Hello Andreas,

After using tcpdump I set all iptables policies to "ACCEPT", and flushing all rules led to a working VPN.

Which iptables rules do I have to set to allow the IPsec connection handshake?

Best regards,

Renne

On Sat, 12 Feb 2011 18:12:07 +0100, Andreas Steffen <[email protected]> wrote:
> Hello Rene,
>
> strongSwan never sets up a tunnel based on incoming plaintext
> packets. With auto=route only outgoing plaintext triggers the
> setup of an IPsec tunnel. Packets from a subnet behind the
> Fritzbox should cause the Fritzbox to initiate an IKE negotiation.
>
> In any case a tcpdump or wireshark log and a strongSwan log
> with
>
>     plutodebug="control"
>
> would help to check if any IKE packets are leaving the Fritzbox
> and arriving at the strongSwan box.
>
> Best regards
>
> Andreas
>
> On 02/12/2011 05:02 PM, Rene Bartsch wrote:
>> Hi,
>>
>> I'm new to IPsec and strongSwan, so a "Hello" to all list members! ;-)
>>
>> Setting up a VPN tunnel between two Fritzboxes and a Ubuntu server drives
>> me crazy.
>>
>> Packets from the private subnet of the Ubuntu server lead to a VPN tunnel
>> creation and everything working fine, but packets from the subnets of the
>> Fritzboxes do not cause strongSwan to create a connection.
>>
>> Maybe someone can help me out here.
>>
>> Setup:
>>
>> 1x Ubuntu 10.04 LTS server, fixed public IP and hostname,
>>    192.168.176.0/24 private subnet, strongSwan 4.3.2-1.1ubuntu1, iptables
>>    firewall with "DROP" default policy for INPUT and FORWARD chains and
>>    "ACCEPT" for OUTPUT
>>
>> 1x AVM Fritzbox 7390, one dynamic public IP, ISP-forced DSL disconnection
>>    every 24 hours, DDNS hostname, 192.168.177.0/24 private subnet, Internet
>>    via NAT
>>
>> 1x AVM Fritzbox 7170, one dynamic public IP, ISP-forced DSL disconnection
>>    every 24 hours, DDNS hostname, 192.168.178.0/24 private subnet, Internet
>>    via NAT
>>
>> - all hosts on the private subnets shall be able to connect to each other
>> - hosts on the Fritzboxes are able to reach the public Internet via NAT and
>>   local DSL
>> - hosts in 192.168.176.0/24 shall not have any connection to the public
>>   Internet.
>>
>> Fritzbox VPN config:
>>
>> vpncfg {
>>     connections {
>>         enabled = yes;
>>         conn_type = conntype_lan;
>>         name = "xxx.xxx.xxx.xxx";
>>         always_renew = no;
>>         reject_not_encrypted = no;
>>         dont_filter_netbios = yes;
>>         localip = 0.0.0.0;
>>         local_virtualip = 0.0.0.0;
>>         remoteip = xxx.xxx.xxx.xxx;
>>         remote_virtualip = 0.0.0.0;
>>         localid {
>>             fqdn = "xxx.dnsalias.net";
>>         }
>>         remoteid {
>>             ipaddr = xxx.xxx.xxx.xxx;
>>         }
>>         mode = phase1_mode_idp;
>>         phase1ss = "all/all/all";
>>         keytype = connkeytype_pre_shared;
>>         key = "xxxxxxxxxxxxxxxxxxxxxx";
>>         cert_do_server_auth = no;
>>         use_nat_t = no;
>>         use_xauth = no;
>>         use_cfgmode = no;
>>         phase2localid {
>>             ipnet {
>>                 ipaddr = 192.168.177.0;
>>                 mask = 255.255.255.0;
>>             }
>>         }
>>         phase2remoteid {
>>             ipnet {
>>                 ipaddr = 192.168.176.0;
>>                 mask = 255.255.255.0;
>>             }
>>         }
>>         phase2ss = "esp-all-all/ah-none/comp-all/pfs";
>>         accesslist = "permit ip any 192.168.176.0 255.255.255.0";
>>     }
>>     ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
>>                         "udp 0.0.0.0:4500 0.0.0.0:4500";
>> }
>>
>> strongSwan config:
>>
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>>     # plutodebug=all
>>     # crlcheckinterval=600
>>     # strictcrlpolicy=yes
>>     # cachecrls=yes
>>     nat_traversal=no
>>     charonstart=yes
>>     plutostart=yes
>>
>> # Add connections here.
>>
>> # Sample VPN connections
>>
>> conn frankfurt-giessen
>>     left=xxx.xxx.xxx.xxx
>>     leftsubnet=192.168.176.0/24
>>     leftfirewall=yes
>>     #
>>     ike=aes128-sha-modp1024
>>     esp=aes128-sha1
>>     #
>>     right=xxx.dnsalias.net
>>     [email protected]
>>     rightsubnet=192.168.177.0/24
>>     #
>>     ikelifetime=4h
>>     keylife=1h
>>     #
>>     authby=secret
>>     auto=route
>>
>> ipsec.secrets:
>>
>> # This file holds shared secrets or RSA private keys for inter-Pluto
>> # authentication. See ipsec_pluto(8) manpage, and HTML documentation.
>>
>> # RSA private key for this host, authenticating it to any other host
>> # which knows the public part. Suitable public keys, for ipsec.conf, DNS,
>> # or configuration of other implementations, can be extracted conveniently
>> # with "ipsec showhostkey".
>>
>> # this file is managed with debconf and will contain the automatically
>> # created private key
>> xxx.xxx.xxx.xxx @xxx.dnsalias.net: PSK "xxxxxxxxxxxxxxxxxxxxxx"
>> #include /var/lib/strongswan/ipsec.secrets.incroot
>>
>> AVM provides information about IPsec VPN:
>>
>> Security strategies for IKE1:
>> http://www.avm.de/de/Service/Service-Portale/Service-Portal/images/Redaktionelle_Grafiken/vpn/ike_1.pdf
>>
>> Security strategies for IKE2:
>> http://www.avm.de/de/Service/Service-Portale/Service-Portal/images/Redaktionelle_Grafiken/vpn/ike_2.pdf
>>
>> Best regards,
>>
>> Renne
>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> https://lists.strongswan.org/mailman/listinfo/users
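As an added example, not part of this thread or of strongSwan itself: a POSIX shell script that prints the iptables rules the quoted setup needs so that the IKE handshake and the ESP payload get past a DROP default policy on INPUT, plus policy-matched FORWARD rules between the subnets. The interface name (WAN_IF) is an assumption; the subnets are taken from the quoted configuration.

```shell
#!/bin/sh
# Added example (not from the thread): prints the iptables commands that let
# the IKE handshake and the ESP payload reach a strongSwan host whose INPUT
# and FORWARD chains have a DROP default policy. The interface name is an
# assumption; the subnets come from the quoted Fritzbox/strongSwan config.
set -eu

WAN_IF="${WAN_IF:-eth0}"                        # assumption: public interface
LOCAL_NET="${LOCAL_NET:-192.168.176.0/24}"      # subnet behind the Ubuntu box
PEER_NETS="${PEER_NETS:-192.168.177.0/24 192.168.178.0/24}"   # the Fritzboxes

# Rules are printed rather than executed so they can be reviewed first;
# pipe the output to sh (as root) to apply them.
ipsec_input_rules() {
    # The IKE handshake (phase 1 and phase 2) arrives on UDP 500.
    echo "iptables -A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT"
    # UDP 4500 only carries traffic once NAT-T is in use; with
    # nat_traversal=no and use_nat_t=no as in the thread it stays unused.
    echo "iptables -A INPUT -i $WAN_IF -p udp --dport 4500 -j ACCEPT"
    # The tunnel itself: ESP (protocol 50) and, if configured, AH (51).
    echo "iptables -A INPUT -i $WAN_IF -p esp -j ACCEPT"
    echo "iptables -A INPUT -i $WAN_IF -p ah -j ACCEPT"
}

ipsec_forward_rules() {
    # Only packets that were decrypted from (or will be encrypted into) an
    # IPsec SA may pass between the subnets; unprotected Internet traffic
    # towards 192.168.176.0/24 keeps hitting the DROP policy.
    for net in $PEER_NETS; do
        echo "iptables -A FORWARD -m policy --dir in --pol ipsec --proto esp -s $net -d $LOCAL_NET -j ACCEPT"
        echo "iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -s $LOCAL_NET -d $net -j ACCEPT"
    done
}

all_ipsec_rules() {
    ipsec_input_rules
    ipsec_forward_rules
}

case "${1:-}" in
    apply) all_ipsec_rules | sh ;;   # run as root to install the rules
    *)     all_ipsec_rules ;;        # default: only show them
esac
```

With leftfirewall=yes, as in the quoted ipsec.conf, strongSwan's _updown script inserts its own FORWARD rules for the tunnel subnets when an SA comes up, so the FORWARD part above matters mainly when that option is turned off; the INPUT rules are what the flush in the message above made unnecessary.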
