[strongSwan] strongSwan (optware) on Asus RT-AC66U (merlin build) - can't access LAN IPs
Luka
Lukapple80 at gmail.com
Sun Nov 10 11:50:04 CET 2013
Hi.
I've found a way to fix that error, "iptables: No chain/target/match by that
name", by executing the command:
insmod xt_policy
Now when I connect, the iPhone gets IP 10.0.0.2 and the following policy is added
to the FORWARD chain:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in   out  source    destination
1   0    0     ACCEPT all  -- eth0 *    10.0.0.2  0.0.0.0/0  policy match dir in pol ipsec reqid 1 proto 50
2   0    0     ACCEPT all  -- *    eth0 0.0.0.0/0 10.0.0.2   policy match dir out pol ipsec reqid 1 proto 50
I'm using this config:
conn %default
keyexchange=ikev1
authby=xauthrsasig
xauth=server
#leftid = subject alt. name (in the certificate)
conn ios
left=%defaultroute
leftsubnet=0.0.0.0/0
leftcert=serverCert.pem
leftfirewall=yes
right=%any
rightsubnet=10.0.0.0/24
rightsourceip=10.0.0.2
auto=add
rightcert=clientCert.pem
But I still can't access my LAN (192.168.2.0/24), ping the router 192.168.2.1,
or ping the phone's virtual IP 10.0.0.2.
I have no idea what else I should try. I give up.
L
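As an added example, not code from this thread or from strongSwan's own _updown script: a small POSIX shell checker for the three prerequisites behind the two "policy match" FORWARD rules shown above (the xt_policy match being available, both rules existing for the client's virtual IP, and IPv4 forwarding being on). The listings and module lists embedded in it are constructed samples modelled on the post; the function and variable names are my own.

```shell
# Added example, not from the thread or from strongSwan. Checks what must
# hold for the two "policy match" FORWARD rules that leftfirewall=yes
# installs (as in Luka's listing) to carry traffic: the xt_policy match
# is available, both rules exist for the client's virtual IP, and IPv4
# forwarding is enabled. Inputs are passed as text so the checks also
# run on a saved listing.

# policy_rules_present LISTING PEER_IP
# Succeeds when LISTING (iptables -L FORWARD -v -n) has the "dir in" rule
# with source PEER_IP and the "dir out" rule with destination PEER_IP.
policy_rules_present() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep
    printf '%s\n' "$1" | grep -q " $esc  *[^ ]*  *policy match dir in pol ipsec" || return 1
    printf '%s\n' "$1" | grep -q " $esc  *policy match dir out pol ipsec"
}

# match_available MATCHES_TEXT NAME
# MATCHES_TEXT is the content of /proc/net/ip_tables_matches; "policy"
# is listed there only after xt_policy has been loaded (insmod/modprobe).
match_available() {
    printf '%s\n' "$1" | grep -qx "$2"
}

# diagnose LISTING MATCHES_TEXT PEER_IP IP_FORWARD
# Prints the first missing prerequisite, or "ok" when all three hold.
diagnose() {
    match_available "$2" policy    || { echo "xt_policy-not-loaded"; return 1; }
    policy_rules_present "$1" "$3" || { echo "no-policy-rules-for-$3"; return 1; }
    [ "$4" = 1 ]                   || { echo "ip_forward-off"; return 1; }
    echo ok
}

# Live use on the router (as root):
#   diagnose "$(iptables -L FORWARD -v -n)" "$(cat /proc/net/ip_tables_matches)" \
#            10.0.0.2 "$(cat /proc/sys/net/ipv4/ip_forward)"

# Constructed samples for offline use: the chain as Luka shows it after
# "insmod xt_policy", and the same chain before the module was loaded.
LISTING_OK='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source    destination
    0     0 ACCEPT all  -- eth0 *    10.0.0.2  0.0.0.0/0  policy match dir in pol ipsec reqid 1 proto 50
    0     0 ACCEPT all  -- *    eth0 0.0.0.0/0 10.0.0.2   policy match dir out pol ipsec reqid 1 proto 50'
LISTING_BEFORE='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source    destination
    0     0 ACCEPT all  -- *    *    0.0.0.0/0 0.0.0.0/0  state RELATED,ESTABLISHED'
MATCHES_WITH_POLICY="$(printf 'conntrack\nstate\npolicy')"   # constructed
MATCHES_WITHOUT="$(printf 'conntrack\nstate')"               # constructed
```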
On Thu, Nov 7, 2013 at 11:05 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> Hello Luka,
>
> I actually meant the config which you created after I sent you that link
> [1].
> I don't know exactly why there are retransmits happening, but in general,
> the setup should work.
>
> [1]
> http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
> Regards
> Noel Kuntze
>
> On 07.11.2013 23:03, Luka wrote:
> > OK, I've switched back to the following configuration and I can connect to
> > the VPN again (back to the beginning: can connect but can't access the LAN behind the VPN):
> >
> > conn %default
> > keyexchange=ikev1
> > authby=xauthrsasig
> > xauth=server
> >
> > conn ios
> > left=86.xx.xx.x35
> > leftcert=serverLupoCert.pem
> > leftsubnet=192.168.2.0/24
> > leftfirewall=yes
> > right=%any
> > rightsourceip=10.3.0.1
> > auto=add
> > rightcert=clientLupoCert.pem
> >
> >
> > Do I have to put the server's WAN IP address for "left", or the local IP?
> >
> > The configuration is similar to this one:
> > http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/index.html
> > I've checked the iptables -L command on that site
> > (http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/moon.iptables)
> > and compared it with mine.
> > It looks like mine is missing some forwarding rules.
> > Mine:
> >
> > iptables -L -v -n --line-numbers
> >
> > Chain INPUT (policy ACCEPT 109K packets, 9709K bytes)
> > num pkts bytes target prot opt in    out source    destination
> > 1   236  31088 ACCEPT esp  -- *     *   0.0.0.0/0 0.0.0.0/0
> > 2   0    0     ACCEPT udp  -- *     *   0.0.0.0/0 0.0.0.0/0 udp dpt:4500
> > 3   196  68288 ACCEPT udp  -- *     *   0.0.0.0/0 0.0.0.0/0 udp dpt:500
> > 4   0    0     ACCEPT all  -- tun21 *   0.0.0.0/0 0.0.0.0/0
> > 5   1138 105K  ACCEPT tcp  -- *     *   0.0.0.0/0 0.0.0.0/0 tcp dpt:1194
> > 6   0    0     ACCEPT all  -- tun11 *   0.0.0.0/0 0.0.0.0/0
> >
> > Chain FORWARD (policy DROP 0 packets, 0 bytes)
> > num pkts  bytes target  prot opt in    out  source    destination
> > 1   0     0     ACCEPT  esp  -- *     *    0.0.0.0/0 0.0.0.0/0
> > 2   0     0     ACCEPT  all  -- tun21 *    0.0.0.0/0 0.0.0.0/0
> > 3   5     344   ACCEPT  all  -- tun11 *    0.0.0.0/0 0.0.0.0/0
> > 4   22028 1928K ACCEPT  all  -- *     *    0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> > 5   0     0     logdrop all  -- !br0  eth0 0.0.0.0/0 0.0.0.0/0
> > 6   28    1432  logdrop all  -- *     *    0.0.0.0/0 0.0.0.0/0 state INVALID
> > 7   0     0     ACCEPT  all  -- br0   br0  0.0.0.0/0 0.0.0.0/0
> > 8   1344  80640 ACCEPT  all  -- *     *    0.0.0.0/0 0.0.0.0/0 ctstate DNAT
> > 9   32811 2190K ACCEPT  all  -- br0   *    0.0.0.0/0 0.0.0.0/0
> >
> > Chain OUTPUT (policy ACCEPT 109K packets, 19M bytes)
> > num pkts bytes target prot opt in out source    destination
> > 1   0    0     ACCEPT esp  -- *  *   0.0.0.0/0 0.0.0.0/0
> >
> > Chain FUPNP (0 references)
> > num pkts bytes target prot opt in out source destination
> >
> > Chain PControls (0 references)
> > num pkts bytes target prot opt in out source    destination
> > 1   0    0     ACCEPT all  -- *  *   0.0.0.0/0 0.0.0.0/0
> >
> > Chain logaccept (0 references)
> > num pkts bytes target prot opt in out source    destination
> > 1   0    0     LOG    all  -- *  *   0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `ACCEPT '
> > 2   0    0     ACCEPT all  -- *  *   0.0.0.0/0 0.0.0.0/0
> >
> > Chain logdrop (2 references)
> > num pkts bytes target prot opt in out source    destination
> > 1   0    0     LOG    all  -- *  *   0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `DROP'
> > 2   28   1432  DROP   all  -- *  *   0.0.0.0/0 0.0.0.0/0
> >
> > If I understand the "leftfirewall=yes" command, it should put those rules
> > into iptables.
> >
> > I've checked the charon log file and found this error:
> >
> > cat strongswancharon.log | grep iptables
> >
> > Nov 7 22:59:06 11[CFG] leftupdown=ipsec _updown iptables
> > Nov 7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name
> > Nov 7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name
> >
> >
> > Am I missing some modules here, or something?
> >
> > How can I get/log those iptables commands that strongSwan executes?
> >
> >
> > Thanks.
> >
> >
> >
> > On Thu, Nov 7, 2013 at 6:25 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > Hello Luka,
> >
> > Your former configuration worked just fine. The problem was with the
> > network or similar. It had nothing to do with strongSwan.
> >
> > Regards
> > Noel Kuntze
> >
> > On 07.11.2013 10:51, Luka wrote:
> > > Now I've tried to load the modules by hand. I've added the following line to
> > > strongswan.conf:
> > > load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve attr farp xauth-generic
> >
> > > And if I check the charon logs, it looks like it connects and then
> > > immediately disconnects from the VPN.
> > > Here are the interesting lines from the log file (I connect with the iPhone and
> > > get "Negotiation with the VPN server failed"):
> >
> > > ...
> > > Nov 7 10:31:12 14[CFG] id '<server.wan.ip>' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=clientLupo'
> > > ...
> > > Nov 7 10:31:12 14[CFG] id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=<server.wan.ip>'
> > > ...
> > > Nov 7 10:31:12 14[CFG] left is other host, swapping ends
> > > ...
> > > Nov 7 10:13:55 04[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> > > ...
> > > Nov 7 10:13:56 05[IKE] remote host is behind NAT
> > > ...
> > > Nov 7 10:13:57 11[IKE] XAuth authentication of 'lupo' successful
> > > ...
> > > Nov 7 10:13:57 12[IKE] IKE_SA ios[1] state change: CONNECTING => ESTABLISHED
> > > ...
> > > Nov 7 10:13:57 12[IKE] peer requested virtual IP %any
> > > Nov 7 10:13:57 12[IKE] no virtual IP found for %any requested by 'lupo'
> > > ...
> > > Nov 7 10:14:13 05[ENC] parsing HASH_V1 payload finished
> > > Nov 7 10:14:13 05[ENC] parsing DELETE_V1 payload, 40 bytes left
> > > ...
> > > Nov 7 10:14:13 05[ENC] parsing DELETE_V1 payload finished
> > > ...
> > > Nov 7 10:14:13 05[IKE] IKE_SA ios[1] state change: ESTABLISHED => DELETING
> > > Nov 7 10:14:13 05[MGR] checkin and destroy IKE_SA ios[1]
> > > Nov 7 10:14:13 05[IKE] IKE_SA ios[1] state change: DELETING => DESTROYING
> > > Nov 7 10:14:13 05[MGR] check-in and destroy of IKE_SA successful
> > > Nov 7 10:14:13 02[NET] waiting for data on sockets
> > > Nov 7 10:14:25 15[JOB] got event, queuing job for execution
> > > Nov 7 10:14:25 15[JOB] next event in 9732s 760ms, waiting
> > > Nov 7 10:14:25 06[MGR] checkout IKE_SA
> >
> > > Should I put something else instead of "right=%any"?
> >
> >
> >
>