[strongSwan] StrongSwan(optware) on Asus RT-AC66U (merlin build)-can't access LAN IPs

Noel Kuntze noel at familie-kuntze.de
Wed Nov 13 22:15:41 CET 2013



Hello Luka,

Yes, this is all okay.
Do the traffic counters you see when you run "ipsec statusall" increase when you try to communicate with your LAN?

Regards
Noel Kuntze

On 13.11.2013 22:11, Luka wrote:
> IP forward is enabled. I can't find the sysctl command, but the following command prints 1 (= enabled):
> cat /proc/sys/net/ipv4/ip_forward
> 1
>
> The tunnel printed by the "ipsec statusall" command looks like this:
>
> Security Associations (1 up, 0 connecting):
> ...
> ios{1}:   0.0.0.0/0 === 10.0.0.2/32
>
> Is this ok?
>
> On Wed, Nov 13, 2013 at 9:48 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> Hello Luka,
>
> Is IP forwarding activated? If it isn't, then activate it.
> Getting the IP packets from the tunnel to your LAN is probably the problem.
>
> Regards
> Noel Kuntze
>
> On 13.11.2013 21:27, Luka wrote:
> > Hi Noel.
> > My POSTROUTING chain contains the following entries:
> >
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > MASQUERADE  all  --  10.0.0.0/24          anywhere
> > MASQUERADE  all  --  192.168.2.0/24       anywhere
> > MASQUERADE  all  -- !cpe-86-xx-xxx-xxx.static.xxx.net  anywhere
> > MASQUERADE  all  --  anywhere             anywhere            MARK match 0xd001
> >
> > I've tried to log all packets in different chains (see part of the log at the bottom) and I didn't find any traces of the virtual IP (10.0.0.2), just the iPhone's WAN IP and the server's WAN IP. Is that OK?
> >
> > I've tried:
> > iptables -I INPUT -j LOG --log-prefix "Luka-log: "
> >
> > Part of the logs (IPs are replaced with "x", 46.x is the iPhone IP and 86.x is the server's external IP):
> > Nov 13 19:21:34 vpn: + C=SI, O=Lupo, CN=clientLupo 10.0.0.2/32 == 46.x.x.x -- 86.x.x.x == %any/0
> > ...
> > Nov 13 19:22:06 kernel: Luka-log:  <4>Luka-log: IN=eth0 OUT= MAC=30:xx:a9:xx:ef:a0:00:17:10:02:6b:8f:08:00 <1>SRC=46.x.x.x DST=86.x.x.x <1>LEN=136 TOS=0x00 PREC=0x00 TTL=56 ID=25376 PROTO=ESP SPI=0xc1155ce9
> > ...
> > Nov 13 19:22:07 kernel: Luka-log:  <4>Luka-log: IN=eth0 OUT= MAC=30:xx:a9:xx:ef:a0:00:17:10:02:6b:8f:08:00 <1>SRC=46.x.x.x DST=86.x.x.x <1>LEN=136 TOS=0x00 PREC=0x00 TTL=56 ID=23923 PROTO=ESP SPI=0xc1155ce9
> > ...
> >
> > iptables -I PREROUTING -j LOG --log-prefix "Luka-log(nat-PREROUTING): " -t nat
> >
> > Logs:
> > ...(2 or 3 packets of this type)
> > Nov 13 20:54:52 kernel: Luka-log(nat-PREROUTING):  <4>Luka-log(nat-PREROUTING): IN=eth0 OUT= MAC=30:xx:a9:xx:ef:a0:00:17:10:02:6b:8f:08:00 <1>SRC=46.x.x.x DST=86.x.x.x <1>LEN=696 TOS=0x00 PREC=0x00 TTL=56 ID=58415 PROTO=UDP <1>SPT=500 DPT=500 LEN=676
> > ...
> >
> > iptables -I FORWARD -j LOG --log-prefix "Luka-log(nat-FORWARD): "
> >
> > Logs: vpn logs not found
> >
> > iptables -I POSTROUTING -j LOG --log-prefix "Luka-POSTROUTING-MASQUERADE: "  -t nat -s 10.0.0.0/24
> >
> > Logs: vpn logs not found
> >
> > Any idea what else I should check?
> >
> > Luka
> >
> > On Sun, Nov 10, 2013 at 5:02 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> > Hello Luka,
> >
> > What other rules do you have in the POSTROUTING chain? If any other rule removes the packets from the chain, then they don't reach the MASQUERADE rule and hence won't get masqueraded.
> >
> > The rule basically says: If the traffic is going out on the eth0 interface and the source is 10.0.0.0/24 and the destination is 0.0.0.0/0, then masquerade it.
> > Masquerade basically means NAT, but it will replace the source IP of the traffic based on the interface it's going out.
> > No, the parameters that are displayed in the first couple of columns are just filters that restrict traffic going to the target.
> > For further clarification, I recommend you read the manpage for iptables and iptables-extensions (if the latter exists on your system. It does on Arch Linux.).
> > For your setup, I recommend you omit -o eth0 and INSERT, and not APPEND, the rule to the chain.
> > Example: iptables -I POSTROUTING 1 -s 10.0.0.0/24 -j MASQUERADE
> >
> > Regards
> > Noel Kuntze
> >
> > On 10.11.2013 16:31, Luka wrote:
> > > Hi Noel.
> > > Still no luck.
> > > I've added masquerade; the following line is added to the nat iptable:
> > >
> > > Chain POSTROUTING (policy ACCEPT 2500 packets, 221K bytes)
> > > num   pkts bytes target     prot opt in     out     source               destination
> > > ...
> > > 4        0     0 MASQUERADE  all  --  *      eth0    10.0.0.0/24          0.0.0.0/0
> > >
> > > What exactly does this masquerade record mean? Probably that all packets from the 10.0.0.0/24 network that have any (0.0.0.0) destination will get the IP address of the eth0 device?
> > > But eth0 is the device with the external IP of the server (86.58.x.x) (see ifconfig output below); should I use the br0 device here (the one with the local IP of the router)?
> > >
> > > Ok, if I sum up my situation:
> > >
> > > CLIENT (iPhone):
> > > - I can connect to IPsec (strongSwan)
> > > - gets virtual IP address: 10.0.0.2
> > >
> > > SERVER (strongSwan v5.0.4, on my router, Linux 2.6.22.19):
> > > - local IP: 192.168.2.1
> > > - external IP: 86.58.x.x
> > >
> > > ipsec statusall:
> > > Virtual IP pools (size/online/offline):
> > >   10.0.0.2: 1/1/0
> > > Listening IP addresses:
> > >   86.58.x.x
> > >   192.168.2.1
> > >
> > > Security Associations (1 up, 0 connecting):
> > >          ios[2]: ESTABLISHED 19 seconds ago, 86.58.x.x[C=SI, O=Lupo, CN=86.58.x.x]...46.123.x.x[C=SI, O=Lupo, CN=clientLupo]
> > >          ios[2]: Remote XAuth identity: lupo
> > >          ios[2]: IKEv1 SPIs: cd789eae5d666586_i 638f1ca174f85726_r*, public key reauthentication in 2 hours
> > >          ios[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> > >          ios{1}:  INSTALLED, TUNNEL, ESP SPIs: c7f2d740_i 0829cc4a_o
> > >          ios{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
> > >          ios{1}:   0.0.0.0/0 === 10.0.0.2/32
> > >
> > > iptables:
> > > These entries are added to the FORWARD chain after I connect to the server:
> > >
> > > Chain FORWARD (policy DROP 0 packets, 0 bytes)
> > > num   pkts bytes target     prot opt in     out     source               destination
> > > 1        0     0 ACCEPT     all  --  eth0   *       10.0.0.2             0.0.0.0/0            policy match dir in pol ipsec reqid 2 proto 50
> > > 2        0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            10.0.0.2             policy match dir out pol ipsec reqid 2 proto 50
> > >
> > > iptables (nat table):
> > > Chain PREROUTING (policy ACCEPT 4188 packets, 599K bytes)
> > > num   pkts bytes target     prot opt in     out     source               destination
> > > 1        1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
> > > 2      305 54089 VSERVER    all  --  *      *       0.0.0.0/0            86.58.x.x
> > >
> > > Chain POSTROUTING (policy ACCEPT 2500 packets, 221K bytes)
> > > num   pkts bytes target     prot opt in     out     source               destination
> > > 1        0     0 MASQUERADE  all  --  *      tun11   192.168.2.0/24       0.0.0.0/0
> > > 2      731 46984 MASQUERADE  all  --  *      eth0   !86.58.x.x            0.0.0.0/0
> > > 3        0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK match 0xd001
> > > 4        0     0 MASQUERADE  all  --  *      eth0    10.0.0.0/24          0.0.0.0/0
> > >
> > > Chain OUTPUT (policy ACCEPT 2489 packets, 220K bytes)
> > > num   pkts bytes target     prot opt in     out     source               destination
> > >
> > > Chain LOCALSRV (0 references)
> > > num   pkts bytes target     prot opt in     out     source               destination
> > >
> > > Chain VSERVER (1 references)
> > > num   pkts bytes target     prot opt in     out     source               destination
> > > 1        1   123 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1184 to:192.168.2.100:1194
> > > 2        0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1184 to:192.168.2.100:1194
> > > 3      304 53966 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0
> > >
> > > Chain VUPNP (1 references)
> > > num   pkts bytes target     prot opt in     out     source               destination
> > >
> > > Chain YADNS (0 references)
> > > num   pkts bytes target     prot opt in     out     source               destination
> > >
> > > ifconfig:
> > > br0        Link encap:Ethernet  HWaddr 30:85:A9:E6:EF:A0
> > >            inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
> > >            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > >            RX packets:20577 errors:0 dropped:0 overruns:0 frame:0
> > >            TX packets:16212 errors:0 dropped:0 overruns:0 carrier:0
> > >            collisions:0 txqueuelen:0
> > >            RX bytes:7597057 (7.2 MiB)  TX bytes:2892960 (2.7 MiB)
> > >
> > > eth0       Link encap:Ethernet  HWaddr 30:85:A9:E6:EF:A0
> > >            inet addr:86.58.x.x  Bcast:86.58.y.y  Mask:255.255.255.0
> > >            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > >            RX packets:665392 errors:0 dropped:0 overruns:0 frame:0
> > >            TX packets:1473423 errors:0 dropped:0 overruns:0 carrier:0
> > >            collisions:0 txqueuelen:1000
> > >            RX bytes:83612848 (79.7 MiB)  TX bytes:1996770618 (1.8 GiB)
> > >            Interrupt:4 Base address:0x2000
> > > ...
> > >
> > > btw, should the tunnel that is created by strongSwan appear in this ifconfig list?
> > >
> > > I'm probably missing another piece of the puzzle.
> > > Is there any other log file except the strongSwan log that I should examine?
> > >
> > > Thanks
> > > Luka
> > >
> > > On Sun, Nov 10, 2013 at 3:38 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> > >
> > > Sorry, it is "iptables -A POSTROUTING -t nat -s 10.0.0.0/24 -o eth0 -j MASQUERADE"
> > > On 10.11.2013 15:05, Noel Kuntze wrote:
> > > > Hello Luka,
> > > >
> > > > You need to masquerade the traffic from your iPhone to the LAN or the internet.
> > > > You do this with either the MASQUERADE or the SNAT target in iptables.
> > > > Example: iptables -A FORWARD -t nat -s 10.0.0.0/24 -o eth0 -j MASQUERADE
> > > >
> > > > Regards
> > > > Noel Kuntze
> > > >
> > > > On 10.11.2013 11:50, Luka wrote:
> > > > > Hi.
> > > > > I've found a way to fix that error, "iptables: No chain/target/match by that name", by executing the command:
> > > > > insmod xt_policy
> > > > >
> > > > > Now when I connect, the iPhone gets IP 10.0.0.2 and the following policy is added to the FORWARD chain:
> > > > > Chain FORWARD (policy DROP 0 packets, 0 bytes)
> > > > > num   pkts bytes target     prot opt in     out     source               destination
> > > > > 1        0     0 ACCEPT     all  --  eth0   *       10.0.0.2             0.0.0.0/0            policy match dir in pol ipsec reqid 1 proto 50
> > > > > 2        0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            10.0.0.2             policy match dir out pol ipsec reqid 1 proto 50
> > > > >
> > > > > I'm using this config:
> > > > > conn %default
> > > > >         keyexchange=ikev1                          Read the manpage for it
> > > > >         authby=xauthrsasig
> > > > >         xauth=server
> > > > >
> > > > > #leftid = subject alt. name (in the certificate)
> > > > > conn ios
> > > > >        left=%defaultroute
> > > > >        leftsubnet=0.0.0.0/0
> > > > >        leftcert=serverCert.pem
> > > > >        leftfirewall=yes
> > > > >        right=%any
> > > > >        rightsubnet=10.0.0.0/24
> > > > >        rightsourceip=10.0.0.2
> > > > >        auto=add
> > > > >        rightcert=clientCert.pem
> > > > >
> > > > > But I still can't access my LAN (192.168.2.0/24) or ping the router 192.168.2.1 or ping the phone's virtual IP 10.0.0.2.
> > > > > I've no idea what else I should try. I give up.
> > > > >
> > > > > L
> > > > >
> > > > > On Thu, Nov 7, 2013 at 11:05 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> > > > >
> > > > > Hello Luka,
> > > > >
> > > > > I actually meant the config which you created after I sent you that link [1].
> > > > > I don't know exactly why there are retransmits happening, but in general, the setup should work.
> > > > >
> > > > > [1] http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
> > > > >
> > > > > Regards
> > > > > Noel Kuntze
> > > > >
> > > > > On 07.11.2013 23:03, Luka wrote:
> > > > >> Ok, I've switched back to the following configuration and I can connect to the VPN again (back to the beginning: I can connect but can't access the LAN behind the VPN):
> > > > >>
> > > > >> conn %default
> > > > >>         keyexchange=ikev1
> > > > >>         authby=xauthrsasig
> > > > >>         xauth=server
> > > > >>
> > > > >> conn ios
> > > > >>        left=86.xx.xx.x35
> > > > >>        leftcert=serverLupoCert.pem
> > > > >>        leftsubnet=192.168.2.0/24
> > > > >>        leftfirewall=yes
> > > > >>        right=%any
> > > > >>        rightsourceip=10.3.0.1
> > > > >>        auto=add
> > > > >>        rightcert=clientLupoCert.pem
> > > > >>
> > > > >> Do I have to put the server's WAN IP address for "left", or the local IP?
> > > > >> The configuration is similar to this one: http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/index.html
> > > > >> I've checked the iptables -L output on that site (http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/moon.iptables) and compared it with mine.
> > > > >> It looks like mine is missing some forwarding rules.
> > > > >> Mine:
> > > > >> iptables -L -v -n --line-numbers
> > > > >>
> > > > >> Chain INPUT (policy ACCEPT 109K packets, 9709K bytes)
> > > > >> num   pkts bytes target     prot opt in     out     source               destination
> > > > >> 1      236 31088 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
> > > > >> 2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
> > > > >> 3      196 68288 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
> > > > >> 4        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
> > > > >> 5     1138  105K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
> > > > >> 6        0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
> > > > >>
> > > > >> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> > > > >> num   pkts bytes target     prot opt in     out     source               destination
> > > > >> 1        0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
> > > > >> 2        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
> > > > >> 3        5   344 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
> > > > >> 4    22028 1928K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> > > > >> 5        0     0 logdrop    all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
> > > > >> 6       28  1432 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
> > > > >> 7        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
> > > > >> 8     1344 80640 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
> > > > >> 9    32811 2190K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
> > > > >>
> > > > >> Chain OUTPUT (policy ACCEPT 109K packets, 19M bytes)
> > > > >> num   pkts bytes target     prot opt in     out     source               destination
> > > > >> 1        0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
> > > > >>
> > > > >> Chain FUPNP (0 references)
> > > > >> num   pkts bytes target     prot opt in     out     source               destination
> > > > >>
> > > > >> Chain PControls (0 references)
> > > > >> num   pkts bytes target     prot opt in     out     source               destination
> > > > >> 1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
> > > > >>
> > > > >> Chain logaccept (0 references)
> > > > >> num   pkts bytes target     prot opt in     out     source               destination
> > > > >> 1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix `ACCEPT '
> > > > >> 2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
> > > > >>
> > > > >> Chain logdrop (2 references)
> > > > >> num   pkts bytes target     prot opt in     out     source               destination
> > > > >> 1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix `DROP'
> > > > >> 2       28  1432 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
> > > > >>
> > > > >> If I understand the "leftfirewall=yes" command, it should put those rules into iptables.
> > > > >> I've checked the charon log file and found this error:
> > > > >> cat strongswancharon.log | grep iptables
> > > > >> Nov  7 22:59:06 11[CFG]   leftupdown=ipsec _updown iptables
> > > > >> Nov  7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name
> > > > >> Nov  7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name
> > > > >>
> > > > >> Am I missing some modules here or something?
> > > > >> How can I get/log those iptables commands that strongSwan executes?
> > > > >>
> > > > >> Thanks.
> > > > >>
> > > > >> On Thu, Nov 7, 2013 at 6:25 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> > > > >>
> > > > >> Hello Luka,
> > > > >>
> > > > >> Your former configuration worked just fine. The problem was with the network or similar. It had nothing to do with strongSwan.
> > > > >>
> > > > >> Regards
> > > > >> Noel Kuntze
> > > > >>
> > > > >> On 07.11.2013 10:51, Luka wrote:
> > > > >>> Now I've tried to load modules by hand. I've added the following line to strongswan.conf:
> > > > >>> load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve attr farp xauth-generic
> > > > >>>
> > > > >>> And if I check the charon logs, it looks like it connects and then immediately disconnects from the VPN.
> > > > >>> Here are the interesting lines from the log file (I connect with the iPhone and get "Negotiation with the VPN server failed"):
> > > > >>>
> > > > >>> ...
> > > > >>> Nov  7 10:31:12 14[CFG]   id '<server.wan.ip>' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=clientLupo'
> > > > >>> ...
> > > > >>> Nov  7 10:31:12 14[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=<server.wan.ip>'
> > > > >>> ...
> > > > >>> Nov  7 10:31:12 14[CFG] left is other host, swapping ends
> > > > >>> ...
> > > > >>> Nov  7 10:13:55 04[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> > > > >>> ...
> > > > >>> Nov  7 10:13:56 05[IKE] remote host is behind NAT
> > > > >>> ...
> > > > >>> Nov  7 10:13:57 11[IKE] XAuth authentication of 'lupo' successful
> > > > >>> ...
> > > > >>> Nov  7 10:13:57 12[IKE] IKE_SA ios[1] state change: CONNECTING => ESTABLISHED
> > > > >>> ...
> > > > >>> Nov  7 10:13:57 12[IKE] peer requested virtual IP %any
> > > > >>> Nov  7 10:13:57 12[IKE] no virtual IP found for %any requested by 'lupo'
> > > > >>> ...
> > > > >>> Nov  7 10:14:13 05[ENC] parsing HASH_V1 payload finished
> > > > >>> Nov  7 10:14:13 05[ENC] parsing DELETE_V1 payload, 40 bytes left
> > > > >>> ...
> > > > >>> Nov  7 10:14:13 05[ENC] parsing DELETE_V1 payload finished
> > > > >>> ...
> > > > >>> Nov  7 10:14:13 05[IKE] IKE_SA ios[1] state change: ESTABLISHED => DELETING
> > > > >>> Nov  7 10:14:13 05[MGR] checkin and destroy IKE_SA ios[1]
> > > > >>> Nov  7 10:14:13 05[IKE] IKE_SA ios[1] state change: DELETING => DESTROYING
> > > > >>> Nov  7 10:14:13 05[MGR] check-in and destroy of IKE_SA successful
> > > > >>> Nov  7 10:14:13 02[NET] waiting for data on sockets
> > > > >>> Nov  7 10:14:25 15[JOB] got event, queuing job for execution
> > > > >>> Nov  7 10:14:25 15[JOB] next event in 9732s 760ms, waiting
> > > > >>> Nov  7 10:14:25 06[MGR] checkout IKE_SA
> > > > >>>
> > > > >>> Should I put something else instead of "right=%any"?
> > > > >>>
> > > > _______________________________________________
> > > > Users mailing list
> > > > Users at lists.strongswan.org
> > > > https://lists.strongswan.org/mailman/listinfo/users

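An added example, not code from the thread or from strongSwan: it walks the nat POSTROUTING listing Luka pasted with iptables' first-match semantics, showing which rule the virtual-IP traffic hits when the MASQUERADE rule is appended (as rule 4) versus inserted at position 1 without -o eth0, as Noel suggests. It assumes the placeholder 86.58.0.1 for the masked WAN address, that LAN-bound traffic leaves on br0, and that match extensions other than MARK do not match.

```python
"""First-match walk over an `iptables -L -v -n --line-numbers` chain listing."""
import ipaddress
import re

# Constructed from the nat POSTROUTING listing in the thread; the masked WAN
# address 86.58.x.x is replaced by the placeholder 86.58.0.1.
POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT 2500 packets, 221K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  all  --  *      tun11   192.168.2.0/24       0.0.0.0/0
2      731 46984 MASQUERADE  all  --  *      eth0   !86.58.0.1            0.0.0.0/0
3        0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK match 0xd001
4        0     0 MASQUERADE  all  --  *      eth0    10.0.0.0/24          0.0.0.0/0
"""

# Constructed packets: the iPhone's virtual IP talking to the internet (leaves
# via eth0) and to a LAN host (leaves via br0, the bridge holding 192.168.2.1).
PKT_INTERNET = {"proto": "icmp", "in": "eth0", "out": "eth0", "src": "10.0.0.2", "dst": "8.8.8.8"}
PKT_LAN = {"proto": "icmp", "in": "eth0", "out": "br0", "src": "10.0.0.2", "dst": "192.168.2.100"}

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+\S+\s+\S+\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)


def parse_chain(listing):
    """Return (chain policy, list of rule dicts) from a chain listing."""
    lines = listing.strip().splitlines()
    policy = re.match(r"Chain \S+ \(policy (\S+)", lines[0]).group(1)
    rules = [m.groupdict() for m in map(RULE_RE.match, lines[2:]) if m]
    return policy, rules


def _match_field(spec, value):
    """Interface/protocol column: '*' and 'all' are wildcards, leading '!' negates."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec in ("*", "all") or spec == value
    return hit != negate


def _match_addr(spec, addr):
    """Source/destination column: a CIDR (or host), optionally negated with '!'."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def _match_extra(extra, pkt):
    """Trailing match extensions. Only 'MARK match' is modelled; any other
    extension is assumed not to match (an assumption of this example)."""
    extra = extra.strip()
    if not extra:
        return True
    m = re.fullmatch(r"MARK match (0x[0-9a-fA-F]+)", extra)
    return bool(m) and pkt.get("mark", 0) == int(m.group(1), 16)


def first_match(policy, rules, pkt):
    """Walk the chain top to bottom like the kernel does and return
    (rule number, target) of the first hit, or (None, chain policy)."""
    for r in rules:
        if (_match_field(r["prot"], pkt["proto"]) and _match_field(r["in"], pkt["in"])
                and _match_field(r["out"], pkt["out"]) and _match_addr(r["src"], pkt["src"])
                and _match_addr(r["dst"], pkt["dst"]) and _match_extra(r["extra"], pkt)):
            return int(r["num"]), r["target"]
    return None, policy


def insert_rule(rules, position, **fields):
    """Simulate `iptables -I CHAIN <position> ...` (1-based). Columns not given
    are wildcards, so src="10.0.0.0/24" alone models the rule without -o eth0."""
    rule = {"target": "ACCEPT", "prot": "all", "in": "*", "out": "*",
            "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "extra": ""}
    rule.update(fields)
    new = [dict(r) for r in rules]
    new.insert(position - 1, rule)
    for i, r in enumerate(new, 1):
        r["num"] = str(i)  # iptables renumbers the chain after an insert
    return new


if __name__ == "__main__":
    policy, rules = parse_chain(POSTROUTING)
    # Appended rule 4 is shadowed for internet traffic by rule 2; LAN-bound traffic
    # leaves on br0, so no eth0 rule touches it and the chain policy (no NAT) applies.
    print("append, to internet:", first_match(policy, rules, PKT_INTERNET))  # (2, 'MASQUERADE')
    print("append, to LAN:     ", first_match(policy, rules, PKT_LAN))       # (None, 'ACCEPT')
    fixed = insert_rule(rules, 1, target="MASQUERADE", src="10.0.0.0/24")
    print("insert at 1, to LAN:", first_match(policy, fixed, PKT_LAN))       # (1, 'MASQUERADE')
```

With the rule inserted at position 1 and no out-interface filter, traffic to the LAN is rewritten to the address of the interface it leaves on (br0, 192.168.2.1), which is what Noel means by masquerading being based on the outgoing interface.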





