[strongSwan] StrongSwan(optware) on Asus RT-AC66U (merlin build)-can't access LAN IPs

Luka Lukapple80 at gmail.com
Thu Nov 7 23:03:00 CET 2013


Ok, I've switched back to the following configuration and I can connect to the VPN
again (back to the beginning: I can connect, but can't access the LAN behind the VPN):

conn %default
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server

conn ios
        left=86.xx.xx.x35
        leftcert=serverLupoCert.pem
        leftsubnet=192.168.2.0/24
        leftfirewall=yes
        right=%any
        rightsourceip=10.3.0.1
        auto=add
        rightcert=clientLupoCert.pem

Do I have to put the server's WAN IP address for "left", or the local IP?

The configuration is similar to this one:
http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/index.html

I've checked the iptables -L output on that site
(http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/moon.iptables)
and compared it with mine.
It looks like mine is missing some forwarding rules.
Mine:

iptables -L -v -n --line-numbers

Chain INPUT (policy ACCEPT 109K packets, 9709K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      236 31088 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
3      196 68288 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
4        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
5     1138  105K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
6        0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
3        5   344 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
4    22028 1928K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5        0     0 logdrop    all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
6       28  1432 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
7        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
8     1344 80640 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
9    32811 2190K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 109K packets, 19M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FUPNP (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain PControls (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logaccept (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix `ACCEPT '
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix `DROP'
2       28  1432 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0


If I understand the "leftfirewall=yes" command, it should put those rules into
iptables.

I've checked the charon log file and found this error:

cat strongswancharon.log | grep iptables

Nov  7 22:59:06 11[CFG]   leftupdown=ipsec _updown iptables
Nov  7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name
Nov  7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name


Am I missing some modules here, or something?

How can I get/log those iptables commands that strongSwan executes?

Thanks.



On Thu, Nov 7, 2013 at 6:25 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello Luka,
>
> Your former configuration worked just fine. The problem was with the
> network or similar. It had nothing to do with strongSwan.
>
> Regards
> Noel Kuntze
>
> On 07.11.2013 10:51, Luka wrote:
> > Now I've tried to load the modules by hand. I've added the following line to
> strongswan.conf:
> > load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve attr farp xauth-generic
> >
> > And if I check the charon logs, it looks like it connects and then
> immediately disconnects from the VPN.
> > Here are the interesting lines from the log file (I connect with an iPhone and get
> "Negotiation with the VPN server failed"):
> >
> > ...
> > Nov  7 10:31:12 14[CFG]   id '<server.wan.ip>' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=clientLupo'
> > ...
> > Nov  7 10:31:12 14[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=<server.wan.ip>'
> > ...
> > Nov  7 10:31:12 14[CFG] left is other host, swapping ends
> > ...
> > Nov  7 10:13:55 04[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> > ...
> > Nov  7 10:13:56 05[IKE] remote host is behind NAT
> > ...
> > Nov  7 10:13:57 11[IKE] XAuth authentication of 'lupo' successful
> > ...
> > Nov  7 10:13:57 12[IKE] IKE_SA ios[1] state change: CONNECTING => ESTABLISHED
> > ...
> > Nov  7 10:13:57 12[IKE] peer requested virtual IP %any
> > Nov  7 10:13:57 12[IKE] no virtual IP found for %any requested by 'lupo'
> > ...
> > Nov  7 10:14:13 05[ENC] parsing HASH_V1 payload finished
> > Nov  7 10:14:13 05[ENC] parsing DELETE_V1 payload, 40 bytes left
> > ...
> > Nov  7 10:14:13 05[ENC] parsing DELETE_V1 payload finished
> > ...
> > Nov  7 10:14:13 05[IKE] IKE_SA ios[1] state change: ESTABLISHED => DELETING
> > Nov  7 10:14:13 05[MGR] checkin and destroy IKE_SA ios[1]
> > Nov  7 10:14:13 05[IKE] IKE_SA ios[1] state change: DELETING => DESTROYING
> > Nov  7 10:14:13 05[MGR] check-in and destroy of IKE_SA successful
> > Nov  7 10:14:13 02[NET] waiting for data on sockets
> > Nov  7 10:14:25 15[JOB] got event, queuing job for execution
> > Nov  7 10:14:25 15[JOB] next event in 9732s 760ms, waiting
> > Nov  7 10:14:25 06[MGR] checkout IKE_SA
> >
> > Should I put something else instead of "right=%any" ?
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJSe8zvAAoJEDg5KY9j7GZYuUgP/35loiPabv+RrIttHVaBHcru
> D7NYUqXKRNeaYnZj+qwsOIorjyoT9xjxg/ZlQCfJSaQKzuFhT3an2IUXeR+57U91
> WSlOfUJph2krkfqhAsrpT2fpD1z21t2vwLMRtOfwDJ5SbI5JInjNkXIur5rRvav1
> Tnxu4XzZ0wVaUnsabS0jfLYcHNfRcn9viRd5vMwtD0iJ+wO7Q5d/r8zY9pe7yvnk
> bGmkcZ5QHHVrCubqCL7qNABYmcrDsZJJoG3RNh/6rqtHWuVawOi5n4o3wP6VKlu5
> pHF2LyMz0ZASiveYjNvE24H7FN1CbepJO/hAKSPloNKUKObN4qvCf5Jwj315zZhp
> +4iQdbqbXN6gAMA309Hv4HVXnhxPffxi3vf8R+2GsciDfLIuP6eS7XtWv8wyYnFF
> +/oAtCuxw6aMI6r6KiTY5kVoeVziNsMDps5qDXet4VAOLPxKdtTbdpBza0YqIC61
> 1qbPPLF5E7AElLqV36Sm9s3nuQfATGUJMM5GRXVtnivDpIooqbRw6V6baXKduCkD
> 6pdIMIkI7TaBvdbYlyK/7h6Vxv6t1WGQESNt93WfveJUmO5/+37pEfDRwUg9EEAj
> dwv5/sO39usNPzVKOLfZH1h6DN9NJCbqdu00r/FiJ83U55WYKehkDhJRp6ep/rt5
> O/aMJnVocQlTSEklzGfY
> =kajC
> -----END PGP SIGNATURE-----
>
>
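Editor's note on the "No chain/target/match by that name" lines above: that is iptables reporting that the running kernel does not know one of the chains, targets or matches named in the rule it was asked to insert. With leftfirewall=yes, strongSwan's _updown script inserts FORWARD rules that select the decrypted traffic with the policy match ("-m policy --pol ipsec ..."), so a router kernel built without xt_policy fails every one of those inserts with exactly this message. The script below is an added example, not code from the thread and not strongSwan's own _updown: it rebuilds the two up-client FORWARD rules from the PLUTO_* variables strongSwan hands to the updown script, logs each iptables invocation with its exit status (which is one way to see the commands strongSwan runs: point leftupdown= at a copy of _updown with the same logging, or at this script while testing), and probes /proc/net/ip_tables_matches for the policy match first. The addresses come from the configuration in the post; the interface name eth0, the reqid value, the "--reqid" narrowing of the match, and all demo_* names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, not strongSwan's own _updown script).
# Mirrors what _updown does for "leftfirewall=yes" on up-client: two FORWARD
# rules keyed on the "policy" match. Every command is logged with its exit
# status, and the kernel is probed for xt_policy first, because a kernel
# without it answers each insert with "No chain/target/match by that name".
# All demo_* names, the eth0 default and reqid 1 are this example's assumptions.
# Dry run on the router (logs only):  DEMO_DRY_RUN=1 sh updown-demo.sh up-client

# Log to stdout and, when a logger binary exists, to syslog under tag updown-demo.
demo_log() {
    echo "$*"
    if command -v logger >/dev/null 2>&1; then logger -t updown-demo "$*"; fi
}

# Probe whether the running kernel has the "policy" match registered.
# /proc/net/ip_tables_matches lists registered matches; modprobe first in
# case xt_policy is built as a module that simply is not loaded yet.
demo_policy_match_available() {
    modprobe xt_policy >/dev/null 2>&1
    grep -qx policy /proc/net/ip_tables_matches 2>/dev/null
}

# Build the two rules, one per line. Arguments mirror the PLUTO_* variables
# strongSwan exports to the updown script:
#   $1 PLUTO_INTERFACE    physical interface carrying the SA (policy-based
#                         IPsec has no tun device), e.g. eth0 (assumed)
#   $2 PLUTO_MY_CLIENT    leftsubnet, 192.168.2.0/24 in the post
#   $3 PLUTO_PEER_CLIENT  the client's virtual IP as a /32
#   $4 PLUTO_REQID        request id of the SA
demo_build_rules() {
    iface=$1
    my_client=$2
    peer_client=$3
    reqid=$4
    # "-m policy --pol ipsec" restricts the rule to traffic that was (dir in)
    # or will be (dir out) IPsec-protected; --reqid narrows it to this SA.
    pol_in="-m policy --dir in --pol ipsec --reqid $reqid --proto esp"
    pol_out="-m policy --dir out --pol ipsec --reqid $reqid --proto esp"
    printf '%s\n' \
        "iptables -I FORWARD 1 -o $iface $pol_out -s $my_client -d $peer_client -j ACCEPT" \
        "iptables -I FORWARD 1 -i $iface $pol_in -s $peer_client -d $my_client -j ACCEPT"
}

# Execute (or, with DEMO_DRY_RUN=1, only log) each rule and record the result.
demo_apply() {
    demo_build_rules "$@" | while IFS= read -r cmd; do
        if [ "${DEMO_DRY_RUN:-0}" = 1 ]; then
            demo_log "dry-run: $cmd"
        elif out=$(sh -c "$cmd" 2>&1); then
            demo_log "ok: $cmd"
        else
            rc=$?
            demo_log "FAILED rc=$rc: $cmd: $out"
        fi
    done
}

# updown-style entry point: strongSwan passes the verb in PLUTO_VERB. The
# fallback values are taken from the post's config (eth0 and reqid assumed).
demo_main() {
    case "${PLUTO_VERB:-$1}" in
        up-client)
            if ! demo_policy_match_available; then
                demo_log "warning: kernel has no 'policy' match (xt_policy); leftfirewall=yes rules will fail"
            fi
            demo_apply "${PLUTO_INTERFACE:-eth0}" "${PLUTO_MY_CLIENT:-192.168.2.0/24}" \
                       "${PLUTO_PEER_CLIENT:-10.3.0.1/32}" "${PLUTO_REQID:-1}"
            ;;
        *)
            : # other verbs (down-client, up-host, ...) are not handled by this demo
            ;;
    esac
}

demo_main "$@"
```

When the probe reports no policy match, the kernel has to be given xt_policy (a firmware or kernel build that includes it) before leftfirewall=yes can do anything; the usual substitute on such kernels is leftfirewall=no plus hand-written FORWARD rules that accept the virtual-IP pool towards the LAN, which is less precise because those rules cannot tell decrypted traffic from spoofed traffic with the same source address.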