[strongSwan] pure ipsec openwrt
Andrea Nottoli
andreanottoli at gmail.com
Fri Oct 7 20:33:14 CEST 2011
Hi Rajiv,
i've tried also without leftfirewall=yes and checket my ifconfig but still cant' access other machine.
brlan is the default config installed with OpenWRT backfire, it bridge lan&wlan.
I'm movin' on think that is a routing-table problem and not a iptables problem..
With the same strongswan config on my ubuntu-server with ipsec/ike forwarded rules works like a charme so eventually i can use the server instead that the openwrt router... but i'm really couriose to know why on openwrt it doesn't works....
This is my config/network that setup the interfaces on boot:
root at OpenWrt:~# cat /etc/config/network
config 'interface' 'loopback'
option 'ifname' 'lo'
option 'proto' 'static'
option 'ipaddr' '127.0.0.1'
option 'netmask' '255.0.0.0'
config 'interface' 'lan'
option 'ifname' 'eth0.1'
option 'type' 'bridge'
option 'proto' 'static'
option 'netmask' '255.255.255.0'
option 'ipaddr' '192.168.1.254'
option 'dns' '212.216.112.112'
config 'interface' 'wan'
option 'ifname' 'eth0.2'
option 'proto' 'pppoe'
option 'username' 'aliceadsl'
option 'password' 'aliceadsl'
config 'switch'
option 'name' 'rtl8366rb'
option 'reset' '1'
option 'enable_vlan' '1'
config 'switch_vlan'
option 'device' 'rtl8366rb'
option 'vlan' '1'
option 'ports' '1 2 3 4 5t'
config 'switch_vlan'
option 'device' 'rtl8366rb'
option 'vlan' '2'
option 'ports' '0 5t'
and this is the ifconfig for cross-check:
root at OpenWrt:~# ifconfig -a
br-lan Link encap:Ethernet HWaddr 74:EA:3A:E4:47:52
inet addr:192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::76ea:3aff:fee4:4752/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:16803908 errors:0 dropped:0 overruns:0 frame:0
TX packets:38703393 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1671781787 (1.5 GiB) TX bytes:2157668786 (2.0 GiB)
eth0 Link encap:Ethernet HWaddr 74:EA:3A:E4:47:52
inet6 addr: fe80::76ea:3aff:fee4:4752/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:57204339 errors:0 dropped:0 overruns:0 frame:0
TX packets:56721947 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1423523216 (1.3 GiB) TX bytes:4122991431 (3.8 GiB)
Interrupt:4
eth0.1 Link encap:Ethernet HWaddr 74:EA:3A:E4:47:52
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:17244624 errors:0 dropped:0 overruns:0 frame:0
TX packets:38682121 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2712052549 (2.5 GiB) TX bytes:1898068553 (1.7 GiB)
eth0.2 Link encap:Ethernet HWaddr 74:EA:3A:E4:47:52
inet6 addr: fe80::76ea:3aff:fee4:4752/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:39959523 errors:0 dropped:0 overruns:0 frame:0
TX packets:18039816 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2205556469 (2.0 GiB) TX bytes:2224921241 (2.0 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:134 errors:0 dropped:0 overruns:0 frame:0
TX packets:134 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:18184 (17.7 KiB) TX bytes:18184 (17.7 KiB)
mon.wlan0 Link encap:UNSPEC HWaddr 74-EA-3A-E4-47-52-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:82656 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11862343 (11.3 MiB) TX bytes:0 (0.0 B)
pppoe-wan Link encap:Point-to-Point Protocol
inet addr:82.61.137.228 P-t-P:192.168.100.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:6428701 errors:0 dropped:0 overruns:0 frame:0
TX packets:2735350 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:749431252 (714.7 MiB) TX bytes:162081478 (154.5 MiB)
wlan0 Link encap:Ethernet HWaddr 74:EA:3A:E4:47:52
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:824884 errors:0 dropped:0 overruns:0 frame:0
TX packets:1331143 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:117700186 (112.2 MiB) TX bytes:1545176556 (1.4 GiB)
Il giorno 04/ott/2011, alle ore 09:33, Rajiv Kulkarni ha scritto:
> Hi
>
> I would suggest you to do one more thing:
>
> - Remove the "leftfirewall=yes" from the ipsec.conf on both peers (if it is mentioned on remote peer too)
>
> - Manually add/paste the mentioned iptable rules which is basically simulating a split-tunnel scenario as shown in the attached png file. Also add the forward-chain rules with br-lan interface also, if possible
>
> - Logically speaking it should get solved with above steps
>
> But looking at your device config (the interfaces mentioned), i guess the issues may be because:
>
> - are there VLANs/sub-interfaces/alias-interfaces defined on Eth0?
>
> - Is there a Physical lan interface on your device? such as eth1 or eth2 (i.e other than eth0 which is i guess the wan interface)
>
> - why are you bridging the wan interface (eth0.2 or pppoe-wan) with lan (eth0.1). Although it should work, but the ipsec flow gets sometimes disrupted due to routing issues, when everything is bridged together.
