[strongSwan] (VPNServer == <NAT> === router ==== internet === VPN Client ) getting failed / not able to establish the connection.

ramakanth varala ramakanth.varala at gmail.com
Sat Dec 8 19:05:55 CET 2012


Hello all,

I was able to get them working; the changes were in ipsec.conf, ipsec.psk
and ipsec.secrets.

I have some generic questions related to strongSwan and iptables.

I am using the "Linux strongSwan U4.6.1/K2.6.39" version.


Following are my queries.

1)
My strongSwan is running behind a router.

The box where the strongSwan server is currently running does not have any
iptables as such right now.
Currently I am using DNAT for ports 4500 and 500 in the PREROUTING chain and
SNAT for ports 4500 and 500 in the POSTROUTING chain of the nat table on my router.

Do I need any other rules applied on my router apart from these?

Do I need to apply any rules like the ones below to my router?

Here 192.168.1.0/24 is my LAN Subnet and 10.10.15.8 is my WAN IP.


-A INPUT -s 192.168.1.0/24 -i eth4 -m mark --mark 0x8/0x8 -j ACCEPT

-A INPUT -s 10.10.15.8/32 -i eth4 -p ipv6-crypt -j ACCEPT

2) Is there any provision for applying the iptables rules to my router
through the strongSwan configuration?


3) Are there any specific precautions I need to take in my case?


Your comments would be highly appreciated and would help me immensely.

Thanks and Regards
Rama Kanth

On Wed, Dec 5, 2012 at 12:23 AM, ramakanth varala <
ramakanth.varala at gmail.com> wrote:

> Hello all,
>
> I am a bit new to IPsec VPN and trying to figure out how I can run this
> VPN server on my dual core board.
>
> The first board is ARM with 10.10.16.8 (WAN) as its interface; the second
> interface on the same board is 192.168.1.1.
> The second board is ATOM running on 192.168.1.254.
>
> I am running the VPN server on the ATOM and set up a DNAT on the ARM using
> iptables rules to forward all packets for 10.10.16.8:500 and 10.10.16.8:4500
> to 192.168.1.254:500 and 192.168.1.254:4500.
>
> Here is a typical block diagram with IPs.
>
> Here all ips can ping each other.
>
> router (10.90.200.1)  ======= dual core board ( Wan board  10.10.15.8  |
> Lan board 192.168.1.254)
> ||
> ||=============== LAN PC (10.90.200.2)
>
>
> My ipsec.conf is like below:
>
> # cat /var/etc/ipsec/ipsec.conf
> config setup
>         charonstart=no
>         plutodebug=all
>         plutostderrlog=/var/pluto.txt
>         nat_traversal=yes
> conn %default
>         ikelifetime=10m
>         keylife=10m
>         rekeymargin=500s
>         rekeyfuzz=0%
>         keyingtries=1
>         keyexchange=ikev1
> conn host-host
>         right=10.90.200.2
>         xauth=server
>         left=%defaultroute
>         leftid=10.10.15.8
>         leftsubnet=192.168.1.1/24
>         forceencaps=yes
>         leftfirewall=yes
>         rightsourceip=10.90.200.1/24
>         auto=add
>         modeconfig=push
>         authby=xauthpsk
>
>
> The error I see in /var/pluto.txt is like below when I initiate a
> connection from the remote IPsec client on the LAN PC:
>
> | peer:  0a 5a c8 02
> | state hash entry 27
> | state object not found
> packet from 10.90.200.2:4500: Quick Mode message is for a non-existent
> (expired?
> | next event EVENT_REINIT_SECRET in 3397 seconds
>
> Can you please guide me on where I am going wrong?
>
> Your help would be highly appreciated.
>
> --RamaKanth
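The first question above (whether DNAT/SNAT for UDP 500 and 4500 on the router is enough) is the kind of thing that is easiest to answer by writing the router's rule set out in full. The script below is an added example, not part of the original post and not strongSwan's own code. It uses the addresses given in the thread (WAN IP 10.10.15.8, VPN host 192.168.1.254) and assumes the router's WAN interface is named eth4; the `ipt` wrapper and `DRY_RUN` switch are illustrative conventions, not strongSwan or iptables features. Two points it makes explicit: the DNAT in PREROUTING only rewrites the destination, so if the router's FORWARD policy is DROP the forwarded packets also need FORWARD accepts (conntrack un-DNATs the replies by itself); and because the posted config uses `nat_traversal=yes` together with `forceencaps=yes`, ESP is carried inside UDP 4500, so the router does not need to pass raw ESP (protocol 50, which older `/etc/protocols` files name `ipv6-crypt`, as in the rule quoted above) to the VPN host.

```shell
# Added example (not from the original post): router-side iptables rules for
# forwarding IKE (UDP 500) and NAT-T (UDP 4500) to a strongSwan server on the LAN.
# Assumed values: WAN_IF=eth4 is an assumption; WAN_IP and VPN_SERVER are the
# addresses from the thread. DRY_RUN=1 (the default) prints the commands instead
# of applying them, so the rule set can be reviewed before it touches a router.

WAN_IF="${WAN_IF:-eth4}"                    # assumed WAN-facing interface on the router
WAN_IP="${WAN_IP:-10.10.15.8}"              # router WAN IP (from the post)
VPN_SERVER="${VPN_SERVER:-192.168.1.254}"   # LAN host running strongSwan (from the post)

# Run iptables, or echo the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Rules for one UDP port: DNAT on ingress plus the matching FORWARD accept.
forward_udp_port() {
    port="$1"
    # nat/PREROUTING: packets arriving on the WAN interface for $port go to the VPN host
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport "$port" \
        -j DNAT --to-destination "$VPN_SERVER:$port"
    # filter/FORWARD sees the already-rewritten destination, so match on the VPN host.
    # Without this the DNAT alone is not enough when the FORWARD policy is DROP.
    ipt -A FORWARD -i "$WAN_IF" -d "$VPN_SERVER" -p udp --dport "$port" -j ACCEPT
}

vpn_forwarding_rules() {
    for port in 500 4500; do
        forward_udp_port "$port"
    done
    # Replies from the VPN host back to clients: conntrack reverses the DNAT, they
    # only need a FORWARD accept. Matching on source ports keeps this to IKE/NAT-T.
    ipt -A FORWARD -o "$WAN_IF" -s "$VPN_SERVER" -p udp -m multiport --sports 500,4500 -j ACCEPT
    # nat/POSTROUTING: if the VPN host initiates IKE outward itself, SNAT it to the
    # WAN IP so peers see the router's address (the leftid used in the post).
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$VPN_SERVER" -p udp -m multiport --dports 500,4500 \
        -j SNAT --to-source "$WAN_IP"
    # Established/related traffic in both directions (covers NAT-T keepalives on 4500).
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Print the rule set when run directly (DRY_RUN defaults to 1).
vpn_forwarding_rules
```

Run it as-is to see the seven commands it would issue; run with `DRY_RUN=0` as root on the router to apply them. No rule for ESP is emitted on purpose: with UDP encapsulation forced, all IPsec traffic between the client and the VPN host is UDP 4500, so a raw ESP forward on the router would never match.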