[strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10
G. B.
gawd0wns at hotmail.com
Wed Sep 18 04:24:15 CEST 2013
Strongswan (v5.0.4) is running on my gateway. Tcpdump is clearly showing the packets making their way to the client (on my wan and lan), though I do not see anything coming back in return. I don't think the packets are being filtered on the way to the client device or back; I connected the device to my wifi network and experience the same issues. I currently have the following firewall rules enabled:
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
when the tunnel comes up, two more entries are added:
ACCEPT all -- 10.10.10.1 67.215.65.0/24 policy match dir in pol ipsec reqid 1 proto ipv6-crypt
ACCEPT all -- 67.215.65.0/24 10.10.10.1 policy match dir out pol ipsec reqid 1 proto ipv6-crypt
Why did strongswan insert these rules and what do they mean? Neither my client device or my strongswan server are on the 67.215.65.0/24 ip range. I have no idea where strongswan is getting this 67.xxx network range. Is this correct?
> Subject: Re: [strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10
> From: martin at strongswan.org
> To: gawd0wns at hotmail.com
> CC: users at lists.strongswan.org
> Date: Mon, 16 Sep 2013 09:46:05 +0200
>
> Hi,
>
> > client device (24.114.94.100) connect to the server (99.234.220.200,
> > LAN ip-192.168.16.50) via public key authentication, and to have access
> > to the LAN (192.168.16.0/24) behind the server. [...] I cannot ping
> > between the host and client, or reach the subnet behind the host.
> > There are no errors when connecting, and I am issued a virtual ip
> > (10.10.10.1):
>
> I assume that the VPN client has a route to the host you ping. But does
> the host in your LAN has a route to the client, i.e. does it know where
> 10.10.10.1 is?
>
> If the IPsec gateway is not your default gateway, you'll have to install
> a route on each LAN host for the 10.10.10.0/24 subnet.
>
> Alternatively you might consider assigning unused addresses from
> 192.168.16.0/24 to the clients, statically or using the dhcp plugin.
> Then the farp plugin on your IPsec gateway could take care of responding
> to ARP responses on behalf of the IPsec clients.
>
> If that all does not help, you should run a network sniffer to see where
> your pings gets lost. Also, make sure IP forwarding is enabled on the
> IPsec gateway.
>
> Regards
> Martin
>
> [1]http://wiki.strongswan.org/projects/strongswan/wiki/FARPPlugin
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130918/9ec95bfa/attachment.html>
More information about the Users
mailing list