>
> - I would generally keep the wan interface separate/standalone, and instead bridge the lan and wifi interface together (and i do run dhcp-server on the br0 interface to cater to the lan-side ethernet and wifi clients)
>
> hope this works
>
> thanks
> rajiv
>
>
>
>
> On Mon, Oct 3, 2011 at 6:57 PM, Andrea Nottoli <andreanottoli at gmail.com> wrote:
> Hi again,
> It doesn't works :(
> I still can ping router and also manage it trough webGui, but can't reach other machines :(
>
> I've edited the suggested rules for adjust to my ifconfig but without success, other ideas?
> Sure, the problem is related to nat from ppp/wan to lan and vice-versa.
>
> This is my ifconfig
> wan interface is eth0.2, wih a pppoe-wan connection over it.
> eth0.1 is the lan interface, bridget (br-lan) with eth0.2.
>
> so i've edited the rules suggested by Rajiv with eth0.2 instead eth0 (wan) and eth0.1 instead eth2 (lan). Also changed ppp0 with pppoe-wan according to ifconfig (below).
>
> Thanks again for your help, hope to finally solve this strange (and abnormal) issue with my ipsec config.
>
>
>
> root at OpenWrt:~# ifconfig
> br-lan Link encap:Ethernet HWaddr 74:EA:3A:E4:47:52
> inet addr:192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0
> inet6 addr: fe80::76ea:3aff:fee4:4752/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:9450776 errors:0 dropped:0 overruns:0 frame:0
> TX packets:21936047 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:1169972374 (1.0 GiB) TX bytes:495910714 (472.9 MiB)
>
> eth0 Link encap:Ethernet HWaddr 74:EA:3A:E4:47:52
> inet6 addr: fe80::76ea:3aff:fee4:4752/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:32253959 errors:0 dropped:0 overruns:0 frame:0
> TX packets:31904139 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:2811514789 (2.6 GiB) TX bytes:1757630697 (1.6 GiB)
> Interrupt:4
>
> eth0.1 Link encap:Ethernet HWaddr 74:EA:3A:E4:47:52
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:9841290 errors:0 dropped:0 overruns:0 frame:0
> TX packets:22001555 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:1856031729 (1.7 GiB) TX bytes:306500736 (292.3 MiB)
>
> eth0.2 Link encap:Ethernet HWaddr 74:EA:3A:E4:47:52
> inet6 addr: fe80::76ea:3aff:fee4:4752/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:22412477 errors:0 dropped:0 overruns:0 frame:0
> TX packets:9902574 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:503906886 (480.5 MiB) TX bytes:1451128324 (1.3 GiB)
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:58 errors:0 dropped:0 overruns:0 frame:0
> TX packets:58 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:5341 (5.2 KiB) TX bytes:5341 (5.2 KiB)
>
> mon.wlan0 Link encap:UNSPEC HWaddr 74-EA-3A-E4-47-52-00-00-00-00-00-00-00-00-00-00
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:55353 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:8881039 (8.4 MiB) TX bytes:0 (0.0 B)
>
> pppoe-wan Link encap:Point-to-Point Protocol
> inet addr:79.XX.XX.XXX P-t-P:192.168.100.1 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
> RX packets:1818589 errors:0 dropped:0 overruns:0 frame:0
> TX packets:713853 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:3
> RX bytes:2430544726 (2.2 GiB) TX bytes:56985105 (54.3 MiB)
>
> wlan0 Link encap:Ethernet HWaddr 74:EA:3A:E4:47:52
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:494648 errors:0 dropped:0 overruns:0 frame:0
> TX packets:837753 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:72276624 (68.9 MiB) TX bytes:1022316479 (974.9 MiB)
>
>
>
>
>
>
> Il giorno 27/set/2011, alle ore 09:47, Rajiv Kulkarni ha scritto:
>
>> Hi
>>
>> Assuming that you have NAT (MASQUERADE) enabled on wan (say eth0 interface) of your home router (with a pppoe connection to internet) and the LAN interface is identified as eth2, then i would request you to please try out the below iptable rules also:
>>
>> iptables -A INPUT -p esp -j ACCEPT
>> iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
>> iptables -A OUTPUT -p esp -j ACCEPT
>> iptables -A OUTPUT -p udp -m udp --dport 500 -j ACCEPT
>> iptables -t nat -I POSTROUTING 1 -p esp -j ACCEPT
>> iptables -t nat -I POSTROUTING 2 -s 192.168.1.0/24 -d 172.20.0.0/16 -j ACCEPT
>> iptables -I FORWARD 3 -i eth2 -o ppp0 -j ACCEPT
>> iptables -I FORWARD 4 -i eth2 -o eth0 -j ACCEPT
>> iptables -I FORWARD 5 -i ppp0 -o eth2 -j ACCEPT
>> iptables -I FORWARD 6 -i eth0 -o eth2 -j ACCEPT
>>
>> please Note: the rules for the nat table should be added before the MASQUERADE rule, if any. hence the numbers 1 and 2.
>>
>> The basic reason i think is that the packets aren't getting forwarded across the wan to lan interfaces and vice-versa, once the ipsec tunnel is up.
