[strongSwan] StrongSwan(optware) on Asus RT-AC66U (merlin build)-can't access LAN IPs
Luka
Lukapple80 at gmail.com
Thu Nov 7 07:54:52 CET 2013
Hi.
I've successfully installed StrongSwan 5.0.4 IPsec server on my Asus
RT-AC66U Firmware:3.0.0.4.374.34_2 (Merlin build), followed tutorial on:
http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
I'm trying to achieve this (diagram):
https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/IPsec_diagram.png
I can connect to the VPN server with my iPhone, using Cisco IPsec, but the problem
is that I can't access any of my home LAN IPs.
Here is the strongSwan log file (removed IPs):
https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswancharon.log
Router firewall is temporarily disabled.
I probably need to add some iptables routes or something?
Can someone tell me what I should put for left/right subnet and left/right
IP?
Here is my config:
ipsec.conf file:
conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    #left=%any
    leftfirewall=yes
    leftsubnet=0.0.0.0/0
    #leftsubnet=192.168.2.0/24
    leftcert=server.pem
    right=%any
    rightsubnet=10.0.0.0/24
    #rightsubnet=192.168.2.0/24
    rightsourceip=10.0.0.2
    #rightsourceip=%dhcp
    rightcert=client.pem
    #forceencaps=yes
    auto=add
strongswan.conf file:
charon {
    # number of worker threads in charon
    threads = 16
    dns1 = 192.168.2.1
    plugins {
        dhcp {
            server = 192.168.2.1
        }
    }
}
ipsec statusall command:
ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):
uptime: 27 minutes, since Nov 06 22:32:15 2013
malloc: sbrk 225280, mmap 0, used 201584, free 23696
worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0,
scheduled: 5
loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11
aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation
constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf
gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips
kernel-netlink resolve socket-default socket-dynamic farp stroke smp
updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic
xauth-eap dhcp whitelist led duplicheck addrblock unity
Virtual IP pools (size/online/offline):
10.0.0.2: 1/1/0
Listening IP addresses:
<wan.ip.removed>
192.168.2.1
10.8.2.1
10.8.0.6
Connections:
ios: %any...%any IKEv1
ios: local: [C=CA,... <removed>] uses public key authentication
ios: cert: "C=CA,... <removed>"
ios: remote: [C=CA, ... <removed>] uses public key authentication
ios: cert: "C=CA,... <removed>"
ios: remote: uses XAuth authentication: any
ios: child: 0.0.0.0/0 === 10.0.0.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
ios[4]: ESTABLISHED 23 seconds ago, <wan.ip.removed>[C=CA,...
<removed>]...<iphone.wan.ip.removed>[C=CA,... <removed>]
ios[4]: Remote XAuth identity: <removed>
ios[4]: IKEv1 SPIs: 884d6e82b7e59a56_i a4cea15bd0aeff20_r*,
public key reauthentication in 2 hours
ios[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
ios{2}: INSTALLED, TUNNEL, ESP SPIs: c5177fea_i 070a1d6b_o
ios{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
rekeying in 45 minutes
ios{2}: 0.0.0.0/0 === 10.0.0.2/32
Some more info:
iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:1194
VSERVER all -- anywhere cpe-86-<removed>
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.2.0/24 anywhere
MASQUERADE all -- !cpe-86-<removed> anywhere
MASQUERADE all -- anywhere anywhere MARK match 0xd001
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain LOCALSRV (0 references)
target prot opt source destination
Chain VSERVER (1 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp
dpt:1184 to:192.168.2.100:1194
DNAT udp -- anywhere anywhere udp
dpt:1184 to:192.168.2.100:1194
VUPNP all -- anywhere anywhere
Chain VUPNP (1 references)
target prot opt source destination
Chain YADNS (0 references)
target prot opt source destination
netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.8.0.5 * 255.255.255.255 UH 0 0 0 tun11
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun11
10.8.2.2 * 255.255.255.255 UH 0 0 0 tun21
86.58.119.1 * 255.255.255.255 UH 0 0 0 eth0
86.58.119.0 * 255.255.255.0 U 0 0 0 eth0
10.8.2.0 10.8.2.2 255.255.255.0 UG 0 0 0 tun21
192.168.2.0 * 255.255.255.0 U 0 0 0 br0
192.168.1.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun11
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default <removed> 0.0.0.0 UG 0 0 0 eth0
(ignore that tunnel to 192.168.1.0)
What should I do to make that tunnel work?
Regards.
Luka
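An added example, not from the original post or from the strongSwan project, showing the forwarding and NAT-bypass rules a strongSwan gateway typically needs so that clients on a virtual-IP pool can reach the LAN. It assumes the values visible above (pool 10.0.0.0/24, LAN 192.168.2.0/24 on br0, WAN on eth0) and prints the commands by default so they can be reviewed before being run on the router.

```shell
#!/bin/sh
# Added example (not from the original post). Values taken from the post:
# virtual-IP pool 10.0.0.0/24, home LAN 192.168.2.0/24 on br0, WAN on eth0.
POOL=${POOL:-10.0.0.0/24}
LAN=${LAN:-192.168.2.0/24}
LAN_IF=${LAN_IF:-br0}
WAN_IF=${WAN_IF:-eth0}

# Print the commands a gateway needs so tunnelled clients can reach the LAN.
# Nothing is executed here; pass "apply" to the script to run them.
ipsec_lan_rules() {
    # 1. The kernel must forward between the tunnel and the LAN at all.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 2. Let decrypted client traffic into the LAN, and LAN replies back into
    #    the tunnel. The policy match restricts both rules to IPsec traffic.
    echo "iptables -I FORWARD -s $POOL -d $LAN -o $LAN_IF -m policy --dir in --pol ipsec --proto esp -j ACCEPT"
    echo "iptables -I FORWARD -s $LAN -d $POOL -i $LAN_IF -m policy --dir out --pol ipsec --proto esp -j ACCEPT"
    # 3. Replies to the pool leave via the default route (WAN). Without this
    #    exemption a generic MASQUERADE rule rewrites their source address
    #    before ESP encapsulation, so the client never sees a LAN source.
    echo "iptables -t nat -I POSTROUTING -s $LAN -d $POOL -m policy --dir out --pol ipsec -j ACCEPT"
    # 4. Optional: give clients Internet access via the WAN (leftsubnet=0.0.0.0/0).
    echo "iptables -t nat -A POSTROUTING -s $POOL -o $WAN_IF -j MASQUERADE"
}

# Number of generated rules that reference the pool; a quick sanity check.
rule_count() {
    ipsec_lan_rules | grep -c "$POOL"
}

case "$1" in
    apply) ipsec_lan_rules | sh -e ;;   # needs root on the router
    *)     ipsec_lan_rules ;;           # dry run: only show the commands
esac
```

With leftfirewall=yes the updown script already inserts the equivalent of the FORWARD rules, so on a setup like the one above the NAT exemption in step 3 is the piece most often missing; check with `iptables -t nat -vnL POSTROUTING`, since plain `iptables -L` hides the interface and policy matches.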