Help with troubleshooting IPSec Strongswan setup

Forum » Discussions / General » Help with troubleshooting IPSec Strongswan setup

Started by:

Christian (guest)
Date: 16 Dec 2012 14:57
Number of posts: 5

RSS: New posts

Unfold All Fold All More Options

Fold

Help with troubleshooting IPSec Strongswan setup

Christian (guest) 16 Dec 2012 14:57

Hi,

I have tried to setup an IPSec VPN server with Strongswan on my RT-N16 to be able to connect to my home network from my iPad via a VPN tunnel. I am able to successfully connect to the VPN server from my iPad, but when connected, I can't reach any IP:s on my internal network (or on the Internet at all).

Any help with troubleshooting this problem would be really appreciated.

What I have done is basically to:

Flash my router with Shibby build 102 (AIO)
Download Strongswan 5 packages via entware
Set up Strongswan and certificates according to iOS howto on strongswan.org
Manually load IPSec kernel modules (except ipv6 related)
Manually start IPSec
Allow incoming traffic on udp port 500/4500 with iptables

Result:

My iPad can successfully connect to the VPN
I can ping my iPad (192.168.9.30) from my router (192.168.9.1)
I CAN'T ping my iPad from any other computer on my network (192.168.9.0/24)
I CAN'T ping my router or any other IP on my network from my iPad when connected via VPN
I am unable to reach both internal and external (Internet) resources from my iPad when connected via VPN
I have turned on logging of dropped incoming/outgoing packages on the router, but no packages are being dropped by the firewall.

Thought it might be a routing or NAT issue, but not sure where to start. Tried a lot of different iptables configurations but no luck so far.

Some background info

The router is connected to the Internet with a fixed IP address
My internal network is 192.168.9.0/24
All my computers on the internal network are assigned static IP addresses via DHCP, based on MAC address
Apart from that, I use more or less a standard setup with default settings in Tomato for firewall, routing, VLAN etc.
My iPad is connected to the Internet via 3G. My ISP seems to use NAT as I am assigned a different IP address than I get with whatismyip.com.

ipsec.conf

conn ios 
    keyexchange=ikev1 
    authby=xauthrsasig 
    xauth=server 
    left=%defaultroute 
    leftsubnet=0.0.0.0/0 
    leftfirewall=yes 
    leftcert=******** (masked)
    right=%any 
    rightsourceip=192.168.9.30 
    rightid="***********" (masked)
    auto=add

Firewall rules
iptables -I INPUT -p udp —dport 500 -j ACCEPT
iptables -I INPUT -p 50 -j ACCEPT
iptables -I INPUT -p udp —dport 4500 -j ACCEPT
iptables -I OUTPUT -d 0.0.0.0/0 -p udp —dport 500 -j ACCEPT
iptables -I OUTPUT -d 0.0.0.0/0 -p 50 -j ACCEPT
iptables -I OUTPUT -d 0.0.0.0/0 -p udp —dport 4500 -j ACCEPT

Options

Unfold Help with troubleshooting IPSec Strongswan setup by

Christian (guest), 16 Dec 2012 14:57

Fold

Christian (guest) 22 Dec 2012 10:28

Still no success… Trying to figure out if my problem might be related to a missing ipsec/iptables plugin and/or how tomatousb handles iptables and that this somehow prevents nat traversal or routing from working correctly.

After starting strongswan, I can see in the log that the following modules are loaded:

loaded plugins: charon test-vectors pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic

However, there are also some error messages related to plugins that can't be loaded:

plugin 'curl' failed to load: File not found
plugin 'ldap' failed to load: File not found
plugin 'mysql' failed to load: File not found
plugin 'sqlite' failed to load: File not found
opening AF_ALG socket failed: Address family not supported by protocol
plugin 'agent' failed to load: File not found
plugin 'cmac' failed to load: File not found
plugin 'ctr' failed to load: File not found
plugin 'ccm' failed to load: File not found
plugin 'gcm' failed to load: File not found
plugin 'attr-sql' failed to load: File not found
plugin 'load-tester' failed to load: File not found
plugin 'kernel-pfkey' failed to load: File not found
plugin 'kernel-klips' failed to load: File not found
plugin 'socket-raw' failed to load: File not found
plugin 'socket-dynamic' failed to load: File not found
plugin 'farp' failed to load: File not found
plugin 'smp' failed to load: File not found
plugin 'sql' failed to load: File not found
plugin 'eap-identity' failed to load: File not found
plugin 'eap-md5' failed to load: File not found
plugin 'eap-mschapv2' failed to load: File not found
plugin 'xauth-eap' failed to load: File not found
plugin 'dhcp' failed to load: File not found
plugin 'ha' failed to load: File not found
plugin 'whitelist' failed to load: File not found
plugin 'led' failed to load: File not found
plugin 'duplicheck' failed to load: File not found
plugin 'coupling' failed to load: File not found
plugin 'addrblock' failed to load: File not found

