[strongSwan] StrongSwan(optware) on Asus RT-AC66U (merlin build)-can't access LAN IPs

Noel Kuntze noel at familie-kuntze.de
Sun Nov 10 15:05:52 CET 2013



Hello Luka,

You need to masquerade the traffic from your iPhone to the LAN or the internet.
You do this with either the MASQUERADE or the SNAT target in iptables.
Example: iptables -A FORWARD -t nat -s 10.0.0.0/24 -o eth0 -j MASQUERADE

Regards
Noel Kuntze
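As an added example (not part of Noel's or Luka's mail, and not strongSwan project code), here is a POSIX shell script that installs the rules a strongSwan gateway needs for road-warrior clients that receive a virtual IP. The pool (10.0.0.0/24) and interface (eth0) defaults come from the thread; the script itself, its variable names and the IPT dry-run switch are assumptions made for this example. Two points a practitioner would check: iptables accepts MASQUERADE and SNAT only in the nat table's POSTROUTING chain, so that is where the rule goes, preceded by an exemption for packets that are about to be re-encrypted into a tunnel (the approach on the ForwardingAndSplitTunneling wiki page linked further down the thread); and the `-m policy` match used both here and by the `_updown` script behind `leftfirewall=yes` needs the xt_policy module, whose absence produces the "No chain/target/match by that name" error seen in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the strongSwan project: NAT and
# forwarding rules for a strongSwan gateway serving road-warrior clients that
# get a virtual IP from a pool. Defaults match the thread (pool 10.0.0.0/24,
# WAN eth0); the script, its variable names and the dry-run switch are
# assumptions made for this example.
#
#   IPT=echo sh vpn-nat.sh apply   # dry run: print the rules instead of applying them
#   sh vpn-nat.sh apply            # install them (as root)

POOL="${POOL:-10.0.0.0/24}"   # rightsourceip pool handed out to clients
WAN="${WAN:-eth0}"            # interface the tunnels terminate on
IPT="${IPT:-iptables}"        # set to 'echo' for a dry run

# Prerequisites that silently break forwarding when missing.
check_prereqs() {
    # FORWARD rules never see a packet while forwarding is off.
    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" != "1" ]; then
        echo "warning: net.ipv4.ip_forward is not 1" >&2
    fi
    # '-m policy' lives in xt_policy; without it every iptables call that uses
    # it (including the _updown script behind leftfirewall=yes) fails with
    # "No chain/target/match by that name".
    if ! grep -qs '^xt_policy ' /proc/modules; then
        echo "warning: xt_policy not loaded (insmod/modprobe xt_policy)" >&2
    fi
}

# NAT for pool traffic leaving the gateway. MASQUERADE and SNAT are only valid
# in the POSTROUTING chain of the nat table, never in FORWARD.
nat_rules() {
    pool="$1"; wan="$2"
    # Exempt packets whose outbound xfrm policy is 'ipsec': they are about to be
    # encrypted back into a tunnel and must keep their real source address.
    $IPT -t nat -A POSTROUTING -s "$pool" -o "$wan" -m policy --dir out --pol ipsec -j ACCEPT
    # Everything else from the pool leaves with the gateway's address.
    $IPT -t nat -A POSTROUTING -s "$pool" -o "$wan" -j MASQUERADE
}

# FORWARD rules for decrypted tunnel traffic, equivalent to what the _updown
# script inserts per client when leftfirewall=yes is set. Use one or the other.
forward_rules() {
    pool="$1"; wan="$2"
    # Packets that arrived inside an ESP SA from a pool address.
    $IPT -A FORWARD -i "$wan" -s "$pool" -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # Replies that will be encrypted into an ESP SA towards a pool address.
    $IPT -A FORWARD -o "$wan" -d "$pool" -m policy --dir out --pol ipsec --proto esp -j ACCEPT
}

case "${1:-}" in
    apply)
        check_prereqs
        forward_rules "$POOL" "$WAN"
        nat_rules "$POOL" "$WAN"
        ;;
esac
```

Running it as `IPT=echo sh vpn-nat.sh apply` prints the exact iptables commands instead of executing them, which is also the simplest way to see what a rule set will look like before it touches a router whose FORWARD policy is DROP.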

On 10.11.2013 11:50, Luka wrote:
> Hi.
> I've found a way to fix that error, "iptables: No chain/target/match by that name", by executing the command:
>
> insmod xt_policy
>
>
> Now when I connect, the iPhone gets IP 10.0.0.2 and the following policy is added to the FORWARD chain:
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>
> num   pkts bytes target     prot opt in     out     source               destination        
>
> 1        0     0 ACCEPT     all  --  eth0   *       10.0.0.2             0.0.0.0/0            policy match dir in pol ipsec reqid 1 proto 50
> 2        0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            10.0.0.2             policy match dir out pol ipsec reqid 1 proto 50
>
>
> I'm using config:
>
> conn %default
>         keyexchange=ikev1
Read the manpage for it
>         authby=xauthrsasig
>         xauth=server
>
> #leftid = subject alt. name (in the certificate)
>
> conn ios
>        left=%defaultroute
>        leftsubnet=0.0.0.0/0
>        leftcert=serverCert.pem
>        leftfirewall=yes

>
>        right=%any
>        rightsubnet=10.0.0.0/24
>        rightsourceip=10.0.0.2
>        auto=add
>        rightcert=clientCert.pem
>
>
>
> But I still can't access my LAN (192.168.2.0/24), ping the router 192.168.2.1, or ping the phone's virtual IP 10.0.0.2.
>
> I've no idea what else I should try. I give up.
>
>
> L
>
>
>
>
> On Thu, Nov 7, 2013 at 11:05 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> Hello Luka,
>
> I actually meant the config which you created after I sent you that link [1].
> I don't know exactly why there are retransmits happening, but in general, the setup should work.
>
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
> Regards
> Noel Kuntze
>
> On 07.11.2013 23:03, Luka wrote:
> > OK, I've switched back to the following configuration and I can connect to the VPN again (back to the beginning: I can connect but can't access the LAN behind the VPN):
>
> > conn %default
>
> >         keyexchange=ikev1
>
> >         authby=xauthrsasig
>
> >         xauth=server
>
>
>
> > conn ios
>
> >        left=86.xx.xx.x35
>
> >        leftcert=serverLupoCert.pem
>
> >        leftsubnet=192.168.2.0/24
>
> >        leftfirewall=yes
>
> >        right=%any
>
> >        rightsourceip=10.3.0.1
>
> >        auto=add
>
> >        rightcert=clientLupoCert.pem
>
>
> > Do I have to put the server's WAN IP address for "left", or the local IP?
>
> > The configuration is similar to this one: http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/index.html.
> > I've checked the iptables -L output on that site (http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/moon.iptables) and compared it with mine.
> > It looks like mine is missing some forwarding rules.
> > Mine:
>
> > iptables -L -v -n --line-numbers
> >
> > Chain INPUT (policy ACCEPT 109K packets, 9709K bytes)
> > num   pkts bytes target     prot opt in     out     source               destination
> > 1      236 31088 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
> > 2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
> > 3      196 68288 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
> > 4        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
> > 5     1138  105K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
> > 6        0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
> >
> > Chain FORWARD (policy DROP 0 packets, 0 bytes)
> > num   pkts bytes target     prot opt in     out     source               destination
> > 1        0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
> > 2        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
> > 3        5   344 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
> > 4    22028 1928K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> > 5        0     0 logdrop    all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
> > 6       28  1432 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
> > 7        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
> > 8     1344 80640 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
> > 9    32811 2190K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
> >
> > Chain OUTPUT (policy ACCEPT 109K packets, 19M bytes)
> > num   pkts bytes target     prot opt in     out     source               destination
> > 1        0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
> >
> > Chain FUPNP (0 references)
> > num   pkts bytes target     prot opt in     out     source               destination
> >
> > Chain PControls (0 references)
> > num   pkts bytes target     prot opt in     out     source               destination
> > 1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
> >
> > Chain logaccept (0 references)
> > num   pkts bytes target     prot opt in     out     source               destination
> > 1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix `ACCEPT '
> > 2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
> >
> > Chain logdrop (2 references)
> > num   pkts bytes target     prot opt in     out     source               destination
> > 1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix `DROP'
> > 2       28  1432 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
>
> > If I understand the "leftfirewall=yes" command correctly, it should put those rules into iptables.
>
> > I've checked charon log file and found this error:
>
> > cat strongswancharon.log | grep iptables
>
> > Nov  7 22:59:06 11[CFG]   leftupdown=ipsec _updown iptables
>
> > Nov  7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name
>
> > Nov  7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name
>
>
> > Am I missing some modules here or something?
>
> > How can I get/log the iptables commands that strongSwan executes?
>
>
> > Thanks.
>
>
>
> > On Thu, Nov 7, 2013 at 6:25 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> > Hello Luka,
>
> > Your former configuration worked just fine. The problem was with the network or similar. It had nothing to do with strongSwan.
>
> > Regards
> > Noel Kuntze
>
> > On 07.11.2013 10:51, Luka wrote:
> > > Now I've tried to load modules by hand. I've added following line to strongswan.conf:
> > > load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve attr farp xauth-generic
>
> > > And if I check the charon logs, it looks like it connects and then immediately disconnects from the VPN.
> > > Here are the interesting lines from the log file (I connect with the iPhone and get "Negotiation with the VPN server failed"):
>
> > > ...
> > > Nov  7 10:31:12 14[CFG]   id '<server.wan.ip>' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=clientLupo'
> > > ...
> > > Nov  7 10:31:12 14[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=<server.wan.ip>'
> > > ...
> > > Nov  7 10:31:12 14[CFG] left is other host, swapping ends
> > > ...
> > > Nov  7 10:13:55 04[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> > > ...
> > > Nov  7 10:13:56 05[IKE] remote host is behind NAT
> > > ...
> > > Nov  7 10:13:57 11[IKE] XAuth authentication of 'lupo' successful
> > > ...
> > > Nov  7 10:13:57 12[IKE] IKE_SA ios[1] state change: CONNECTING => ESTABLISHED
> > > ...
> > > Nov  7 10:13:57 12[IKE] peer requested virtual IP %any
> > > Nov  7 10:13:57 12[IKE] no virtual IP found for %any requested by 'lupo'
> > > ...
> > > Nov  7 10:14:13 05[ENC] parsing HASH_V1 payload finished
> > > Nov  7 10:14:13 05[ENC] parsing DELETE_V1 payload, 40 bytes left
> > > ...
> > > Nov  7 10:14:13 05[ENC] parsing DELETE_V1 payload finished
> > > ...
> > > Nov  7 10:14:13 05[IKE] IKE_SA ios[1] state change: ESTABLISHED => DELETING
> > > Nov  7 10:14:13 05[MGR] checkin and destroy IKE_SA ios[1]
> > > Nov  7 10:14:13 05[IKE] IKE_SA ios[1] state change: DELETING => DESTROYING
> > > Nov  7 10:14:13 05[MGR] check-in and destroy of IKE_SA successful
> > > Nov  7 10:14:13 02[NET] waiting for data on sockets
> > > Nov  7 10:14:25 15[JOB] got event, queuing job for execution
> > > Nov  7 10:14:25 15[JOB] next event in 9732s 760ms, waiting
> > > Nov  7 10:14:25 06[MGR] checkout IKE_SA
>
> > > Should I put something else instead of "right=%any"?
>