Hi I'm running Barrier Breaker version of OpenWRT and I have setup a VPN according to: http://wiki.openwrt.org/inbox/strongswan.howto I can connect to the VPN with my iPhone or Mac (to 10.10.1.0/24 network). I can also connect from Windows 7. An IP is allocated to the client successfully using DHCP. Once connected I can't access anything on the network. /etc/firewall.user contains:
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# Enable ssh and HTTP to router
iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
iptables -I OUTPUT 1 -p tcp --sport 22 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
iptables -I OUTPUT 1 -p tcp --sport 80 -j ACCEPT
/etc/ipsec.conf contains:
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
conn ios
keyexchange=ikev1
authby=xauthrsasig
xauth=server
left=%any
leftsubnet=0.0.0.0/0
leftfirewall=yes
leftcert=serverCert.pem
right=%any
rightsubnet=10.10.1.0/24
rightsourceip=%dhcp
rightcert=clientCert.pem
forceencaps=yes
auto=add
conn %default
keyexchange=ikev2
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
conn win7
left=%any
leftsubnet=0.0.0.0/0
leftauth=pubkey
leftcert=serverCert.pem
leftid=@xxx.yyy.com
leftfirewall=yes
right=%any
rightauth=eap-mschapv2
rightsendcert=never
rightsubnet=10.10.1.0/24
rightsourceip=%dhcp
eap_identity=%any
auto=add
(The real domain name of the router has been replaced above with xxx.yyy.com).
/etc/strongswan.conf contains:
# strongswan.conf - strongSwan configuration file
charon {
dns1 = 10.10.1.1
# number of worker threads in charon
threads = 16
# send strongswan vendor ID?
# send_vendor_id = yes
plugins {
dhcp {
server = 10.10.1.1
}
sql {
# loglevel to log into sql database
loglevel = -1
# URI to the database
# database = sqlite:///path/to/file.db
# database = mysql://user:password@localhost/database
}
}
# ...
}
pluto {
}
libstrongswan {
# set to no, the DH exponent size is optimized
# dh_exponent_ansi_x9_42 = no
}
When I connect with both Windows 7 and also iPhone ipsec status on router shows:
Security Associations (2 up, 0 connecting):
ios[5]: ESTABLISHED 4 seconds ago, xxx.xxx.xxx.xxx[C=AU, O=Netroworx, CN=xxx.xxx.com]...xxx.xxx.xxx.xxx[C=AU, O=Netroworx, CN=client]
ios{5}: INSTALLED, TUNNEL, ESP in UDP SPIs: c8618e27_i 0923f471_o
ios{5}: 0.0.0.0/0 === 10.10.1.89/32
win7[4]: ESTABLISHED 45 seconds ago, xxx.xxx.xxx.xxx[xxx.xxx.com]...xxx.xxx.xxx[192.168.191.131]
win7{4}: INSTALLED, TUNNEL, ESP in UDP SPIs: cae3b4a6_i 67f3eaf0_o
win7{4}: 0.0.0.0/0 === 10.10.1.0/24
(Sensitive ips and domain names replaced with xxx)
Any ideas on why packets are not being routed over the vpn?
Could this be a NAT thing?
Update: I get the following when trying to install strongswan on Barrier Breaker:
opkg install strongswan-full
Installing strongswan-full (5.0.4-1) to root...
Downloading http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/strongswan-full_5.0.4-1_ar71xx.ipk.
Multiple packages (kmod-crypto-hash and kmod-crypto-hash) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (kmod-crypto-manager and kmod-crypto-manager) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (kmod-crypto-core and kmod-crypto-core) providing same name marked HOLD or PREFER. Using latest.
Collected errors:
* satisfy_dependencies_for: Cannot satisfy the following dependencies for strongswan-full:
* kernel (= 3.10.18-1-0de2f8afeb2eecb34eeca6f54b460523) *
* opkg_install_cmd: Cannot install package strongswan-full.