>>
>> 1. you can try only ipsec first by disabling firewall completely
>> 2. next enable the existing firewall rules and ipsec and see where its getting dropped. also try to add some the rules mentioned above.
>>
>> i think it should work if 1 above works
>>
>> -rajiv
>>
>>
>>
>> On Mon, Sep 26, 2011 at 8:08 PM, Andrea Nottoli <andreanottoli at gmail.com> wrote:
>> Hi everybody and sorry for my really bad english.
>>
>> i've a problem with StrongSwan on latest OpenWRT firmware.
>> I followed the tutorial on the wiki for setting-up a vpn server for connect to my home lan trough my iphone and ipad (so IKEv1 and PureIPSec).
>> I can connect and login (x509 cert) but i cant pin't my lan machine (es. my NAS).
>> Seems iptables block navigation from wan to lan also during pure ipsec connection.
>>
>> OpenWRT router ip: 192.168.1.254
>> Connection to internet: pppoe trough adsl modem
>>
>>
>> I've opened esp proto, 500 udp, 4500 udp, ah proto and added some policies for forward ipsec traffics but seems that isn't enough (check bottom).
>>
>>
>> Someone can help me? Thanks since now strongswan team!
>>
>>
>>
>>
>> This is my ipsec.conf
>>
>> config setup
>> strictcrlpolicy=no
>> nat_traversal=yes
>> charonstart=yes
>>
>> conn ios
>> keyexchange=ikev1
>> authby=xauthrsasig
>> xauth=server
>> leftfirewall=yes
>> left=%defaultroute
>> leftsubnet=0.0.0.0/0
>> leftcert=serverCert.pem
>> rightsourceip=192.168.1.25
>> rightsubnet=192.168.1.0/24
>> right=%any
>> rightcert=clientCert.pem
>> pfs=no
>> auto=add
>>
>>
>>
>>
>>
>> this is my firewall.users (a text file for custom rules loaded during firewall start from OpenWRT):
>>
>> /usr/sbin/iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
>> /usr/sbin/iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
>> /usr/sbin/iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
>> /usr/sbin/iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
>>
>>
>>
>>
>> this is my firewall.conf (the base file loaded fro firewall configuration every start, after this openwrt load the firewall.users script):
>> config 'defaults'
>> option 'syn_flood' '1'
>> option 'input' 'ACCEPT'
>> option 'output' 'ACCEPT'
>> option 'drop_invalid' '1'
>> option 'forward' 'ACCEPT'
>>
>> config 'zone'
>> option 'name' 'lan'
>> option 'network' 'lan'
>> option 'input' 'ACCEPT'
>> option 'output' 'ACCEPT'
>> option 'forward' 'REJECT'
>>
>> config 'zone'
>> option 'name' 'wan'
>> option 'network' 'wan'
>> option 'output' 'ACCEPT'
>> option 'mtu_fix' '1'
>> option 'masq' '1'
>> option 'input' 'REJECT'
>> option 'forward' 'REJECT'
>>
>> config 'rule'
>> option 'src' 'wan'
>> option 'proto' 'udp'
>> option 'dest_port' '68'
>> option 'target' 'ACCEPT'
>> option 'family' 'ipv4'
>>
>> config 'rule'
>> option 'src' 'wan'
>> option 'proto' 'icmp'
>> option 'icmp_type' 'echo-request'
>> option 'target' 'ACCEPT'
>>
>> config 'include'
>> option 'path' '/etc/firewall.user'
>>
>> config 'forwarding'
>> option 'dest' 'wan'
>> option 'src' 'lan'
>>
>> config 'redirect'
>> option '_name' 'qBittorrent verso nas'
>> option 'src' 'wan'
>> option 'proto' 'tcp'
>> option 'src_dport' '6881'
>> option 'dest_ip' '192.168.1.1'
>> option 'dest_port' '6881'
>> option 'target' 'DNAT'
>> option 'dest' 'lan'
>>
>> config 'rule'
>> option 'target' 'ACCEPT'
>> option '_name' 'PPPTP VPN'
>> option 'src' 'wan'
>> option 'proto' 'udp'
>> option 'dest_port' '1723'
>>
>> config 'rule'
>> option 'target' 'ACCEPT'
>> option '_name' 'accetta esp'
>> option 'src' 'wan'
>> option 'proto' 'esp'
>>
>> config 'rule'
>> option 'target' 'ACCEPT'
>> option '_name' 'accetta ike'
>> option 'src' 'wan'
>> option 'proto' 'udp'
>> option 'dest_port' '500'
>>
>> config 'rule'
>> option 'target' 'ACCEPT'
>> option '_name' 'accetta nat-t'
>> option 'src' 'wan'
>> option 'proto' 'udp'
>> option 'dest_port' '4500'
>>
>> config 'rule'
>> option 'target' 'ACCEPT'
>> option '_name' 'accetta ah'
>> option 'src' 'wan'
>> option 'proto' 'ah'
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
>
> <C1K-EVM - IPSec with NAPT.png>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20111007/dd76ed80/attachment.html>
More information about the Users
mailing list