[strongSwan] StrongSwan(optware) on Asus RT-AC66U (merlin build)-can't access LAN IPs
Luka
Lukapple80 at gmail.com
Thu Nov 7 09:52:02 CET 2013
I've increased charon log level to 2, if it helps:
https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswan_log_2.txt
Log ends when i get "Negotiation with the VPN server failed" error on my
iphone.
On Thu, Nov 7, 2013 at 9:35 AM, Luka <Lukapple80 at gmail.com> wrote:
> Noel, thanks for hint.
> I can't find sysctl command on my router.
> But following is probably the same:
> cat /proc/sys/net/ipv4/ip_forward
> 1
> (assuming that 1 means enabled)
>
> For accessing Hosts on the LAN I've tried following situation from the
> link you've provided:
>
>
>
> *The virtual IPs are from the subnet behind the gateway: In this situation
> either the dhcp plugin
> <http://wiki.strongswan.org/projects/strongswan/wiki/Dhcpplugin> is used or
> the gateway assigns virtual IP addresses from a subnet of the whole LAN
> behind the gateway (distinct from the IP addressesassigned via DHCP to
> other LAN hosts). If that is the case, the farp plugin
> <http://wiki.strongswan.org/projects/strongswan/wiki/Farpplugin> must be
> used so that the hosts behind the gateway may learn that they have to send
> response packets to the VPN gateway.*
>
> So I've used dhcp to assign ip to client
> strongswan.conf:
> ...
> rightsourceip=%dhcp
> ...
> And client(iPhone) got address from the LAN subnet, 192.168.2.24.
> Farp plugin is also enabled - I can see it listed on "Loaded plugins:"
> when I execute "ipsec statusall" command.
> But now I get error on my client(iphone): Negotiation with the VPN server
> failed.
> And there are some new errors in charon log file:
>
> https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswan_log_1.txt
>
> Nov 7 09:05:46 13[NET] received packet: from <client.wan.ip.removed>[4500] to <wan.ip.was.removed>[4500] (300 bytes)
> Nov 7 09:05:46 13[IKE] received retransmit of request with ID 1882702626, but no response to retransmit
>
> Any idea what's going on ?
>
>
>
>
>
>
> On Thu, Nov 7, 2013 at 8:04 AM, Noel Kuntze <noel at familie-kuntze.de>wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hello Luka,
>>
>> See
>> http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunnelingFor solutions to this problem.
>>
>> Regards
>> Noel Kuntze
>>
>> Am 07.11.2013 07:54, schrieb Luka:
>> > Hi.
>> > I've successfully installed StrongSwan 5.0.4 IPsec server on my Asus
>> RT-AC66U Firmware:3.0.0.4.374.34_2 (Merlin build), followed tutorial on:
>> > http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
>> > I'm trying to achieve this(diagram):
>> >
>> https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/IPsec_diagram.png
>> >
>> > I can connect to vpn server with my iPhone, using Cisco IPsec, but
>> problem is that*I can't access any of my home LAN IPs*.
>> > Here is strongswan log file(removed IPs):
>> >
>> https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswancharon.log
>> >
>> > Router firewall is temporary disabled.
>> > I probably need to add some iptables routes or something ?
>> >
>> > Can someone tell me what should I put for left/right subnet and
>> left/right ip ?
>> > Here is my config:
>> > Ipsec.conf file:
>> >
>> > conn ios
>> > keyexchange=ikev1
>> > authby=xauthrsasig
>> > xauth=server
>> > left=%defaultroute
>> > #left=%any
>> > leftfirewall=yes
>> > leftsubnet=0.0.0.0/0 <http://0.0.0.0/0>
>> > #leftsubnet=192.168.2.0/24 <http://192.168.2.0/24>
>> > leftcert=server.pem
>> > right=%any
>> > rightsubnet=10.0.0.0/24 <http://10.0.0.0/24>
>> > #rightsubnet=192.168.2.0/24 <http://192.168.2.0/24>
>> > rightsourceip=10.0.0.2
>> > #rightsourceip=%dhcp
>> > rightcert=client.pem
>> > #forceencaps=yes
>> > auto=add
>> >
>> >
>> > strongswan.conf file:
>> >
>> > charon {
>> >
>> > # number of worker threads in charon
>> > threads = 16
>> >
>> > dns1 = 192.168.2.1
>> >
>> > plugins {
>> > dhcp {
>> > server = 192.168.2.1
>> > }
>> >
>> > }
>> > }
>> >
>> >
>> >
>> > ipsec statusall command:
>> >
>> > ipsec statusall
>> > Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):
>> > uptime: 27 minutes, since Nov 06 22:32:15 2013
>> > malloc: sbrk 225280, mmap 0, used 201584, free 23696
>> > worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0,
>> scheduled: 5
>> > loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes
>> des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints
>> pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc
>> cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve
>> socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5
>> eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led
>> duplicheck addrblock unity
>> > Virtual IP pools (size/online/offline):
>> > 10.0.0.2 <http://10.0.0.2>: 1/1/0
>> > Listening IP addresses:
>> > <wan.ip.removed>
>> > 192.168.2.1
>> > 10.8.2.1
>> > 10.8.0.6
>> > Connections:
>> > ios: %any...%any IKEv1
>> > ios: local: [C=CA,... <removed>] uses public key
>> authentication
>> > ios: cert: "C=CA,... <removed>"
>> > ios: remote: [C=CA, ... <removed>] uses public key
>> authentication
>> > ios: cert: "C=CA,... <removed>"
>> > ios: remote: uses XAuth authentication: any
>> > ios: child: 0.0.0.0/0 <http://0.0.0.0/0> === 10.0.0.0/24 <
>> http://10.0.0.0/24> TUNNEL
>> > Security Associations (1 up, 0 connecting):
>> > ios[4]: ESTABLISHED 23 seconds ago, <wan.ip.removed>[C=CA,...
