[strongSwan] StrongSwan(optware) on Asus RT-AC66U (merlin build)-can't access LAN IPs

Luka Lukapple80 at gmail.com
Thu Nov 14 08:42:40 CET 2013


Noel.
Ok, I've created level 3 log files with the following scenario:
- restart the router
- turn off the firewall on the router (from the router web GUI)
- execute the following commands (because the router was restarted):

modprobe /lib/modules/2.6.22.19/kernel/net/ipv4/xfrm4_tunnel.ko

insmod xt_policy

- enter the iptables commands:

iptables -I FORWARD -m conntrack --ctstate SNAT -j ACCEPT

iptables -I FORWARD -m conntrack -s 10.0.0.0/24 --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

iptables -I POSTROUTING 1 -s 10.0.0.0/24 -j MASQUERADE -t nat

- start strongSwan: ipsec start
- connect with the client (iPhone) to the server (the client gets virtual IP 10.0.0.2)
- open Safari (iPhone) and try to access some site on the LAN: 192.168.2.10
- wait a few seconds (no response ...)
- stop strongSwan: ipsec stop

You can grab the logs at:
https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswan.log
(server/client IPs are censored).

Luka
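As an added example (not part of this thread), a small Python checker that parses the two kinds of output posted here, `iptables -L FORWARD -v -n --line-numbers` and `/proc/net/ip_conntrack`, and reports the symptoms the thread circles around: FORWARD rules for the virtual-IP pool whose packet counters never move, and an ESP conntrack entry that stays [UNREPLIED]. The sample dumps are constructed, and since the thread censors the public addresses, TEST-NET addresses stand in for client and server.

```python
"""Check an IPsec road-warrior forwarding setup from the text dumps quoted in the
thread (iptables -L <chain> -v -n --line-numbers and /proc/net/ip_conntrack): a
DROP-policy FORWARD chain with no rule for the virtual-IP pool, pool rules whose
counters never move, and an ESP conntrack entry that stays [UNREPLIED]."""
import ipaddress
import re

# Constructed sample input modelled on the dumps in the thread. Public addresses
# are censored there, so TEST-NET addresses stand in for client and server.
CLIENT_WAN, SERVER_WAN = "198.51.100.7", "203.0.113.9"
FORWARD_DUMP = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  eth0   *       10.0.0.2             0.0.0.0/0            policy match dir in pol ipsec reqid 2 proto 50
2        0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            10.0.0.2             policy match dir out pol ipsec reqid 2 proto 50
"""
CONNTRACK_DUMP = f"""\
udp      17 104 src={CLIENT_WAN} dst={SERVER_WAN} sport=500 dport=500 packets=34 bytes=10344 src={SERVER_WAN} dst={CLIENT_WAN} sport=500 dport=500 packets=25 bytes=7425 [ASSURED] mark=0 use=1
unknown  50 523 src={CLIENT_WAN} dst={SERVER_WAN} packets=59 bytes=8024 [UNREPLIED] src={SERVER_WAN} dst={CLIENT_WAN} packets=0 bytes=0 mark=0 use=1
"""

_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

def parse_counter(text):
    """iptables -v abbreviates counters (105K, 1928K); return a plain int."""
    if text[-1] in _SUFFIX:
        return int(text[:-1]) * _SUFFIX[text[-1]]
    return int(text)

def _net(text):
    """'!10.0.0.0/24' -> (True, 10.0.0.0/24); a leading '!' is a negated match."""
    return text.startswith("!"), ipaddress.ip_network(text.lstrip("!"), strict=False)

def parse_chain(dump):
    """Return (policy, rules) for one chain of `iptables -L -v -n --line-numbers`."""
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    m = re.match(r"Chain (\S+) \(policy (\S+)", lines[0])
    policy = m.group(2) if m else None          # user-defined chains print no policy
    rules = []
    for line in lines[2:]:                       # lines[1] is the column header
        f = line.split(None, 9)                  # the last field keeps the match text
        neg, src = _net(f[8])
        dst_and_extra = f[9].split(None, 1)
        rules.append({
            "num": int(f[0]), "pkts": parse_counter(f[1]), "bytes": parse_counter(f[2]),
            "target": f[3], "prot": f[4], "in": f[6], "out": f[7],
            "src_negated": neg, "source": src,
            "destination": _net(dst_and_extra[0])[1],
            "extra": dst_and_extra[1] if len(dst_and_extra) > 1 else "",
        })
    return policy, rules

def audit_forward(dump, pool):
    """Findings about how a FORWARD chain treats traffic sourced from the pool."""
    pool = ipaddress.ip_network(pool)
    policy, rules = parse_chain(dump)
    if policy != "DROP":
        return []                                # nothing is dropped by default
    hits = [r for r in rules if r["target"] == "ACCEPT" and not r["src_negated"]
            and r["source"].overlaps(pool)]
    if not hits:
        return [f"FORWARD policy is DROP and no ACCEPT rule admits traffic from {pool}"]
    if all(r["pkts"] == 0 for r in hits):
        nums = [r["num"] for r in hits]
        return [f"FORWARD rules {nums} admit {pool} but have never matched a packet: "
                "decrypted client traffic is not reaching the FORWARD chain"]
    return []

def parse_conntrack(dump):
    """Parse /proc/net/ip_conntrack lines into original/reply direction dicts."""
    flows = []
    for line in dump.splitlines():
        tok = line.split()
        if len(tok) < 4:
            continue
        orig, reply, cur = {}, {}, None
        for t in tok[3:]:
            if "=" not in t:
                continue                          # [ASSURED] / [UNREPLIED] flags
            k, v = t.split("=", 1)
            if k == "src":                        # a second src= starts the reply tuple
                cur = orig if cur is None else reply
            cur[k] = v
        flags = [t.strip("[]") for t in tok[3:] if t.startswith("[")]
        flows.append({"proto": int(tok[1]), "orig": orig, "reply": reply, "flags": flags})
    return flows

def audit_conntrack(dump, client_ip, server_ip):
    """Flag an ESP flow from the client that the server has never answered."""
    findings = []
    for fl in parse_conntrack(dump):
        o, r = fl["orig"], fl["reply"]
        if (fl["proto"] == 50 and o.get("src") == client_ip
                and o.get("dst") == server_ip and "UNREPLIED" in fl["flags"]):
            findings.append(f"ESP {client_ip}->{server_ip}: {o['packets']} packets in, "
                            f"{r.get('packets', '0')} back [UNREPLIED]; matches the "
                            "0 bytes_o counter in 'ipsec statusall'")
    return findings
```

Run `audit_forward(FORWARD_DUMP, "10.0.0.0/24")` and `audit_conntrack(CONNTRACK_DUMP, CLIENT_WAN, SERVER_WAN)` against real dumps by substituting the captured text; both return a list of finding strings, empty when nothing is wrong.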


On Wed, Nov 13, 2013 at 11:31 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:

>
> Hello Luka,
>
> No, I meant logs of strongSwan.
> The logs you sent earlier don't show active communication between the
> server and the client.
> Example logger configurations and explanations can be found here [1].
>
> [1]
> http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>
> Regards
> Noel Kuntze
>
> On 13.11.2013 23:25, Luka wrote:
> > Hi.
> > I didn't know about that "conntrack" module.
> > What logs did you mean? From the conntrack module? Or from strongSwan
> > (already sent those in previous mails).
> > How do you specify the log level in conntrack?
> > There are some entries from conntrack (started, connected to the VPN, tried
> > to connect to some local IPs and then disconnected):
> >
> > # cat /proc/net/ip_conntrack | grep 122.
> >
> > udp      17 104 src=46.x.x.x dst=86.x.x.x sport=500 dport=500 packets=34 bytes=10344 src=86.x.x.x dst=46.x.x.x sport=500 dport=500 packets=25 bytes=7425 [ASSURED] mark=0 use=1
> >
> > unknown  50 523 src=46.x.x.x dst=86.x.x.x packets=59 bytes=8024 [UNREPLIED] src=86.x.x.x dst=46.x.x.x packets=0 bytes=0 mark=0 use=1
> >
> > What do those unreplied packets mean?
> >
> > I'm using the charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips).
> >
> > Luka
> >
> > On Wed, Nov 13, 2013 at 10:46 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > Hello Luka,
> >
> > I have to say that you're using the -I parameter of iptables incorrectly.
> > It needs the position in which the rule should be put as the second parameter.
> > Like that: iptables -I INPUT 1 -j LOG --log-prefix "Luka-log: "
> > If you don't do that, -I works the same way as -A (Append).
> >
> > The policy of the FORWARD chain seems to be "drop", so you probably have
> > to insert a rule there, too, to allow SNATed (masquerade basically does this)
> > traffic through.
> > Such a rule looks like this:
> > iptables -A FORWARD -m conntrack --ctstate SNAT -j ACCEPT
> > You need to allow connections from your VPN clients to the LAN:
> > iptables -A FORWARD -m conntrack -s 10.0.0.0/24 --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
> >
> > Up/down the tunnel and try to ping it directly after that. Also, sending
> > us a logfile which shows you trying to communicate with the LAN will help a
> > lot. When logging, please send us logs with default=3.
> > The logfiles can grow quite large over time.
> > Also, what version of strongSwan do you use?
> >
> > Regards
> > Noel Kuntze
> >
> > On 13.11.2013 22:18, Luka wrote:
> > > Traffic counters stay at 0:
> > >
> > > ios{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 46 minutes
> > >          ios{2}:   0.0.0.0/0 === 10.0.0.2/32
> > >
> > > Luka
> >
> >
> >
> > > On Wed, Nov 13, 2013 at 10:15 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > > Hello Luka,
> > >
> > > Yes, this is all okay.
> > > Do the traffic counters you see when you do "ipsec statusall"
> > > increase when you try to communicate with your LAN?
> > >
> > > Regards
> > > Noel Kuntze
> >
> > > On 13.11.2013 22:11, Luka wrote:
> > > > IP forwarding is enabled. I can't find the sysctl command, but the following
> > > > command prints 1 (=enabled):
> > > > cat /proc/sys/net/ipv4/ip_forward
> > > > 1
> > > >
> > > > The tunnel printed by the "ipsec statusall" command looks like this:
> > > >
> > > > Security Associations (1 up, 0 connecting):
> > > > ...
> > > > ios{1}:   0.0.0.0/0 === 10.0.0.2/32
> > > >
> > > > Is this ok?
> >
> >
> >
> >
> > > > On Wed, Nov 13, 2013 at 9:48 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > > > Hello Luka,
> > > >
> > > > Is IP forwarding activated? If it isn't, then activate it.
> > > > Getting the IP packets from the tunnel to your LAN is probably the problem.
> > > >
> > > > Regards
> > > > Noel Kuntze
> >
> > > > On 13.11.2013 21:27, Luka wrote:
> > > > > Hi Noel.
> > > > > My POSTROUTING chain contains the following entries:
> > > > >
> > > > > Chain POSTROUTING (policy ACCEPT)
> > > > > target     prot opt source               destination
> > > > > MASQUERADE  all  --  10.0.0.0/24          anywhere
> > > > > MASQUERADE  all  --  192.168.2.0/24       anywhere
> > > > > MASQUERADE  all  -- !cpe-86-xx-xxx-xxx.static.xxx.net  anywhere
> > > > > MASQUERADE  all  --  anywhere             anywhere            MARK match 0xd001
> > > > >
> > > > > I've tried to log all packets in different chains (see part of the
> > > > > log at the bottom) and I didn't find any traces of the virtual IP (10.0.0.2), just
> > > > > the iPhone's WAN IP and the server's WAN IP. Is that OK?
> > > > >
> > > > > I've tried:
> > > > >
> > > > > iptables -I INPUT -j LOG --log-prefix "Luka-log: "
> > > > >
> > > > > Part of the logs (IPs are replaced with "x", 46.x is the iPhone IP and 86.x
> > > > > is the server's external IP):
> > > > >
> > > > > Nov 13 19:21:34 vpn: + C=SI, O=Lupo, CN=clientLupo 10.0.0.2/32 == 46.x.x.x -- 86.x.x.x == %any/0
> > > > > ...
> > > > > Nov 13 19:22:06 kernel: Luka-log:  <4>Luka-log: IN=eth0 OUT= MAC=30:xx:a9:xx:ef:a0:00:17:10:02:6b:8f:08:00 <1>SRC=46.x.x.x DST=86.x.x.x <1>LEN=136 TOS=0x00 PREC=0x00 TTL=56 ID=25376 PROTO=ESP SPI=0xc1155ce9
> > > > > ...
> > > > > Nov 13 19:22:07 kernel: Luka-log:  <4>Luka-log: IN=eth0 OUT= MAC=30:xx:a9:xx:ef:a0:00:17:10:02:6b:8f:08:00 <1>SRC=46.x.x.x DST=86.x.x.x <1>LEN=136 TOS=0x00 PREC=0x00 TTL=56 ID=23923 PROTO=ESP SPI=0xc1155ce9
> > > > > ...
> > > > >
> > > > > iptables -I PREROUTING -j LOG --log-prefix "Luka-log(nat-PREROUTING): " -t nat
> > > > >
> > > > > Logs:
> > > > > ...(2 or 3 packets of this type)
> > > > > Nov 13 20:54:52 kernel: Luka-log(nat-PREROUTING):  <4>Luka-log(nat-PREROUTING): IN=eth0 OUT= MAC=30:xx:a9:xx:ef:a0:00:17:10:02:6b:8f:08:00 <1>SRC=46.x.x.x DST=86.x.x.x <1>LEN=696 TOS=0x00 PREC=0x00 TTL=56 ID=58415 PROTO=UDP <1>SPT=500 DPT=500 LEN=676
> > > > > ...
> > > > >
> > > > > iptables -I FORWARD -j LOG --log-prefix "Luka-log(nat-FORWARD): "
> > > > >
> > > > > Logs: VPN logs not found
> > > > >
> > > > > iptables -I POSTROUTING -j LOG --log-prefix "Luka-POSTROUTING-MASQUERADE: "  -t nat -s 10.0.0.0/24
> > > > >
> > > > > Logs: VPN logs not found
> > > > >
> > > > > Any idea what else I should check?
> > > > >
> > > > > Luka
> >
> >
> >
> > > > > On Sun, Nov 10, 2013 at 5:02 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > > > > Hello Luka,
> > > > >
> > > > > What other rules do you have in the POSTROUTING chain? If any
> > > > > other rule removes the packets from the chain, then they don't reach the
> > > > > MASQUERADE rule and hence won't get masqueraded.
> > > > >
> > > > > The rule basically says: If the traffic is going out on the eth0
> > > > > interface and the source is 10.0.0.0/24 and the destination is 0.0.0.0/0,
> > > > > then masquerade it.
> > > > > Masquerade basically means NAT, but it will replace the source IP of
> > > > > the traffic based on the interface it's going out.
> > > > > No, the parameters that are displayed in the first couple of
> > > > > columns are just filters that restrict traffic going to the target.
> > > > > For further clarification, I recommend you read the manpage for
> > > > > iptables and iptables-extensions (if the latter exists on your system. It
> > > > > does on Arch Linux.).
> > > > > For your setup, I recommend you omit -o eth0 and INSERT, and not
> > > > > APPEND the rule to the chain.
> > > > > Example: iptables -I POSTROUTING 1 -s 10.0.0.0/24 -j MASQUERADE
> > > > >
> > > > > Regards
> > > > > Noel Kuntze
> >
> > > > > On 10.11.2013 16:31, Luka wrote:
> > > > > > Hi Noel.
> > > > > >
> > > > > > Still no luck.
> > > > > >
> > > > > > I've added masquerade; the following line is added to the nat iptable:
> > > > > >
> > > > > > Chain POSTROUTING (policy ACCEPT 2500 packets, 221K bytes)
> > > > > > num   pkts bytes target     prot opt in     out     source               destination
> > > > > > ...
> > > > > > 4        0     0 MASQUERADE  all  --  *      eth0    10.0.0.0/24          0.0.0.0/0
> > > > > >
> > > > > > What exactly does this masquerade record mean? Probably that
> > > > > > all packets from the 10.0.0.0/24 network that have any (0.0.0.0)
> > > > > > destination will get the IP address of the eth0 device?
> > > > > > But eth0 is the device with the external IP of the server (86.58.x.x) (see
> > > > > > ifconfig output below); should I use the br0 device here (the one with the local IP
> > > > > > of the router)?
> > > > > >
> > > > > > Ok, if I sum up my situation:
> > > > > >
> > > > > > CLIENT (iPhone):
> > > > > > - I can connect to IPsec (strongSwan)
> > > > > > - gets virtual IP address: 10.0.0.2
> > > > > >
> > > > > > SERVER (strongSwan v5.0.4, on my router, Linux 2.6.22.19):
> > > > > > - local IP: 192.168.2.1
> > > > > > - external IP: 86.58.x.x
> > > > > >
> > > > > > ipsec statusall:
> > > > > >
> > > > > > Virtual IP pools (size/online/offline):
> > > > > >   10.0.0.2: 1/1/0
> > > > > > Listening IP addresses:
> > > > > >   86.58.x.x
> > > > > >   192.168.2.1
> > > > > >
> > > > > > Security Associations (1 up, 0 connecting):
> > > > > >          ios[2]: ESTABLISHED 19 seconds ago, 86.58.x.x[C=SI, O=Lupo, CN=86.58.x.x]...46.123.x.x[C=SI, O=Lupo, CN=clientLupo]
> > > > > >          ios[2]: Remote XAuth identity: lupo
> > > > > >          ios[2]: IKEv1 SPIs: cd789eae5d666586_i 638f1ca174f85726_r*, public key reauthentication in 2 hours
> > > > > >          ios[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> > > > > >          ios{1}:  INSTALLED, TUNNEL, ESP SPIs: c7f2d740_i 0829cc4a_o
> > > > > >          ios{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
> > > > > >          ios{1}:   0.0.0.0/0 === 10.0.0.2/32
> > > > > >
> > > > > > iptables:
> > > > > >
> > > > > > These entries are added to the FORWARD chain after I connect to the server:
> > > > > >
> > > > > > Chain FORWARD (policy DROP 0 packets, 0 bytes)
> > > > > > num   pkts bytes target     prot opt in     out     source               destination
> > > > > > 1        0     0 ACCEPT     all  --  eth0   *       10.0.0.2             0.0.0.0/0            policy match dir in pol ipsec reqid 2 proto 50
> > > > > > 2        0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            10.0.0.2             policy match dir out pol ipsec reqid 2 proto 50
> > > > > >
> > > > > > iptables (nat table):
> > > > > >
> > > > > > Chain PREROUTING (policy ACCEPT 4188 packets, 599K bytes)
> > > > > > num   pkts bytes target     prot opt in     out     source               destination
> > > > > > 1        1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
> > > > > > 2      305 54089 VSERVER    all  --  *      *       0.0.0.0/0            86.58.x.x
> > > > > >
> > > > > > Chain POSTROUTING (policy ACCEPT 2500 packets, 221K bytes)
> > > > > > num   pkts bytes target     prot opt in     out     source               destination
> > > > > > 1        0     0 MASQUERADE  all  --  *      tun11   192.168.2.0/24       0.0.0.0/0
> > > > > > 2      731 46984 MASQUERADE  all  --  *      eth0   !86.58.x.x            0.0.0.0/0
> > > > > > 3        0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK match 0xd001
> > > > > > 4        0     0 MASQUERADE  all  --  *      eth0    10.0.0.0/24          0.0.0.0/0
> > > > > >
> > > > > > Chain OUTPUT (policy ACCEPT 2489 packets, 220K bytes)
> > > > > > num   pkts bytes target     prot opt in     out     source               destination
> > > > > >
> > > > > > Chain LOCALSRV (0 references)
> > > > > > num   pkts bytes target     prot opt in     out     source               destination
> > > > > >
> > > > > > Chain VSERVER (1 references)
> > > > > > num   pkts bytes target     prot opt in     out     source               destination
> > > > > > 1        1   123 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1184 to:192.168.2.100:1194
> > > > > > 2        0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1184 to:192.168.2.100:1194
> > > > > > 3      304 53966 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0
> > > > > >
> > > > > > Chain VUPNP (1 references)
> > > > > > num   pkts bytes target     prot opt in     out     source               destination
> > > > > >
> > > > > > Chain YADNS (0 references)
> > > > > > num   pkts bytes target     prot opt in     out     source               destination
> > > > > >
> > > > > > ifconfig:
> > > > > >
> > > > > > br0        Link encap:Ethernet  HWaddr 30:85:A9:E6:EF:A0
> > > > > >            inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
> > > > > >            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > > > > >            RX packets:20577 errors:0 dropped:0 overruns:0 frame:0
> > > > > >            TX packets:16212 errors:0 dropped:0 overruns:0 carrier:0
> > > > > >            collisions:0 txqueuelen:0
> > > > > >            RX bytes:7597057 (7.2 MiB)  TX bytes:2892960 (2.7 MiB)
> > > > > >
> > > > > > eth0       Link encap:Ethernet  HWaddr 30:85:A9:E6:EF:A0
> > > > > >            inet addr:86.58.x.x  Bcast:86.58.y.y  Mask:255.255.255.0
> > > > > >            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > > > > >            RX packets:665392 errors:0 dropped:0 overruns:0 frame:0
> > > > > >            TX packets:1473423 errors:0 dropped:0 overruns:0 carrier:0
> > > > > >            collisions:0 txqueuelen:1000
> > > > > >            RX bytes:83612848 (79.7 MiB)  TX bytes:1996770618 (1.8 GiB)
> > > > > >            Interrupt:4 Base address:0x2000
> > > > > > ...
> > > > > >
> > > > > > btw, should the tunnel that is created by strongSwan appear in this ifconfig list?
> > > > > >
> > > > > > I'm probably missing another piece of the puzzle.
> > > > > >
> > > > > > Is there any other log file except the strongSwan log that I should examine?
> > > > > >
> > > > > > Thanks
> > > > > > Luka
> >
> >
> >
> > > > > > On Sun, Nov 10, 2013 at 3:38 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > > > > > Sorry, it is "iptables -A POSTROUTING -t nat -s 10.0.0.0/24 -o eth0 -j MASQUERADE"
> > > > > > On 10.11.2013 15:05, Noel Kuntze wrote:
> > > > > > > Hello Luka,
> > > > > > >
> > > > > > > You need to masquerade the traffic from your iPhone to the LAN or the internet.
> > > > > > > You do this with either the MASQUERADE or the SNAT target in iptables.
> > > > > > > Example: iptables -A FORWARD -t nat -s 10.0.0.0/24 -o eth0 -j MASQUERADE
> > > > > > >
> > > > > > > Regards
> > > > > > > Noel Kuntze
> >
> > > > > > > On 10.11.2013 11:50, Luka wrote:
> > > > > > > > Hi.
> > > > > > > > I've found a way to fix that error: "iptables: No
> > > > > > > > chain/target/match by that name" by executing the command:
> > > > > > > >
> > > > > > > > insmod xt_policy
> > > > > > > >
> > > > > > > > Now when I connect, the iPhone gets IP 10.0.0.2 and the following
> > > > > > > > policy is added to the FORWARD chain:
> > > > > > > >
> > > > > > > > Chain FORWARD (policy DROP 0 packets, 0 bytes)
> > > > > > > > num   pkts bytes target     prot opt in     out     source               destination
> > > > > > > > 1        0     0 ACCEPT     all  --  eth0   *       10.0.0.2             0.0.0.0/0            policy match dir in pol ipsec reqid 1 proto 50
> > > > > > > > 2        0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            10.0.0.2             policy match dir out pol ipsec reqid 1 proto 50
> > > > > > > >
> > > > > > > > I'm using config:
> > > > > > > >
> > > > > > > > conn %default
> > > > > > > >         keyexchange=ikev1
> > > > > > >        Read the manpage for it
> > > > > > > >         authby=xauthrsasig
> > > > > > > >         xauth=server
> > > > > > > >
> > > > > > > > #leftid = subject alt. name (in the certificate)
> > > > > > > > conn ios
> > > > > > > >        left=%defaultroute
> > > > > > > >        leftsubnet=0.0.0.0/0
> > > > > > > >        leftcert=serverCert.pem
> > > > > > > >        leftfirewall=yes
> > > > > > > >        right=%any
> > > > > > > >        rightsubnet=10.0.0.0/24
> > > > > > > >        rightsourceip=10.0.0.2
> > > > > > > >        auto=add
> > > > > > > >        rightcert=clientCert.pem
> > > > > > > >
> > > > > > > > But I still can't access my LAN (192.168.2.0/24) or ping the router
> > > > > > > > 192.168.2.1 or ping the phone's virtual IP 10.0.0.2.
> > > > > > > >
> > > > > > > > I've no idea what else I should try. I give up.
> > > > > > > >
> > > > > > > > L
> >
> >
> >
> >
> > > > > > > > On Thu, Nov 7, 2013 at 11:05 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > > > > > > > Hello Luka,
> > > > > > > >
> > > > > > > > I actually meant the config which you created after I sent you that link [1].
> > > > > > > > I don't know exactly why there are retransmits happening, but in general, the setup should work.
> > > > > > > >
> > > > > > > > [1] http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
> > > > > > > >
> > > > > > > > Regards
> > > > > > > > Noel Kuntze
> >
> > > > > > > > On 07.11.2013 23:03, Luka wrote:
> > > > > > > >> Ok, I've switched back to the following configuration and I can
> > > > > > > >> connect to the VPN again (back to the beginning: can connect but can't access the LAN
> > > > > > > >> behind the VPN):
> > > > > > > >>
> > > > > > > >> conn %default
> > > > > > > >>         keyexchange=ikev1
> > > > > > > >>         authby=xauthrsasig
> > > > > > > >>         xauth=server
> > > > > > > >>
> > > > > > > >> conn ios
> > > > > > > >>        left=86.xx.xx.x35
> > > > > > > >>        leftcert=serverLupoCert.pem
> > > > > > > >>        leftsubnet=192.168.2.0/24
> > > > > > > >>        leftfirewall=yes
> > > > > > > >>        right=%any
> > > > > > > >>        rightsourceip=10.3.0.1
> > > > > > > >>        auto=add
> > > > > > > >>        rightcert=clientLupoCert.pem
> > > > > > > >>
> > > > > > > >> Do I have to put the server's WAN IP address for "left" or the local IP?
> > > > > > > >>
> > > > > > > >> The configuration is similar to this one:
> > > > > > > >> http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/index.html
> > > > > > > >> I've checked the iptables -L output on that site
> > > > > > > >> (http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/moon.iptables)
> > > > > > > >> and compared it with mine.
> > > > > > > >> It looks like mine is missing some forwarding rules.
> > > > > > > >> Mine:
> > > > > > > >>
> > > > > > > >> iptables -L -v -n --line-numbers
> > > > > > > >>
> > > > > > > >> Chain INPUT (policy ACCEPT 109K packets, 9709K bytes)
> > > > > > > >> num   pkts bytes target     prot opt in     out     source               destination
> > > > > > > >> 1      236 31088 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
> > > > > > > >> 2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
> > > > > > > >> 3      196 68288 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
> > > > > > > >> 4        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
> > > > > > > >> 5     1138  105K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
> > > > > > > >> 6        0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
> > > > > > > >>
> > > > > > > >> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> > > > > > > >> num   pkts bytes target     prot opt in     out     source               destination
> > > > > > > >> 1        0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
> > > > > > > >> 2        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
> > > > > > > >> 3        5   344 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
> > > > > > > >> 4    22028 1928K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> > > > > > > >> 5        0     0 logdrop    all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
> > > > > > > >> 6       28  1432 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
> > > > > > > >> 7        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0
>            0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0> <
> http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0>
> <http://0.0.0.0/0>
> >
> > > > > > > >> 8     1344 80640 ACCEPT     all  --  *      *
> 0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <
> http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0>
>            0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0> <
> http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0>
> <http://0.0.0.0/0>           ctstate DNAT
> >
> > > > > > > >> 9    32811 2190K ACCEPT     all  --  br0    *
> 0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <
> http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0>
>            0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0> <
> http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0>
> <http://0.0.0.0/0>
> >
> >
> > > > > > > >> Chain OUTPUT (policy ACCEPT 109K packets, 19M bytes)
> >
> > > > > > > >> num   pkts bytes target     prot opt in     out     source
>               destination
> >
> > > > > > > >> 1        0     0 ACCEPT     esp  --  *      *
> 0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <
> http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0>
>            0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0> <
> http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0>
> <http://0.0.0.0/0>
> >
> >
> > > > > > > >> Chain FUPNP (0 references)
> >
> > > > > > > >> num   pkts bytes target     prot opt in     out     source
>               destination
> >
> >
> > > > > > > >> Chain PControls (0 references)
> >
> > > > > > > >> num   pkts bytes target     prot opt in     out     source
>               destination
> >
> > > > > > > >> 1        0     0 ACCEPT     all  --  *      *
> 0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <
> http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0>
>            0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0> <
> http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0>
> <http://0.0.0.0/0>
> >
> >
> > > > > > > >> Chain logaccept (0 references)
> >
> > > > > > > >> num   pkts bytes target     prot opt in     out     source
>               destination
> >
> > > > > > > >> 1        0     0 LOG        all  --  *      *
> 0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <
> http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0>
>            0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0> <
> http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0>
> <http://0.0.0.0/0>           state NEW LOG flags 7 level 4 prefix `ACCEPT
> '
> >
> > > > > > > >> 2        0     0 ACCEPT     all  --  *      *
> 0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <
> http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0>
>            0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0> <
> http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0>
> <http://0.0.0.0/0>
> >
> >
> > > > > > > >> Chain logdrop (2 references)
> >
> > > > > > > >> num   pkts bytes target     prot opt in     out     source
>               destination
> >
> > > > > > > >> 1        0     0 LOG        all  --  *      *
> 0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <
> http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0>
>            0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0> <
> http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0>
> <http://0.0.0.0/0>           state NEW LOG flags 7 level 4 prefix `DROP'
> >
> > > > > > > >> 2       28  1432 DROP       all  --  *      *
> 0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <
> http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0>
>            0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0> <
> http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0> <http://0.0.0.0/0>
> <http://0.0.0.0/0>
> >
> >
> > > > > > > >> If I understand the "leftfirewall=yes" command, it should put those rules into iptables.
> >
> > > > > > > >> I've checked the charon log file and found this error:
> >
> > > > > > > >> cat strongswancharon.log | grep iptables
> >
> > > > > > > >> Nov  7 22:59:06 11[CFG]   leftupdown=ipsec _updown iptables
> >
> > > > > > > >> Nov  7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name
> >
> > > > > > > >> Nov  7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name
> >
> >
> > > > > > > >> Am I missing some modules here or something?
> >
> > > > > > > >> How can I get/log those commands for iptables that strongswan executes?
> >
> >
> > > > > > > >> Thanks.
> >
> >
> >
> > > > > > > >> On Thu, Nov 7, 2013 at 6:25 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > > > > > > >> Hello Luka,
> >
> > > > > > > >> Your former configuration worked just fine. The problem was with the network or similar. It had nothing to do with strongSwan.
> >
> > > > > > > >> Regards
> > > > > > > >> Noel Kuntze
> >
> > > > > > > >> On 07.11.2013 10:51, Luka wrote:
> > > > > > > >>> Now I've tried to load modules by hand. I've added the following line to strongswan.conf:
> > > > > > > >>> load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve attr farp xauth-generic
> >
> > > > > > > >>> And if I check the charon logs, it looks like it connects and then immediately disconnects from the VPN.
> > > > > > > >>> Here are the interesting lines from the log file (I connect with the iPhone and get "Negotiation with the VPN server failed"):
> >
> > > > > > > >>> ...
> > > > > > > >>> Nov  7 10:31:12 14[CFG]   id '<server.wan.ip>' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=clientLupo'
> > > > > > > >>> ...
> > > > > > > >>> Nov  7 10:31:12 14[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=<server.wan.ip>'
> > > > > > > >>> ...
> > > > > > > >>> Nov  7 10:31:12 14[CFG] left is other host, swapping ends
> > > > > > > >>> ...
> > > > > > > >>> Nov  7 10:13:55 04[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> > > > > > > >>> ...
> > > > > > > >>> Nov  7 10:13:56 05[IKE] remote host is behind NAT
> > > > > > > >>> ...
> > > > > > > >>> Nov  7 10:13:57 11[IKE] XAuth authentication of 'lupo' successful
> > > > > > > >>> ...
> > > > > > > >>> Nov  7 10:13:57 12[IKE] IKE_SA ios[1] state change: CONNECTING => ESTABLISHED
> > > > > > > >>> ...
> > > > > > > >>> Nov  7 10:13:57 12[IKE] peer requested virtual IP %any
> > > > > > > >>> Nov  7 10:13:57 12[IKE] no virtual IP found for %any requested by 'lupo'
> > > > > > > >>> ...
> > > > > > > >>> Nov  7 10:14:13 05[ENC] parsing HASH_V1 payload finished
> > > > > > > >>> Nov  7 10:14:13 05[ENC] parsing DELETE_V1 payload, 40 bytes left
> > > > > > > >>> ...
> > > > > > > >>> Nov  7 10:14:13 05[ENC] parsing DELETE_V1 payload finished
> > > > > > > >>> ...
> > > > > > > >>> Nov  7 10:14:13 05[IKE] IKE_SA ios[1] state change: ESTABLISHED => DELETING
> > > > > > > >>> Nov  7 10:14:13 05[MGR] checkin and destroy IKE_SA ios[1]
> > > > > > > >>> Nov  7 10:14:13 05[IKE] IKE_SA ios[1] state change: DELETING => DESTROYING
> > > > > > > >>> Nov  7 10:14:13 05[MGR] check-in and destroy of IKE_SA successful
> > > > > > > >>> Nov  7 10:14:13 02[NET] waiting for data on sockets
> > > > > > > >>> Nov  7 10:14:25 15[JOB] got event, queuing job for execution
> > > > > > > >>> Nov  7 10:14:25 15[JOB] next event in 9732s 760ms, waiting
> > > > > > > >>> Nov  7 10:14:25 06[MGR] checkout IKE_SA
> >
> > > > > > > >>> Should I put something else instead of "right=%any"?
> >
> > > > > > > _______________________________________________
> > > > > > > Users mailing list
> > > > > > > > Users at lists.strongswan.org
> > > > > > > https://lists.strongswan.org/mailman/listinfo/users
> >
>
>
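The FORWARD chain quoted above explains the symptom in this thread: a decrypted client packet from the 10.0.0.0/24 pool arrives in state NEW, matches none of the nine rules and falls through to the DROP policy, which is what the rule inserted at the top of FORWARD in the latest mail addresses. The following Python is an added example, not code from the thread or from strongSwan: a simplified model of that chain walk that assumes decrypted packets enter on the WAN interface eth0 and the LAN bridge is br0, and models only the columns visible in the dump (no -m policy or port matches).

```python
# Added example, not from the thread: a simplified model of how netfilter walks
# the FORWARD chain quoted above (only the columns shown in that dump are modelled).
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    proto: str
    in_if: str
    out_if: str
    ct: frozenset = frozenset({"NEW"})  # conntrack state/status flags

@dataclass
class Rule:
    target: str
    proto: str = "all"
    in_if: str = "*"
    out_if: str = "*"
    src: str = "0.0.0.0/0"
    ct: tuple = ()  # "state"/"ctstate" column; empty matches any state

def _iface_ok(spec, actual):
    if spec.startswith("!"):  # negated interface, e.g. "!br0"
        return actual != spec[1:]
    return spec in ("*", actual)

def rule_matches(rule, pkt):
    return (rule.proto in ("all", pkt.proto)
            and _iface_ok(rule.in_if, pkt.in_if) and _iface_ok(rule.out_if, pkt.out_if)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and (not rule.ct or bool(set(rule.ct) & pkt.ct)))

def forward_verdict(rules, pkt, policy="DROP"):
    # (rule number, target) of the first matching rule, else (None, policy)
    for num, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return num, rule.target
    return None, policy

# The router's FORWARD chain, transcribed from the quoted iptables -L -v -n output.
ROUTER_FORWARD = [
    Rule("ACCEPT", proto="esp"),                    # 1: outer ESP packets only
    Rule("ACCEPT", in_if="tun21"),                  # 2
    Rule("ACCEPT", in_if="tun11"),                  # 3
    Rule("ACCEPT", ct=("RELATED", "ESTABLISHED")),  # 4
    Rule("logdrop", in_if="!br0", out_if="eth0"),   # 5
    Rule("logdrop", ct=("INVALID",)),               # 6
    Rule("ACCEPT", in_if="br0", out_if="br0"),      # 7
    Rule("ACCEPT", ct=("DNAT",)),                   # 8: ctstate DNAT
    Rule("ACCEPT", in_if="br0"),                    # 9
]

# The rule Luka later inserts at position 1 for the 10.0.0.0/24 virtual pool.
VPN_POOL_RULE = Rule("ACCEPT", src="10.0.0.0/24", ct=("NEW", "RELATED", "ESTABLISHED"))

def lan_reachable_from_vpn(rules):
    # Constructed packet: the iPhone's first TCP packet to the LAN host. Assumed to
    # enter on the WAN interface (eth0) after decryption, heading for the bridge br0.
    pkt = Packet("10.0.0.2", "tcp", in_if="eth0", out_if="br0")
    return forward_verdict(rules, pkt)
```

Without the pool rule the client packet reaches the chain policy and is dropped; with it, the packet is accepted by rule 1 while an unrelated NEW packet from the WAN still falls through to DROP.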