[strongSwan] StrongSwan(optware) on Asus RT-AC66U (merlin build)-can't access LAN IPs

Noel Kuntze noel at familie-kuntze.de
Thu Nov 7 23:05:32 CET 2013



Hello Luka,

I actually meant the config which you created after I sent you that link [1].
I don't know exactly why there are retransmits happening, but in general, the setup should work.

[1] http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Regards
Noel Kuntze

On 07.11.2013 23:03, Luka wrote:
> Ok, I've switched back to the following configuration and I can connect to the VPN again (back to the beginning: I can connect but can't access the LAN behind the VPN):
>
> conn %default
>         keyexchange=ikev1
>         authby=xauthrsasig
>         xauth=server
>
> conn ios
>        left=86.xx.xx.x35
>        leftcert=serverLupoCert.pem
>        leftsubnet=192.168.2.0/24
>        leftfirewall=yes
>        right=%any
>        rightsourceip=10.3.0.1
>        auto=add
>        rightcert=clientLupoCert.pem
>
>
> Do I have to put the server's WAN IP address for "left", or the local IP?
>
> The configuration is similar to this one: http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/index.html.
> I've checked the iptables -L output on that site <http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/moon.iptables> and compared it with mine.
> It looks like mine is missing some forwarding rules.
> Mine:
>
> iptables -L -v -n --line-numbers
>
> Chain INPUT (policy ACCEPT 109K packets, 9709K bytes)
> num   pkts bytes target     prot opt in     out     source               destination
> 1      236 31088 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
> 2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
> 3      196 68288 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
> 4        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
> 5     1138  105K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
> 6        0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> num   pkts bytes target     prot opt in     out     source               destination
> 1        0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
> 2        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
> 3        5   344 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
> 4    22028 1928K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> 5        0     0 logdrop    all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
> 6       28  1432 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
> 7        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
> 8     1344 80640 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
> 9    32811 2190K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 109K packets, 19M bytes)
> num   pkts bytes target     prot opt in     out     source               destination
> 1        0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain FUPNP (0 references)
> num   pkts bytes target     prot opt in     out     source               destination
>
> Chain PControls (0 references)
> num   pkts bytes target     prot opt in     out     source               destination
> 1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain logaccept (0 references)
> num   pkts bytes target     prot opt in     out     source               destination
> 1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix `ACCEPT '
> 2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain logdrop (2 references)
> num   pkts bytes target     prot opt in     out     source               destination
> 1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix `DROP'
> 2       28  1432 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
>
> If I understand the "leftfirewall=yes" command, it should put those rules into iptables.
>
> I've checked the charon log file and found this error:
>
> cat strongswancharon.log | grep iptables
>
> Nov  7 22:59:06 11[CFG]   leftupdown=ipsec _updown iptables
> Nov  7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name
> Nov  7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name
>
> Am I missing some modules here or something?
>
> How can I get/log those iptables commands that strongSwan executes?
>
>
> Thanks.
>
>
>
> On Thu, Nov 7, 2013 at 6:25 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> Hello Luka,
>
> Your former configuration worked just fine. The problem was with the network or similar. It had nothing to do with strongSwan.
>
> Regards
> Noel Kuntze
>
> On 07.11.2013 10:51, Luka wrote:
> > Now I've tried to load the modules by hand. I've added the following line to strongswan.conf:
> > load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve attr farp xauth-generic
>
> > And if I check the charon logs, it looks like it connects and then immediately disconnects from the VPN.
> > Here are the interesting lines from the log file (I connect with an iPhone and get "Negotiation with the VPN server failed"):
>
> > ...
> > Nov  7 10:31:12 14[CFG]   id '<server.wan.ip>' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=clientLupo'
> > ...
> > Nov  7 10:31:12 14[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=<server.wan.ip>'
> > ...
> > Nov  7 10:31:12 14[CFG] left is other host, swapping ends
> > ...
> > Nov  7 10:13:55 04[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> > ...
> > Nov  7 10:13:56 05[IKE] remote host is behind NAT
> > ...
> > Nov  7 10:13:57 11[IKE] XAuth authentication of 'lupo' successful
> > ...
> > Nov  7 10:13:57 12[IKE] IKE_SA ios[1] state change: CONNECTING => ESTABLISHED
> > ...
> > Nov  7 10:13:57 12[IKE] peer requested virtual IP %any
> > Nov  7 10:13:57 12[IKE] no virtual IP found for %any requested by 'lupo'
> > ...
> > Nov  7 10:14:13 05[ENC] parsing HASH_V1 payload finished
> > Nov  7 10:14:13 05[ENC] parsing DELETE_V1 payload, 40 bytes left
> > ...
> > Nov  7 10:14:13 05[ENC] parsing DELETE_V1 payload finished
> > ...
> > Nov  7 10:14:13 05[IKE] IKE_SA ios[1] state change: ESTABLISHED => DELETING
> > Nov  7 10:14:13 05[MGR] checkin and destroy IKE_SA ios[1]
> > Nov  7 10:14:13 05[IKE] IKE_SA ios[1] state change: DELETING => DESTROYING
> > Nov  7 10:14:13 05[MGR] check-in and destroy of IKE_SA successful
> > Nov  7 10:14:13 02[NET] waiting for data on sockets
> > Nov  7 10:14:25 15[JOB] got event, queuing job for execution
> > Nov  7 10:14:25 15[JOB] next event in 9732s 760ms, waiting
> > Nov  7 10:14:25 06[MGR] checkout IKE_SA
>
> > Should I put something else instead of "right=%any"?
>
>
>

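As an added example (not from the thread and not strongSwan's own code), a POSIX shell diagnostic for the two open questions in the message above: it probes whether the iptables "policy" match that strongSwan's `_updown iptables` script uses can be loaded on the router (iptables prints "No chain/target/match by that name" when a match or target extension cannot be loaded), checks an `iptables -L -v -n` dump for FORWARD rules naming the virtual-IP pool, and writes a `leftupdown` wrapper that logs every command `_updown` runs. The paths `UPDOWN` and `TRACE_LOG` and the default pool address are assumptions; adjust them to the optware install.

```shell
#!/bin/sh
# Added diagnostic for the thread's symptoms: "updown: iptables: No chain/
# target/match by that name" and a FORWARD chain with no rule for the pool.
# Assumed optware paths (not from the thread); override via the environment.
UPDOWN="${UPDOWN:-/opt/libexec/ipsec/_updown}"
TRACE_LOG="${TRACE_LOG:-/tmp/updown-trace.log}"

# 1. Can this kernel/iptables build load the match that "_updown iptables"
#    relies on? strongSwan's script inserts its FORWARD rules with
#    "-m policy --dir in --pol ipsec" (kernel module xt_policy). iptables
#    reports an unloadable extension as "No chain/target/match by that name".
#    Returns 0 = available, 1 = missing, 2 = could not run iptables (not root?).
probe_match() {  # probe_match <iptables match arguments...>
    chain="updown_probe_$$"
    iptables -N "$chain" 2>/dev/null || return 2
    if iptables -A "$chain" "$@" -j RETURN 2>/dev/null; then rc=0; else rc=1; fi
    iptables -F "$chain"; iptables -X "$chain"
    return $rc
}

# 2. Given an "iptables -L -v -n" dump on stdin, does the FORWARD chain hold
#    an ACCEPT rule naming the address/CIDR (e.g. the rightsourceip pool)?
forward_mentions() {  # forward_mentions <addr-or-cidr>  < dump
    awk -v cidr="$1" '
        /^Chain / { in_fwd = ($2 == "FORWARD") }
        in_fwd && /[[:space:]]ACCEPT[[:space:]]/ && index($0, cidr) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# 3. Log every command _updown runs: set leftupdown=<path> to this wrapper,
#    which traces the real script with "sh -x" and appends the trace (every
#    iptables invocation and its exit status) to TRACE_LOG.
write_trace_wrapper() {  # write_trace_wrapper <path>
    printf '#!/bin/sh\nexec sh -x "%s" iptables "$@" 2>>"%s"\n' \
        "$UPDOWN" "$TRACE_LOG" > "$1" && chmod 755 "$1"
}

main() {  # main <pool-address>   (default: the thread's rightsourceip)
    pool="${1:-10.3.0.1}"
    if probe_match -m policy --dir in --pol ipsec; then echo "policy match: ok"
    else echo "policy match: unavailable (rc=$?); _updown cannot insert its rules"; fi
    if iptables -L -v -n | forward_mentions "$pool"; then echo "FORWARD has a rule for $pool"
    else echo "FORWARD has no ACCEPT rule for $pool"; fi
}
if [ "${1:-}" = "--check" ]; then main "$2"; fi
```

Run it on the router as root with `--check 10.3.0.1`; to capture the trace, call `write_trace_wrapper` with a path on persistent storage and point `leftupdown` at that path instead of `ipsec _updown iptables`.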