>> <removed>]...<iphone.wan.ip.removed>[C=CA,... <removed>]
>> > ios[4]: Remote XAuth identity: <removed>
>> > ios[4]: IKEv1 SPIs: 884d6e82b7e59a56_i a4cea15bd0aeff20_r*,
>> public key reauthentication in 2 hours
>> > ios[4]: IKE proposal:
>> AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>> > ios{2}: INSTALLED, TUNNEL, ESP SPIs: c5177fea_i 070a1d6b_o
>> > ios{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 45 minutes
>> > ios{2}: 0.0.0.0/0 <http://0.0.0.0/0> === 10.0.0.2/32 <
>> http://10.0.0.2/32>
>> >
>> >
>> > Some more info:
>> >
>> >
>> > iptables -L -t nat
>> > Chain PREROUTING (policy ACCEPT)
>> > target prot opt source destination
>> > ACCEPT tcp -- anywhere anywhere tcp
>> dpt:1194
>> > VSERVER all -- anywhere cpe-86-<removed>
>> >
>> > Chain POSTROUTING (policy ACCEPT)
>> > target prot opt source destination
>> > MASQUERADE all -- 192.168.2.0/24 <http://192.168.2.0/24>
>> anywhere
>> > MASQUERADE all -- !cpe-86-<removed> anywhere
>> > MASQUERADE all -- anywhere anywhere MARK
>> match 0xd001
>> >
>> > Chain OUTPUT (policy ACCEPT)
>> > target prot opt source destination
>> >
>> > Chain LOCALSRV (0 references)
>> > target prot opt source destination
>> >
>> > Chain VSERVER (1 references)
>> > target prot opt source destination
>> > DNAT tcp -- anywhere anywhere tcp
>> dpt:1184 to:192.168.2.100:1194 <http://192.168.2.100:1194>
>> > DNAT udp -- anywhere anywhere udp
>> dpt:1184 to:192.168.2.100:1194 <http://192.168.2.100:1194>
>> > VUPNP all -- anywhere anywhere
>> >
>> > Chain VUPNP (1 references)
>> > target prot opt source destination
>> >
>> > Chain YADNS (0 references)
>> > target prot opt source destination
>> >
>> >
>> >
>> > netstat -r
>> > Kernel IP routing table
>> > Destination Gateway Genmask Flags MSS Window
>> irtt Iface
>> > 10.8.0.5 * 255.255.255.255 UH 0 0
>> 0 tun11
>> > 10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0
>> 0 tun11
>> > 10.8.2.2 * 255.255.255.255 UH 0 0
>> 0 tun21
>> > 86.58.119.1 * 255.255.255.255 UH 0 0
>> 0 eth0
>> > 86.58.119.0 * 255.255.255.0 U 0 0
>> 0 eth0
>> > 10.8.2.0 10.8.2.2 255.255.255.0 UG 0 0
>> 0 tun21
>> > 192.168.2.0 * 255.255.255.0 U 0 0
>> 0 br0
>> > 192.168.1.0 10.8.0.5 255.255.255.0 UG 0 0
>> 0 tun11
>> > 127.0.0.0 * 255.0.0.0 U 0 0
>> 0 lo
>> > default <removed> 0.0.0.0 UG 0 0 0 eth0
>> >
>> >
>> > (ignore that tunnel to 192.168.1.0)
>> >
>> > What should I do to make that tunnel work ?
>> >
>> > Regards.
>> >
>> > Luka
>> >
>> >
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.strongswan.org
>> > https://lists.strongswan.org/mailman/listinfo/users
>> >
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.22 (GNU/Linux)
>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>
>> iQIcBAEBAgAGBQJSezuWAAoJEDg5KY9j7GZYIlQP/jOYYLtuYAemzYH0pyzZimbo
>> No3Td9nhGbpi2QPBm6W7cBa3qo/xikaH80RRjG07raDVKJdxhQKjf/hYNG3daF3C
>> HTBZuaMBU8afwumQpknLprhapec+FZ5uNc4KE1OL4CObTQlv/ZBcFBvwIitGfJKX
>> tHcR54FEC8ElrzRrqjLItx+1oEr47AFa8yj1/AJV3c8T08vgqAJbOoTpThuJweF7
>> 8pbJcnDUwf3c4Xm+GKKI5lK3H5B4MF6ybhTn4EWNKy7IEe9tn3M0PuWTabyQ5W0h
>> StiAVWS1U0GVT22eGTLIAAJ6izm6XH4KC5vvlZlS3y0wdyYrrupiNwgegFVd2gMS
>> Om3WeG5KVEHpl9WqUO5cBKBHFQlrvL5pxcRP0rTmncGBNUKYNc28HiTpQZQZne/1
>> BLcIdCChJZCKn6ncVLibhYdFSxag0KKiAmlD26rzGR2V7AYzbr0zRBvTGhbvI8du
>> 0S1xfIpXv56tGt3DBxD1s4/VGbhSpFlOEkqDQqzMPtAeUjNjjK/PeX2qSs0kJYGU
>> LDpkI815MQFtnIdQ7Wy79UzmnK2Q/2Bpy5+ckOZPzbkRuSizYYcKhgD2Kmdd4EWp
>> rneKSob9OgtE7Q8cAtauJgJRLBrDHVuvg0Zc5d2sVc0dkxFwzcs7dtWJQnD5qDU4
>> x1mkt92ogJMXnEy7D6eo
>> =TCnj
>> -----END PGP SIGNATURE-----
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20131107/6a9bc6b2/attachment.html>
More information about the Users
mailing list