Hi. I've successfully installed the StrongSwan 5.0.4 IPsec server on my Asus RT-AC66U, firmware 3.0.0.4.374.34_2 (Merlin build), following the tutorial at http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple). I'm trying to achieve this (diagram): https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/IPsec_diagram.png

I can connect to the VPN server with my iPhone using Cisco IPsec, but the problem is that I can't access any of my home LAN IPs. Here is the strongswan log file (IPs removed): https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswancharon.log

The router firewall is temporarily disabled. I probably need to add some iptables routes or something? Can someone tell me what I should put for left/right subnet and left/right IP?

Here is my config:

ipsec.conf file:

conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    #left=%any
    leftfirewall=yes
    leftsubnet=0.0.0.0/0
    #leftsubnet=192.168.2.0/24
    leftcert=server.pem
    right=%any
    rightsubnet=10.0.0.0/24
    #rightsubnet=192.168.2.0/24
    rightsourceip=10.0.0.2
    #rightsourceip=%dhcp
    rightcert=client.pem
    #forceencaps=yes
    auto=add

strongswan.conf file:

charon {
    # number of worker threads in charon
    threads = 16
    dns1 = 192.168.2.1
    plugins {
        dhcp {
            server = 192.168.2.1
        }
    }
}

ipsec statusall command:

ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):
  uptime: 27 minutes, since Nov 06 22:32:15 2013
  malloc: sbrk 225280, mmap 0, used 201584, free 23696
  worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Virtual IP pools (size/online/offline):
  10.0.0.2: 1/1/0
Listening IP addresses:
  <wan.ip.removed>
  192.168.2.1
  10.8.2.1
  10.8.0.6
Connections:
         ios:  %any...%any  IKEv1
         ios:   local:  [C=CA,... <removed>] uses public key authentication
         ios:    cert:  "C=CA,... <removed>"
         ios:   remote: [C=CA, ... <removed>] uses public key authentication
         ios:    cert:  "C=CA,... <removed>"
         ios:   remote: uses XAuth authentication: any
         ios:   child:  0.0.0.0/0 === 10.0.0.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
      ios[4]: ESTABLISHED 23 seconds ago, <wan.ip.removed>[C=CA,... <removed>]...<iphone.wan.ip.removed>[C=CA,... <removed>]
      ios[4]: Remote XAuth identity: <removed>
      ios[4]: IKEv1 SPIs: 884d6e82b7e59a56_i a4cea15bd0aeff20_r*, public key reauthentication in 2 hours
      ios[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
      ios{2}:  INSTALLED, TUNNEL, ESP SPIs: c5177fea_i 070a1d6b_o
      ios{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
      ios{2}:   0.0.0.0/0 === 10.0.0.2/32

Some more info:

iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1194
VSERVER    all  --  anywhere             cpe-86-<removed>

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.2.0/24       anywhere
MASQUERADE  all  --  !cpe-86-<removed>    anywhere
MASQUERADE  all  --  anywhere             anywhere             MARK match 0xd001

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LOCALSRV (0 references)
target     prot opt source               destination

Chain VSERVER (1 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:1184 to:192.168.2.100:1194
DNAT       udp  --  anywhere             anywhere             udp dpt:1184 to:192.168.2.100:1194
VUPNP      all  --  anywhere             anywhere

Chain VUPNP (1 references)
target     prot opt source               destination

Chain YADNS (0 references)
target     prot opt source               destination

netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.0.5        *               255.255.255.255 UH        0 0          0 tun11
10.8.0.1        10.8.0.5        255.255.255.255 UGH       0 0          0 tun11
10.8.2.2        *               255.255.255.255 UH        0 0          0 tun21
86.58.119.1     *               255.255.255.255 UH        0 0          0 eth0
86.58.119.0     *               255.255.255.0   U         0 0          0 eth0
10.8.2.0        10.8.2.2        255.255.255.0   UG        0 0          0 tun21
192.168.2.0     *               255.255.255.0   U         0 0          0 br0
192.168.1.0     10.8.0.5        255.255.255.0   UG        0 0          0 tun11
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         <removed>       0.0.0.0         UG        0 0          0 eth0

(Ignore that tunnel to 192.168.1.0.)

What should I do to make that tunnel work?

Regards,
Luka
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
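One check worth running on a gateway set up like the one in the post (an added example, not part of Luka's message or of strongSwan itself): a small Python audit of an `iptables -t nat -L POSTROUTING` listing. A reply from a LAN host to the client's virtual IP must reach the IPsec policy (`0.0.0.0/0 === 10.0.0.2/32` in the statusall output) with its source address intact; if a MASQUERADE rule rewrites the source first, the packet no longer matches the policy and is routed toward the WAN in the clear instead of entering the tunnel. strongSwan's forwarding documentation handles this by placing an `ACCEPT` rule with `-m policy --dir out --pol ipsec` ahead of the NAT rules. The first chain below is constructed from the POSTROUTING listing in the post; the second variant, with that exemption inserted at the top, is assumed for contrast, and `policy match dir out pol ipsec` is how `iptables -L` renders that match. Rules carrying other match extensions (the `MARK match` rule) are treated as undecidable, since the listing does not say whether they would fire.

```python
"""Audit a POSTROUTING listing for the road-warrior pitfall where LAN replies
to the VPN client are MASQUERADEd before the IPsec policy can claim them."""
import ipaddress
import re
from typing import List, Optional

# Constructed sample: the POSTROUTING chain as posted (interfaces are absent
# because -L was run without -v).
POSTED_POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.2.0/24       anywhere
MASQUERADE  all  --  !cpe-86-<removed>    anywhere
MASQUERADE  all  --  anywhere             anywhere             MARK match 0xd001
"""

# Assumed variant: the same chain with the policy-match exemption inserted first.
EXEMPTED_POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             policy match dir out pol ipsec
MASQUERADE  all  --  192.168.2.0/24       anywhere
MASQUERADE  all  --  !cpe-86-<removed>    anywhere
MASQUERADE  all  --  anywhere             anywhere             MARK match 0xd001
"""

# Remote traffic selector of the installed CHILD_SA, taken from the
# `ipsec statusall` output in the post (ios{2}: 0.0.0.0/0 === 10.0.0.2/32).
REMOTE_TS = ipaddress.ip_network("10.0.0.2/32")

IPSEC_EXEMPT = "policy match dir out pol ipsec"
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_chain(text: str) -> List[dict]:
    """Return one dict per rule line, skipping the chain and column headers."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Chain ") or line.startswith("target "):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target, prot, opt, src, dst, extra = m.groups()
        rules.append({"target": target, "prot": prot, "source": src,
                      "destination": dst, "extra": extra.strip()})
    return rules


def _addr_matches(spec: str, addr: str) -> Optional[bool]:
    """True/False for 'anywhere' or an IP/CIDR spec (with optional '!');
    None for a hostname we cannot resolve offline (listing made without -n)."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "anywhere":
        hit = True
    else:
        try:
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
        except ValueError:
            return None
    return (not hit) if negate else hit


def ipsec_exempt_index(rules: List[dict]) -> Optional[int]:
    """Index of the first ACCEPT rule that exempts IPsec-bound traffic from NAT."""
    for i, r in enumerate(rules):
        if r["target"] == "ACCEPT" and IPSEC_EXEMPT in r["extra"]:
            return i
    return None


def first_decisive_rule(rules: List[dict], src: str, dst: str,
                        remote_ts: ipaddress.IPv4Network = REMOTE_TS) -> Optional[int]:
    """Walk the chain as the kernel would for a packet src->dst and return the
    index of the first rule that settles its fate: the IPsec exemption (ACCEPT)
    when dst falls in the tunnel's remote selector, or an unconditional
    MASQUERADE/SNAT. Rules with other match extensions are skipped."""
    in_tunnel = ipaddress.ip_address(dst) in remote_ts
    for i, r in enumerate(rules):
        s = _addr_matches(r["source"], src)
        d = _addr_matches(r["destination"], dst)
        if s is None or d is None or not (s and d):
            continue
        if r["extra"] == "" and r["target"] in ("MASQUERADE", "SNAT"):
            return i
        if IPSEC_EXEMPT in r["extra"] and in_tunnel:
            return i
    return None


def reply_is_natted(chain_text: str, lan_host: str = "192.168.2.100",
                    client_vip: str = "10.0.0.2") -> bool:
    """True if a LAN host's reply to the client's virtual IP would be
    source-NATed before the IPsec policy can match it."""
    rules = parse_chain(chain_text)
    i = first_decisive_rule(rules, lan_host, client_vip)
    return i is not None and rules[i]["target"] != "ACCEPT"


if __name__ == "__main__":
    for name, chain in (("posted", POSTED_POSTROUTING), ("exempted", EXEMPTED_POSTROUTING)):
        verdict = "NATed before IPsec (tunnel replies break)" if reply_is_natted(chain) \
            else "reaches IPsec policy unmodified"
        print(f"{name:9s}: {verdict}")
```

The LAN host address and the assumed exemption rule are constructed for the demonstration; on a live router the same functions can be fed the output of `iptables -t nat -L POSTROUTING` directly, and a `True` from `reply_is_natted` is the signal that the NAT chain, not the IPsec configuration, is what keeps LAN replies out of the tunnel.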