[strongSwan] pure ipsec openwrt

Andrea Nottoli andreanottoli at gmail.com
Mon Sep 26 16:38:51 CEST 2011


Hi everybody, and sorry for my really bad English.

I have a problem with strongSwan on the latest OpenWRT firmware.
I followed the tutorial on the wiki for setting up a VPN server to connect to my home LAN through my iPhone and iPad (so IKEv1 and pure IPsec).
I can connect and log in (X.509 cert), but I can't ping my LAN machines (e.g. my NAS).
It seems iptables blocks traffic from WAN to LAN even during the pure IPsec connection.

OpenWRT router IP: 192.168.1.254
Connection to the internet: PPPoE through an ADSL modem


I've opened the ESP protocol, UDP 500, UDP 4500 and the AH protocol, and added some policies to forward IPsec traffic, but it seems that isn't enough (see bottom).


Can someone help me? Thanks in advance, strongSwan team!




This is my ipsec.conf:

config setup
        strictcrlpolicy=no
        nat_traversal=yes
        charonstart=yes

conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        leftfirewall=yes
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftcert=serverCert.pem
        rightsourceip=192.168.1.25
        rightsubnet=192.168.1.0/24
        right=%any
        rightcert=clientCert.pem
        pfs=no
        auto=add





This is my firewall.user (a text file with custom rules that OpenWRT loads when the firewall starts):

/usr/sbin/iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
/usr/sbin/iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
/usr/sbin/iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
/usr/sbin/iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT




This is my firewall.conf (the base file loaded for the firewall configuration at every start; after this, OpenWRT loads the firewall.user script):

config 'defaults'
	option 'syn_flood' '1'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'drop_invalid' '1'
	option 'forward' 'ACCEPT'

config 'zone'
	option 'name' 'lan'
	option 'network' 'lan'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'REJECT'

config 'zone'
	option 'name' 'wan'
	option 'network' 'wan'
	option 'output' 'ACCEPT'
	option 'mtu_fix' '1'
	option 'masq' '1'
	option 'input' 'REJECT'
	option 'forward' 'REJECT'

config 'rule'
	option 'src' 'wan'
	option 'proto' 'udp'
	option 'dest_port' '68'
	option 'target' 'ACCEPT'
	option 'family' 'ipv4'

config 'rule'
	option 'src' 'wan'
	option 'proto' 'icmp'
	option 'icmp_type' 'echo-request'
	option 'target' 'ACCEPT'

config 'include'
	option 'path' '/etc/firewall.user'

config 'forwarding'
	option 'dest' 'wan'
	option 'src' 'lan'

config 'redirect'
	option '_name' 'qBittorrent to NAS'
	option 'src' 'wan'
	option 'proto' 'tcp'
	option 'src_dport' '6881'
	option 'dest_ip' '192.168.1.1'
	option 'dest_port' '6881'
	option 'target' 'DNAT'
	option 'dest' 'lan'

config 'rule'
	option 'target' 'ACCEPT'
	option '_name' 'PPTP VPN'
	option 'src' 'wan'
	option 'proto' 'udp'
	option 'dest_port' '1723'

config 'rule'
	option 'target' 'ACCEPT'
	option '_name' 'accept ESP'
	option 'src' 'wan'
	option 'proto' 'esp'

config 'rule'
	option 'target' 'ACCEPT'
	option '_name' 'accept IKE'
	option 'src' 'wan'
	option 'proto' 'udp'
	option 'dest_port' '500'

config 'rule'
	option 'target' 'ACCEPT'
	option '_name' 'accept NAT-T'
	option 'src' 'wan'
	option 'proto' 'udp'
	option 'dest_port' '4500'

config 'rule'
	option 'target' 'ACCEPT'
	option '_name' 'accept AH'
	option 'src' 'wan'
	option 'proto' 'ah'


