[strongSwan] StrongSwan(optware) on Asus RT-AC66U (merlin build)-can't access LAN IPs

Luka Lukapple80 at gmail.com
Thu Nov 7 09:35:29 CET 2013


Noel, thanks for the hint.
I can't find the sysctl command on my router.
But the following is probably the same:
cat /proc/sys/net/ipv4/ip_forward
1
(assuming that 1 means enabled)

For accessing hosts on the LAN I've tried the following situation from the link
you've provided:

*The virtual IPs are from the subnet behind the gateway: In this situation
either the dhcp plugin
<http://wiki.strongswan.org/projects/strongswan/wiki/Dhcpplugin> is used or
the gateway assigns virtual IP addresses from a subnet of the whole LAN
behind the gateway (distinct from the IP addresses assigned via DHCP to
other LAN hosts). If that is the case, the farp plugin
<http://wiki.strongswan.org/projects/strongswan/wiki/Farpplugin> must be
used so that the hosts behind the gateway may learn that they have to send
response packets to the VPN gateway.*

So I've used dhcp to assign an IP to the client.
strongswan.conf:
...
rightsourceip=%dhcp
...
And the client (iPhone) got an address from the LAN subnet, 192.168.2.24.
The farp plugin is also enabled - I can see it listed under "Loaded plugins:" when
I execute the "ipsec statusall" command.
But now I get an error on my client (iPhone): Negotiation with the VPN server
failed.
And there are some new errors in charon log file:
https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswan_log_1.txt

Nov  7 09:05:46 13[NET] received packet: from <client.wan.ip.removed>[4500] to <wan.ip.was.removed>[4500] (300 bytes)
Nov  7 09:05:46 13[IKE] received retransmit of request with ID 1882702626, but no response to retransmit

Any idea what's going on?

On Thu, Nov 7, 2013 at 8:04 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:

> Hello Luka,
>
> See
> http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
> for solutions to this problem.
>
> Regards
> Noel Kuntze
>
> On 07.11.2013 07:54, Luka wrote:
> > Hi.
> > I've successfully installed the StrongSwan 5.0.4 IPsec server on my Asus
> > RT-AC66U, firmware 3.0.0.4.374.34_2 (Merlin build), following the tutorial at:
> > http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
> > I'm trying to achieve this (diagram):
> >
> > https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/IPsec_diagram.png
> >
> > I can connect to the VPN server with my iPhone, using Cisco IPsec, but the
> > problem is that *I can't access any of my home LAN IPs*.
> > Here is the strongswan log file (IPs removed):
> >
> > https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswancharon.log
> >
> > The router firewall is temporarily disabled.
> > I probably need to add some iptables routes or something?
> >
> > Can someone tell me what I should put for left/right subnet and
> > left/right ip?
> > Here is my config:
> > ipsec.conf file:
> >
> > conn ios
> >        keyexchange=ikev1
> >        authby=xauthrsasig
> >        xauth=server
> >        left=%defaultroute
> >        #left=%any
> >        leftfirewall=yes
> >        leftsubnet=0.0.0.0/0
> >        #leftsubnet=192.168.2.0/24
> >        leftcert=server.pem
> >        right=%any
> >        rightsubnet=10.0.0.0/24
> >        #rightsubnet=192.168.2.0/24
> >        rightsourceip=10.0.0.2
> >        #rightsourceip=%dhcp
> >        rightcert=client.pem
> >        #forceencaps=yes
> >        auto=add
> >
> >
> > strongswan.conf file:
> >
> > charon {
> >
> >         # number of worker threads in charon
> >         threads = 16
> >
> >         dns1 = 192.168.2.1
> >
> >         plugins {
> >                 dhcp {
> >                       server = 192.168.2.1
> >                 }
> >
> >         }
> >  }
> >
> >
> >
> > ipsec statusall command:
> >
> > ipsec statusall
> > Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):
> >   uptime: 27 minutes, since Nov 06 22:32:15 2013
> >   malloc: sbrk 225280, mmap 0, used 201584, free 23696
> >   worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0, scheduled: 5
> >   loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
> > Virtual IP pools (size/online/offline):
> >   10.0.0.2: 1/1/0
> > Listening IP addresses:
> >   <wan.ip.removed>
> >   192.168.2.1
> >   10.8.2.1
> >   10.8.0.6
> > Connections:
> >          ios:  %any...%any  IKEv1
> >          ios:   local:  [C=CA,... <removed>] uses public key authentication
> >          ios:    cert:  "C=CA,... <removed>"
> >          ios:   remote: [C=CA, ... <removed>] uses public key authentication
> >          ios:    cert:  "C=CA,... <removed>"
> >          ios:   remote: uses XAuth authentication: any
> >          ios:   child:  0.0.0.0/0 === 10.0.0.0/24 TUNNEL
> > Security Associations (1 up, 0 connecting):
> >          ios[4]: ESTABLISHED 23 seconds ago, <wan.ip.removed>[C=CA,... <removed>]...<iphone.wan.ip.removed>[C=CA,... <removed>]
> >          ios[4]: Remote XAuth identity: <removed>
> >          ios[4]: IKEv1 SPIs: 884d6e82b7e59a56_i a4cea15bd0aeff20_r*, public key reauthentication in 2 hours
> >          ios[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> >          ios{2}:  INSTALLED, TUNNEL, ESP SPIs: c5177fea_i 070a1d6b_o
> >          ios{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
> >          ios{2}:   0.0.0.0/0 === 10.0.0.2/32
> >
> >
> > Some more info:
> >
> >
> > iptables -L -t nat
> > Chain PREROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1194
> > VSERVER    all  --  anywhere             cpe-86-<removed>
> >
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > MASQUERADE  all  --  192.168.2.0/24       anywhere
> > MASQUERADE  all  -- !cpe-86-<removed>  anywhere
> > MASQUERADE  all  --  anywhere             anywhere            MARK match 0xd001
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain LOCALSRV (0 references)
> > target     prot opt source               destination
> >
> > Chain VSERVER (1 references)
> > target     prot opt source               destination
> > DNAT       tcp  --  anywhere             anywhere            tcp dpt:1184 to:192.168.2.100:1194
> > DNAT       udp  --  anywhere             anywhere            udp dpt:1184 to:192.168.2.100:1194
> > VUPNP      all  --  anywhere             anywhere
> >
> > Chain VUPNP (1 references)
> > target     prot opt source               destination
> >
> > Chain YADNS (0 references)
> > target     prot opt source               destination
> >
> >
> >
> > netstat -r
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> > 10.8.0.5        *               255.255.255.255 UH        0 0          0 tun11
> > 10.8.0.1        10.8.0.5        255.255.255.255 UGH       0 0          0 tun11
> > 10.8.2.2        *               255.255.255.255 UH        0 0          0 tun21
> > 86.58.119.1     *               255.255.255.255 UH        0 0          0 eth0
> > 86.58.119.0     *               255.255.255.0   U         0 0          0 eth0
> > 10.8.2.0        10.8.2.2        255.255.255.0   UG        0 0          0 tun21
> > 192.168.2.0     *               255.255.255.0   U         0 0          0 br0
> > 192.168.1.0     10.8.0.5        255.255.255.0   UG        0 0          0 tun11
> > 127.0.0.0       *               255.0.0.0       U         0 0          0 lo
> > default         <removed>       0.0.0.0         UG        0 0          0 eth0
> >
> >
> > (ignore that tunnel to 192.168.1.0)
> >
> > What should I do to make that tunnel work?
> >
> > Regards.
> >
> > Luka
> >
> >
> >
> >
> >
> >
> >
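An added example, not part of this thread or of strongSwan itself, that turns the wiki passage Luka quotes into a check: it parses `ipsec statusall` text, takes the remote traffic selector of each installed CHILD_SA (the /32 a client was actually assigned, not the configured 10.0.0.0/24 policy), decides whether that address lies inside the LAN behind the gateway, and for the in-LAN case verifies that the farp plugin is loaded. The LAN is assumed to be 192.168.2.0/24 as in the thread; the status text is constructed (plugin list shortened, public addresses replaced by RFC 5737 documentation addresses), and the function names are mine.

```python
"""Added example: decide which of the wiki's virtual-IP situations a
strongSwan client is in, from `ipsec statusall` output, and whether the
plugin that situation needs (farp for in-LAN virtual IPs) is loaded.
Not part of the mailing-list thread; the status text below is constructed."""
import ipaddress
import re
from typing import List, Set

# Constructed sample, modelled on the `ipsec statusall` output in the thread
# (plugin list shortened, public addresses replaced by RFC 5737 ones).
SAMPLE_STATUS = """\
Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):
  loaded plugins: charon aes sha1 x509 kernel-netlink farp stroke updown xauth-generic dhcp
Virtual IP pools (size/online/offline):
  10.0.0.2: 1/1/0
Listening IP addresses:
  192.168.2.1
Connections:
         ios:   child:  0.0.0.0/0 === 10.0.0.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
         ios[4]: ESTABLISHED 23 seconds ago, 203.0.113.1[C=CA]...198.51.100.7[C=CA]
         ios{2}:  INSTALLED, TUNNEL, ESP SPIs: c5177fea_i 070a1d6b_o
         ios{2}:   0.0.0.0/0 === 10.0.0.2/32
"""


def loaded_plugins(status: str) -> Set[str]:
    """Names listed after 'loaded plugins:' (a single, often very long line)."""
    m = re.search(r"loaded plugins:\s*(.*)", status)
    return set(m.group(1).split()) if m else set()


def installed_remote_selectors(status: str) -> List[ipaddress.IPv4Network]:
    """Remote traffic selectors of installed CHILD_SAs: the '===' lines after
    the 'Security Associations' header. The Connections section also prints
    '===' lines, but those show the configured policy (10.0.0.0/24 here),
    not the /32 a client was actually assigned."""
    _, _, sa_section = status.partition("Security Associations")
    return [ipaddress.ip_network(m.group(1), strict=False)
            for m in re.finditer(r"\S+/\d+\s+===\s+(\S+/\d+)", sa_section)]


def requirements(status: str, lan_cidr: str) -> List[str]:
    """One finding per installed client selector, following the quoted wiki
    text: a virtual IP inside the LAN needs farp so LAN hosts learn to send
    replies to the gateway; a separate subnet needs the LAN hosts to route it
    back through the gateway (or NAT on the gateway)."""
    lan = ipaddress.ip_network(lan_cidr)
    plugins = loaded_plugins(status)
    findings = []
    for remote in installed_remote_selectors(status):
        if remote.subnet_of(lan):
            state = "loaded" if "farp" in plugins else "MISSING"
            findings.append(f"{remote}: inside LAN {lan}; farp plugin {state}")
        else:
            findings.append(f"{remote}: separate subnet; LAN hosts need a route "
                            f"to {remote} via the gateway (or NAT on the gateway)")
    return findings


if __name__ == "__main__":
    for line in requirements(SAMPLE_STATUS, "192.168.2.0/24"):
        print(line)
```

With the thread's original pool (10.0.0.2) the check reports the separate-subnet case; after the switch to `rightsourceip=%dhcp`, where the client received 192.168.2.24, the same status text would fall into the in-LAN case and the check confirms farp is among the loaded plugins, which is the only prerequisite the quoted wiki text states for that case.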