[strongSwan] Strongswan VPN on OpenWRT not routing packets

Greg Pagendam-Turner greg at liftyourgame.com
Mon May 13 01:03:57 CEST 2013


Hi

I'm running the Barrier Breaker version of OpenWRT and I have set up a VPN 
according to: http://wiki.openwrt.org/inbox/strongswan.howto
I can connect to the VPN with my iPhone or Mac (to the 10.10.1.0/24 network). 
I can also connect from Windows 7. An IP is allocated to the client 
successfully using DHCP.
Once connected I can't access anything on the network. 
/etc/firewall.user contains:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT   -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# Enable ssh and HTTP to router
iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
iptables -I OUTPUT 1 -p tcp --sport 22 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
iptables -I OUTPUT 1 -p tcp --sport 80 -j ACCEPT

/etc/ipsec.conf contains:

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
     # strictcrlpolicy=yes
     # uniqueids = no
conn ios
     keyexchange=ikev1
     authby=xauthrsasig
     xauth=server
     left=%any
     leftsubnet=0.0.0.0/0
     leftfirewall=yes
     leftcert=serverCert.pem
     right=%any
     rightsubnet=10.10.1.0/24
     rightsourceip=%dhcp
     rightcert=clientCert.pem
     forceencaps=yes
     auto=add

conn %default
     keyexchange=ikev2
     ike=aes256-sha1-modp1024!
     esp=aes256-sha1!
     dpdaction=clear
     dpddelay=300s
     rekey=no
conn win7
     left=%any
     leftsubnet=0.0.0.0/0
     leftauth=pubkey
     leftcert=serverCert.pem
     leftid=@xxx.yyy.com
     leftfirewall=yes
     right=%any
     rightauth=eap-mschapv2
     rightsendcert=never
     rightsubnet=10.10.1.0/24
     rightsourceip=%dhcp
     eap_identity=%any
     auto=add

(The real domain name of the router has been replaced above with 
xxx.yyy.com).

/etc/strongswan.conf contains:

# strongswan.conf - strongSwan configuration file
charon {
     dns1 = 10.10.1.1
     # number of worker threads in charon
     threads = 16
     # send strongswan vendor ID?
     # send_vendor_id = yes
     plugins {
             dhcp {
                     server = 10.10.1.1
             }
             sql {
                     # loglevel to log into sql database
                     loglevel = -1

                     # URI to the database
                     # database = sqlite:///path/to/file.db
                     # database = mysql://user:password@localhost/database
             }
     }

     # ...
}

pluto {

}

libstrongswan {

     #  set to no, the DH exponent size is optimized
     #  dh_exponent_ansi_x9_42 = no
}

When I connect with both Windows 7 and the iPhone, ipsec status on the 
router shows:

Security Associations (2 up, 0 connecting):
      ios[5]: ESTABLISHED 4 seconds ago, xxx.xxx.xxx.xxx[C=AU, O=Netroworx, CN=xxx.xxx.com]...xxx.xxx.xxx.xxx[C=AU, O=Netroworx, CN=client]
      ios{5}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c8618e27_i 0923f471_o
      ios{5}:   0.0.0.0/0 === 10.10.1.89/32
     win7[4]: ESTABLISHED 45 seconds ago, xxx.xxx.xxx.xxx[xxx.xxx.com]...xxx.xxx.xxx[192.168.191.131]
     win7{4}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cae3b4a6_i 67f3eaf0_o
     win7{4}:   0.0.0.0/0 === 10.10.1.0/24

(Sensitive IPs and domain names replaced with xxx)

Any ideas on why packets are not being routed over the VPN?

Could this be a NAT thing?
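One thing worth comparing in the status output above is the remote traffic selector of each CHILD_SA: the ios tunnel ends in a single virtual IP (10.10.1.89/32), while the win7 tunnel's remote side is the whole 10.10.1.0/24, the same prefix as the LAN behind the router. The following is an added example, not part of the original post, that parses the quoted ipsec status output and flags a road-warrior CHILD_SA whose remote selector covers LAN hosts instead of one virtual IP; the LAN prefix 10.10.1.0/24 is taken from the post.

```python
import ipaddress
import re

# Constructed sample: the `ipsec status` output quoted in the post,
# with the redacted xxx fields left exactly as they appear there.
STATUS = """\
Security Associations (2 up, 0 connecting):
      ios[5]: ESTABLISHED 4 seconds ago, xxx.xxx.xxx.xxx[C=AU, O=Netroworx, CN=xxx.xxx.com]...xxx.xxx.xxx.xxx[C=AU, O=Netroworx, CN=client]
      ios{5}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c8618e27_i 0923f471_o
      ios{5}:   0.0.0.0/0 === 10.10.1.89/32
     win7[4]: ESTABLISHED 45 seconds ago, xxx.xxx.xxx.xxx[xxx.xxx.com]...xxx.xxx.xxx[192.168.191.131]
     win7{4}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cae3b4a6_i 67f3eaf0_o
     win7{4}:   0.0.0.0/0 === 10.10.1.0/24
"""

# CHILD_SA traffic-selector line: "<conn>{<id>}:   <local TS> === <remote TS>"
# (IKE_SA lines use <conn>[<id>] and do not match).
TS_LINE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(\S+) === (\S+)\s*$")


def parse_child_sas(text):
    """Return (conn, local_ts, remote_ts) for every CHILD_SA in the output."""
    sas = []
    for line in text.splitlines():
        m = TS_LINE.match(line)
        if m:
            conn, _, local, remote = m.groups()
            sas.append((conn, ipaddress.ip_network(local),
                        ipaddress.ip_network(remote)))
    return sas


def check_roadwarrior(sas, lan):
    """Classify each CHILD_SA's remote selector relative to the LAN prefix.

    For a road-warrior setup with a virtual IP pool inside the LAN, the
    remote selector should be a single host. A wider selector that overlaps
    the LAN means the policy also claims traffic for real LAN hosts.
    Returns {conn: verdict}.
    """
    lan = ipaddress.ip_network(lan)
    verdicts = {}
    for conn, _local, remote in sas:
        if remote.prefixlen == remote.max_prefixlen and remote.subnet_of(lan):
            verdicts[conn] = "ok: single virtual IP inside LAN"
        elif remote.overlaps(lan):
            verdicts[conn] = "suspicious: remote TS covers LAN hosts"
        else:
            verdicts[conn] = "remote TS outside LAN"
    return verdicts


if __name__ == "__main__":
    for conn, verdict in check_roadwarrior(parse_child_sas(STATUS), "10.10.1.0/24").items():
        print(conn, verdict)
```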
