[strongSwan] Can connect to strongSwan, but can't access local network and internet

Luka Hlastec luka.hlastec at gmail.com
Sun Dec 28 20:55:15 CET 2014


Problem solved (thanks Thermi from #strongswan for hints).
Read this link:
https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

I used the following config:

#ipsec.conf - strongSwan IPsec configuration file

config setup
        uniqueids=never
        charondebug="cfg 2, dmn 2, ike 2, net 2, ike 1"

conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        #
        #LEFT(SERVER)
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=vpnHostCert.pem
        #
        #RIGHT(CLIENT)
        right=%any
        rightsubnet=10.0.0.0/24
        rightsourceip=10.0.0.0/24
        ##rightsourceip=10.0.0.2
        #rightsubnet=192.168.2.0/0
        rightdns=192.168.2.1
        #rightsourceip=%dhcp
        rightcert=ClientCert.pem
        #pfs=no
        dpdaction=clear
        #added afterwards
        forceencaps=yes
        auto=add

and added the following NAT rules:
iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -m policy --dir out \
    --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE




On Sun, Dec 28, 2014 at 7:38 PM, Luka Hlastec <luka.hlastec at gmail.com>
wrote:

> Hi.
>
> I've some problems with strongSwan - I can connect to the server (strongSwan
> v5.0.4, IKEv1, using certificates) with my iPhone (iOS 8), but I can't access
> the local network or the internet.
>
> I'm using the following config file:
>
> ###########
>
> #ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>         uniqueids=never
>         charondebug="cfg 2, dmn 2, ike 2, net 2, ike 1"
>
> conn ios
>         keyexchange=ikev1
>         authby=xauthrsasig
>         xauth=server
>         #
>         #LEFT(SERVER)
>         left=%defaultroute
>         leftsubnet=0.0.0.0/0
>         leftfirewall=yes
>         leftcert=vpnHostCert.pem
>         #
>         #RIGHT(CLIENT)
>         right=%any
>         rightsubnet=10.0.0.0/24
>         rightsourceip=10.0.0.0/24
>         rightcert=ClientCert.pem
>         dpdaction=clear
>         auto=add
>
> ###########END
>
>
> LAN subnet: 192.168.2.x
>
> WAN IP: 86.158.x.x
>
>
> My LAN is behind a firewall (192.168.2.1) - I've set up port redirection (IPsec
> ports - UDP 500 and 4500) to the strongSwan server (Raspberry Pi,
> 192.168.2.102).
>
> I've also set the following on the Raspberry Pi:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
> echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
>
>
> Status of connection:
>
> >ipsec status
> Security Associations (1 up, 0 connecting):
>          ios[1]: ESTABLISHED 38 seconds ago, 192.168.2.102[C=CH, O=strongSwan, CN=86.158.x.x]...188.198.x.x[C=CH, O=strongSwan, CN=xxx.xxx at gmail.com]
>          ios{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c5dd1b9d_i 069cc5f0_o
>          ios{1}:   0.0.0.0/0 === 10.0.0.1/32
>
> Can someone help me with the iptables settings? How do I set it up so that
> strongSwan clients will be able to access the LAN subnet?
>
>
> Thanks
>
>
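The fix in this thread rests on three things fitting together: ip_forward being enabled, a POSTROUTING MASQUERADE rule that covers the virtual IP pool handed out by rightsourceip, and a `-m policy --dir out --pol ipsec -j ACCEPT` exemption listed before it so that traffic which re-enters IPsec is not NATed. The script below is an added example, not code from the list post or from strongSwan: it parses an ipsec.conf excerpt and the iptables commands as text (the sample input is reconstructed from the reply above) and reports when the pool, the NAT rules and their order do not line up. The ip_forward value is passed in as a parameter rather than read from /proc, so it runs anywhere; the function names and the assumption that iptables masks host bits in `-s 10.0.0.1/24` to 10.0.0.0/24 are mine.

```python
# Added sanity check for the forwarding/NAT setup discussed in this thread.
# Not part of the mailing-list post or of strongSwan; it only inspects text
# (an ipsec.conf excerpt and the iptables commands), it does not touch the host.
import ipaddress
import shlex

# Constructed sample input: the working ipsec.conf from the reply above.
SAMPLE_IPSEC_CONF = """\
config setup
        uniqueids=never
        charondebug="cfg 2, dmn 2, ike 2, net 2, ike 1"

conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=vpnHostCert.pem
        right=%any
        rightsubnet=10.0.0.0/24
        rightsourceip=10.0.0.0/24
        rightdns=192.168.2.1
        rightcert=ClientCert.pem
        dpdaction=clear
        #added afterwards
        forceencaps=yes
        auto=add
"""

# Constructed sample input: the two NAT rules from the reply, in the order given.
SAMPLE_NAT_RULES = [
    "iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0"
    " -m policy --dir out --pol ipsec -j ACCEPT",
    "iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE",
]


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {"conn ios": {key: value}, ...}.

    Section headers start in column 0 ("conn ios", "config setup"); indented
    key=value lines belong to the current section; '#' starts a comment.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            current = sections.setdefault(" ".join(line.split()), {})
        elif current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections


def parse_nat_rule(rule):
    """Extract the fields of an iptables command that this check cares about."""
    argv = shlex.split(rule)
    info = {"table": "filter", "chain": None, "src": None, "target": None,
            "pol": None, "dir": None}
    names = {"-t": "table", "-A": "chain", "-I": "chain", "-j": "target",
             "--pol": "pol", "--dir": "dir"}
    for i, arg in enumerate(argv[:-1]):
        if arg in names:
            info[names[arg]] = argv[i + 1]
        elif arg == "-s":
            # iptables masks host bits, so -s 10.0.0.1/24 means 10.0.0.0/24
            info["src"] = ipaddress.ip_network(argv[i + 1], strict=False)
    return info


def check_setup(conf_text, nat_rules, ip_forward=1):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    if ip_forward != 1:
        findings.append("net.ipv4.ip_forward is not 1: the gateway will not "
                        "forward client traffic")
    post = [r for r in map(parse_nat_rule, nat_rules)
            if r["table"] == "nat" and r["chain"] == "POSTROUTING"]
    for name, conn in parse_ipsec_conf(conf_text).items():
        pool = conn.get("rightsourceip")
        if not name.startswith("conn ") or not pool or pool.startswith("%"):
            continue  # no static virtual-IP pool to NAT (e.g. %dhcp)
        pool_net = ipaddress.ip_network(pool, strict=False)

        def covers(rule):
            return rule["src"] is not None and pool_net.subnet_of(rule["src"])

        masq = [i for i, r in enumerate(post)
                if r["target"] in ("MASQUERADE", "SNAT") and covers(r)]
        exempt = [i for i, r in enumerate(post)
                  if r["target"] == "ACCEPT" and r["pol"] == "ipsec"
                  and r["dir"] == "out" and covers(r)]
        if not masq:
            findings.append(f"{name}: no POSTROUTING MASQUERADE/SNAT rule "
                            f"covers pool {pool_net}")
        elif not exempt:
            findings.append(f"{name}: no '-m policy --dir out --pol ipsec -j "
                            "ACCEPT' rule; traffic re-entering IPsec is NATed too")
        elif exempt[0] > masq[0]:
            findings.append(f"{name}: the IPsec policy exemption is listed "
                            "after MASQUERADE and never matches")
    return findings


if __name__ == "__main__":
    for finding in check_setup(SAMPLE_IPSEC_CONF, SAMPLE_NAT_RULES) or ["OK"]:
        print(finding)
```

Feeding it the thread's own rules yields no findings; swapping the two iptables lines, or leaving out the policy exemption, is reported, which is the kind of ordering mistake that is easy to miss when the tunnel itself shows ESTABLISHED in `ipsec status`.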