[strongSwan] pure ipsec openwrt

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Tue Sep 27 09:47:41 CEST 2011


Hi

Assuming that you have NAT (MASQUERADE) enabled on the WAN (say the eth0 interface)
of your home router (with a PPPoE connection to the internet) and the LAN
interface is identified as eth2, then I would request you to please try out
the below iptables rules also:

iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p esp -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -t nat -I POSTROUTING 1 -p esp -j ACCEPT
iptables -t nat -I POSTROUTING 2 -s 192.168.1.0/24 -d 172.20.0.0/16 -j ACCEPT
iptables -I FORWARD 3 -i eth2 -o ppp0 -j ACCEPT
iptables -I FORWARD 4 -i eth2 -o eth0 -j ACCEPT
iptables -I FORWARD 5 -i ppp0 -o eth2 -j ACCEPT
iptables -I FORWARD 6 -i eth0 -o eth2 -j ACCEPT

Please note: the rules for the nat table should be added before the
MASQUERADE rule, if any. Hence the numbers 1 and 2.

The basic reason, I think, is that the packets aren't getting forwarded across
the WAN to LAN interfaces and vice versa once the IPsec tunnel is up.

1. You can try only IPsec first by disabling the firewall completely.
2. Next, enable the existing firewall rules and IPsec and see where it's
getting dropped. Also try to add some of the rules mentioned above.

I think it should work if 1 above works.

-rajiv
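As an added example (not part of this thread), a POSIX shell check for the ordering point above: it reads the text of `iptables -t nat -S POSTROUTING` on stdin and verifies that the ESP exemption and the LAN-to-remote-subnet exemption both sit before the MASQUERADE rule, since a tunnelled packet that is source-NATed first no longer matches the IPsec policy. The sample listings, the ppp0 interface and the 172.20.0.0/16 remote subnet are constructed for the demonstration.

```shell
#!/bin/sh
# check_nat_order LAN_SUBNET REMOTE_SUBNET
# Reads `iptables -t nat -S POSTROUTING` output from stdin. Rule positions are
# counted so that they match the N used by `iptables -t nat -I POSTROUTING N`.
# Exit 0 when both exemptions precede MASQUERADE (or no MASQUERADE exists),
# exit 1 when an exemption is missing or placed after MASQUERADE.
check_nat_order() {
    awk -v subnet="$1" -v remote="$2" '
        /^-A POSTROUTING/ { n++ }
        /^-A POSTROUTING/ && / -j MASQUERADE/ && !masq { masq = n }
        /^-A POSTROUTING/ && / -p esp / && / -j ACCEPT/ && !esp { esp = n }
        /^-A POSTROUTING/ && index($0, " -s " subnet " ") && \
            index($0, " -d " remote " ") && / -j ACCEPT/ && !pair { pair = n }
        END {
            if (!masq) { print "no MASQUERADE rule, nothing to exempt"; exit 0 }
            bad = 0
            if (!esp || esp > masq) {
                print "ESP exemption missing or after MASQUERADE (position " masq ")"
                bad = 1
            }
            if (!pair || pair > masq) {
                print "subnet exemption missing or after MASQUERADE (position " masq ")"
                bad = 1
            }
            if (!bad) print "IPsec exemptions at " esp " and " pair ", MASQUERADE at " masq
            exit bad
        }'
}

# Constructed listing: the exemptions were appended, so MASQUERADE wins first.
sample_bad() {
    printf '%s\n' \
        '-P POSTROUTING ACCEPT' \
        '-A POSTROUTING -o ppp0 -j MASQUERADE' \
        '-A POSTROUTING -p esp -j ACCEPT' \
        '-A POSTROUTING -s 192.168.1.0/24 -d 172.20.0.0/16 -j ACCEPT'
}

# Constructed listing: exemptions inserted at positions 1 and 2 as advised above.
sample_good() {
    printf '%s\n' \
        '-P POSTROUTING ACCEPT' \
        '-A POSTROUTING -p esp -j ACCEPT' \
        '-A POSTROUTING -s 192.168.1.0/24 -d 172.20.0.0/16 -j ACCEPT' \
        '-A POSTROUTING -o ppp0 -j MASQUERADE'
}

sample_bad  | check_nat_order 192.168.1.0/24 172.20.0.0/16 || echo "bad order detected"
sample_good | check_nat_order 192.168.1.0/24 172.20.0.0/16
```

On a live router replace the sample function with `iptables -t nat -S POSTROUTING | check_nat_order 192.168.1.0/24 <remote-subnet>`.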



On Mon, Sep 26, 2011 at 8:08 PM, Andrea Nottoli <andreanottoli at gmail.com>wrote:

> Hi everybody, and sorry for my really bad English.
>
> I have a problem with strongSwan on the latest OpenWrt firmware.
> I followed the tutorial on the wiki for setting up a VPN server to connect
> to my home LAN through my iPhone and iPad (so IKEv1 and pure IPsec).
> I can connect and log in (X.509 cert) but I can't ping my LAN machines (e.g. my
> NAS).
> It seems iptables blocks navigation from WAN to LAN also during the pure IPsec
> connection.
>
> OpenWrt router IP: 192.168.1.254
> Connection to the internet: PPPoE through an ADSL modem
>
>
> I've opened the ESP protocol, 500 UDP, 4500 UDP, the AH protocol and added some policies
> to forward IPsec traffic, but it seems that isn't enough (check the bottom).
>
>
> Can someone help me? Thanks in advance, strongSwan team!
>
>
>
>
> This is my ipsec.conf
>
> config setup
>        strictcrlpolicy=no
>        nat_traversal=yes
>        charonstart=yes
>
> conn ios
>       keyexchange=ikev1
>       authby=xauthrsasig
>       xauth=server
>       leftfirewall=yes
>       left=%defaultroute
>       leftsubnet=0.0.0.0/0
>       leftcert=serverCert.pem
>       rightsourceip=192.168.1.25
>       rightsubnet=192.168.1.0/24
>       right=%any
>       rightcert=clientCert.pem
>       pfs=no
>       auto=add
>
>
>
>
>
> This is my firewall.user (a text file for custom rules loaded during
> firewall start by OpenWrt):
>
> /usr/sbin/iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
> /usr/sbin/iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
> /usr/sbin/iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
> /usr/sbin/iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
>
>
>
>
> This is my firewall.conf (the base file loaded for firewall configuration
> on every start; after this OpenWrt loads the firewall.user script):
> config 'defaults'
>        option 'syn_flood' '1'
>        option 'input' 'ACCEPT'
>        option 'output' 'ACCEPT'
>        option 'drop_invalid' '1'
>        option 'forward' 'ACCEPT'
>
> config 'zone'
>        option 'name' 'lan'
>        option 'network' 'lan'
>        option 'input' 'ACCEPT'
>        option 'output' 'ACCEPT'
>        option 'forward' 'REJECT'
>
> config 'zone'
>        option 'name' 'wan'
>        option 'network' 'wan'
>        option 'output' 'ACCEPT'
>        option 'mtu_fix' '1'
>        option 'masq' '1'
>        option 'input' 'REJECT'
>        option 'forward' 'REJECT'
>
> config 'rule'
>        option 'src' 'wan'
>        option 'proto' 'udp'
>        option 'dest_port' '68'
>        option 'target' 'ACCEPT'
>        option 'family' 'ipv4'
>
> config 'rule'
>        option 'src' 'wan'
>        option 'proto' 'icmp'
>        option 'icmp_type' 'echo-request'
>        option 'target' 'ACCEPT'
>
> config 'include'
>        option 'path' '/etc/firewall.user'
>
> config 'forwarding'
>        option 'dest' 'wan'
>        option 'src' 'lan'
>
> config 'redirect'
>        option '_name' 'qBittorrent verso nas'
>        option 'src' 'wan'
>        option 'proto' 'tcp'
>        option 'src_dport' '6881'
>        option 'dest_ip' '192.168.1.1'
>        option 'dest_port' '6881'
>        option 'target' 'DNAT'
>        option 'dest' 'lan'
>
> config 'rule'
>        option 'target' 'ACCEPT'
>        option '_name' 'PPPTP VPN'
>        option 'src' 'wan'
>        option 'proto' 'udp'
>        option 'dest_port' '1723'
>
> config 'rule'
>        option 'target' 'ACCEPT'
>        option '_name' 'accetta esp'
>        option 'src' 'wan'
>        option 'proto' 'esp'
>
> config 'rule'
>        option 'target' 'ACCEPT'
>        option '_name' 'accetta ike'
>        option 'src' 'wan'
>        option 'proto' 'udp'
>        option 'dest_port' '500'
>
> config 'rule'
>        option 'target' 'ACCEPT'
>        option '_name' 'accetta nat-t'
>        option 'src' 'wan'
>        option 'proto' 'udp'
>        option 'dest_port' '4500'
>
> config 'rule'
>        option 'target' 'ACCEPT'
>        option '_name' 'accetta ah'
>        option 'src' 'wan'
>        option 'proto' 'ah'
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>