Ok, I was making good progress here right up until I ran into this snag. I have the Blackberry Z-10 authenticating and I can "see" internal things; I get correct DNS servers for the VPN server back to the client and I can resolve hostnames provided that I do so on the gateway machine.
The environment consists of a local network on em0 with IP 192.168.1.100/24, nominal clients in the range of .1 to .99 on that subnet. The same machine is both a firewall and NAT gateway to the outside world with an external interface on em1 at 70.169.168.7. Default is pointed at the other end of the connection off em1. The machine runs ipfw for firewall and NAT but cannot run ipfilter (it is deprecated on FreeBSD and will disappear either in the next release or the one after that.) A simplified view looks like this: PCs/Clients[192.168.1.1-1.99]=====|192.168.1.100 - Gateway/FW/NAT - 70.169.168.7|==== Internet (The actual internal network is considerably more complex in that it includes both wired and wireless client machines, but is bridged and thus that complexity is transparent to the gateway machine.) The goal is to have the VPN "road warrior" connection appear to be as if it is one of the local PCs when connected; it could be connecting from anywhere on the Internet and may be behind a NAT device (will be, most-likely, although that particular aspect of the problem appears to be handled properly in that it is the visible IP number that shows up below.) It is perfectly acceptable to have to stick another address range on the internal network address as an alias, or I can "carve out" a reasonable number of IPs from the 192.168.1 block (which is what I do with LT2P/PPTP.) This is what I have now: [root@NewFS /usr/local/etc]# more strongswan.conf # strongswan.conf - strongSwan configuration file charon { dns1 = 192.168.1.100 # number of worker threads in charon threads = 16 # send strongswan vendor ID? # send_vendor_id = yes plugins { sql { # loglevel to log into sql database loglevel = -1 # URI to the database # database = sqlite:///path/to/file.db # database = mysql://user:password@localhost/database } } # ... } pluto { } libstrongswan { # set to no, the DH exponent size is optimized # dh_exponent_ansi_x9_42 = no } And in ipsec.conf: [root@NewFS /usr/local/etc]# more ipsec.conf # ipsec.conf - strongSwan IPsec configuration file # basic configuration config setup # strictcrlpolicy=yes # uniqueids = no # Add connections here. # Sample VPN connections conn %default keyingtries=1 keyexchange=ikev2 authby=secret conn remote left=70.169.168.7 leftsubnet=192.168.1.0/24 right=%any rightsourceip=10.0.1.0/24 leftsourceip=192.168.1.100 auto=add "left" is my external IP address and leftsubnet is the internal subnet on the other interface. "em1" has the external address, "em0" has the internal. When I connect I now am able to authenticate and the phone is happy with the connection and shows that it is linked and stable. Looking at the gateway I have this in ipsec status: [root@NewFS /usr/local/etc]# ipsec status Security Associations (1 up, 0 connecting): remote[3]: ESTABLISHED 10 minutes ago, 70.169.168.7[70.169.168.7]...208.54.35.229[k...@denninger.net] remote{3}: INSTALLED, TUNNEL, ESP in UDP SPIs: ca1ce720_i 058e0c34_o remote{3}: 192.168.1.0/24 === 10.0.1.1/32 The system is running NAT to handle internal clients behind it, along with an ipfw firewall. I _*do not*_ have access to ipfilter; that's deprecated in FreeBSD and while I might be able to support it right now I won't be in the future as it has officially been announced as EOL. When I first got the connection stable I could not see anything. Digging around with tcpdump I discovered that packets were coming in on the 10.x.x.x network _*but on em1*_, so I had to tell ipfw that this was permitted (normally I prevent all "internal only" addresses from passing through that interface.) Once I did this I could "see" anything that's on the host that is doing the translation itself. I could not, however, get out at all -- including seeing things on the local network (including the OTHER DNS server that is on the internal network at .200.) I thought this was due to the 10.x network being the source (despite the leftsource declaration) and not going through NAT since the packets are coming in on the wrong interface but it looks like I'm wrong on that; I looked up an internal web page on the same server and viewed it and was shocked to find this appear in the logs while doing so: _* *__*208.54.35.229*_ - - [20/Apr/2013:10:32:43 -0500] "GET / HTTP/1.1" 200 3028 "-" "Mo zilla/5.0 (BB10; Touch) AppleWebKit/537.10+ (KHTML, like Gecko) Version/10.0.10. 672 Mobile Safari/537.10+" _*208.54.35.229*_ - - [20/Apr/2013:10:32:44 -0500] "GET /email.gif HTTP/1.1" 304 - " http://www.denninger.net/" "Mozilla/5.0 (BB10; Touch) AppleWebKit/537.10+ (KHTML , like Gecko) Version/10.0.10.672 Mobile Safari/537.10+" Huh? 208.54.35.229 is the actual _*external*_ address from the other end of the tunnel; what IPSEC appears to have done is pass the actual _*visible*_ external address into my gateway machine. Now perhaps this is what I should expect it to do but it leads to an immediate problem because if that address gets out in a packet beyond the gateway host the replies will go to the wrong place -- obviously that won't work. What I expected was that the packets would be emitted from either 10.0.1.1 or (logically) 192.168.1.100, since that was declared as the left (local) source address. Nope. Looking on the phone I see no evidence of the external address at all; only the internal private server address, the internal subnet and the server's IP. So I guess the questions are: 1. Am I configured wrong on strongswan? That is, shouldn't the packets coming into the gateway machine, after decryption and processing, have the internal virtual IP that was assigned to them as their claimed source? 2. If not, how do you handle this situation? I looked over the configuration examples in the Wiki at http://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples and don't see an obvious way to obtain what I'm looking for here or an example config that applies to this sort of circumstance. In short what I want to be able to do is VPN into the local network _*as if I was a machine on it*_, so from all appearances it is as if the phone is _*inside*_ the local net. I should thus be able to both access local resources and get out to the Internet at large through the gateway, using its NAT capability. What am I missing? (PS: The non-IPSEC/IKEv2 way to do this for Win7 which uses PPTP is also configured on this host and works as expected, so I may be a bit "polluted" in my thinking in this regard. Please be a bit gentle if you can for that reason :-)) -- -- Karl Denninger /The Market Ticker ®/ <http://market-ticker.org> Cuda Systems LLC
_______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users