[strongSwan] Strongswan VPN on OpenWRT not routing packets
Greg Pagendam-Turner
greg at liftyourgame.com
Tue May 14 00:21:44 CEST 2013
Mirko,
So I suppose from ipsec statusall:
ios{2}: AES_CBC_256/HMAC_SHA1_96, 11467 bytes_i (7s ago), 0
bytes_o, rekeying disabled
It shows bytes are coming in but not going out over the vpn.
I don't appear to have a zone_wan_nat on my OpenWrt device.
Greg
On 14/05/13 1:02 AM, Mirko Parthey wrote:
> On Mon, May 13, 2013 at 09:03:57AM +1000, Greg Pagendam-Turner wrote:
>> I'm running Barrier Breaker version of OpenWRT and I have set up a VPN according
>> to: http://wiki.openwrt.org/inbox/strongswan.howto I can connect to the VPN with
>> my iPhone or Mac (to 10.10.1.0/24 network). I can also connect from Windows 7.
>> An IP is allocated to the client successfully using DHCP.
>> Once connected I can't access anything on the network. /etc/firewall.user
>> contains:
>>
>> iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
>> iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
>> iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
>> iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
>>
>> Any ideas on why packets are not being routed over the vpn?
> The "ipsec statusall" command shows byte and packet counters.
> This way you can check if any traffic has been processed by IPsec at all.
>
>> Could this be a NAT thing?
> Yes, you may have to exempt the VPN traffic from NAT processing.
> My setup for a net-to-net scenario on Attitude Adjustment includes these rules:
>
> iptables -t nat -I zone_wan_nat 1 -m policy --pol ipsec --dir out --mode tunnel -j RETURN
> iptables -t nat -I zone_wan_prerouting 1 -m policy --pol ipsec --dir in --mode tunnel -j RETURN
>
> Regards,
> Mirko
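
An added example, not part of the thread: a shell sketch of the two checks discussed above. It flags CHILD_SAs whose `ipsec statusall` counters show inbound bytes but zero outbound, and tests whether the NAT chains named in Mirko's rules exist. The function names and sample inputs are constructed for illustration; on the router, feed the functions `ipsec statusall` and `iptables -t nat -S` instead.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical, not from the thread.

# stdin: "ipsec statusall" text. Prints "<sa> <bytes_i> <bytes_o>" for each
# CHILD_SA that has received traffic but sent none.
oneway_sas() {
    awk '
    /bytes_i/ && /bytes_o/ {
        in_b = ""; out_b = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^bytes_i/) in_b = $(i - 1)   # number precedes the label
            if ($i ~ /^bytes_o/) out_b = $(i - 1)
        }
        sa = $1; sub(/:$/, "", sa)
        if (in_b + 0 > 0 && out_b + 0 == 0) print sa, in_b, out_b
    }'
}

# stdin: "iptables -t nat -S" text. Succeeds if user-defined chain $1 exists.
has_nat_chain() {
    awk -v c="$1" '$1 == "-N" && $2 == c { found = 1 } END { exit !found }'
}

# Constructed sample input (first SA line joined from the output quoted above).
SAMPLE_STATUS='ios{2}:  AES_CBC_256/HMAC_SHA1_96, 11467 bytes_i (7s ago), 0 bytes_o, rekeying disabled
net{1}:  AES_CBC_256/HMAC_SHA1_96, 5120 bytes_i (3s ago), 4096 bytes_o (3s ago), rekeying in 40 minutes'

# Constructed chain listing for a device that lacks zone_wan_nat.
SAMPLE_NAT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-N example_chain'

printf '%s\n' "$SAMPLE_STATUS" | oneway_sas
for chain in zone_wan_nat zone_wan_prerouting; do
    if printf '%s\n' "$SAMPLE_NAT" | has_nat_chain "$chain"; then
        echo "$chain: present"
    else
        echo "$chain: missing, the quoted rule cannot be inserted as written"
    fi
done
```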