[strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10

G. B. gawd0wns at hotmail.com
Wed Sep 18 13:40:45 CEST 2013


> As suggested in my previous mail, you should check if the hosts on the
> LAN have a route to return packets to the IPsec clients.

Thanks for your prompt reply.  I have strongswan running on my lan router, which is acting as a gateway, dhcp server to the entire network.  I have not manually added any routes, because as I understood the documentation on forwarding, no manually added routes were required - "The virtual IPs are from a distinct subnet: If the VPN gateway is the default gateway of the accessed LAN nothing special has to be done." (http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling).  


> Are you using the default updown script to install these rules? Adding
> some debug logs to your script might help.

I am running the default scripts that came with the strongswan package.


> What does "ipsec statusall" show when such a tunnel is up?

Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):
  uptime: 7 minutes, since Sep 18 07:58:25 2013
  malloc: sbrk 221184, mmap 0, used 187616, free 33568
  worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/1/0
Listening IP addresses:
  99.234.220.200
  192.168.16.50
Connections:
         z10:  myhost.com...%any  IKEv2
         z10:   local:  [C=CA, O=none, CN=server] uses public key authentication
         z10:    cert:  "C=CA, O=none, CN=server"
         z10:   remote: [C=CA, O=none, CN=z10] uses public key authentication
         z10:   child:  0.0.0.0/24 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
         z10[2]: ESTABLISHED 7 minutes ago, 99.234.220.200[C=CA, O=none, CN=server]...24.114.94.100[C=CA, O=none, CN=z10]
         z10[2]: IKEv2 SPIs: ddf237166cae8ed5_i fb3ef59124377fba_r*, public key reauthentication in 48 minutes
         z10[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
         z10{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c7133340_i d518991a_o
         z10{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 6 minutes
         z10{1}:   0.0.0.0/24 === 10.10.10.1/32

The only thing I can see coming through the tunnel are keep-alive requests.

> Subject: Re: [strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10
> From: martin at strongswan.org
> To: gawd0wns at hotmail.com
> CC: users at lists.strongswan.org
> Date: Wed, 18 Sep 2013 10:23:18 +0200
> 
> Hi,
> 
> > Tcpdump is clearly showing the packets making their way to the client
> > (on my wan and lan), though I do not see anything coming back in
> > return.
> 
> As suggested in my previous mail, you should check if the hosts on the
> LAN have a route to return packets to the IPsec clients.
> 
> > Why did strongswan insert these rules
> 
> Because you have defined leftfirewall=yes or leftupdown?
> 
> > and what do they mean?
> 
> These rules enable forwarding of traffic coming in / going out of the
> tunnel should you have a DROP policy.
> 
> > Neither my client device or my strongswan server are on the
> > 67.215.65.0/24 ip range.  I have no idea where strongswan is getting
> > this 67.xxx network range.
> 
> Are you using the default updown script to install these rules? Adding
> some debug logs to your script might help.
> 
> What does "ipsec statusall" show when such a tunnel is up?
> 
> Regards
> Martin
> 
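Since the diagnosis in this thread turns on reading the "ipsec statusall" output (pool counters, whether the CHILD_SA is INSTALLED, and above all the bytes_i/bytes_o counters, which stay at 0 while only keep-alives cross the tunnel), here is an added example, not part of the original post or of strongSwan itself, that parses that output and turns the counters into the checks a practitioner asks first. The STATUSALL text is an excerpt copied from the output quoted above (plugin list and memory lines dropped); the regexes assume the strongSwan 5.x status line formats shown there, and the diagnose() wording is this example's own heuristics, not strongSwan's.

```python
import re

# Excerpt of the "ipsec statusall" output quoted in the post above (strongSwan 5.0.4).
STATUSALL = """\
Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):
  uptime: 7 minutes, since Sep 18 07:58:25 2013
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/1/0
Listening IP addresses:
  99.234.220.200
  192.168.16.50
Connections:
         z10:  myhost.com...%any  IKEv2
         z10:   child:  0.0.0.0/24 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
         z10[2]: ESTABLISHED 7 minutes ago, 99.234.220.200[C=CA, O=none, CN=server]...24.114.94.100[C=CA, O=none, CN=z10]
         z10[2]: IKEv2 SPIs: ddf237166cae8ed5_i fb3ef59124377fba_r*, public key reauthentication in 48 minutes
         z10[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
         z10{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c7133340_i d518991a_o
         z10{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 6 minutes
         z10{1}:   0.0.0.0/24 === 10.10.10.1/32
"""

# Line formats as printed by strongSwan 5.x "ipsec statusall" (assumption: unchanged layout).
POOL_RE = re.compile(r"^\s*(\S+): (\d+)/(\d+)/(\d+)$")
IKE_RE = re.compile(r"^\s*(\S+)\[(\d+)\]: (\w+) .*?, (\S+?)\[(.*?)\]\.\.\.(\S+?)\[(.*?)\]$")
CHILD_STATE_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(\w+), (\w+), (.*?)SPIs: (\w+)_i (\w+)_o")
CHILD_BYTES_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(\S+), (\d+) bytes_i, (\d+) bytes_o")
CHILD_TS_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(\S+) === (\S+)$")


def parse_statusall(text):
    """Pull the virtual IP pools, IKE_SAs and CHILD_SAs out of statusall output."""
    pools, ike_sas, child_sas = {}, {}, {}
    for line in text.splitlines():
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = {"size": int(m.group(2)), "online": int(m.group(3)),
                                 "offline": int(m.group(4))}
            continue
        m = IKE_RE.match(line)
        if m:
            ike_sas[(m.group(1), int(m.group(2)))] = {
                "state": m.group(3), "local": m.group(4), "local_id": m.group(5),
                "remote": m.group(6), "remote_id": m.group(7)}
            continue
        m = CHILD_STATE_RE.match(line)
        if m:
            child = child_sas.setdefault((m.group(1), int(m.group(2))), {})
            child.update(state=m.group(3), mode=m.group(4), nat_t="in UDP" in m.group(5),
                         spi_in=m.group(6), spi_out=m.group(7))
            continue
        m = CHILD_BYTES_RE.match(line)
        if m:
            child = child_sas.setdefault((m.group(1), int(m.group(2))), {})
            child.update(esp=m.group(3), bytes_in=int(m.group(4)), bytes_out=int(m.group(5)))
            continue
        m = CHILD_TS_RE.match(line)
        if m:
            child = child_sas.setdefault((m.group(1), int(m.group(2))), {})
            child.update(ts_local=m.group(3), ts_remote=m.group(4))
    return {"pools": pools, "ike_sas": ike_sas, "child_sas": child_sas}


def diagnose(report):
    """Map the byte counters to the first thing to check (this example's heuristics)."""
    findings = []
    for (conn, cid), child in sorted(report["child_sas"].items()):
        name = "%s{%d}" % (conn, cid)
        b_in, b_out = child.get("bytes_in", 0), child.get("bytes_out", 0)
        if child.get("state") != "INSTALLED":
            findings.append("%s: CHILD_SA not INSTALLED (%s)" % (name, child.get("state")))
        elif b_in == 0 and b_out == 0:
            # Keep-alives are not ESP payload, so they never move these counters.
            findings.append("%s: installed but no payload in either direction; check that "
                            "the selectors %s === %s match the traffic and that routes and "
                            "policies steer it into the tunnel"
                            % (name, child.get("ts_local"), child.get("ts_remote")))
        elif b_in > 0 and b_out == 0:
            findings.append("%s: client packets arrive but nothing is sent back; check that "
                            "LAN hosts route replies for %s via this gateway and that the "
                            "FORWARD chain accepts them" % (name, child.get("ts_remote")))
        elif b_in == 0 and b_out > 0:
            findings.append("%s: gateway sends but the client returns nothing; look at the "
                            "client side or the NAT-T path" % name)
    for net, pool in report["pools"].items():
        if pool["online"] == 0:
            findings.append("pool %s: no virtual IP currently assigned" % net)
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_statusall(STATUSALL)):
        print(finding)
```

Run against the output quoted in this thread it reports a single finding for z10{1}: the SA is INSTALLED with NAT-T in use, but 0 bytes_i and 0 bytes_o, which points at routing and policy rather than at IKE or certificate authentication. Feed it the output of `ipsec statusall` on a live gateway instead of the embedded excerpt to get the same split for other tunnels.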