPsec traffic, but it seems that isn't enough (check the bottom).
> 
> 
> Can someone help me? Thanks in advance, strongSwan team!
> 
> 
> 
> 
> This is my ipsec.conf:
> 
> config setup
>        strictcrlpolicy=no
>        nat_traversal=yes
>        charonstart=yes
> 
> conn ios
>       keyexchange=ikev1
>       authby=xauthrsasig
>       xauth=server
>       leftfirewall=yes
>       left=%defaultroute
>       leftsubnet=0.0.0.0/0
>       leftcert=serverCert.pem
>       rightsourceip=192.168.1.25
>       rightsubnet=192.168.1.0/24
>       right=%any
>       rightcert=clientCert.pem
>       pfs=no
>       auto=add
> 
> 
> 
> 
> 
> This is my firewall.users (a text file for custom rules, loaded during firewall start by OpenWRT):
> 
> /usr/sbin/iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
> /usr/sbin/iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
> /usr/sbin/iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
> /usr/sbin/iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
> 
> 
> 
> 
> This is my firewall.conf (the base file loaded for firewall configuration at every start; after this, OpenWRT loads the firewall.users script):
> config 'defaults'
>        option 'syn_flood' '1'
>        option 'input' 'ACCEPT'
>        option 'output' 'ACCEPT'
>        option 'drop_invalid' '1'
>        option 'forward' 'ACCEPT'
> 
> config 'zone'
>        option 'name' 'lan'
>        option 'network' 'lan'
>        option 'input' 'ACCEPT'
>        option 'output' 'ACCEPT'
>        option 'forward' 'REJECT'
> 
> config 'zone'
>        option 'name' 'wan'
>        option 'network' 'wan'
>        option 'output' 'ACCEPT'
>        option 'mtu_fix' '1'
>        option 'masq' '1'
>        option 'input' 'REJECT'
>        option 'forward' 'REJECT'
> 
> config 'rule'
>        option 'src' 'wan'
>        option 'proto' 'udp'
>        option 'dest_port' '68'
>        option 'target' 'ACCEPT'
>        option 'family' 'ipv4'
> 
> config 'rule'
>        option 'src' 'wan'
>        option 'proto' 'icmp'
>        option 'icmp_type' 'echo-request'
>        option 'target' 'ACCEPT'
> 
> config 'include'
>        option 'path' '/etc/firewall.user'
> 
> config 'forwarding'
>        option 'dest' 'wan'
>        option 'src' 'lan'
> 
> config 'redirect'
>        option '_name' 'qBittorrent verso nas'
>        option 'src' 'wan'
>        option 'proto' 'tcp'
>        option 'src_dport' '6881'
>        option 'dest_ip' '192.168.1.1'
>        option 'dest_port' '6881'
>        option 'target' 'DNAT'
>        option 'dest' 'lan'
> 
> config 'rule'
>        option 'target' 'ACCEPT'
>        option '_name' 'PPPTP VPN'
>        option 'src' 'wan'
>        option 'proto' 'udp'
>        option 'dest_port' '1723'
> 
> config 'rule'
>        option 'target' 'ACCEPT'
>        option '_name' 'accetta esp'
>        option 'src' 'wan'
>        option 'proto' 'esp'
> 
> config 'rule'
>        option 'target' 'ACCEPT'
>        option '_name' 'accetta ike'
>        option 'src' 'wan'
>        option 'proto' 'udp'
>        option 'dest_port' '500'
> 
> config 'rule'
>        option 'target' 'ACCEPT'
>        option '_name' 'accetta nat-t'
>        option 'src' 'wan'
>        option 'proto' 'udp'
>        option 'dest_port' '4500'
> 
> config 'rule'
>        option 'target' 'ACCEPT'
>        option '_name' 'accetta ah'
>        option 'src' 'wan'
>        option 'proto' 'ah'
> 

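As an added check that is not part of the thread: Rajiv's point about rule order (the nat-table exceptions must come before MASQUERADE, hence -I POSTROUTING 1 and 2) can be verified on the router by reading iptables-save output, since OpenWrt's wan zone with masq enabled adds a MASQUERADE rule that would rewrite the tunnel's packets first if it is hit before the exceptions. The script below checks that order; its two rule sets are constructed samples that use the thread's interfaces and subnets, and the zone_wan_nat chain name and the policy-match variant are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: check that the IPsec exceptions in
# nat/POSTROUTING sit before OpenWrt's wan MASQUERADE, whether it is in
# POSTROUTING itself or in a zone chain (e.g. zone_wan_nat) jumped to from
# there. Usage on the router:  iptables-save | ipsec_before_masq
# Exit status 0 when the order is right, 1 when MASQUERADE comes first.
ipsec_before_masq() {
    awk '
        /^\*nat$/  { in_nat = 1; next }
        /^COMMIT$/ { in_nat = 0; next }
        in_nat && /^-A / {
            lines[n++] = $0
            if ($0 ~ /-j MASQUERADE/) masq_chain[$2] = 1  # chains that masq
        }
        END {
            for (i = 0; i < n; i++) {
                l = lines[i]
                if (l !~ /^-A POSTROUTING /) continue
                match(l, /-j [^ ]+/)
                target = substr(l, RSTART + 3, RLENGTH - 3)
                if (target == "MASQUERADE" || (target in masq_chain)) {
                    seen_masq = 1; continue
                }
                # thread exceptions: ESP, client/LAN pair, or policy match
                if (l ~ /-p esp|--pol ipsec|-d 172\.20\.0\.0\/16/ && seen_masq) {
                    bad = 1; print "BAD, after MASQUERADE: " l
                }
            }
            if (!bad) print "OK: IPsec exceptions precede MASQUERADE"
            exit (bad ? 1 : 0)
        }
    '
}
# Constructed sample: the order Rajiv recommends (-I POSTROUTING 1 and 2).
GOOD_NAT='*nat
-A POSTROUTING -p esp -j ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -d 172.20.0.0/16 -j ACCEPT
-A POSTROUTING -o pppoe-wan -j zone_wan_nat
-A zone_wan_nat -j MASQUERADE
COMMIT'
# Constructed sample: same rules appended (-A), so they come after the jump.
BAD_NAT='*nat
-A POSTROUTING -o pppoe-wan -j zone_wan_nat
-A zone_wan_nat -j MASQUERADE
-A POSTROUTING -p esp -j ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -d 172.20.0.0/16 -j ACCEPT
COMMIT'
printf '%s\n' "$GOOD_NAT" | ipsec_before_masq
printf '%s\n' "$BAD_NAT"  | ipsec_before_masq || true
```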

