[strongSwan] StrongSwan(optware) on Asus RT-AC66U (merlin build)-can't access LAN IPs

Thu Nov 7 18:25:03 CET 2013

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Luka,

Your former configuration worked just fine. The problem was with the network or similiar. It had nothing to do with strongSwan.

Regards
Noel Kuntze

On 07.11.2013 10:51, Luka wrote:
> Now I've tried to load modules by hand. I've added following line to strongswan.conf:
> load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve attr farp xauth-generic
>
> And if I check charon logs, it looks like it connects and then immediately disconnects from vpn.
> Here are interesting lines from log file, (I connect with iphone and get "Negotiation with the VPN server failed":
>
> ...
> Nov  7 10:31:12 14[CFG]   id '<server.wan.ip>' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=clientLupo'
> ...
> Nov  7 10:31:12 14[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=<server.wan.ip>'
> ...
> Nov  7 10:31:12 14[CFG] left is other host, swapping ends
> ...
> Nov  7 10:13:55 04[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> ...
> Nov  7 10:13:56 05[IKE] remote host is behind NAT
> ...
> Nov  7 10:13:57 11[IKE] XAuth authentication of 'lupo' successful
> ...
> Nov  7 10:13:57 12[IKE] IKE_SA ios[1] state change: CONNECTING => ESTABLISHED
> ...
> Nov  7 10:13:57 12[IKE] peer requested virtual IP %any
> Nov  7 10:13:57 12[IKE] no virtual IP found for %any requested by 'lupo'
> ...
> Nov  7 10:14:13 05[ENC] parsing HASH_V1 payload finished
> Nov  7 10:14:13 05[ENC] parsing DELETE_V1 payload, 40 bytes left
> ...
> Nov  7 10:14:13 05[ENC] parsing DELETE_V1 payload finished
> ...
> Nov  7 10:14:13 05[IKE] IKE_SA ios[1] state change: ESTABLISHED => DELETING
> Nov  7 10:14:13 05[MGR] checkin and destroy IKE_SA ios[1]
> Nov  7 10:14:13 05[IKE] IKE_SA ios[1] state change: DELETING => DESTROYING
> Nov  7 10:14:13 05[MGR] check-in and destroy of IKE_SA successful
> Nov  7 10:14:13 02[NET] waiting for data on sockets
> Nov  7 10:14:25 15[JOB] got event, queuing job for execution
> Nov  7 10:14:25 15[JOB] next event in 9732s 760ms, waiting
> Nov  7 10:14:25 06[MGR] checkout IKE_SA
>
> Should I put something else instead of "right=%any" ?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSe8zvAAoJEDg5KY9j7GZYuUgP/35loiPabv+RrIttHVaBHcru
D7NYUqXKRNeaYnZj+qwsOIorjyoT9xjxg/ZlQCfJSaQKzuFhT3an2IUXeR+57U91
WSlOfUJph2krkfqhAsrpT2fpD1z21t2vwLMRtOfwDJ5SbI5JInjNkXIur5rRvav1
Tnxu4XzZ0wVaUnsabS0jfLYcHNfRcn9viRd5vMwtD0iJ+wO7Q5d/r8zY9pe7yvnk
bGmkcZ5QHHVrCubqCL7qNABYmcrDsZJJoG3RNh/6rqtHWuVawOi5n4o3wP6VKlu5
pHF2LyMz0ZASiveYjNvE24H7FN1CbepJO/hAKSPloNKUKObN4qvCf5Jwj315zZhp
+4iQdbqbXN6gAMA309Hv4HVXnhxPffxi3vf8R+2GsciDfLIuP6eS7XtWv8wyYnFF
+/oAtCuxw6aMI6r6KiTY5kVoeVziNsMDps5qDXet4VAOLPxKdtTbdpBza0YqIC61
1qbPPLF5E7AElLqV36Sm9s3nuQfATGUJMM5GRXVtnivDpIooqbRw6V6baXKduCkD
6pdIMIkI7TaBvdbYlyK/7h6Vxv6t1WGQESNt93WfveJUmO5/+37pEfDRwUg9EEAj
dwv5/sO39usNPzVKOLfZH1h6DN9NJCbqdu00r/FiJ83U55WYKehkDhJRp6ep/rt5
O/aMJnVocQlTSEklzGfY
=kajC
-----END PGP SIGNATURE-----