[strongSwan] StrongSwan(optware) on Asus RT-AC66U (merlin build)-can't access LAN IPs
Noel Kuntze
noel at familie-kuntze.de
Sun Nov 10 15:38:35 CET 2013
Sorry, it is "iptables -A POSTROUTING -t nat -s 10.0.0.0/24 -o eth0 -j MASQUERADE"
On 10.11.2013 15:05, Noel Kuntze wrote:
>
> Hello Luka,
>
> You need to masquerade the traffic from your iPhone to the LAN or the internet.
> You do this with either the MASQUERADE or the SNAT target in iptables.
> Example: iptables -A FORWARD -t nat -s 10.0.0.0/24 -o eth0 -j MASQUERADE
>
> Regards
> Noel Kuntze
>
> On 10.11.2013 11:50, Luka wrote:
> > Hi.
> > I've found way to fix that error: "iptables: No chain/target/match by that name" by executing command:
>
> > insmod xt_policy
>
>
> > Now when I connect, iPhone gets IP 10.0.0.2 and the following policy is added to the FORWARD chain:
> >
> > Chain FORWARD (policy DROP 0 packets, 0 bytes)
> > num pkts bytes target prot opt in out source destination
> > 1 0 0 ACCEPT all -- eth0 * 10.0.0.2 0.0.0.0/0 policy match dir in pol ipsec reqid 1 proto 50
> > 2 0 0 ACCEPT all -- * eth0 0.0.0.0/0 10.0.0.2 policy match dir out pol ipsec reqid 1 proto 50
>
>
> > I'm using config:
> >
> > conn %default
> > keyexchange=ikev1
> Read the manpage for it
> > authby=xauthrsasig
> > xauth=server
> >
> > #leftid = subject alt. name (in the certificate)
> > conn ios
> > left=%defaultroute
> > leftsubnet=0.0.0.0/0
> > leftcert=serverCert.pem
> > leftfirewall=yes
>
> > right=%any
> > rightsubnet=10.0.0.0/24
> > rightsourceip=10.0.0.2
> > auto=add
> > rightcert=clientCert.pem
>
>
>
> > But I still can't access my LAN (192.168.2.0/24) or ping router 192.168.2.1 or ping phone virtual IP 10.0.0.2.
>
> > I've no idea what else should I try. I give up.
>
>
> > L
>
>
>
>
> > On Thu, Nov 7, 2013 at 11:05 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> > Hello Luka,
>
> > I actually meant the config which you created after I sent you that link [1].
> > I don't know exactly why there are retransmits happening, but in general, the setup should work.
>
> > [1] http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
> > Regards
> > Noel Kuntze
>
> > On 07.11.2013 23:03, Luka wrote:
> >> Ok I've switched back to following configuration and I can connect to VPN again (back to beginning, can connect but can't access LAN behind VPN):
>
> >> conn %default
>
> >> keyexchange=ikev1
>
> >> authby=xauthrsasig
>
> >> xauth=server
>
>
>
> >> conn ios
> >> left=86.xx.xx.x35
> >> leftcert=serverLupoCert.pem
> >> leftsubnet=192.168.2.0/24
> >> leftfirewall=yes
> >> right=%any
> >> rightsourceip=10.3.0.1
> >> auto=add
> >> rightcert=clientLupoCert.pem
>
>
> >> Do I have to put the server's WAN IP address for "left", or the local IP?
> >>
> >> The configuration is similar to this one: http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/index.html.
> >> I've checked the iptables -L output on that site <http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/moon.iptables> and compared it with mine.
> >> It looks like mine is missing some forwarding rules.
> >> Mine:
>
> >> iptables -L -v -n --line-numbers
> >>
> >> Chain INPUT (policy ACCEPT 109K packets, 9709K bytes)
> >> num pkts bytes target prot opt in out source destination
> >> 1 236 31088 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
> >> 2 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
> >> 3 196 68288 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
> >> 4 0 0 ACCEPT all -- tun21 * 0.0.0.0/0 0.0.0.0/0
> >> 5 1138 105K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1194
> >> 6 0 0 ACCEPT all -- tun11 * 0.0.0.0/0 0.0.0.0/0
> >>
> >> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> >> num pkts bytes target prot opt in out source destination
> >> 1 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
> >> 2 0 0 ACCEPT all -- tun21 * 0.0.0.0/0 0.0.0.0/0
> >> 3 5 344 ACCEPT all -- tun11 * 0.0.0.0/0 0.0.0.0/0
> >> 4 22028 1928K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> >> 5 0 0 logdrop all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
> >> 6 28 1432 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
> >> 7 0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
> >> 8 1344 80640 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
> >> 9 32811 2190K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
> >>
> >> Chain OUTPUT (policy ACCEPT 109K packets, 19M bytes)
> >> num pkts bytes target prot opt in out source destination
> >> 1 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
> >>
> >> Chain FUPNP (0 references)
> >> num pkts bytes target prot opt in out source destination
> >>
> >> Chain PControls (0 references)
> >> num pkts bytes target prot opt in out source destination
> >> 1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
> >>
> >> Chain logaccept (0 references)
> >> num pkts bytes target prot opt in out source destination
> >> 1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `ACCEPT '
> >> 2 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
> >>
> >> Chain logdrop (2 references)
> >> num pkts bytes target prot opt in out source destination
> >> 1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `DROP'
> >> 2 28 1432 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
>
>
> >> If I understand "leftfirewall=yes" command, it should put those rules into iptables.
>
> >> I've checked charon log file and found this error:
>
> >> cat strongswancharon.log | grep iptables
>
> >> Nov 7 22:59:06 11[CFG] leftupdown=ipsec _updown iptables
>
> >> Nov 7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name
>
> >> Nov 7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name
>
>
> >> Am I missing some modules here or something ?
>
> >> How can I get/log those commands for iptables, that strongswan executes ?
>
>
> >> Thanks.
>
>
>
> >> On Thu, Nov 7, 2013 at 6:25 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> >> Hello Luka,
>
> >> Your former configuration worked just fine. The problem was with the network or similar. It had nothing to do with strongSwan.
>
> >> Regards
> >> Noel Kuntze
>
> >> On 07.11.2013 10:51, Luka wrote:
> >>> Now I've tried to load modules by hand. I've added following line to strongswan.conf:
> >>> load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve attr farp xauth-generic
>
> >>> And if I check charon logs, it looks like it connects and then immediately disconnects from vpn.
> >>> Here are the interesting lines from the log file (I connect with the iPhone and get "Negotiation with the VPN server failed"):
>
> >>> ...
> >>> Nov 7 10:31:12 14[CFG] id '<server.wan.ip>' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=clientLupo'
> >>> ...
> >>> Nov 7 10:31:12 14[CFG] id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=<server.wan.ip>'
> >>> ...
> >>> Nov 7 10:31:12 14[CFG] left is other host, swapping ends
> >>> ...
> >>> Nov 7 10:13:55 04[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> >>> ...
> >>> Nov 7 10:13:56 05[IKE] remote host is behind NAT
> >>> ...
> >>> Nov 7 10:13:57 11[IKE] XAuth authentication of 'lupo' successful
> >>> ...
> >>> Nov 7 10:13:57 12[IKE] IKE_SA ios[1] state change: CONNECTING => ESTABLISHED
> >>> ...
> >>> Nov 7 10:13:57 12[IKE] peer requested virtual IP %any
> >>> Nov 7 10:13:57 12[IKE] no virtual IP found for %any requested by 'lupo'
> >>> ...
> >>> Nov 7 10:14:13 05[ENC] parsing HASH_V1 payload finished
> >>> Nov 7 10:14:13 05[ENC] parsing DELETE_V1 payload, 40 bytes left
> >>> ...
> >>> Nov 7 10:14:13 05[ENC] parsing DELETE_V1 payload finished
> >>> ...
> >>> Nov 7 10:14:13 05[IKE] IKE_SA ios[1] state change: ESTABLISHED => DELETING
> >>> Nov 7 10:14:13 05[MGR] checkin and destroy IKE_SA ios[1]
> >>> Nov 7 10:14:13 05[IKE] IKE_SA ios[1] state change: DELETING => DESTROYING
> >>> Nov 7 10:14:13 05[MGR] check-in and destroy of IKE_SA successful
> >>> Nov 7 10:14:13 02[NET] waiting for data on sockets
> >>> Nov 7 10:14:25 15[JOB] got event, queuing job for execution
> >>> Nov 7 10:14:25 15[JOB] next event in 9732s 760ms, waiting
> >>> Nov 7 10:14:25 06[MGR] checkout IKE_SA
>
> >>> Should I put something else instead of "right=%any" ?
>
>
>
>
>
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
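The pieces discussed in this thread (loading the xt_policy module so that the `_updown` script's `-m policy` rules can be installed, the two FORWARD rules that `leftfirewall=yes` adds per client, and source NAT in `nat/POSTROUTING` rather than in a non-existent `nat/FORWARD` chain) fit together as follows. This is an added example written for this page; it is not code from the thread and not strongSwan's own `_updown` script. Assumed names: client pool 10.0.0.0/24 (as in the thread), WAN interface eth0 and LAN bridge br0 (as in the rule dump), IPsec reqid 1. With the default `IPT="echo iptables"` the functions only print the commands they would run.

```shell
#!/bin/sh
# Added example for the strongSwan road-warrior firewall setup discussed above.
# Not from the original mails, not strongSwan's _updown. Assumptions: pool
# 10.0.0.0/24, WAN eth0, LAN bridge br0, reqid 1. IPT="echo iptables" prints
# the rules instead of applying them; run with IPT=iptables as root to apply.

POOL="${POOL:-10.0.0.0/24}"
WAN="${WAN:-eth0}"
LAN="${LAN:-br0}"
IPT="${IPT:-echo iptables}"

# "updown: iptables: No chain/target/match by that name" is what _updown logs
# when the policy match extension (xt_policy) is missing. Load it before any
# rule using "-m policy" is added (the thread fixed this with "insmod xt_policy").
ensure_policy_match() {
    if [ -r /proc/modules ] && ! grep -q '^xt_policy ' /proc/modules; then
        modprobe xt_policy 2>/dev/null || insmod xt_policy
    fi
}

# The two FORWARD rules leftfirewall=yes installs for one client with virtual
# IP $1 (reqid $2). The policy match ties each rule to traffic that really was
# decapsulated from (dir in) or will be encapsulated into (dir out) the IPsec
# SA, so a cleartext packet arriving on eth0 with a spoofed 10.0.0.x source
# does not match and falls through to the chain's DROP policy.
client_forward_rules() {
    vip="$1"
    reqid="${2:-1}"
    $IPT -I FORWARD 1 -i "$WAN" -s "$vip" \
        -m policy --dir in --pol ipsec --reqid "$reqid" --proto esp -j ACCEPT
    $IPT -I FORWARD 1 -o "$WAN" -d "$vip" \
        -m policy --dir out --pol ipsec --reqid "$reqid" --proto esp -j ACCEPT
}

# Source NAT for the pool towards the internet. The nat table has no FORWARD
# chain, which is why "iptables -A FORWARD -t nat ..." fails; masquerading
# belongs in POSTROUTING. The first rule exempts packets that are about to be
# encrypted towards an IPsec peer, so they keep their pool address inside the
# tunnel instead of being rewritten to the WAN address.
nat_rules() {
    $IPT -t nat -A POSTROUTING -s "$POOL" -o "$WAN" \
        -m policy --dir out --pol ipsec -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$POOL" -o "$WAN" -j MASQUERADE
}

# Optional: only needed when LAN hosts do not use this router as their default
# gateway (otherwise their replies to 10.0.0.x already come back through it
# and are matched by the policy rule above).
lan_nat_rules() {
    $IPT -t nat -A POSTROUTING -s "$POOL" -o "$LAN" -j MASQUERADE
}

# Usage on the router (as root), then verify with
#   iptables -L FORWARD -v -n --line-numbers
#   iptables -t nat -L POSTROUTING -v -n
# Forwarding must also be on: sysctl -w net.ipv4.ip_forward=1
#   IPT=iptables sh vpn-fw.sh 10.0.0.2
if [ -n "${1:-}" ]; then
    ensure_policy_match
    client_forward_rules "$1"
    nat_rules
fi
```

Note that a hand-written `client_forward_rules` is only useful for checking what the rules should look like; once xt_policy is loaded, `leftfirewall=yes` makes `_updown` add and remove the equivalent rules per connection, and the two should not both be installed.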