[strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10
gawd0wns at hotmail.com
Wed Sep 18 04:24:15 CEST 2013
Strongswan (v5.0.4) is running on my gateway. Tcpdump is clearly showing the packets making their way to the client (on my wan and lan), though I do not see anything coming back in return. I don't think the packets are being filtered on the way to the client device or back; I connected the device to my wifi network and experience the same issues. I currently have the following firewall rules enabled:
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
when the tunnel comes up, two more entries are added:
ACCEPT all -- 10.10.10.1 220.127.116.11/24 policy match dir in pol ipsec reqid 1 proto ipv6-crypt
ACCEPT all -- 18.104.22.168/24 10.10.10.1 policy match dir out pol ipsec reqid 1 proto ipv6-crypt
Why did strongswan insert these rules and what do they mean? Neither my client device or my strongswan server are on the 22.214.171.124/24 ip range. I have no idea where strongswan is getting this 67.xxx network range. Is this correct?
> Subject: Re: [strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10
> From: martin at strongswan.org
> To: gawd0wns at hotmail.com
> CC: users at lists.strongswan.org
> Date: Mon, 16 Sep 2013 09:46:05 +0200
> > client device (126.96.36.199) connect to the server (188.8.131.52,
> > LAN ip-192.168.16.50) via public key authentication, and to have access
> > to the LAN (192.168.16.0/24) behind the server. [...] I cannot ping
> > between the host and client, or reach the subnet behind the host.
> > There are no errors when connecting, and I am issued a virtual ip
> > (10.10.10.1):
> I assume that the VPN client has a route to the host you ping. But does
> the host in your LAN has a route to the client, i.e. does it know where
> 10.10.10.1 is?
> If the IPsec gateway is not your default gateway, you'll have to install
> a route on each LAN host for the 10.10.10.0/24 subnet.
> Alternatively you might consider assigning unused addresses from
> 192.168.16.0/24 to the clients, statically or using the dhcp plugin.
> Then the farp plugin on your IPsec gateway could take care of responding
> to ARP responses on behalf of the IPsec clients.
> If that all does not help, you should run a network sniffer to see where
> your pings gets lost. Also, make sure IP forwarding is enabled on the
> IPsec gateway.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users