[strongSwan] StrongSwan(optware) on Asus RT-AC66U (merlin build)-can't access LAN IPs
Noel Kuntze
noel at familie-kuntze.de
Thu Nov 7 08:04:54 CET 2013
Hello Luka,
See http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling for solutions to this problem.
Regards
Noel Kuntze
Am 07.11.2013 07:54, schrieb Luka:
> Hi.
> I've successfully installed a strongSwan 5.0.4 IPsec server on my Asus RT-AC66U (firmware 3.0.0.4.374.34_2, Merlin build), following the tutorial at:
> http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
> I'm trying to achieve this(diagram):
> https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/IPsec_diagram.png
>
> I can connect to the VPN server with my iPhone, using Cisco IPsec, but the problem is that *I can't access any of my home LAN IPs*.
> Here is the strongSwan log file (IPs removed):
> https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswancharon.log
>
> The router firewall is temporarily disabled.
> I probably need to add some iptables routes or something?
>
> Can someone tell me what I should put for left/right subnet and left/right IP?
> Here is my config:
> ipsec.conf file:
>
> conn ios
>     keyexchange=ikev1
>     authby=xauthrsasig
>     xauth=server
>     left=%defaultroute
>     #left=%any
>     leftfirewall=yes
>     leftsubnet=0.0.0.0/0
>     #leftsubnet=192.168.2.0/24
>     leftcert=server.pem
>     right=%any
>     rightsubnet=10.0.0.0/24
>     #rightsubnet=192.168.2.0/24
>     rightsourceip=10.0.0.2
>     #rightsourceip=%dhcp
>     rightcert=client.pem
>     #forceencaps=yes
>     auto=add
>
>
> strongswan.conf file:
>
> charon {
>     # number of worker threads in charon
>     threads = 16
>
>     dns1 = 192.168.2.1
>
>     plugins {
>         dhcp {
>             server = 192.168.2.1
>         }
>     }
> }
>
>
>
> ipsec statusall command:
>
> ipsec statusall
> Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):
> uptime: 27 minutes, since Nov 06 22:32:15 2013
> malloc: sbrk 225280, mmap 0, used 201584, free 23696
> worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0, scheduled: 5
> loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
> Virtual IP pools (size/online/offline):
> 10.0.0.2: 1/1/0
> Listening IP addresses:
> <wan.ip.removed>
> 192.168.2.1
> 10.8.2.1
> 10.8.0.6
> Connections:
> ios: %any...%any IKEv1
> ios: local: [C=CA,... <removed>] uses public key authentication
> ios: cert: "C=CA,... <removed>"
> ios: remote: [C=CA, ... <removed>] uses public key authentication
> ios: cert: "C=CA,... <removed>"
> ios: remote: uses XAuth authentication: any
> ios: child: 0.0.0.0/0 === 10.0.0.0/24 TUNNEL
> Security Associations (1 up, 0 connecting):
> ios[4]: ESTABLISHED 23 seconds ago, <wan.ip.removed>[C=CA,... <removed>]...<iphone.wan.ip.removed>[C=CA,... <removed>]
> ios[4]: Remote XAuth identity: <removed>
> ios[4]: IKEv1 SPIs: 884d6e82b7e59a56_i a4cea15bd0aeff20_r*, public key reauthentication in 2 hours
> ios[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> ios{2}: INSTALLED, TUNNEL, ESP SPIs: c5177fea_i 070a1d6b_o
> ios{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
> ios{2}: 0.0.0.0/0 === 10.0.0.2/32
>
>
> Some more info:
>
>
> iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> ACCEPT tcp -- anywhere anywhere tcp dpt:1194
> VSERVER all -- anywhere cpe-86-<removed>
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> MASQUERADE all -- 192.168.2.0/24 anywhere
> MASQUERADE all -- !cpe-86-<removed> anywhere
> MASQUERADE all -- anywhere anywhere MARK match 0xd001
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain LOCALSRV (0 references)
> target prot opt source destination
>
> Chain VSERVER (1 references)
> target prot opt source destination
> DNAT tcp -- anywhere anywhere tcp dpt:1184 to:192.168.2.100:1194
> DNAT udp -- anywhere anywhere udp dpt:1184 to:192.168.2.100:1194
> VUPNP all -- anywhere anywhere
>
> Chain VUPNP (1 references)
> target prot opt source destination
>
> Chain YADNS (0 references)
> target prot opt source destination
>
>
>
> netstat -r
> Kernel IP routing table
> Destination Gateway Genmask Flags MSS Window irtt Iface
> 10.8.0.5 * 255.255.255.255 UH 0 0 0 tun11
> 10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun11
> 10.8.2.2 * 255.255.255.255 UH 0 0 0 tun21
> 86.58.119.1 * 255.255.255.255 UH 0 0 0 eth0
> 86.58.119.0 * 255.255.255.0 U 0 0 0 eth0
> 10.8.2.0 10.8.2.2 255.255.255.0 UG 0 0 0 tun21
> 192.168.2.0 * 255.255.255.0 U 0 0 0 br0
> 192.168.1.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun11
> 127.0.0.0 * 255.0.0.0 U 0 0 0 lo
> default <removed> 0.0.0.0 UG 0 0 0 eth0
>
>
> (ignore that tunnel to 192.168.1.0)
>
> What should I do to make that tunnel work?
>
> Regards.
>
> Luka
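Editor's note: the following is an added example, not part of Noel's reply or Luka's post and not the strongSwan project's own script. It applies the NAT exemption approach described on the ForwardingAndSplitTunneling wiki page to the setup quoted above. The core problem visible in the quoted `iptables -L -t nat` output is that the router's stock MASQUERADE rules in nat/POSTROUTING rewrite LAN replies destined for the client's virtual IP (10.0.0.2) to the WAN address before they reach the IPsec output policy, so they no longer match `0.0.0.0/0 === 10.0.0.2/32` and never go back through the tunnel. Assumptions (all taken from the quoted message, override with environment variables): WAN interface eth0, virtual IP pool 10.0.0.0/24, LAN 192.168.2.0/24. DRY_RUN=1 (the default) only prints the iptables commands so they can be reviewed before running them on the router.

```sh
#!/bin/sh
# Added example (editor's code, not from the thread). Assumes WAN interface eth0 and
# LAN bridge br0 as in the quoted netstat -r, pool 10.0.0.0/24 and LAN 192.168.2.0/24
# as in the quoted ipsec.conf. DRY_RUN=1 prints the commands instead of running them.

VPN_POOL="${VPN_POOL:-10.0.0.0/24}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"
WAN_IF="${WAN_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nat/POSTROUTING: packets that have an outbound IPsec policy must be exempted from
# NAT *before* any MASQUERADE rule, otherwise LAN replies to 10.0.0.2 get their source
# rewritten to the WAN address and stop matching the tunnel policy. Inserting at
# position 1 puts the exemption ahead of every rule the firmware already installed.
nat_rules() {
    run iptables -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT
    # Optional: with leftsubnet=0.0.0.0/0 the client sends all traffic through the
    # tunnel, so pool addresses need masquerading toward the internet like the LAN.
    # Tunnelled traffic never reaches this rule because of the exemption above.
    run iptables -t nat -A POSTROUTING -s "$VPN_POOL" -o "$WAN_IF" -j MASQUERADE
}

# filter/FORWARD: needed once the router firewall is re-enabled. leftfirewall=yes adds
# equivalent per-CHILD_SA rules through the updown script; these static ones do not
# depend on it. --proto esp limits the match to packets that really came in via ESP.
forward_rules() {
    run iptables -I FORWARD 1 -s "$VPN_POOL" -d "$LAN_NET" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    run iptables -I FORWARD 2 -s "$LAN_NET" -d "$VPN_POOL" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
}

# Audit helper: read `iptables -t nat -S POSTROUTING` on stdin and return 0 if an IPsec
# policy ACCEPT precedes the first MASQUERADE, 1 if a MASQUERADE would hit tunnelled
# packets first (which is the situation in the quoted listing).
nat_exempt_before_masquerade() {
    awk '
        /-j MASQUERADE/ && !exempt { bad = 1; exit }
        /-m policy/ && /--dir out/ && /--pol ipsec/ && /-j ACCEPT/ { exempt = 1 }
        END { exit bad ? 1 : 0 }
    '
}

nat_rules
forward_rules
```

Run it on the router with `DRY_RUN=1` first and compare the printed commands against `iptables -t nat -S POSTROUTING`; the audit function can be piped that listing afterwards to confirm the exemption ended up ahead of the firmware's MASQUERADE rules. Asus firmware rewrites its NAT table on WAN events, so the rules belong in a firewall-start hook rather than a one-off shell session.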