[strongSwan] Strongswan VPN on OpenWRT not routing packets
Greg Pagendam-Turner
greg at liftyourgame.com
Mon May 13 01:03:57 CEST 2013
Hi
I'm running Barrier Breaker version of OpenWRT and I have setup a VPN
according to:http://wiki.openwrt.org/inbox/strongswan.howtoI can connect
to the VPN with my iPhone or Mac (to 10.10.1.0/24 network). I can also
connect from Windows 7. An IP is allocated to the client successfully
using DHCP.
Once connected I can't access anything on the network.
/etc/firewall.user contains:
|# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# Enable ssh and HTTP to router
iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
iptables -I OUTPUT 1 -p tcp --sport 22 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
iptables -I OUTPUT 1 -p tcp --sport 80 -j ACCEPT
|
/etc/ipsec.conf contains:
|# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
conn ios
keyexchange=ikev1
authby=xauthrsasig
xauth=server
left=%any
leftsubnet=0.0.0.0/0
leftfirewall=yes
leftcert=serverCert.pem
right=%any
rightsubnet=10.10.1.0/24
rightsourceip=%dhcp
rightcert=clientCert.pem
forceencaps=yes
auto=add
conn %default
keyexchange=ikev2
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
conn win7
left=%any
leftsubnet=0.0.0.0/0
leftauth=pubkey
leftcert=serverCert.pem
leftid=@xxx.yyy.com
leftfirewall=yes
right=%any
rightauth=eap-mschapv2
rightsendcert=never
rightsubnet=10.10.1.0/24
rightsourceip=%dhcp
eap_identity=%any
auto=add
|
(The real domain name of the router has been replaced above with
xxx.yyy.com).
/etc/strongswan.conf contains:
|# strongswan.conf - strongSwan configuration file
charon {
dns1 = 10.10.1.1
# number of worker threads in charon
threads = 16
# send strongswan vendor ID?
# send_vendor_id = yes
plugins {
dhcp {
server = 10.10.1.1
}
sql {
# loglevel to log into sql database
loglevel = -1
# URI to the database
# database = sqlite:///path/to/file.db
# database = mysql://user:password@localhost/database
}
}
# ...
}
pluto {
}
libstrongswan {
# set to no, the DH exponent size is optimized
# dh_exponent_ansi_x9_42 = no
}
|
When I connect with both Windows 7 and also iPhone ipsec status on
router shows:
|Security Associations (2 up, 0 connecting):
ios[5]: ESTABLISHED 4 seconds ago, xxx.xxx.xxx.xxx[C=AU, O=Netroworx, CN=xxx.xxx.com]...xxx.xxx.xxx.xxx[C=AU, O=Netroworx, CN=client]
ios{5}: INSTALLED, TUNNEL, ESP in UDP SPIs: c8618e27_i 0923f471_o
ios{5}: 0.0.0.0/0 === 10.10.1.89/32
win7[4]: ESTABLISHED 45 seconds ago, xxx.xxx.xxx.xxx[xxx.xxx.com]...xxx.xxx.xxx[192.168.191.131]
win7{4}: INSTALLED, TUNNEL, ESP in UDP SPIs: cae3b4a6_i 67f3eaf0_o
win7{4}: 0.0.0.0/0 === 10.10.1.0/24
|
(Sensitive ips and domain names replaced with xxx)
Any ideas on why packets are not being routed over the vpn?
Could this be a NAT thing?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130513/c809529a/attachment.html>
More information about the Users
mailing list