[strongSwan] Beginner needs some help, please!

Franz Fischer Franz.FD.Fischer at web.de
Tue Jun 23 10:21:37 CEST 2015


Hello!

I'm trying to get an encrypted mobile connection from my Windows Phone
8.1 to my local network working. My situation looks like this:

local: home net (192.168.178.xxx/24) is behind a Fritzbox.
mobile: smartphone with Windows 8.1 (GSM: IP address starts with 10. -
netmask unknown, WLAN: 192.168.178.23)
strongSwan: running on Arch Linux on a Raspberry Pi (IP: 192.168.178.25)

I already generated certificates (client, server and self-signed CA) and
configured the server and the mobile phone. For the first tests, the phone is
connected using wifi. The result is a positive message from the smartphone
and from strongSwan about an established connection, but no data transfer
works. Can someone help?

iptables-save shows:
# Generated by iptables-save v1.4.21 on Tue Jun 23 08:17:29 2015
*raw
:PREROUTING ACCEPT [31427:14359794]
:OUTPUT ACCEPT [18172:1790390]
-A OUTPUT -p udp -j TRACE
COMMIT
# Completed on Tue Jun 23 08:17:29 2015
# Generated by iptables-save v1.4.21 on Tue Jun 23 08:17:29 2015
*filter
:INPUT ACCEPT [440:101455]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [116:5788]
-A INPUT -s 192.168.250.1/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.250.1/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -d 192.168.250.1/32 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A OUTPUT -d 192.168.250.1/32 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT
# Completed on Tue Jun 23 08:17:29 2015
# Generated by iptables-save v1.4.21 on Tue Jun 23 08:17:29 2015
*nat
:PREROUTING ACCEPT [175:40669]
:INPUT ACCEPT [169:40365]
:OUTPUT ACCEPT [8:632]
:POSTROUTING ACCEPT [8:632]
-A PREROUTING -j LOG
-A POSTROUTING -s 192.168.250.0/24 -j MASQUERADE
COMMIT
# Completed on Tue Jun 23 08:17:29 2015

This is my ipsec.conf:
# basic configuration

config setup
        strictcrlpolicy=no
        # uniqueids = no

# Add connections here.

# Connection from Windows Phone 8.1 with client certificate
conn eap-tls
        keyexchange=ikev2
        left=%any
        leftsubnet=0.0.0.0/0
        leftid=@fischefr.ddns.net
        leftcert=vpnHostCert.pem
        leftauth=pubkey
        leftfirewall=yes
        right=%any
        rightauth=eap-tls
        rightsourceip=192.168.250.0/24
        eap_identity=%any
        auto=start
#        rightsendcert=never
        lefthostaccess=yes
        compress=yes



Could someone give me advice?
Sorry for my "improvable" English.
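The post shows the gateway's iptables-save output and an ipsec.conf with leftfirewall=yes and a rightsourceip pool of 192.168.250.0/24. When a tunnel comes up but no traffic flows, the first thing to verify on the gateway is that the firewall actually lets traffic from the virtual-IP pool be forwarded and NATed. The following script is an added example (not from the post, and not strongSwan's own tooling): it parses iptables-save output, re-joins rules that a mail client has wrapped onto a second line, and checks the four things a strongSwan gateway needs for that pool: an accepting FORWARD chain or the IPsec policy rules that the leftfirewall updown script inserts (inbound from the pool, outbound to the pool), plus a MASQUERADE rule covering the pool. The sample input is the poster's own rule set; the pool value is taken from the posted ipsec.conf.

```python
import ipaddress

# Constructed sample input: the iptables-save output quoted in the post,
# including the long rules as the mail client wrapped them.
SAMPLE = """\
# Generated by iptables-save v1.4.21 on Tue Jun 23 08:17:29 2015
*raw
:PREROUTING ACCEPT [31427:14359794]
:OUTPUT ACCEPT [18172:1790390]
-A OUTPUT -p udp -j TRACE
COMMIT
*filter
:INPUT ACCEPT [440:101455]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [116:5788]
-A INPUT -s 192.168.250.1/32 -i eth0 -m policy --dir in --pol ipsec
--reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.250.1/32 -i eth0 -m policy --dir in --pol ipsec
--reqid 1 --proto esp -j ACCEPT
-A FORWARD -d 192.168.250.1/32 -o eth0 -m policy --dir out --pol ipsec
--reqid 1 --proto esp -j ACCEPT
-A OUTPUT -d 192.168.250.1/32 -o eth0 -m policy --dir out --pol ipsec
--reqid 1 --proto esp -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [175:40669]
:INPUT ACCEPT [169:40365]
:OUTPUT ACCEPT [8:632]
:POSTROUTING ACCEPT [8:632]
-A PREROUTING -j LOG
-A POSTROUTING -s 192.168.250.0/24 -j MASQUERADE
COMMIT
"""


def parse_iptables_save(text):
    """Parse iptables-save output into
    {table: {'policies': {chain: policy}, 'rules': [[token, ...], ...]}}.
    A line that starts with '--' is treated as the continuation of the
    previous rule, which is how mail clients wrap long iptables lines."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('*'):
            table = line[1:]
            tables[table] = {'policies': {}, 'rules': []}
        elif line.startswith(':'):
            chain, policy = line[1:].split()[:2]
            tables[table]['policies'][chain] = policy
        elif line.startswith('-A '):
            tables[table]['rules'].append(line.split())
        elif line.startswith('--') and tables[table]['rules']:
            tables[table]['rules'][-1].extend(line.split())
        elif line == 'COMMIT':
            table = None
    return tables


def _opt(tokens, flag):
    """Value following a flag in a tokenised rule, or None if absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def _covers(addr, pool):
    """True if a rule's host or prefix lies inside the client pool."""
    return addr is not None and ipaddress.ip_network(addr, strict=False).subnet_of(pool)


def audit_pool(text, pool_cidr):
    """Check the firewall pieces a strongSwan gateway needs so that clients
    holding a virtual IP from pool_cidr (the rightsourceip pool) can reach
    the LAN. Returns one boolean per check."""
    pool = ipaddress.ip_network(pool_cidr)
    tables = parse_iptables_save(text)
    empty = {'policies': {}, 'rules': []}
    filt = tables.get('filter', empty)
    nat = tables.get('nat', empty)
    # Only FORWARD rules that match on IPsec policy (what leftfirewall=yes adds).
    fwd = [r for r in filt['rules'] if r[1] == 'FORWARD' and _opt(r, '--pol') == 'ipsec']
    return {
        # FORWARD chain accepts by default (otherwise the policy rules must carry it)
        'forward_default_accept': filt['policies'].get('FORWARD') == 'ACCEPT',
        # packets arriving from a pool client through the tunnel may be forwarded
        'forward_in_from_pool': any(_opt(r, '--dir') == 'in' and _covers(_opt(r, '-s'), pool)
                                    for r in fwd),
        # replies addressed to a pool client are allowed out through the tunnel
        'forward_out_to_pool': any(_opt(r, '--dir') == 'out' and _covers(_opt(r, '-d'), pool)
                                   for r in fwd),
        # pool clients are source-NATed so LAN hosts can answer without a route back
        'masquerade_for_pool': any(r[1] == 'POSTROUTING' and _opt(r, '-j') == 'MASQUERADE'
                                   and _covers(_opt(r, '-s'), pool) for r in nat['rules']),
    }


if __name__ == '__main__':
    for check, ok in audit_pool(SAMPLE, '192.168.250.0/24').items():
        print(f"{check:24s} {'ok' if ok else 'MISSING'}")
```

Run against the poster's rule set, every check passes: the per-client /32 policy rules that leftfirewall=yes installs for 192.168.250.1 are present and the pool is masqueraded, so the iptables side is not what blocks the traffic. The script only audits rules; it cannot tell whether the kernel is allowed to forward at all, which is the separate sysctl net.ipv4.ip_forward=1 that a gateway needs before anything in the FORWARD chain is consulted.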


