Hi,
I have tried to set up an IPSec VPN server with Strongswan on my RT-N16 to be able to connect to my home network from my iPad via a VPN tunnel. I am able to successfully connect to the VPN server from my iPad, but when connected, I can't reach any IPs on my internal network (or on the Internet at all).
Any help with troubleshooting this problem would be really appreciated.
What I have done is basically to:
- Flash my router with Shibby build 102 (AIO)
- Download Strongswan 5 packages via entware
- Set up Strongswan and certificates according to iOS howto on strongswan.org
- Manually load IPSec kernel modules (except ipv6 related)
- Manually start IPSec
- Allow incoming traffic on udp port 500/4500 with iptables
Result:
- My iPad can successfully connect to the VPN
- I can ping my iPad (192.168.9.30) from my router (192.168.9.1)
- I CAN'T ping my iPad from any other computer on my network (192.168.9.0/24)
- I CAN'T ping my router or any other IP on my network from my iPad when connected via VPN
- I am unable to reach both internal and external (Internet) resources from my iPad when connected via VPN
- I have turned on logging of dropped incoming/outgoing packages on the router, but no packages are being dropped by the firewall.
Thought it might be a routing or NAT issue, but not sure where to start. Tried a lot of different iptables configurations but no luck so far.
Some background info
- The router is connected to the Internet with a fixed IP address
- My internal network is 192.168.9.0/24
- All my computers on the internal network are assigned static IP addresses via DHCP, based on MAC address
- Apart from that, I use more or less a standard setup with default settings in Tomato for firewall, routing, VLAN etc.
- My iPad is connected to the Internet via 3G. My ISP seems to use NAT as I am assigned a different IP address than I get with whatismyip.com.
ipsec.conf
conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=******** (masked)
    right=%any
    rightsourceip=192.168.9.30
    rightid="***********" (masked)
    auto=add
Firewall rules
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p 50 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
iptables -I OUTPUT -d 0.0.0.0/0 -p udp --dport 500 -j ACCEPT
iptables -I OUTPUT -d 0.0.0.0/0 -p 50 -j ACCEPT
iptables -I OUTPUT -d 0.0.0.0/0 -p udp --dport 4500 -j ACCEPT
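The INPUT/OUTPUT rules above only cover the IKE and ESP exchange with the router itself; traffic that the iPad sends through the tunnel is forwarded, so it depends on ip_forward, on FORWARD rules for the IPsec policy, and, because the client's virtual IP is taken from the LAN range, on the router answering ARP for 192.168.9.30 on the LAN bridge. The following audit script is an added example, not part of the original post or of strongSwan; it assumes Tomato's LAN bridge is named br0 and reads two text dumps captured on the router (iptables-save output and sysctl output).

```shell
#!/bin/sh
# Added diagnostic for the setup described in the post (not the poster's
# code). Inputs: $1 = a file holding `iptables-save` output, $2 = a file
# holding `sysctl net.ipv4.ip_forward net.ipv4.conf.br0.proxy_arp` output.
# The LAN bridge name br0 is an assumption.

check_forwarding() {
    # Decrypted client packets are forwarded like any other traffic.
    grep -q '^net.ipv4.ip_forward = 1$' "$1"
}

check_proxy_arp() {
    # LAN hosts ARP for 192.168.9.30 on the LAN; the router only answers on
    # the client's behalf when proxy_arp is enabled on the bridge.
    grep -q '^net.ipv4.conf.br0.proxy_arp = 1$' "$1"
}

check_forward_rules() {
    # With leftfirewall=yes strongSwan's _updown script adds FORWARD rules
    # matching the IPsec policy in both directions; with a restrictive
    # FORWARD chain the tunnel traffic goes nowhere without them.
    grep -q -- '^-A FORWARD .*-m policy --dir in --pol ipsec .*-j ACCEPT' "$1" &&
    grep -q -- '^-A FORWARD .*-m policy --dir out --pol ipsec .*-j ACCEPT' "$1"
}

# Prints each missing item and returns the number of missing items
# (0 means all three checks passed).
audit() {
    rules="$1"; sysctls="$2"; missing=0
    check_forwarding "$sysctls" || { echo "missing: net.ipv4.ip_forward = 1"; missing=$((missing + 1)); }
    check_proxy_arp "$sysctls" || { echo "missing: net.ipv4.conf.br0.proxy_arp = 1"; missing=$((missing + 1)); }
    check_forward_rules "$rules" || { echo "missing: FORWARD rules matching the IPsec policy"; missing=$((missing + 1)); }
    return "$missing"
}
```

Run it on the router as `audit /tmp/rules.txt /tmp/sysctl.txt` after capturing the two dumps; a non-zero exit code is the count of items still missing.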