[strongSwan] StrongSwan (optware) on Asus RT-AC66U (Merlin build) - can't access LAN IPs

Luka Lukapple80 at gmail.com
Thu Nov 7 09:52:02 CET 2013


I've increased the charon log level to 2, if it helps:
https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswan_log_2.txt
The log ends when I get the "Negotiation with the VPN server failed" error on my
iPhone.




On Thu, Nov 7, 2013 at 9:35 AM, Luka <Lukapple80 at gmail.com> wrote:

> Noel, thanks for the hint.
> I can't find the sysctl command on my router.
> But the following is probably the same:
> cat /proc/sys/net/ipv4/ip_forward
> 1
> (assuming that 1 means enabled)
>
> For accessing hosts on the LAN I've tried the following situation from the
> link you've provided:
>
>
>
> "The virtual IPs are from the subnet behind the gateway: In this situation
> either the dhcp plugin
> <http://wiki.strongswan.org/projects/strongswan/wiki/Dhcpplugin> is used or
> the gateway assigns virtual IP addresses from a subnet of the whole LAN
> behind the gateway (distinct from the IP addresses assigned via DHCP to
> other LAN hosts). If that is the case, the farp plugin
> <http://wiki.strongswan.org/projects/strongswan/wiki/Farpplugin> must be
> used so that the hosts behind the gateway may learn that they have to send
> response packets to the VPN gateway."
>
> So I've used DHCP to assign an IP to the client
> strongswan.conf:
> ...
> rightsourceip=%dhcp
> ...
> And the client (iPhone) got an address from the LAN subnet, 192.168.2.24.
> The farp plugin is also enabled - I can see it listed under "Loaded plugins:"
> when I execute the "ipsec statusall" command.
> But now I get an error on my client (iPhone): Negotiation with the VPN server
> failed.
> And there are some new errors in charon log file:
>
> https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswan_log_1.txt
>
> Nov  7 09:05:46 13[NET] received packet: from <client.wan.ip.removed>[4500] to <wan.ip.was.removed>[4500] (300 bytes)
> Nov  7 09:05:46 13[IKE] received retransmit of request with ID 1882702626, but no response to retransmit
>
> Any idea what's going on?
>
>
>
>
>
>
> On Thu, Nov 7, 2013 at 8:04 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>> Hello Luka,
>>
>> See
>> http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>> for solutions to this problem.
>>
>> Regards
>> Noel Kuntze
>>
>> On 07.11.2013 07:54, Luka wrote:
>> > Hi.
>> > I've successfully installed the StrongSwan 5.0.4 IPsec server on my Asus
>> RT-AC66U, firmware 3.0.0.4.374.34_2 (Merlin build), following the tutorial at:
>> > http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
>> > I'm trying to achieve this (diagram):
>> >
>> https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/IPsec_diagram.png
>> >
>> > I can connect to the VPN server with my iPhone, using Cisco IPsec, but the
>> problem is that I can't access any of my home LAN IPs.
>> > Here is the strongswan log file (IPs removed):
>> >
>> https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswancharon.log
>> >
>> > The router firewall is temporarily disabled.
>> > I probably need to add some iptables routes or something?
>> >
>> > Can someone tell me what I should put for left/right subnet and
>> left/right IP?
>> > Here is my config:
>> > ipsec.conf file:
>> >
>> > conn ios
>> >        keyexchange=ikev1
>> >        authby=xauthrsasig
>> >        xauth=server
>> >        left=%defaultroute
>> >        #left=%any
>> >        leftfirewall=yes
>> >        leftsubnet=0.0.0.0/0
>> >        #leftsubnet=192.168.2.0/24
>> >        leftcert=server.pem
>> >        right=%any
>> >        rightsubnet=10.0.0.0/24
>> >        #rightsubnet=192.168.2.0/24
>> >        rightsourceip=10.0.0.2
>> >        #rightsourceip=%dhcp
>> >        rightcert=client.pem
>> >        #forceencaps=yes
>> >        auto=add
>> >
>> >
>> > strongswan.conf file:
>> >
>> > charon {
>> >
>> >         # number of worker threads in charon
>> >         threads = 16
>> >
>> >         dns1 = 192.168.2.1
>> >
>> >         plugins {
>> >                 dhcp {
>> >                       server = 192.168.2.1
>> >                 }
>> >
>> >         }
>> >  }
>> >
>> >
>> >
>> > ipsec statusall command:
>> >
>> > ipsec statusall
>> > Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):
>> >   uptime: 27 minutes, since Nov 06 22:32:15 2013
>> >   malloc: sbrk 225280, mmap 0, used 201584, free 23696
>> >   worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0, scheduled: 5
>> >   loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
>> > Virtual IP pools (size/online/offline):
>> >   10.0.0.2: 1/1/0
>> > Listening IP addresses:
>> >   <wan.ip.removed>
>> >   192.168.2.1
>> >   10.8.2.1
>> >   10.8.0.6
>> > Connections:
>> >          ios:  %any...%any  IKEv1
>> >          ios:   local:  [C=CA,... <removed>] uses public key authentication
>> >          ios:    cert:  "C=CA,... <removed>"
>> >          ios:   remote: [C=CA, ... <removed>] uses public key authentication
>> >          ios:    cert:  "C=CA,... <removed>"
>> >          ios:   remote: uses XAuth authentication: any
>> >          ios:   child:  0.0.0.0/0 === 10.0.0.0/24 TUNNEL
>> > Security Associations (1 up, 0 connecting):
>> >          ios[4]: ESTABLISHED 23 seconds ago, <wan.ip.removed>[C=CA,... <removed>]...<iphone.wan.ip.removed>[C=CA,... <removed>]
>> >          ios[4]: Remote XAuth identity: <removed>
>> >          ios[4]: IKEv1 SPIs: 884d6e82b7e59a56_i a4cea15bd0aeff20_r*, public key reauthentication in 2 hours
>> >          ios[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>> >          ios{2}:  INSTALLED, TUNNEL, ESP SPIs: c5177fea_i 070a1d6b_o
>> >          ios{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
>> >          ios{2}:   0.0.0.0/0 === 10.0.0.2/32
>> >
>> >
>> > Some more info:
>> >
>> >
>> > iptables -L -t nat
>> > Chain PREROUTING (policy ACCEPT)
>> > target     prot opt source               destination
>> > ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1194
>> > VSERVER    all  --  anywhere             cpe-86-<removed>
>> >
>> > Chain POSTROUTING (policy ACCEPT)
>> > target     prot opt source               destination
>> > MASQUERADE  all  --  192.168.2.0/24       anywhere
>> > MASQUERADE  all  -- !cpe-86-<removed>  anywhere
>> > MASQUERADE  all  --  anywhere             anywhere            MARK match 0xd001
>> >
>> > Chain OUTPUT (policy ACCEPT)
>> > target     prot opt source               destination
>> >
>> > Chain LOCALSRV (0 references)
>> > target     prot opt source               destination
>> >
>> > Chain VSERVER (1 references)
>> > target     prot opt source               destination
>> > DNAT       tcp  --  anywhere             anywhere            tcp dpt:1184 to:192.168.2.100:1194
>> > DNAT       udp  --  anywhere             anywhere            udp dpt:1184 to:192.168.2.100:1194
>> > VUPNP      all  --  anywhere             anywhere
>> >
>> > Chain VUPNP (1 references)
>> > target     prot opt source               destination
>> >
>> > Chain YADNS (0 references)
>> > target     prot opt source               destination
>> >
>> >
>> >
>> > netstat -r
>> > Kernel IP routing table
>> > Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
>> > 10.8.0.5        *               255.255.255.255 UH        0 0          0 tun11
>> > 10.8.0.1        10.8.0.5        255.255.255.255 UGH       0 0          0 tun11
>> > 10.8.2.2        *               255.255.255.255 UH        0 0          0 tun21
>> > 86.58.119.1     *               255.255.255.255 UH        0 0          0 eth0
>> > 86.58.119.0     *               255.255.255.0   U         0 0          0 eth0
>> > 10.8.2.0        10.8.2.2        255.255.255.0   UG        0 0          0 tun21
>> > 192.168.2.0     *               255.255.255.0   U         0 0          0 br0
>> > 192.168.1.0     10.8.0.5        255.255.255.0   UG        0 0          0 tun11
>> > 127.0.0.0       *               255.0.0.0       U         0 0          0 lo
>> > default         <removed>       0.0.0.0         UG        0 0          0 eth0
>> >
>> >
>> > (ignore that tunnel to 192.168.1.0)
>> >
>> > What should I do to make that tunnel work?
>> >
>> > Regards.
>> >
>> > Luka
>> >
>> >
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.strongswan.org
>> > https://lists.strongswan.org/mailman/listinfo/users
>> >
>
>
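An added check, not from this thread or the strongSwan project, that reads the conn settings Luka posted and reports which case from the forwarding wiki text applies: whether LAN-bound client traffic is selected into the tunnel at all, and whether the virtual IP pool sits inside the LAN (farp plugin needed so LAN hosts' ARP requests are answered) or outside it (LAN hosts must route replies back via the gateway, which needs ip_forward=1, or the gateway must NAT the pool). The conn text is a constructed excerpt of the posted ipsec.conf and the 192.168.2.0/24 LAN comes from the br0 route in the netstat output.

```python
import ipaddress

# Constructed sample: the live settings from the ipsec.conf posted in the
# thread; the LAN is 192.168.2.0/24 (the br0 route in the netstat -r output).
SAMPLE_CONN = """
conn ios
        leftsubnet=0.0.0.0/0
        #leftsubnet=192.168.2.0/24
        rightsubnet=10.0.0.0/24
        rightsourceip=10.0.0.2
        #rightsourceip=%dhcp
"""

def parse_conn(text):
    """Collect key=value settings of a conn section; '#' comments are dropped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def _pool_bounds(pool):
    """First and last address of a rightsourceip pool (CIDR, single IP or lo-hi range)."""
    if "-" in pool:
        lo, hi = pool.split("-", 1)
        return ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())
    net = ipaddress.ip_network(pool, strict=False)
    return net[0], net[-1]

def virtual_ip_placement(settings, lan):
    """'dhcp-in-lan'/'in-lan': clients get LAN addresses, LAN hosts ARP for them,
    so the farp plugin must answer on their behalf.  'outside-lan': a separate
    pool; LAN hosts must route replies back via the gateway (ip_forward=1) or
    the gateway must NAT the pool into the LAN."""
    lan = ipaddress.ip_network(lan)
    pool = settings.get("rightsourceip", "")
    if pool.startswith("%dhcp"):
        return "dhcp-in-lan"
    return "in-lan" if all(a in lan for a in _pool_bounds(pool)) else "outside-lan"

def tunnel_covers_lan(settings, lan):
    """True if a leftsubnet selector includes the LAN (unset = gateway host only)."""
    if "leftsubnet" not in settings:
        return False
    lan = ipaddress.ip_network(lan)
    return any(lan.subnet_of(ipaddress.ip_network(s.strip()))
               for s in settings["leftsubnet"].split(","))
```

With the posted config this reports "outside-lan" (a 10.0.0.2 pool next to a 192.168.2.0/24 LAN), while the later %dhcp change reports "dhcp-in-lan", the case where the wiki text says farp is required.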