Hi, I would suggest you do one more thing:

- Remove the "leftfirewall=yes" from the ipsec.conf on both peers (if it is mentioned on the remote peer too).
- Manually add/paste the mentioned iptables rules, which basically simulate a split-tunnel scenario as shown in the attached png file. Also add the forward-chain rules with the br-lan interface too, if possible.
- Logically speaking it should get solved with the above steps. But looking at your device config (the interfaces mentioned), I guess the issues may be because:
  - are there VLANs/sub-interfaces/alias-interfaces defined on eth0?
  - is there a physical LAN interface on your device, such as eth1 or eth2 (i.e. other than eth0, which I guess is the WAN interface)?
  - why are you bridging the WAN interface (eth0.2 or pppoe-wan) with the LAN (eth0.1)? Although it should work, the ipsec flow sometimes gets disrupted due to routing issues when everything is bridged together.
- I would generally keep the WAN interface separate/standalone, and instead bridge the LAN and wifi interfaces together (and I do run a dhcp-server on the br0 interface to cater to the LAN-side ethernet and wifi clients).

hope this works
thanks
rajiv

On Mon, Oct 3, 2011 at 6:57 PM, Andrea Nottoli <[email protected]> wrote:
> Hi again,
> It doesn't work :(
> I still can ping the router and also manage it through the webGui, but can't reach
> other machines :(
>
> I've edited the suggested rules to adjust them to my ifconfig, but without
> success. Other ideas?
> Sure, the problem is related to nat from ppp/wan to lan and vice-versa.
>
> This is my ifconfig.
> The wan interface is eth0.2, with a pppoe-wan connection over it.
> eth0.1 is the lan interface, bridged (br-lan) with eth0.2.
>
> So I've edited the rules suggested by Rajiv with eth0.2 instead of eth0 (wan)
> and eth0.1 instead of eth2 (lan). Also changed ppp0 to pppoe-wan according to
> ifconfig (below).
>
> Thanks again for your help, hope to finally solve this strange (and
> abnormal) issue with my ipsec config.
>
> root@OpenWrt:~# ifconfig
> br-lan    Link encap:Ethernet  HWaddr 74:EA:3A:E4:47:52
>           inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
>           inet6 addr: fe80::76ea:3aff:fee4:4752/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:9450776 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:21936047 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:1169972374 (1.0 GiB)  TX bytes:495910714 (472.9 MiB)
>
> eth0      Link encap:Ethernet  HWaddr 74:EA:3A:E4:47:52
>           inet6 addr: fe80::76ea:3aff:fee4:4752/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:32253959 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:31904139 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:2811514789 (2.6 GiB)  TX bytes:1757630697 (1.6 GiB)
>           Interrupt:4
>
> eth0.1    Link encap:Ethernet  HWaddr 74:EA:3A:E4:47:52
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:9841290 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:22001555 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:1856031729 (1.7 GiB)  TX bytes:306500736 (292.3 MiB)
>
> eth0.2    Link encap:Ethernet  HWaddr 74:EA:3A:E4:47:52
>           inet6 addr: fe80::76ea:3aff:fee4:4752/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:22412477 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:9902574 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:503906886 (480.5 MiB)  TX bytes:1451128324 (1.3 GiB)
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:58 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:58 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:5341 (5.2 KiB)  TX bytes:5341 (5.2 KiB)
>
> mon.wlan0 Link encap:UNSPEC  HWaddr 74-EA-3A-E4-47-52-00-00-00-00-00-00-00-00-00-00
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:55353 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:8881039 (8.4 MiB)  TX bytes:0 (0.0 B)
>
> pppoe-wan Link encap:Point-to-Point Protocol
>           inet addr:79.XX.XX.XXX  P-t-P:192.168.100.1  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
>           RX packets:1818589 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:713853 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:3
>           RX bytes:2430544726 (2.2 GiB)  TX bytes:56985105 (54.3 MiB)
>
> wlan0     Link encap:Ethernet  HWaddr 74:EA:3A:E4:47:52
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:494648 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:837753 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:72276624 (68.9 MiB)  TX bytes:1022316479 (974.9 MiB)
>
>
> On 27 Sep 2011, at 09:47, Rajiv Kulkarni wrote:
>
> Hi
>
> Assuming that you have NAT (MASQUERADE) enabled on wan (say the eth0 interface)
> of your home router (with a pppoe connection to the internet) and the LAN
> interface is identified as eth2, then I would request you to please try out
> the below iptables rules as well:
>
> iptables -A INPUT -p esp -j ACCEPT
> iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> iptables -A OUTPUT -p esp -j ACCEPT
> iptables -A OUTPUT -p udp -m udp --dport 500 -j ACCEPT
> iptables -t nat -I POSTROUTING 1 -p esp -j ACCEPT
> iptables -t nat -I POSTROUTING 2 -s 192.168.1.0/24 -d 172.20.0.0/16 -j ACCEPT
> iptables -I FORWARD 3 -i eth2 -o ppp0 -j ACCEPT
> iptables -I FORWARD 4 -i eth2 -o eth0 -j ACCEPT
> iptables -I FORWARD 5 -i ppp0 -o eth2 -j ACCEPT
> iptables -I FORWARD 6 -i eth0 -o eth2 -j ACCEPT
>
> Please note: the rules for the nat table should be added before the
> MASQUERADE rule, if any, hence the numbers 1 and 2.
>
> The basic reason, I think, is that the packets aren't getting forwarded
> across the wan to lan interfaces and vice-versa once the ipsec tunnel is
> up.
>
> 1. you can try only ipsec first by disabling the firewall completely
> 2. next enable the existing firewall rules and ipsec and see where it's
> getting dropped. Also try to add some of the rules mentioned above.
>
> I think it should work if 1 above works
>
> -rajiv
>
>
> On Mon, Sep 26, 2011 at 8:08 PM, Andrea Nottoli <[email protected]> wrote:
>
>> Hi everybody, and sorry for my really bad English.
>>
>> I've a problem with StrongSwan on the latest OpenWRT firmware.
>> I followed the tutorial on the wiki for setting up a vpn server to
>> connect to my home lan through my iphone and ipad (so IKEv1 and pure IPsec).
>> I can connect and login (x509 cert) but I can't ping my lan machines (e.g.
>> my NAS).
>> It seems iptables blocks navigation from wan to lan also during the pure ipsec
>> connection.
>>
>> OpenWRT router ip: 192.168.1.254
>> Connection to internet: pppoe through adsl modem
>>
>> I've opened esp proto, 500 udp, 4500 udp, ah proto and added some policies
>> to forward ipsec traffic, but it seems that isn't enough (check bottom).
>>
>> Can someone help me? Thanks in advance, strongswan team!
>>
>> This is my ipsec.conf
>>
>> config setup
>>         strictcrlpolicy=no
>>         nat_traversal=yes
>>         charonstart=yes
>>
>> conn ios
>>         keyexchange=ikev1
>>         authby=xauthrsasig
>>         xauth=server
>>         leftfirewall=yes
>>         left=%defaultroute
>>         leftsubnet=0.0.0.0/0
>>         leftcert=serverCert.pem
>>         rightsourceip=192.168.1.25
>>         rightsubnet=192.168.1.0/24
>>         right=%any
>>         rightcert=clientCert.pem
>>         pfs=no
>>         auto=add
>>
>> this is my firewall.users (a text file for custom rules loaded during
>> firewall start from OpenWRT):
>>
>> /usr/sbin/iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
>> /usr/sbin/iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
>> /usr/sbin/iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
>> /usr/sbin/iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
>>
>> this is my firewall.conf (the base file loaded for firewall configuration
>> every start; after this openwrt loads the firewall.users script):
>>
>> config 'defaults'
>>         option 'syn_flood' '1'
>>         option 'input' 'ACCEPT'
>>         option 'output' 'ACCEPT'
>>         option 'drop_invalid' '1'
>>         option 'forward' 'ACCEPT'
>>
>> config 'zone'
>>         option 'name' 'lan'
>>         option 'network' 'lan'
>>         option 'input' 'ACCEPT'
>>         option 'output' 'ACCEPT'
>>         option 'forward' 'REJECT'
>>
>> config 'zone'
>>         option 'name' 'wan'
>>         option 'network' 'wan'
>>         option 'output' 'ACCEPT'
>>         option 'mtu_fix' '1'
>>         option 'masq' '1'
>>         option 'input' 'REJECT'
>>         option 'forward' 'REJECT'
>>
>> config 'rule'
>>         option 'src' 'wan'
>>         option 'proto' 'udp'
>>         option 'dest_port' '68'
>>         option 'target' 'ACCEPT'
>>         option 'family' 'ipv4'
>>
>> config 'rule'
>>         option 'src' 'wan'
>>         option 'proto' 'icmp'
>>         option 'icmp_type' 'echo-request'
>>         option 'target' 'ACCEPT'
>>
>> config 'include'
>>         option 'path' '/etc/firewall.user'
>>
>> config 'forwarding'
>>         option 'dest' 'wan'
>>         option 'src' 'lan'
>>
>> config 'redirect'
>>         option '_name' 'qBittorrent verso nas'
>>         option 'src' 'wan'
>>         option 'proto' 'tcp'
>>         option 'src_dport' '6881'
>>         option 'dest_ip' '192.168.1.1'
>>         option 'dest_port' '6881'
>>         option 'target' 'DNAT'
>>         option 'dest' 'lan'
>>
>> config 'rule'
>>         option 'target' 'ACCEPT'
>>         option '_name' 'PPPTP VPN'
>>         option 'src' 'wan'
>>         option 'proto' 'udp'
>>         option 'dest_port' '1723'
>>
>> config 'rule'
>>         option 'target' 'ACCEPT'
>>         option '_name' 'accetta esp'
>>         option 'src' 'wan'
>>         option 'proto' 'esp'
>>
>> config 'rule'
>>         option 'target' 'ACCEPT'
>>         option '_name' 'accetta ike'
>>         option 'src' 'wan'
>>         option 'proto' 'udp'
>>         option 'dest_port' '500'
>>
>> config 'rule'
>>         option 'target' 'ACCEPT'
>>         option '_name' 'accetta nat-t'
>>         option 'src' 'wan'
>>         option 'proto' 'udp'
>>         option 'dest_port' '4500'
>>
>> config 'rule'
>>         option 'target' 'ACCEPT'
>>         option '_name' 'accetta ah'
>>         option 'src' 'wan'
>>         option 'proto' 'ah'
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> https://lists.strongswan.org/mailman/listinfo/users
<<attachment: C1K-EVM - IPSec with NAPT.png>>
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
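The point Rajiv keeps returning to is rule ordering: on a router whose wan zone has 'masq' set, the NAT exemption for tunnel traffic has to sit in front of the MASQUERADE rule, or the LAN source address is rewritten before the IPsec policy lookup and the packet no longer matches the tunnel's selectors. The script below is an added example written for this editing pass, not code from the thread, from strongSwan or from OpenWrt. It prints the rule set (combining Rajiv's ordered nat rules with the policy-match FORWARD rules from Andrea's firewall.user) and checks an existing `iptables -t nat -S POSTROUTING` listing for the ordering mistake. The two listings embedded in it are constructed samples; the interface name pppoe-wan in them is taken from Andrea's ifconfig, and the script name in the comments is whatever you save it as.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan/OpenWrt.
# Prints IPsec firewall rules with the NAT exemption ordered ahead of
# MASQUERADE, and checks a nat/POSTROUTING listing for the ordering mistake.

IPT="${IPT:-iptables}"

# Emit the rules instead of applying them so they can be reviewed first;
# `sh ipsec-fw.sh rules | sh` applies them, or paste the output into
# /etc/firewall.user.
ipsec_rules() {
    # IKE, NAT-T and ESP addressed to the router itself.
    echo "$IPT -A INPUT -p udp --dport 500 -j ACCEPT"
    echo "$IPT -A INPUT -p udp --dport 4500 -j ACCEPT"
    echo "$IPT -A INPUT -p esp -j ACCEPT"
    # Exempt traffic that an IPsec policy will protect from source NAT.
    # Position 1 puts it before the MASQUERADE rule that the wan zone's
    # 'masq' option installs; after MASQUERADE the LAN source address is
    # already rewritten, so the packet no longer matches the tunnel's
    # selectors and leaves unprotected or is dropped.
    echo "$IPT -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT"
    # Forward only what the tunnel decrypted or will encrypt: the policy
    # match is the interface-independent form of the per-interface FORWARD
    # rules in the thread, so it also covers a bridged LAN such as br-lan.
    echo "$IPT -I FORWARD 1 -m policy --dir in --pol ipsec --proto esp -j ACCEPT"
    echo "$IPT -I FORWARD 2 -m policy --dir out --pol ipsec --proto esp -j ACCEPT"
}

# Read an `iptables -t nat -S POSTROUTING` listing on stdin. Exit 0 when an
# IPsec exemption (an ACCEPT rule matching --pol ipsec or -p esp) appears
# before the first MASQUERADE rule, or when there is no MASQUERADE at all;
# exit 1 when the exemption is missing or comes after MASQUERADE.
nat_order_ok() {
    awk '
        /-j MASQUERADE/ && !masq { masq = NR }
        /-j ACCEPT/ && (/--pol ipsec/ || /-p esp/) && !ex { ex = NR }
        END { exit !(ex && (!masq || ex < masq)) }
    '
}

# Constructed sample listings (not captured from a real router): the first
# has the exemption appended after MASQUERADE, the second has it inserted
# at position 1 as the rules above do.
BAD_POSTROUTING='-P POSTROUTING ACCEPT
-A POSTROUTING -o pppoe-wan -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT'
GOOD_POSTROUTING='-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o pppoe-wan -j MASQUERADE'

# Print a verdict for one listing; returns the same status as nat_order_ok.
check_listing() {
    if printf '%s\n' "$1" | nat_order_ok; then
        echo "ok: IPsec exemption precedes MASQUERADE"
        return 0
    fi
    echo "BAD: IPsec traffic is masqueraded before the xfrm policy lookup"
    return 1
}

case "${1:-}" in
    rules) ipsec_rules ;;
    # Live check: iptables -t nat -S POSTROUTING | sh ipsec-fw.sh check
    check) nat_order_ok ;;
    demo)  check_listing "$BAD_POSTROUTING"; check_listing "$GOOD_POSTROUTING" ;;
esac
```

Run it with `demo` to see both verdicts on the constructed listings, and with `check` fed from the live nat table to confirm that whatever OpenWrt's firewall script installed on restart still sits behind the exemption; the firewall.user include runs after the zone rules, which is why the thread uses `-I ... 1` rather than `-A`.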
