Hello Rene,

strongSwan never sets up a tunnel based on incoming plaintext packets. With auto=route only outgoing plaintext packets trigger the setup of an IPsec tunnel. Packets from a subnet behind the Fritzbox should cause the Fritzbox to initiate an IKE negotiation.
In any case a tcpdump or wireshark log and a strongSwan log with plutodebug="control" would help to check if any IKE packets are leaving the Fritzbox and arriving at the strongSwan box.

Best regards

Andreas

On 02/12/2011 05:02 PM, Rene Bartsch wrote:
> Hi,
>
> I'm new to IPsec and strongSwan, so a "Hello" to all list members! ;-)
>
> Setting up a VPN tunnel between two Fritzboxes and a Ubuntu server drives
> me crazy.
>
> Packets from the private subnet of the Ubuntu server lead to a VPN tunnel
> creation and everything working fine, but packets from the subnets of the
> Fritzboxes do not cause strongSwan to create a connection.
>
> Maybe someone can help me out here.
>
> Setup:
>
> 1x Ubuntu 10.04 LTS server, fixed public IP and hostname, 192.168.176.0/24
> private subnet, strongSwan 4.3.2-1.1ubuntu1, iptables firewall with "DROP"
> default policy for INPUT and FORWARD chains and "ACCEPT" for OUTPUT
>
> 1x AVM Fritzbox 7390, one dynamic public IP, ISP-forced DSL disconnection
> every 24 hours, DDNS hostname, 192.168.177.0/24 private subnet, Internet
> via NAT
>
> 1x AVM Fritzbox 7170, one dynamic public IP, ISP-forced DSL disconnection
> every 24 hours, DDNS hostname, 192.168.178.0/24 private subnet, Internet
> via NAT
>
> - all hosts on the private subnets shall be able to connect to each other
> - hosts on the Fritzboxes are able to reach the public internet via NAT and
>   local DSL
> - hosts in 192.168.176.0/24 shall not have any connection to the public
>   internet
>
> Fritzbox VPN config:
>
>     vpncfg {
>         connections {
>             enabled = yes;
>             conn_type = conntype_lan;
>             name = "xxx.xxx.xxx.xxx";
>             always_renew = no;
>             reject_not_encrypted = no;
>             dont_filter_netbios = yes;
>             localip = 0.0.0.0;
>             local_virtualip = 0.0.0.0;
>             remoteip = xxx.xxx.xxx.xxx;
>             remote_virtualip = 0.0.0.0;
>             localid {
>                 fqdn = "xxx.dnsalias.net";
>             }
>             remoteid {
>                 ipaddr = xxx.xxx.xxx.xxx;
>             }
>             mode = phase1_mode_idp;
>             phase1ss = "all/all/all";
>             keytype = connkeytype_pre_shared;
>             key = "xxxxxxxxxxxxxxxxxxxxxx";
>             cert_do_server_auth = no;
>             use_nat_t = no;
>             use_xauth = no;
>             use_cfgmode = no;
>             phase2localid {
>                 ipnet {
>                     ipaddr = 192.168.177.0;
>                     mask = 255.255.255.0;
>                 }
>             }
>             phase2remoteid {
>                 ipnet {
>                     ipaddr = 192.168.176.0;
>                     mask = 255.255.255.0;
>                 }
>             }
>             phase2ss = "esp-all-all/ah-none/comp-all/pfs";
>             accesslist = "permit ip any 192.168.176.0 255.255.255.0";
>         }
>         ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
>                             "udp 0.0.0.0:4500 0.0.0.0:4500";
>     }
>
> strongSwan config:
>
>     # ipsec.conf - strongSwan IPsec configuration file
>
>     # basic configuration
>
>     config setup
>         # plutodebug=all
>         # crlcheckinterval=600
>         # strictcrlpolicy=yes
>         # cachecrls=yes
>         nat_traversal=no
>         charonstart=yes
>         plutostart=yes
>
>     # Add connections here.
>
>     # Sample VPN connections
>
>     conn frankfurt-giessen
>         left=xxx.xxx.xxx.xxx
>         leftsubnet=192.168.176.0/24
>         leftfirewall=yes
>         #
>         ike=aes128-sha-modp1024
>         esp=aes128-sha1
>         #
>         right=xxx.dnsalias.net
>         rightid=@xxx.dnsalias.net
>         rightsubnet=192.168.177.0/24
>         #
>         ikelifetime=4h
>         keylife=1h
>         #
>         authby=secret
>         auto=route
>
> ipsec.secrets:
>
>     # This file holds shared secrets or RSA private keys for inter-Pluto
>     # authentication. See ipsec_pluto(8) manpage, and HTML documentation.
>
>     # RSA private key for this host, authenticating it to any other host
>     # which knows the public part. Suitable public keys, for ipsec.conf, DNS,
>     # or configuration of other implementations, can be extracted conveniently
>     # with "ipsec showhostkey".
>
>     # this file is managed with debconf and will contain the automatically
>     # created private key
>     xxx.xxx.xxx.xxx @xxx.dnsalias.net: PSK "xxxxxxxxxxxxxxxxxxxxxx"
>     #include /var/lib/strongswan/ipsec.secrets.incroot
>
> AVM provides information about IPsec VPN:
>
> Security strategies for IKE1:
> http://www.avm.de/de/Service/Service-Portale/Service-Portal/images/Redaktionelle_Grafiken/vpn/ike_1.pdf
>
> Security strategies for IKE2:
> http://www.avm.de/de/Service/Service-Portale/Service-Portal/images/Redaktionelle_Grafiken/vpn/ike_2.pdf
>
> Best regards,
>
> Renne
>
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

-- 
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
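The capture check Andreas suggests, as an added example that is not part of the thread and not strongSwan's own tooling. It assumes placeholder addresses 203.0.113.10 for the strongSwan box and 198.51.100.7 for the Fritzbox (the real ones are masked as xxx.xxx.xxx.xxx above), and the tcpdump log it parses is constructed for illustration. Two points worth keeping in mind when reading the result: tcpdump sees a packet before the netfilter INPUT chain drops it, so "inbound IKE seen in the capture, nothing in the pluto log" points at the DROP default policy on INPUT; and leftfirewall=yes only inserts rules for the tunnelled subnet traffic, it does not accept UDP 500/4500 on INPUT, so those have to be allowed explicitly.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build the capture filter
# for IKE / NAT-T / ESP between the peers, then count IKE packets per
# direction in a tcpdump text log to see whether the Fritzbox's IKE proposal
# actually reaches the strongSwan host.

# Assumed placeholder for the strongSwan box's public address (xxx.xxx.xxx.xxx).
LOCAL_IP="${LOCAL_IP:-203.0.113.10}"

# BPF filter: IKE (udp/500), NAT-T (udp/4500) and ESP (IP protocol 50).
# Usage on the strongSwan box (root):  tcpdump -ni eth0 "$(ike_filter "$LOCAL_IP")" | tee /tmp/ike.log
ike_filter() {
    printf 'host %s and (udp port 500 or udp port 4500 or proto 50)' "$1"
}

# Count IKE packets in a tcpdump -n text log read on stdin.
#   count_ike <local-ip> in   -> packets whose destination is <local-ip>
#   count_ike <local-ip> out  -> packets whose source is <local-ip>
# tcpdump -n prints lines shaped like
#   12:00:00.000000 IP 198.51.100.7.500 > 203.0.113.10.500: isakmp: phase 1 I ident
# i.e. field 3 is "src.port", field 5 is "dst.port:"; the port is the last
# dotted component and is stripped to recover the bare address.
count_ike() {
    awk -v me="$1" -v dir="$2" '
        $2 == "IP" && $3 ~ /\.(500|4500)$/ && $5 ~ /\.(500|4500):$/ {
            src = $3; sub(/\.[0-9]+$/, "", src)
            dst = $5; sub(/\.[0-9]+:$/, "", dst)
            if (dir == "in"  && dst == me) n++
            if (dir == "out" && src == me) n++
        }
        END { print n + 0 }'
}

# Show any iptables INPUT rules that already accept IKE / NAT-T (root only;
# purely informational, not run by the test below).
ike_input_rules() {
    iptables -L INPUT -n --line-numbers | grep -E 'dpt:(500|4500)'
}

# Example run against a constructed log (the three lines are made up):
#   printf '%s\n' \
#     '12:00:00.000000 IP 198.51.100.7.500 > 203.0.113.10.500: isakmp: phase 1 I ident' \
#     '12:00:00.100000 IP 203.0.113.10.500 > 198.51.100.7.500: isakmp: phase 1 R ident' \
#     '12:00:01.000000 IP 198.51.100.7.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]' \
#     | count_ike "$LOCAL_IP" in
```

If the Fritzbox log shows it sending IKE but the capture on the server shows no inbound packets, the problem is on the path (ISP, NAT, DNS for the DDNS name); if inbound IKE shows up in the capture but pluto logs nothing with plutodebug="control", check the INPUT chain first.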