[strongSwan] Strongswan VPN on OpenWRT not routing packets

Greg Pagendam-Turner greg at liftyourgame.com
Tue May 14 00:21:44 CEST 2013


Mirko,

So I suppose from ipsec statusall:
          ios{2}:  AES_CBC_256/HMAC_SHA1_96, 11467 bytes_i (7s ago), 0 bytes_o, rekeying disabled

It shows bytes are coming in but not going out over the vpn.

I don't appear to have a zone_wan_nat on my OpenWrt device.

Greg


On 14/05/13 1:02 AM, Mirko Parthey wrote:
> On Mon, May 13, 2013 at 09:03:57AM +1000, Greg Pagendam-Turner wrote:
>> I'm running Barrier Breaker version of OpenWRT and I have setup a VPN according
>> to: http://wiki.openwrt.org/inbox/strongswan.howto I can connect to the VPN with
>> my iPhone or Mac (to 10.10.1.0/24 network). I can also connect from Windows 7.
>> An IP is allocated to the client successfully using DHCP.
>> Once connected I can't access anything on the network. /etc/firewall.user
>> contains:
>>
>> iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
>> iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
>> iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
>> iptables -I OUTPUT   -m policy --dir out --pol ipsec --proto esp -j ACCEPT
>>
>> Any ideas on why packets are not being routed over the vpn?
> The "ipsec statusall" command shows byte and packet counters.
> This way you can check if any traffic has been processed by IPsec at all.
>
>> Could this be a NAT thing?
> Yes, you may have to exempt the VPN traffic from NAT processing.
> My setup for a net-to-net scenario on Attitude Adjustment includes these rules:
>
> iptables -t nat -I zone_wan_nat 1 -m policy --pol ipsec --dir out --mode tunnel -j RETURN
> iptables -t nat -I zone_wan_prerouting 1 -m policy --pol ipsec --dir in --mode tunnel -j RETURN
>
> Regards,
> Mirko


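The two checks this thread turns on, as an added example that is not code from the thread or from the strongSwan or OpenWrt projects: classifying a CHILD_SA line from `ipsec statusall` by its bytes_i/bytes_o counters (the inbound-only pattern Greg sees is the classic symptom of reply traffic being NATed before it reaches the tunnel), and emitting Mirko's NAT-exemption rules for whatever zone chains the box actually has. The chain names are an assumption: zone_wan_nat is what the Attitude Adjustment rules use, and zone_wan_postrouting is assumed as the Barrier Breaker equivalent.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.

# Classify one CHILD_SA line of "ipsec statusall" by its byte counters.
# Echoes one of: both | inbound-only | outbound-only | idle | unknown
sa_traffic_direction() {
    counts=$(printf '%s\n' "$1" |
        sed -n 's/.* \([0-9][0-9]*\) bytes_i.* \([0-9][0-9]*\) bytes_o.*/\1 \2/p')
    [ -n "$counts" ] || { echo unknown; return 1; }
    set -- $counts            # $1 = bytes_i, $2 = bytes_o
    if [ "$1" -gt 0 ] && [ "$2" -gt 0 ]; then echo both
    elif [ "$1" -gt 0 ]; then echo inbound-only   # decrypting, but nothing goes back
    elif [ "$2" -gt 0 ]; then echo outbound-only
    else echo idle; fi
}

# Emit the two rules that exempt tunnel-policy traffic from NAT, so they can be
# reviewed before being piped into sh.  $1 = SNAT/masquerade chain, $2 = DNAT chain.
ipsec_nat_exempt_rules() {
    printf 'iptables -t nat -I %s 1 -m policy --pol ipsec --dir out --mode tunnel -j RETURN\n' "$1"
    printf 'iptables -t nat -I %s 1 -m policy --pol ipsec --dir in --mode tunnel -j RETURN\n' "$2"
}

# Return the first of the given chains that exists in the nat table on this box.
# Chain names differ between OpenWrt releases (assumed: zone_wan_nat on Attitude
# Adjustment, zone_wan_postrouting on Barrier Breaker).
first_existing_nat_chain() {
    for chain in "$@"; do
        iptables -t nat -n -L "$chain" >/dev/null 2>&1 && { echo "$chain"; return 0; }
    done
    return 1
}

# Constructed sample line, copied from the symptom quoted in the thread.
SAMPLE_SA='ios{2}:  AES_CBC_256/HMAC_SHA1_96, 11467 bytes_i (7s ago), 0 bytes_o, rekeying disabled'

# On the router itself run: sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then
    ipsec statusall | grep 'bytes_i' | while IFS= read -r line; do
        printf '%s  => %s\n' "$line" "$(sa_traffic_direction "$line")"
    done
    out=$(first_existing_nat_chain zone_wan_nat zone_wan_postrouting) || { echo 'no WAN nat chain found' >&2; exit 1; }
    in=$(first_existing_nat_chain zone_wan_prerouting) || { echo 'no WAN prerouting chain found' >&2; exit 1; }
    ipsec_nat_exempt_rules "$out" "$in"
else
    printf '%s  => %s\n' "$SAMPLE_SA" "$(sa_traffic_direction "$SAMPLE_SA")"   # => inbound-only
fi
```

Without `--live` the script only classifies the embedded sample line; with it, it reads the real SAs, picks the existing zone chains and prints the rules for you to apply.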