[strongSwan] strongSwan (optware) on Asus RT-AC66U (merlin build) - can't access LAN IPs
Luka
Lukapple80 at gmail.com
Wed Nov 13 21:27:52 CET 2013
Hi Noel.
My POSTROUTING chain contains the following entries:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.0.0.0/24 anywhere
MASQUERADE all -- 192.168.2.0/24 anywhere
MASQUERADE all -- !cpe-86-xx-xxx-xxx.static.xxx.net anywhere
MASQUERADE all -- anywhere anywhere MARK match 0xd001
I've tried to log all packets in different chains (see part of the log at the
bottom) and I didn't find any traces of the virtual IP (10.0.0.2), just the iPhone's
WAN IP and the server's WAN IP. Is that OK?
I've tried:
iptables -I INPUT -j LOG --log-prefix "Luka-log: "
Part of the logs (IPs are replaced with "x"; 46.x is the iPhone IP and 86.x is the
server's external IP):
Nov 13 19:21:34 vpn: + C=SI, O=Lupo, CN=clientLupo 10.0.0.2/32 == 46.x.x.x
-- 86.x.x.x == %any/0
...
Nov 13 19:22:06 kernel: Luka-log: <4>Luka-log: IN=eth0 OUT=
MAC=30:xx:a9:xx:ef:a0:00:17:10:02:6b:8f:08:00 <1>SRC=46.x.x.x DST=86.x.x.x
<1>LEN=136 TOS=0x00 PREC=0x00 TTL=56 ID=25376 PROTO=ESP SPI=0xc1155ce9
...
Nov 13 19:22:07 kernel: Luka-log: <4>Luka-log: IN=eth0 OUT=
MAC=30:xx:a9:xx:ef:a0:00:17:10:02:6b:8f:08:00 <1>SRC=46.x.x.x DST=86.x.x.x
<1>LEN=136 TOS=0x00 PREC=0x00 TTL=56 ID=23923 PROTO=ESP SPI=0xc1155ce9
...
iptables -I PREROUTING -j LOG --log-prefix "Luka-log(nat-PREROUTING): " -t nat
Logs:
...(2 or 3 packets of this type)
Nov 13 20:54:52 kernel: Luka-log(nat-PREROUTING):
<4>Luka-log(nat-PREROUTING): IN=eth0 OUT=
MAC=30:xx:a9:xx:ef:a0:00:17:10:02:6b:8f:08:00 <1>SRC=46.x.x.x DST=86.x.x.x
<1>LEN=696 TOS=0x00 PREC=0x00 TTL=56 ID=58415 PROTO=UDP <1>SPT=500 DPT=500
LEN=676
...
iptables -I FORWARD -j LOG --log-prefix "Luka-log(nat-FORWARD): "
Logs: vpn logs not found
iptables -I POSTROUTING -j LOG --log-prefix "Luka-POSTROUTING-MASQUERADE: " -t nat -s 10.0.0.0/24
Logs: vpn logs not found
Any idea what else I should check?
Luka
On Sun, Nov 10, 2013 at 5:02 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello Luka,
>
> What other rules do you have in the POSTROUTING chain? If any other rule
> removes the packets from the chain, then they don't reach the MASQUERADE
> rule and hence won't get masqueraded.
>
> The rule basically says: If the traffic is going out on the eth0 interface
> and the source is 10.0.0.0/24 and the destination is 0.0.0.0/0, then
> masquerade it.
> Masquerade basically means NAT, but it will replace the source IP of the
> traffic based on the interface it's going out.
> No, the parameters that are displayed in the first couple of columns are
> just filters that restrict traffic going to the target.
> For further clarification, I recommend you read the manpage for iptables
> and iptables-extensions (if the latter exists on your system. It does on
> Arch Linux.).
> For your setup, I recommend you omit -o eth0 and INSERT, and not APPEND,
> the rule to the chain.
> Example: iptables -t nat -I POSTROUTING 1 -s 10.0.0.0/24 -j MASQUERADE
>
> Regards
> Noel Kuntze
>
> On 10.11.2013 16:31, Luka wrote:
> >
> > Hi Noel.
> >
> > Still no luck.
> >
> > I've added masquerade; the following line is added to the nat table:
> >
> > Chain POSTROUTING (policy ACCEPT 2500 packets, 221K bytes)
> > num pkts bytes target prot opt in out source destination
> > …
> > 4 0 0 MASQUERADE all -- * eth0 10.0.0.0/24 0.0.0.0/0
> >
> >
> > What exactly does this masquerade record mean? Probably that all
> > packets from the 10.0.0.0/24 network that have any (0.0.0.0) destination
> > will get the IP address of the eth0 device?
> >
> > But eth0 is the device with the external IP of the server (86.58.x.x) (see
> > ifconfig output below); should I use the br0 device here (the one with the
> > local IP of the router)?
> >
> >
> > OK, if I sum up my situation:
> >
> > CLIENT (iPhone):
> > - I can connect to IPsec (strongSwan)
> > - gets virtual IP address: 10.0.0.2
> >
> > SERVER (strongSwan v5.0.4, on my router, Linux 2.6.22.19):
> > - local IP: 192.168.2.1
> > - external IP: 86.58.x.x
> >
> > ipsec statusall:
> >
> > Virtual IP pools (size/online/offline):
> >   10.0.0.2: 1/1/0
> > Listening IP addresses:
> >   86.58.x.x
> >   192.168.2.1
> > Security Associations (1 up, 0 connecting):
> >   ios[2]: ESTABLISHED 19 seconds ago, 86.58.x.x[C=SI, O=Lupo, CN=86.58.x.x]...46.123.x.x[C=SI, O=Lupo, CN=clientLupo]
> >   ios[2]: Remote XAuth identity: lupo
> >   ios[2]: IKEv1 SPIs: cd789eae5d666586_i 638f1ca174f85726_r*, public key reauthentication in 2 hours
> >   ios[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> >   ios{1}: INSTALLED, TUNNEL, ESP SPIs: c7f2d740_i 0829cc4a_o
> >   ios{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
> >   ios{1}: 0.0.0.0/0 === 10.0.0.2/32
> >
> > iptables:
> >
> > These entries are added to the FORWARD chain after I connect to the server:
> >
> > Chain FORWARD (policy DROP 0 packets, 0 bytes)
> > num pkts bytes target prot opt in   out  source    destination
> > 1   0    0     ACCEPT all  --  eth0 *    10.0.0.2  0.0.0.0/0    policy match dir in pol ipsec reqid 2 proto 50
> > 2   0    0     ACCEPT all  --  *    eth0 0.0.0.0/0 10.0.0.2     policy match dir out pol ipsec reqid 2 proto 50
> >
> >
> > iptables (nat table):
> >
> > Chain PREROUTING (policy ACCEPT 4188 packets, 599K bytes)
> > num pkts bytes  target     prot opt in out   source     destination
> > 1   1    60     ACCEPT     tcp  --  *  *     0.0.0.0/0  0.0.0.0/0    tcp dpt:1194
> > 2   305  54089  VSERVER    all  --  *  *     0.0.0.0/0  86.58.x.x
> >
> > Chain POSTROUTING (policy ACCEPT 2500 packets, 221K bytes)
> > num pkts bytes  target     prot opt in out   source          destination
> > 1   0    0      MASQUERADE all  --  *  tun11 192.168.2.0/24  0.0.0.0/0
> > 2   731  46984  MASQUERADE all  --  *  eth0  !86.58.x.x      0.0.0.0/0
> > 3   0    0      MASQUERADE all  --  *  *     0.0.0.0/0       0.0.0.0/0    MARK match 0xd001
> > 4   0    0      MASQUERADE all  --  *  eth0  10.0.0.0/24     0.0.0.0/0
> >
> > Chain OUTPUT (policy ACCEPT 2489 packets, 220K bytes)
> > num pkts bytes  target     prot opt in out   source     destination
> >
> > Chain LOCALSRV (0 references)
> > num pkts bytes  target     prot opt in out   source     destination
> >
> > Chain VSERVER (1 references)
> > num pkts bytes  target     prot opt in out   source     destination
> > 1   1    123    DNAT       tcp  --  *  *     0.0.0.0/0  0.0.0.0/0    tcp dpt:1184 to:192.168.2.100:1194
> > 2   0    0      DNAT       udp  --  *  *     0.0.0.0/0  0.0.0.0/0    udp dpt:1184 to:192.168.2.100:1194
> > 3   304  53966  VUPNP      all  --  *  *     0.0.0.0/0  0.0.0.0/0
> >
> > Chain VUPNP (1 references)
> > num pkts bytes  target     prot opt in out   source     destination
> >
> > Chain YADNS (0 references)
> > num pkts bytes  target     prot opt in out   source     destination
> >
> >
> > ifconfig:
> >
> > br0   Link encap:Ethernet HWaddr 30:85:A9:E6:EF:A0
> >       inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
> >       UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> >       RX packets:20577 errors:0 dropped:0 overruns:0 frame:0
> >       TX packets:16212 errors:0 dropped:0 overruns:0 carrier:0
> >       collisions:0 txqueuelen:0
> >       RX bytes:7597057 (7.2 MiB) TX bytes:2892960 (2.7 MiB)
> >
> > eth0  Link encap:Ethernet HWaddr 30:85:A9:E6:EF:A0
> >       inet addr:86.58.x.x Bcast:86.58.y.y Mask:255.255.255.0
> >       UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> >       RX packets:665392 errors:0 dropped:0 overruns:0 frame:0
> >       TX packets:1473423 errors:0 dropped:0 overruns:0 carrier:0
> >       collisions:0 txqueuelen:1000
> >       RX bytes:83612848 (79.7 MiB) TX bytes:1996770618 (1.8 GiB)
> >       Interrupt:4 Base address:0x2000
> >
> > ...
> >
> > btw, should the tunnel that is created by strongSwan appear in this ifconfig list?
> >
> >
> > I'm probably missing another piece of the puzzle.
> >
> > Is there any other log file except the strongSwan log that I should examine?
> >
> > Thanks
> >
> > Luka
> >
> >
> >
> > On Sun, Nov 10, 2013 at 3:38 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> > Sorry, it is "iptables -A POSTROUTING -t nat -s 10.0.0.0/24 -o eth0 -j MASQUERADE"
> > On 10.11.2013 15:05, Noel Kuntze wrote:
> >
> > > Hello Luka,
> >
> > > You need to masquerade the traffic from your iPhone to the LAN or the internet.
> > > You do this with either the MASQUERADE or the SNAT target in iptables.
> > > Example: iptables -A FORWARD -t nat -s 10.0.0.0/24 -o eth0 -j MASQUERADE
> >
> > > Regards
> > > Noel Kuntze
> >
> > > On 10.11.2013 11:50, Luka wrote:
> > > > Hi.
> > > > I've found a way to fix that error: "iptables: No chain/target/match
> > > > by that name" by executing the command:
> >
> > > > insmod xt_policy
> >
> > > > Now when I connect, the iPhone gets IP 10.0.0.2 and the following policy is
> > > > added to the FORWARD chain:
> >
> > > > Chain FORWARD (policy DROP 0 packets, 0 bytes)
> > > > num pkts bytes target prot opt in   out  source    destination
> > > > 1   0    0     ACCEPT all  --  eth0 *    10.0.0.2  0.0.0.0/0    policy match dir in pol ipsec reqid 1 proto 50
> > > > 2   0    0     ACCEPT all  --  *    eth0 0.0.0.0/0 10.0.0.2     policy match dir out pol ipsec reqid 1 proto 50
> >
> >
> > > > I'm using config:
> >
> > > > conn %default
> > > >     keyexchange=ikev1
> Read the manpage for it
> > > >     authby=xauthrsasig
> > > >     xauth=server
> >
> > > > #leftid = subject alt. name (in the certificate)
> > > > conn ios
> > > >     left=%defaultroute
> > > >     leftsubnet=0.0.0.0/0
> > > >     leftcert=serverCert.pem
> > > >     leftfirewall=yes
> > > >     right=%any
> > > >     rightsubnet=10.0.0.0/24
> > > >     rightsourceip=10.0.0.2
> > > >     auto=add
> > > >     rightcert=clientCert.pem
> >
> > > > But I still can't access my LAN (192.168.2.0/24) or ping the router
> > > > 192.168.2.1 or ping the phone's virtual IP 10.0.0.2.
> >
> > > > I've no idea what else I should try. I give up.
> >
> >
> > > > L
> >
> >
> >
> >
> > > > On Thu, Nov 7, 2013 at 11:05 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > > > Hello Luka,
> >
> > > > I actually meant the config which you created after I sent you that
> link [1].
> > > > I don't know exactly why there are retransmits happening, but in
> general, the setup should work.
> >
> > > > [1]
> http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
> >
> > > > Regards
> > > > Noel Kuntze
> >
> > > > On 07.11.2013 23:03, Luka wrote:
> > > >> OK, I've switched back to the following configuration and I can connect
> > > >> to the VPN again (back to the beginning: I can connect but can't access the
> > > >> LAN behind the VPN):
> >
> > > >> conn %default
> > > >>     keyexchange=ikev1
> > > >>     authby=xauthrsasig
> > > >>     xauth=server
> >
> > > >> conn ios
> > > >>     left=86.xx.xx.x35
> > > >>     leftcert=serverLupoCert.pem
> > > >>     leftsubnet=192.168.2.0/24
> > > >>     leftfirewall=yes
> > > >>     right=%any
> > > >>     rightsourceip=10.3.0.1
> > > >>     auto=add
> > > >>     rightcert=clientLupoCert.pem
> >
> >
> > > >> Do I have to put the server's WAN IP address for "left", or the local IP?
> >
> > > >> The configuration is similar to this one:
> > > >> http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/index.html
> > > >> I've checked the iptables -L output on that site
> > > >> (http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/moon.iptables)
> > > >> and compared it with mine.
> > > >> It looks like mine is missing some forwarding rules.
> > > >> Mine:
> >
> > > >> iptables -L -v -n --line-numbers
> >
> > > >> Chain INPUT (policy ACCEPT 109K packets, 9709K bytes)
> > > >> num pkts  bytes target  prot opt in    out  source     destination
> > > >> 1   236   31088 ACCEPT  esp  --  *     *    0.0.0.0/0  0.0.0.0/0
> > > >> 2   0     0     ACCEPT  udp  --  *     *    0.0.0.0/0  0.0.0.0/0    udp dpt:4500
> > > >> 3   196   68288 ACCEPT  udp  --  *     *    0.0.0.0/0  0.0.0.0/0    udp dpt:500
> > > >> 4   0     0     ACCEPT  all  --  tun21 *    0.0.0.0/0  0.0.0.0/0
> > > >> 5   1138  105K  ACCEPT  tcp  --  *     *    0.0.0.0/0  0.0.0.0/0    tcp dpt:1194
> > > >> 6   0     0     ACCEPT  all  --  tun11 *    0.0.0.0/0  0.0.0.0/0
> >
> > > >> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> > > >> num pkts  bytes target  prot opt in    out  source     destination
> > > >> 1   0     0     ACCEPT  esp  --  *     *    0.0.0.0/0  0.0.0.0/0
> > > >> 2   0     0     ACCEPT  all  --  tun21 *    0.0.0.0/0  0.0.0.0/0
> > > >> 3   5     344   ACCEPT  all  --  tun11 *    0.0.0.0/0  0.0.0.0/0
> > > >> 4   22028 1928K ACCEPT  all  --  *     *    0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED
> > > >> 5   0     0     logdrop all  --  !br0  eth0 0.0.0.0/0  0.0.0.0/0
> > > >> 6   28    1432  logdrop all  --  *     *    0.0.0.0/0  0.0.0.0/0    state INVALID
> > > >> 7   0     0     ACCEPT  all  --  br0   br0  0.0.0.0/0  0.0.0.0/0
> > > >> 8   1344  80640 ACCEPT  all  --  *     *    0.0.0.0/0  0.0.0.0/0    ctstate DNAT
> > > >> 9   32811 2190K ACCEPT  all  --  br0   *    0.0.0.0/0  0.0.0.0/0
> >
> > > >> Chain OUTPUT (policy ACCEPT 109K packets, 19M bytes)
> > > >> num pkts  bytes target  prot opt in    out  source     destination
> > > >> 1   0     0     ACCEPT  esp  --  *     *    0.0.0.0/0  0.0.0.0/0
> >
> > > >> Chain FUPNP (0 references)
> > > >> num pkts  bytes target  prot opt in    out  source     destination
> >
> > > >> Chain PControls (0 references)
> > > >> num pkts  bytes target  prot opt in    out  source     destination
> > > >> 1   0     0     ACCEPT  all  --  *     *    0.0.0.0/0  0.0.0.0/0
> >
> > > >> Chain logaccept (0 references)
> > > >> num pkts  bytes target  prot opt in    out  source     destination
> > > >> 1   0     0     LOG     all  --  *     *    0.0.0.0/0  0.0.0.0/0    state NEW LOG flags 7 level 4 prefix `ACCEPT '
> > > >> 2   0     0     ACCEPT  all  --  *     *    0.0.0.0/0  0.0.0.0/0
> >
> > > >> Chain logdrop (2 references)
> > > >> num pkts  bytes target  prot opt in    out  source     destination
> > > >> 1   0     0     LOG     all  --  *     *    0.0.0.0/0  0.0.0.0/0    state NEW LOG flags 7 level 4 prefix `DROP'
> > > >> 2   28    1432  DROP    all  --  *     *    0.0.0.0/0  0.0.0.0/0
> >
> > > >> If I understand the "leftfirewall=yes" option correctly, it should put those
> > > >> rules into iptables.
> >
> > > >> I've checked the charon log file and found this error:
> >
> > > >> cat strongswancharon.log | grep iptables
> >
> > > >> Nov 7 22:59:06 11[CFG] leftupdown=ipsec _updown iptables
> > > >> Nov 7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name
> > > >> Nov 7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name
> >
> >
> > > >> Am I missing some modules here or something?
> >
> > > >> How can I get/log those iptables commands that strongSwan executes?
> >
> >
> > > >> Thanks.
> >
> >
> >
> > > >> On Thu, Nov 7, 2013 at 6:25 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > > >> Hello Luka,
> >
> > > >> Your former configuration worked just fine. The problem was with
> > > >> the network or similar. It had nothing to do with strongSwan.
> >
> > > >> Regards
> > > >> Noel Kuntze
> >
> > > >> On 07.11.2013 10:51, Luka wrote:
> > > >>> Now I've tried to load the modules by hand. I've added the following line
> > > >>> to strongswan.conf:
> > > >>> load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve attr farp xauth-generic
> >
> > > >>> And if I check the charon logs, it looks like it connects and then
> > > >>> immediately disconnects from the VPN.
> > > >>> Here are the interesting lines from the log file (I connect with the iPhone
> > > >>> and get "Negotiation with the VPN server failed"):
> >
> > > >>> ...
> > > >>> Nov 7 10:31:12 14[CFG] id '<server.wan.ip>' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=clientLupo'
> > > >>> ...
> > > >>> Nov 7 10:31:12 14[CFG] id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=<server.wan.ip>'
> > > >>> ...
> > > >>> Nov 7 10:31:12 14[CFG] left is other host, swapping ends
> > > >>> ...
> > > >>> Nov 7 10:13:55 04[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> > > >>> ...
> > > >>> Nov 7 10:13:56 05[IKE] remote host is behind NAT
> > > >>> ...
> > > >>> Nov 7 10:13:57 11[IKE] XAuth authentication of 'lupo' successful
> > > >>> ...
> > > >>> Nov 7 10:13:57 12[IKE] IKE_SA ios[1] state change: CONNECTING => ESTABLISHED
> > > >>> ...
> > > >>> Nov 7 10:13:57 12[IKE] peer requested virtual IP %any
> > > >>> Nov 7 10:13:57 12[IKE] no virtual IP found for %any requested by 'lupo'
> > > >>> ...
> > > >>> Nov 7 10:14:13 05[ENC] parsing HASH_V1 payload finished
> > > >>> Nov 7 10:14:13 05[ENC] parsing DELETE_V1 payload, 40 bytes left
> > > >>> ...
> > > >>> Nov 7 10:14:13 05[ENC] parsing DELETE_V1 payload finished
> > > >>> ...
> > > >>> Nov 7 10:14:13 05[IKE] IKE_SA ios[1] state change: ESTABLISHED => DELETING
> > > >>> Nov 7 10:14:13 05[MGR] checkin and destroy IKE_SA ios[1]
> > > >>> Nov 7 10:14:13 05[IKE] IKE_SA ios[1] state change: DELETING => DESTROYING
> > > >>> Nov 7 10:14:13 05[MGR] check-in and destroy of IKE_SA successful
> > > >>> Nov 7 10:14:13 02[NET] waiting for data on sockets
> > > >>> Nov 7 10:14:25 15[JOB] got event, queuing job for execution
> > > >>> Nov 7 10:14:25 15[JOB] next event in 9732s 760ms, waiting
> > > >>> Nov 7 10:14:25 06[MGR] checkout IKE_SA
> >
> > > >>> Should I put something else instead of "right=%any" ?
> >
> >
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
> > > https://lists.strongswan.org/mailman/listinfo/users
> >
> >
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJSf64LAAoJEDg5KY9j7GZYwV0QAJOdf6h+ub20kurhfoyCTypv
> fuKNs22i4batpPoSRyxI+f2PcLE0ojos6FF1aR3BRdQbWhGwe8nZHxVT2eOiCdPV
> 4+J/EBfXRG+uKhKCrBJWqZdcmCenJmb2kfG0e0DxO2FWmqvh/r5YyS1zz7IM6e0B
> WQg4d8UaKxSvso6XRDLJErscqHxeUx57QtLk03/boz75fmwGq75l7LlGDjt6PMJ5
> EC97ipXgdf5tZj7OfEHM4p9UYzzjBuGq6RdFtX1SiZMhAKCJGp8I33yGs92hJhUG
> gF+C735qwJlz9WXKS7pIHeyjekCOUQpmn4UEcJBwP+sVPQowfTWLttH6FtcRAPHM
> M9st8xTfabOhlqjU/AZ9ws8FvojDN2fLcfhoHkkycbcXgcTBdm8oEiakHju7PUaW
> JUazZD9xxFgQrCEuLATBlwi3YT5Nph8JiAHBfSJ2qnI55/2uU806w+GcKG+Jna9q
> qRFGKWUQi1OF9KSjzfzgHMLxyPmVc1xYGH8rxviN7p9zsJqpRZx/rMXunrgSGpVy
> IY5+bJv8+qWqbBjz2mzL5RS3OjWBD5163gZPE68eVxYJQzs1SvUv6EntDS5kPag+
> KadLEyabq1zo+MAC5TIsucfSTrDjU/iBTtOzKO4gqDoaBe8gNX+ZdGccjqSMJJpt
> GBYSeSk0qahEDa8nL9jN
> =uJPU
> -----END PGP SIGNATURE-----
>
>
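The question raised in the top message (no trace of 10.0.0.2 in the INPUT, nat PREROUTING, FORWARD or nat POSTROUTING logs, only the two public addresses on ESP and UDP 500) is what this added example sorts out. It is not code from the thread or from strongSwan: a small Python classifier for netfilter LOG lines that separates the outer packets (ESP, and IKE or NAT-T traffic on UDP 500/4500, which always carry the public addresses) from the decrypted inner packets. On Linux the kernel re-injects a packet after ESP decryption, so it traverses the chains a second time with IN= set to the interface the ESP arrived on and SRC inside the virtual pool; that second pass is the only place a rule keyed on 10.0.0.0/24 can ever match. The pool and LAN prefixes are taken from the posted config; the sample log lines are constructed to match the shape of the posted ones, with made-up addresses and a made-up MAC.

```python
"""Sort netfilter LOG lines from an IPsec gateway into outer (still encrypted)
and inner (decrypted) traffic.

Added example for this thread; not code from strongSwan or from the posters.
The prefixes come from the posted config; SAMPLE_LOG is constructed.
"""
import re
from ipaddress import ip_address, ip_network

VIRTUAL_POOL = ip_network("10.0.0.0/24")   # rightsourceip pool from the posted config
LAN = ip_network("192.168.2.0/24")         # leftsubnet / br0 network from the posted config

# netfilter LOG fields are upper-case KEY=VALUE tokens; OUT= may legitimately be empty
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
KERNEL_LEVEL_RE = re.compile(r"<\d>")       # "<4>" / "<1>" priority markers syslog left inline


def parse_log_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line as a dict.

    The first occurrence of a repeated key wins, so LEN is the IP total length
    (the second LEN on UDP lines is the UDP length) and ID is the IP ID.
    """
    cleaned = KERNEL_LEVEL_RE.sub(" ", line)
    fields = {}
    for key, value in FIELD_RE.findall(cleaned):
        fields.setdefault(key, value)
    return fields


def classify(fields):
    """Label one parsed line.

    'ike'   - UDP to port 500/4500: IKE, or ESP encapsulated in UDP when NAT-T is in
              use; either way an outer packet between the public addresses
    'esp'   - PROTO=ESP: the encrypted tunnel packet, also between the public addresses
    'inner' - a plaintext packet whose SRC or DST lies in the virtual pool; it is only
              visible after the kernel has decrypted the ESP and re-injected it, and
              then shows IN= as the interface the ESP came in on
    'other' - everything else
    """
    proto = fields.get("PROTO", "")
    if proto == "ESP":
        return "esp"
    if proto == "UDP" and fields.get("DPT") in ("500", "4500"):
        return "ike"
    try:
        src = ip_address(fields.get("SRC", ""))
        dst = ip_address(fields.get("DST", ""))
    except ValueError:
        return "other"
    if src in VIRTUAL_POOL or dst in VIRTUAL_POOL:
        return "inner"
    return "other"


def summarize(lines):
    """Count lines per class and collect the decrypted ('inner') ones.

    Lines without a SRC field (charon messages, other syslog noise) are skipped.
    """
    counts = {"ike": 0, "esp": 0, "inner": 0, "other": 0}
    inner = []
    for line in lines:
        fields = parse_log_line(line)
        if "SRC" not in fields:
            continue
        label = classify(fields)
        counts[label] += 1
        if label == "inner":
            inner.append(fields)
    return counts, inner


def inner_traffic_seen(lines):
    """True when at least one decrypted packet to or from the virtual pool was logged."""
    return summarize(lines)[0]["inner"] > 0


# Constructed sample shaped like the posted lines. Addresses are made up:
# 198.51.100.7 stands for the phone's public IP, 203.0.113.5 for the router's WAN IP.
SAMPLE_LOG = [
    "Nov 13 19:22:06 kernel: Luka-log: <4>Luka-log: IN=eth0 OUT= "
    "MAC=30:85:a9:00:00:01:00:17:10:00:00:02:08:00 <1>SRC=198.51.100.7 DST=203.0.113.5 "
    "<1>LEN=136 TOS=0x00 PREC=0x00 TTL=56 ID=25376 PROTO=ESP SPI=0xc1155ce9",
    "Nov 13 20:54:52 kernel: Luka-log(nat-PREROUTING): <4>Luka-log(nat-PREROUTING): IN=eth0 OUT= "
    "MAC=30:85:a9:00:00:01:00:17:10:00:00:02:08:00 <1>SRC=198.51.100.7 DST=203.0.113.5 "
    "<1>LEN=696 TOS=0x00 PREC=0x00 TTL=56 ID=58415 PROTO=UDP <1>SPT=500 DPT=500 LEN=676",
    # What a decrypted packet looks like on its second pass through the chains. The
    # thread's logs contain none of these; this line is constructed to show the shape.
    "Nov 13 19:22:06 kernel: Luka-log(FORWARD): IN=eth0 OUT=br0 "
    "MAC=30:85:a9:00:00:01:00:17:10:00:00:02:08:00 SRC=10.0.0.2 DST=192.168.2.100 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    # A charon line from the same syslog: no SRC field, so it is skipped.
    "Nov 13 19:21:34 vpn: + C=SI, O=Lupo, CN=clientLupo 10.0.0.2/32 == 198.51.100.7 -- 203.0.113.5 == %any/0",
]

if __name__ == "__main__":
    counts, inner = summarize(SAMPLE_LOG)
    print("per class:", counts)
    for pkt in inner:
        print("decrypted:", pkt["IN"], "->", pkt["OUT"] or "(local)",
              pkt["SRC"], "->", pkt["DST"], pkt["PROTO"])
    print("inner traffic seen:", inner_traffic_seen(SAMPLE_LOG))
```

Feed it the output of a grep for the LOG prefix on the router's syslog (where that file lives on the Merlin build is an assumption, not something the thread states). With an SA in the ESTABLISHED state and the phone pinging a LAN host, the "inner" count should be non-zero; if only "esp" and "ike" ever appear, no plaintext packet is reaching the filter or nat chains, which is consistent with the zero packet counters on every rule keyed on 10.0.0.2 or 10.0.0.0/24 in the listings quoted above.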