Hi everybody, and sorry for my really bad English.

I have a problem with strongSwan on the latest OpenWRT firmware.
I followed the tutorial on the wiki for setting up a VPN server to connect to 
my home LAN from my iPhone and iPad (so IKEv1 and pure IPsec).
I can connect and log in (X.509 cert), but I can't ping my LAN machines (e.g. my 
NAS).
It seems iptables blocks traffic from WAN to LAN even during a pure IPsec 
connection.

OpenWRT router ip: 192.168.1.254
Connection to the internet: PPPoE through an ADSL modem


I've opened the ESP protocol, UDP 500, UDP 4500 and the AH protocol, and added some 
policies to forward IPsec traffic, but it seems that isn't enough (see below).


Can someone help me? Thanks in advance, strongSwan team!




This is my ipsec.conf

# strongSwan ipsec.conf: IKEv1 + XAuth/RSA responder for iOS/iPadOS clients.
config setup
        # a missing or unreachable CRL is not fatal to peer authentication
        strictcrlpolicy=no
        # clients behind NAT are encapsulated in UDP 4500 (opened in firewall.conf below)
        nat_traversal=yes
        charonstart=yes

conn ios     
       keyexchange=ikev1
       # RSA certificate authentication plus XAuth user credentials
       authby=xauthrsasig
       xauth=server
       # the _updown script inserts/removes iptables rules for each tunnel
       leftfirewall=yes
       left=%defaultroute
       # full tunnel: the client sends all of its traffic through the VPN
       leftsubnet=0.0.0.0/0
       leftcert=serverCert.pem
       # NOTE(review): the virtual IP lies inside the LAN subnet 192.168.1.0/24;
       # LAN hosts (e.g. the NAS) will ARP for it, so their replies only reach the
       # router if proxy ARP (farp plugin) is active or a separate pool is used — confirm
       rightsourceip=192.168.1.25
       # NOTE(review): this equals the LAN subnet. While a client is connected, the
       # IPsec policy 0.0.0.0/0 <-> 192.168.1.0/24 also matches traffic the router
       # sends or forwards to any LAN host, which may be re-encapsulated towards the
       # client instead of reaching the NAS; with rightsourceip set the client side is
       # usually only the virtual IP — confirm this /24 is intended
       rightsubnet=192.168.1.0/24
       right=%any
       # every client must present exactly this certificate
       rightcert=clientCert.pem
       # no PFS for the IPsec SA: its keys derive from the IKE SA keying material
       pfs=no
       # loaded at start-up, waits for the client to initiate
       auto=add





This is my firewall.users (a text file with custom rules that OpenWRT loads during 
firewall start):

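# /etc/firewall.user: accept packets that were (dir in) or will be (dir out)
# protected by an IPsec ESP policy, whatever zone they enter from. The rules are
# inserted (-I) at the top of each chain so they take precedence over the
# OpenWRT zone chains. Each command must be a single line: a "-j" and "ACCEPT"
# split across two lines (as in the mail-wrapped listing) is an iptables syntax
# error and the rule is silently never installed.
# NOTE(review): only the filter table is touched. With masquerading enabled on
# the wan zone, replies leaving the router may be SNATed to the WAN address
# before ESP encapsulation; an exemption such as
#   /usr/sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
# is usually needed — confirm against the zone configuration.
/usr/sbin/iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
/usr/sbin/iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
/usr/sbin/iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
/usr/sbin/iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT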




This is my firewall.conf (the base file loaded for the firewall configuration at every 
start; after this, OpenWRT loads the firewall.users script):
# OpenWRT UCI firewall configuration (/etc/config/firewall).
# Chain policies; the zone sections below override them per interface.
config 'defaults'
        option 'syn_flood' '1'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'drop_invalid' '1'
        option 'forward' 'ACCEPT'

config 'zone'
        option 'name' 'lan'
        option 'network' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        # lan -> wan is allowed by the 'forwarding' section further down
        option 'forward' 'REJECT'

# Decapsulated IPsec packets are seen as arriving on the wan interface, so they
# are subject to this zone's REJECT policies; only the policy-match rules from
# /etc/firewall.user (inserted at the top of FORWARD) let them through to lan.
config 'zone'
        option 'name' 'wan'
        option 'network' 'wan'
        option 'output' 'ACCEPT'
        option 'mtu_fix' '1'
        # NOTE(review): masquerading applies to everything leaving via wan; if VPN
        # replies are encapsulated on this interface they are SNATed to the WAN IP
        # first unless a nat-table exemption for IPsec-policy traffic exists
        # (firewall.user above only adds filter-table rules) — confirm
        option 'masq' '1'
        option 'input' 'REJECT'
        option 'forward' 'REJECT'

# DHCP client replies from the upstream
config 'rule'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '68'
        option 'target' 'ACCEPT'
        option 'family' 'ipv4'

# allow ping of the router from the wan side
config 'rule'
        option 'src' 'wan'
        option 'proto' 'icmp'
        option 'icmp_type' 'echo-request'
        option 'target' 'ACCEPT'

# NOTE(review): the message calls the custom-rules file "firewall.users"; the
# path included here is /etc/firewall.user — confirm the rules shown live there
config 'include'
        option 'path' '/etc/firewall.user'

config 'forwarding'
        option 'dest' 'wan'
        option 'src' 'lan'

# port forward TCP 6881 from wan to a LAN host
# NOTE(review): 192.168.1.1 is not the router address given above (192.168.1.254);
# confirm it is the NAS
config 'redirect'
        option '_name' 'qBittorrent verso nas'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_dport' '6881'
        option 'dest_ip' '192.168.1.1'
        option 'dest_port' '6881'
        option 'target' 'DNAT'
        option 'dest' 'lan'

# NOTE(review): PPTP's control channel is TCP 1723 (data goes over GRE); a udp
# rule on 1723 does not match it — confirm whether this rule is still needed
config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'PPPTP VPN'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '1723'

# The four rules below have no 'dest', so they admit IKE/NAT-T/ESP/AH to the
# router itself (INPUT); they do not forward anything to lan.
config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'accetta esp'
        option 'src' 'wan'
        option 'proto' 'esp'

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'accetta ike'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '500'

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'accetta nat-t'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '4500'

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'accetta ah'
        option 'src' 'wan'
        option 'proto' 'ah'