
Hi, I'm running the Barrier Breaker version of OpenWrt and I have set up a VPN according to: http://wiki.openwrt.org/inbox/strongswan.howto I can connect to the VPN with my iPhone or Mac (to the 10.10.1.0/24 network). I can also connect from Windows 7. An IP is allocated to the client successfully using DHCP. Once connected I can't access anything on the network. /etc/firewall.user contains:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT   -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# Enable ssh and HTTP to router
iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
iptables -I OUTPUT 1 -p tcp --sport 22 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
iptables -I OUTPUT 1 -p tcp --sport 80 -j ACCEPT

/etc/ipsec.conf contains:

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%any
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    right=%any
    rightsubnet=10.10.1.0/24
    rightsourceip=%dhcp
    rightcert=clientCert.pem
    forceencaps=yes
    auto=add

conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no

conn win7
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid=@xxx.yyy.com
    leftfirewall=yes
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    rightsubnet=10.10.1.0/24
    rightsourceip=%dhcp
    eap_identity=%any
    auto=add

(The real domain name of the router has been replaced above with xxx.yyy.com).

/etc/strongswan.conf contains:

# strongswan.conf - strongSwan configuration file
charon {
    dns1 = 10.10.1.1
    # number of worker threads in charon
    threads = 16
    # send strongswan vendor ID?
    # send_vendor_id = yes
    plugins {
            dhcp {
                    server = 10.10.1.1
            }
            sql {
                    # loglevel to log into sql database
                    loglevel = -1

                    # URI to the database
                    # database = sqlite:///path/to/file.db
                    # database = mysql://user:password@localhost/database
            }
    }

    # ...
}

pluto {

}

libstrongswan {

    #  set to no, the DH exponent size is optimized
    #  dh_exponent_ansi_x9_42 = no
}

When I connect with both Windows 7 and the iPhone, ipsec status on the router shows:

Security Associations (2 up, 0 connecting):
     ios[5]: ESTABLISHED 4 seconds ago, xxx.xxx.xxx.xxx[C=AU, O=Netroworx, CN=xxx.xxx.com]...xxx.xxx.xxx.xxx[C=AU, O=Netroworx, CN=client]
     ios{5}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c8618e27_i 0923f471_o
     ios{5}:   0.0.0.0/0 === 10.10.1.89/32 
    win7[4]: ESTABLISHED 45 seconds ago, xxx.xxx.xxx.xxx[xxx.xxx.com]...xxx.xxx.xxx[192.168.191.131]
    win7{4}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cae3b4a6_i 67f3eaf0_o
    win7{4}:   0.0.0.0/0 === 10.10.1.0/24

(Sensitive IPs and domain names replaced with xxx.)

Any ideas on why packets are not being routed over the VPN?

Could this be a NAT thing?

Update: I get the following when trying to install strongswan on Barrier Breaker:

opkg install strongswan-full
Installing strongswan-full (5.0.4-1) to root...
Downloading http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/strongswan-full_5.0.4-1_ar71xx.ipk.
Multiple packages (kmod-crypto-hash and kmod-crypto-hash) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (kmod-crypto-manager and kmod-crypto-manager) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (kmod-crypto-core and kmod-crypto-core) providing same name marked HOLD or PREFER. Using latest.
Collected errors:
 * satisfy_dependencies_for: Cannot satisfy the following dependencies for strongswan-full:
 *      kernel (= 3.10.18-1-0de2f8afeb2eecb34eeca6f54b460523) * 
 * opkg_install_cmd: Cannot install package strongswan-full.
Greg Pagendam-Turner
  • You should remove `rightsubnet=10.10.1.0/24` in both configs. Also, is the _farp_ plugin loaded? (You can check with `ipsec statusall`) – ecdsa May 07 '13 at 09:45
  • Removed rightsubnet – Greg Pagendam-Turner May 08 '13 at 00:41
  • farp is loaded: loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck uci addrblock unity – Greg Pagendam-Turner May 08 '13 at 00:42
  • rightsubnet does not resolve the issue – Greg Pagendam-Turner May 08 '13 at 00:50
  • Quite bizarre that it should be tied to a specific kernel version. I'd probably build an image with ImageBuilder and add strongswan to it. Could also be your image is out of date. Barrier Breaker does change _nightly_, of course. – Michael Hampton Nov 29 '13 at 05:10
  • I had a similar problem with ocserv on Chaos Calmer. I used tcpdump on the tunnel interface and on the bridge interface for local access. You need to run the 2 tcpdumps for those interfaces at the same time. You can also add logging in the iptables rules to see which one is matched. – Mircea Vutcovici Sep 23 '16 at 19:52
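An added diagnostic, not from the question, the commenters or strongSwan itself, that parses the `ipsec status` output posted above and flags the point ecdsa raises in the comments: the win7 CHILD_SA's remote traffic selector is the whole 10.10.1.0/24 LAN rather than a single /32 virtual IP, so the gateway's IPsec policy will steer any LAN-bound packet into that one client's tunnel instead of onto the bridge. The status text is a constructed copy of the output in the question, placeholders included.

```python
import ipaddress
import re

# Constructed sample: the `ipsec status` output from the question, with the
# xxx placeholders kept exactly as posted.
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
     ios[5]: ESTABLISHED 4 seconds ago, xxx.xxx.xxx.xxx[C=AU, O=Netroworx, CN=xxx.xxx.com]...xxx.xxx.xxx.xxx[C=AU, O=Netroworx, CN=client]
     ios{5}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c8618e27_i 0923f471_o
     ios{5}:   0.0.0.0/0 === 10.10.1.89/32
    win7[4]: ESTABLISHED 45 seconds ago, xxx.xxx.xxx.xxx[xxx.xxx.com]...xxx.xxx.xxx[192.168.191.131]
    win7{4}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cae3b4a6_i 67f3eaf0_o
    win7{4}:   0.0.0.0/0 === 10.10.1.0/24
"""

# Matches only the traffic-selector line of a CHILD_SA: "<conn>{<id>}: <local> === <remote>"
TS_RE = re.compile(r"^\s*(\w+)\{(\d+)\}:\s+(\S+)\s+===\s+(\S+)\s*$")


def parse_child_sas(status_text):
    """Return (conn, child_id, local_ts, remote_ts) tuples for every installed CHILD_SA."""
    sas = []
    for line in status_text.splitlines():
        m = TS_RE.match(line)
        if m:
            conn, cid, local, remote = m.groups()
            sas.append((conn, int(cid),
                        ipaddress.ip_network(local, strict=False),
                        ipaddress.ip_network(remote, strict=False)))
    return sas


def audit_traffic_selectors(status_text, lan):
    """Map each conn to a verdict. A roadwarrior's remote TS should be the /32
    virtual IP it was assigned; a wider TS inside the LAN means the gateway's
    SPD sends the whole LAN's traffic (gateway included) into that tunnel."""
    lan = ipaddress.ip_network(lan)
    findings = {}
    for conn, _cid, _local, remote in parse_child_sas(status_text):
        if not remote.overlaps(lan):
            findings[conn] = f"remote TS {remote} is outside LAN {lan}"
        elif remote.prefixlen < remote.max_prefixlen:
            findings[conn] = f"remote TS {remote} overlaps LAN {lan}; expected a /32 virtual IP"
        else:
            findings[conn] = "ok"
    return findings


if __name__ == "__main__":
    for conn, verdict in audit_traffic_selectors(SAMPLE_STATUS, "10.10.1.0/24").items():
        print(f"{conn}: {verdict}")
```

On a live router the same check can be run over `ipsec status` output piped in, with the LAN prefix taken from the bridge interface.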

1 Answer

I have exactly the same problem. Did you find a solution for this issue yet? Some gurus said that I need to masquerade traffic. Try the following:

iptables -I POSTROUTING 1 -s 10.10.1.0/24 -j MASQUERADE -t nat
iptables -I FORWARD -m conntrack --ctstate SNAT -j ACCEPT
iptables -I FORWARD -m conntrack -s 10.10.1.0/24 --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

It didn't work for me, but maybe it will work for you.

OldFox
  • The OpenWrt guys said I needed a later version of firmware. I've since tried to install strongswan on the new firmware but a dependency could not be downloaded. – Greg Pagendam-Turner Nov 18 '13 at 22:49