Not sure if any of these missing plugins are critical for my setup or not…

Then, the iptables configuration in tomatousb confuses me…
When checking iptables with iptables -nvL I get the following result:

Chain INPUT (policy DROP 29 packets, 856 bytes) 
 pkts bytes target     prot opt in     out     source               destination          
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:4500  
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:500  
    1    44 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID  
  466 98332 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED  
    2   183 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            
  143 10040 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            

Chain FORWARD (policy DROP 0 packets, 0 bytes) 
 pkts bytes target     prot opt in     out     source               destination          
 1789  996K            all  --  *      *       0.0.0.0/0            0.0.0.0/0           account: network/netmask: 192.168.9.0/255.255.255.0 name: lan  
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0            
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID  
  154  9152 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU  
 1712  991K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED  
    0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            
   77  4620 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0            
   77  4620 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            

Chain OUTPUT (policy ACCEPT 702 packets, 327K bytes) 
 pkts bytes target     prot opt in     out     source               destination          

Chain wanin (1 references) 
 pkts bytes target     prot opt in     out     source               destination          

Chain wanout (1 references) 
 pkts bytes target     prot opt in     out     source               destination

Not sure how these wanin/wanout chains etc. are supposed to work, but when running iptables -nvL -t nat, I get this result:

Chain PREROUTING (policy ACCEPT 474 packets, 73403 bytes) 
 pkts bytes target     prot opt in     out     source               destination          
    2   100 WANPREROUTING  all  --  *      *       0.0.0.0/0            [**MY_EXTERNAL_IP**]         
    0     0 DROP       all  --  vlan2  *       0.0.0.0/0            192.168.9.0/24       

Chain POSTROUTING (policy ACCEPT 2 packets, 183 bytes) 
 pkts bytes target     prot opt in     out     source               destination          
  155  9698 MASQUERADE  all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0            
    0     0 SNAT       all  --  *      br0     192.168.9.0/24       192.168.9.0/24      to:192.168.9.1  

Chain OUTPUT (policy ACCEPT 80 packets, 5261 bytes) 
 pkts bytes target     prot opt in     out     source               destination          

Chain WANPREROUTING (1 references) 
 pkts bytes target     prot opt in     out     source               destination          
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           to:192.168.9.1

I thought that maybe I need to the following ipsec policy in iptables:
iptables -t nat -I POSTROUTING 1 -o vlan2 -m policy —dir out —pol ipsec -j ACCEPT

But it only gives the following result:

iptables: No chain/target/match by that name

Am I not supposed to be able to add iptables ipsec policies to allow ipsec traffic?

Options

Unfold by

Christian (guest), 22 Dec 2012 10:28

Fold

Simon (guest) 16 Jan 2013 10:28

Hi,

Have you tried running insmod xt_policy and bring the vpn up again and then try the command?

Simon

Options

Unfold by

Simon (guest), 16 Jan 2013 10:28

Fold

Re: Help with troubleshooting IPSec Strongswan setup

Lukapple 10 Nov 2013 10:57

Hi.
I've exactly same problem.
command: insmod xt_policy fixed that "iptables: No chain/target/match by that name" error. Thanks Simon.
And now when I connect to VPN, following rules are created:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  eth0   *       10.0.0.2             0.0.0.0/0           policy match dir in pol ipsec reqid 1 proto 50 
2        0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            10.0.0.2            policy match dir out pol ipsec reqid 1 proto 50

My config:

conn %default                                                                                                                                                                                             
        keyexchange=ikev1                                                                                             
        authby=xauthrsasig                                                                                            
        xauth=server                                                                                                  

conn ios                                                                                                              
       left=%defaultroute                                                                                             
       leftsubnet=0.0.0.0/0                                                                                           
       leftcert=serverCert.pem                                                                                    
       leftfirewall=yes                                                                                               
       right=%any                                                                                                     
       rightsubnet=10.0.0.0/24                                                                                        
       rightsourceip=10.0.0.2                                                                                         
       auto=add                                                                                                       
       rightcert=clientCert.pem

But I still can't access my LAN (192.168.2.0/24) or ping my phone's virtual IP 10.0.0.2.
Any idea what to try next ?

Options

Unfold Re: Help with troubleshooting IPSec Strongswan setup by

Lukapple, 10 Nov 2013 10:57

Fold

Re: Help with troubleshooting IPSec Strongswan setup

Robbie Crash 20 Dec 2013 08:16

Have you added the routes?

I had the same problem with the automated pptp vpn setup. Firewall rules were fine, router could do what it should, but nothing else could. Needed to add static routes to the router:

route add -net 192.168.2.0 netmask 255.255.255.0 <vInterfacee name>

Get the interface name from ifconfig.

Options

Unfold Re: Help with troubleshooting IPSec Strongswan setup by

Robbie Crash, 20 Dec 2013 08:16

New Post

TomatoUSB

Unleash your router