[strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10

G. B. gawd0wns at hotmail.com
Wed Sep 18 04:24:15 CEST 2013


Strongswan (v5.0.4) is running on my gateway.  Tcpdump is clearly showing the packets making their way to the client (on my wan and lan), though I do not see anything coming back in return.  I don't think the packets are being filtered on the way to the client device or back; I connected the device to my wifi network and experience the same issues.  I currently have the following firewall rules enabled:

iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT

when the tunnel comes up, two more entries are added:

ACCEPT     all  --  10.10.10.1           67.215.65.0/24      policy match dir in pol ipsec reqid 1 proto ipv6-crypt
ACCEPT     all  --  67.215.65.0/24       10.10.10.1          policy match dir out pol ipsec reqid 1 proto ipv6-crypt


Why did strongswan insert these rules and what do they mean?  Neither my client device nor my strongswan server is on the 67.215.65.0/24 IP range.  I have no idea where strongswan is getting this 67.xxx network range.  Is this correct?

> Subject: Re: [strongSwan] FW:  ikev2 vpn using PKI auth with a Blackberry Z10
> From: martin at strongswan.org
> To: gawd0wns at hotmail.com
> CC: users at lists.strongswan.org
> Date: Mon, 16 Sep 2013 09:46:05 +0200
> 
> Hi,
> 
> > client device (24.114.94.100) connect to the server (99.234.220.200,
> > LAN ip-192.168.16.50) via public key authentication, and to have access
> > to the LAN (192.168.16.0/24) behind the server.  [...] I cannot ping
> > between the host and client, or reach the subnet behind the host. 
> > There are no errors when connecting, and I am issued a virtual ip
> > (10.10.10.1):
> 
> I assume that the VPN client has a route to the host you ping. But does
> the host in your LAN have a route to the client, i.e. does it know where
> 10.10.10.1 is?
> 
> If the IPsec gateway is not your default gateway, you'll have to install
> a route on each LAN host for the 10.10.10.0/24 subnet.
> 
> Alternatively you might consider assigning unused addresses from
> 192.168.16.0/24 to the clients, statically or using the dhcp plugin.
> Then the farp plugin on your IPsec gateway could take care of responding
> to ARP responses on behalf of the IPsec clients.
> 
> If that all does not help, you should run a network sniffer to see where
> your pings get lost. Also, make sure IP forwarding is enabled on the
> IPsec gateway.
> 
> Regards
> Martin
> 
> [1]http://wiki.strongswan.org/projects/strongswan/wiki/FARPPlugin
> 
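The two "policy match" entries above are what strongSwan's default updown script installs for a connection with leftfirewall=yes: an `iptables -m policy --dir in|out --pol ipsec --reqid N --proto esp` pair whose source and destination are the negotiated traffic selectors of that SA (PLUTO_PEER_CLIENT and PLUTO_MY_CLIENT in the updown environment), and `proto ipv6-crypt` is simply how `iptables -L` prints protocol 50 (ESP) on a system whose /etc/protocols names that number ipv6-crypt. The script below is an added example, not strongSwan's own updown script or the poster's configuration: it re-creates the rule pair from constructed PLUTO-style values (the reqid and addresses are the ones shown in the post) and bundles the two checks suggested in the reply, IP forwarding on the gateway and a LAN-host route for the virtual-IP subnet. The `ip route` lines fed to `has_route` are constructed sample output.

```shell
#!/bin/sh
# Added example (not strongSwan project code). Approximates the firewall rules
# strongSwan's updown script inserts for one IPsec SA and checks two of the
# points raised in the reply. All addresses below are sample values.

# Emit (without executing) the rule pair for one SA.
#   $1 = reqid, $2 = peer traffic selector (PLUTO_PEER_CLIENT),
#   $3 = local traffic selector (PLUTO_MY_CLIENT)
# `iptables -L` renders "-m policy --dir in --pol ipsec --reqid 1 --proto esp"
# as "policy match dir in pol ipsec reqid 1 proto ipv6-crypt" when
# /etc/protocols names protocol 50 "ipv6-crypt" instead of "esp".
updown_rules() {
    reqid="$1"; peer_client="$2"; my_client="$3"
    printf 'iptables -I INPUT -s %s -d %s -m policy --dir in --pol ipsec --reqid %s --proto esp -j ACCEPT\n' \
        "$peer_client" "$my_client" "$reqid"
    printf 'iptables -I OUTPUT -s %s -d %s -m policy --dir out --pol ipsec --reqid %s --proto esp -j ACCEPT\n' \
        "$my_client" "$peer_client" "$reqid"
}

# True when the gateway forwards IPv4. An alternative sysctl file path may be
# passed as $1 (used to test against a constructed file).
check_ip_forward() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Read `ip route` output on stdin; true when an entry for prefix $1 exists.
# Run on a LAN host to see whether it knows where the virtual-IP subnet lives.
has_route() {
    awk -v p="$1" '$1 == p { found = 1 } END { exit !found }'
}

# Demonstration with the values from the post: reqid 1, virtual IP 10.10.10.1
# on the peer side, 67.215.65.0/24 as the local traffic selector.
updown_rules 1 10.10.10.1 67.215.65.0/24

if check_ip_forward; then
    echo "ip_forward=1 on this host"
else
    echo "ip_forward is not enabled (or sysctl file unreadable) on this host"
fi

# Constructed `ip route` output for a LAN host without a route to 10.10.10.0/24.
printf '%s\n' 'default via 192.168.16.1 dev eth0' \
               '192.168.16.0/24 dev eth0 scope link' |
    has_route 10.10.10.0/24 || echo "LAN host has no route to 10.10.10.0/24"
```

Reading the generated pair back against the post: the address on the `-d` side of the `dir in` rule is the gateway's own traffic selector for that SA, so a range appearing there comes from what the connection negotiated (the configured leftsubnet/rightsubnet on either side), not from either peer's outer IP address.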