[strongSwan] Forecast plugin on a Mac/iOS environment (IKEv2)

Claus Sebastian Hinrichs 7k96bt3x at hinrichs.io
Fri Feb 3 16:36:34 CET 2017


Hi!
I'm trying to get my strongSwan setup to work with the forecast plugin in a Mac/iOS-friendly environment.
I'm using strongSwan 5.5.1 on LEDE Reboot r3267 and the native VPN clients on macOS Sierra and iOS 10.
The scenario is as follows:

  ------------                ----------------
 | VPN Client |______________| Router Gateway |______ _ _ _ _ _ _
 | macOS      |    tunnel    | LEDE r3267     |        internet
  ------------                ----------------
                                      |
                              -----------------
                             |                 |
                       ------------       ------------
                      | LAN client |     | LAN Server |
                       ------------       ------------

I successfully got the VPN working with the following setup on the LEDE router:

$ cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

conn %default
	keyexchange=ikev2
	left=%any
	leftid=[vpn-gateway-fqdn]
	leftcert=serverCert.pem
	leftsubnet=0.0.0.0/0,::/0
	leftfirewall=yes
	right=%any
	rightsourceip=%dhcp
	rightsubnet=%dynamic,224.0.0.0/4,10.0.1.255
	rightdns=10.0.1.1
	mark=%unique
	auto=add
	ike=aes256-aes128-sha256-sha1-modp2048-modp1024
	esp=aes256-aes128-sha1

conn x509
	dpdaction=clear
	#rightcert=clientCert.pem
	rightid=*@[domain]
	authby=pubkey

conn eap-tls
	leftauth=pubkey
	#rightcert=clientCert.pem
	rightid=*@[domain]
	rightauth=eap-tls
	eap_identity=%any

$ cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
  threads = 8
  load_modular = yes
  plugins {
    dhcp {
      force_server_address = yes
      identity_lease = yes
      server = 10.0.1.255
    }
    forecast {
      interface = br-lan
      reinject = x509,eap-tls
    }
    include strongswan.d/charon/*.conf
  }
}
#include strongswan.d/*.conf

$ cat /etc/firewall.user
iptables -I INPUT --src 10.0.1.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD --src 10.0.1.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD --dst 10.0.1.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT --dst 10.0.1.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT

I can't use split-tunneling since macOS/iOS won't resolve names within the LAN unless I have leftsubnet=0.0.0.0/0. So all the traffic gets routed through the tunnel.

The thing is, when I add mark=%unique to ipsec.conf, I can still ping clients in the LAN, but internet traffic gets dropped when connected to the tunnel. If I remove mark=%unique, it works flawlessly, but traffic won't get marked, which I need for the forecast plugin.

I can see in the logs that the domain names are properly resolved, but it seems that the traffic originating in the VPN client and going outside the local network gets dropped.

Finally, when connected to the VPN with mark=%unique and the forecast plugin loaded, I can't see any broadcast/multicast from the VPN client. I mostly use avahi-daemon to broadcast shares within the LAN, but can't see any of them.

$ ip xfrm policy show
src 224.0.0.0/4 dst 0.0.0.0/0
	dir fwd priority 198976
	mark 0x2/0xffffffff
	tmpl src [vpn-client-ip] dst [vpn-gateway-ip]
		proto esp reqid 2 mode tunnel
src 224.0.0.0/4 dst 0.0.0.0/0
	dir in priority 198976
	mark 0x2/0xffffffff
	tmpl src [vpn-client-ip] dst [vpn-gateway-ip]
		proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 224.0.0.0/4
	dir out priority 198976
	mark 0x2/0xffffffff
	tmpl src [vpn-gateway-ip] dst [vpn-client-ip]
		proto esp reqid 2 mode tunnel
src 10.0.1.255/32 dst 0.0.0.0/0
	dir fwd priority 191808
	mark 0x2/0xffffffff
	tmpl src [vpn-client-ip] dst [vpn-gateway-ip]
		proto esp reqid 2 mode tunnel
src 10.0.1.255/32 dst 0.0.0.0/0
	dir in priority 191808
	mark 0x2/0xffffffff
	tmpl src [vpn-client-ip] dst [vpn-gateway-ip]
		proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 10.0.1.255/32
	dir out priority 191808
	mark 0x2/0xffffffff
	tmpl src [vpn-gateway-ip] dst [vpn-client-ip]
		proto esp reqid 2 mode tunnel
src 10.0.1.239/32 dst 0.0.0.0/0
	dir fwd priority 191808
	mark 0x2/0xffffffff
	tmpl src [vpn-client-ip] dst [vpn-gateway-ip]
		proto esp reqid 2 mode tunnel
src 10.0.1.239/32 dst 0.0.0.0/0
	dir in priority 191808
	mark 0x2/0xffffffff
	tmpl src [vpn-client-ip] dst [vpn-gateway-ip]
		proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 10.0.1.239/32
	dir out priority 191808
	mark 0x2/0xffffffff
	tmpl src [vpn-gateway-ip] dst [vpn-client-ip]
		proto esp reqid 2 mode tunnel

Any ideas?
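The policy dump above is the key artifact: every policy carries mark 0x2 with mask 0xffffffff, and the Linux xfrm lookup only selects a policy for a packet when (skb->mark & mask) == value. A packet that reaches the forwarding path with mark 0, or with any additional mark bit set by some other mangle rule, matches none of these policies and is therefore never steered into the tunnel. The following script is an added example (not part of the original post, and not strongSwan code): it parses the `ip xfrm policy show` text format and answers "which policy would this flow hit with this mark?" for a handful of flows. The embedded dump is constructed from the one in the post, trimmed to the lease 10.0.1.239 and the multicast range, with the placeholders replaced by documentation addresses (203.0.113.10 for the VPN client, 198.51.100.1 for the gateway). The policies for 10.0.1.255 and the `in` direction were left out only for brevity; they parse the same way.

```python
"""Which xfrm policy does a flow hit once the policies carry a mark?

Added example, not part of the original post or of strongSwan. The dump is
constructed from the `ip xfrm policy show` output in the post, with
203.0.113.10 = VPN client and 198.51.100.1 = VPN gateway as assumed
addresses. Matching follows the kernel's rule: a policy applies only if
(skb->mark & mask) == value; among matches the lowest priority number wins.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (see module docstring); same shape as the real dump.
SAMPLE_POLICY_DUMP = """\
src 224.0.0.0/4 dst 0.0.0.0/0
	dir fwd priority 198976
	mark 0x2/0xffffffff
	tmpl src 203.0.113.10 dst 198.51.100.1
		proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 224.0.0.0/4
	dir out priority 198976
	mark 0x2/0xffffffff
	tmpl src 198.51.100.1 dst 203.0.113.10
		proto esp reqid 2 mode tunnel
src 10.0.1.239/32 dst 0.0.0.0/0
	dir fwd priority 191808
	mark 0x2/0xffffffff
	tmpl src 203.0.113.10 dst 198.51.100.1
		proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 10.0.1.239/32
	dir out priority 191808
	mark 0x2/0xffffffff
	tmpl src 198.51.100.1 dst 203.0.113.10
		proto esp reqid 2 mode tunnel
"""


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str = ""
    priority: int = 0
    mark_value: int = 0   # no "mark" line in the dump means 0/0: matches any mark
    mark_mask: int = 0
    reqid: int = 0


def parse_xfrm_policies(dump: str) -> List[Policy]:
    """Parse the text form of `ip xfrm policy show` into Policy records."""
    policies: List[Policy] = []
    cur: Optional[Policy] = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("src "):          # selector line opens a new policy
            m = re.match(r"src (\S+) dst (\S+)", line)
            cur = Policy(ipaddress.ip_network(m.group(1), strict=False),
                         ipaddress.ip_network(m.group(2), strict=False))
            policies.append(cur)
        elif cur is None:
            continue
        elif line.startswith("dir "):
            m = re.match(r"dir (\w+) priority (\d+)", line)
            cur.direction, cur.priority = m.group(1), int(m.group(2))
        elif line.startswith("mark "):
            m = re.match(r"mark (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)", line)
            cur.mark_value, cur.mark_mask = int(m.group(1), 16), int(m.group(2), 16)
        elif line.startswith("proto "):      # template: proto esp reqid N mode tunnel
            m = re.match(r"proto \w+ reqid (\d+)", line)
            cur.reqid = int(m.group(1))
    return policies


def lookup_policy(policies: List[Policy], src: str, dst: str, direction: str,
                  mark: int = 0) -> Optional[Policy]:
    """Return the policy the kernel would select for this flow, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p.direction == direction and s in p.src and d in p.dst
            and (mark & p.mark_mask) == p.mark_value]
    return min(hits, key=lambda p: p.priority, default=None)


if __name__ == "__main__":
    pols = parse_xfrm_policies(SAMPLE_POLICY_DUMP)
    flows = [("8.8.8.8", "10.0.1.239", "out", 0x2),      # reply from the internet, marked
             ("8.8.8.8", "10.0.1.239", "out", 0x0),      # same reply, unmarked
             ("8.8.8.8", "10.0.1.239", "out", 0x10002),  # extra bit from another mangle rule
             ("10.0.1.1", "224.0.0.251", "out", 0x2)]    # mDNS towards the client
    for src, dst, direction, mark in flows:
        p = lookup_policy(pols, src, dst, direction, mark)
        print(f"{direction} {src} -> {dst} mark {mark:#x}: "
              f"{'reqid %d' % p.reqid if p else 'no policy (not tunnelled)'}")
```

The three `out` lookups for the same reply packet are the point: with mark 0x2 it is tunnelled, with mark 0 it is not, and with any extra bit set (0x10002) it is not either, because the mask is the full 32 bits. So for the symptom in the post (LAN reachable, internet not), the first thing to establish is whether packets returning from the WAN towards 10.0.1.239 actually carry mark 0x2 when they reach the xfrm lookup; if they do not, they never match the `out` policy, and the `-m policy --dir out --pol ipsec` rule in firewall.user will not accept them either.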
