I believe I've followed all the instructions, and my win 7 did get connected, but there's no Internet.
Background:
Server OS: ubuntu 12.04 on linode xen VPS
strongSwan Version: 4.6.4
Configuration in /etc/ipsec.conf:
config setup
    charonstart=yes
    plutostart=yes
    nat_traversal=yes
    uniqueids=yes

conn ios
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightsubnet=10.11.0.0/24
    rightsourceip=10.11.0.0/24
    pfs=no
    auto=add

conn win7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid="C=CH, O=strongSwan, CN=VPS ip"
    right=%any
    rightsourceip=10.11.1.0/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
Added DNS servers in /etc/strongswan.conf:
charon {
    dns1 = 8.8.8.8
    dns2 = 208.67.222.222
    ...

pluto {
    dns1 = 8.8.8.8
    dns2 = 208.67.222.222
    ...
Added users in /etc/ipsec.secrets:
: PSK "mypskpass"
user1 : XAUTH "pass1"
: RSA serverKey.pem
user2 : EAP "pass2"
#include /var/lib/strongswan/ipsec.secrets.inc
Added some new rules in /etc/iptables.firewall.rules:
*filter
# Accept IPsec VPN connections
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.11.0.0/24 -j ACCEPT
-A FORWARD -s 10.11.1.0/24 -j ACCEPT
COMMIT
*nat
# Allow IPsec VPN connections
-A POSTROUTING -s 10.11.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE
COMMIT
And activated iptables rules:
iptables-restore < /etc/iptables.firewall.rules
Then restarted ipsec:
ipsec restart
Till this point, my iOS devices can connect to it and everything works all right.
After that I generated certificates for both server and client side, then converted .pem into .p12 and imported it into win 7.
The good part is that my Win 7 can now connect to the VPS, but there's no internet connection.
I really don't know which part went wrong, would anybody please help me out?
Thanks
How is the routing setup after the VPN is established? – Hennes – 2013-04-17T13:09:33.713
@Hennes: What do you mean by routing setup? Win 7 did get assigned 10.11.1.1 as expected, and the DNS is also correct, but I guess there could be some kind of NAT problem; I just don't know how to correctly configure it. – Shane – 2013-04-17T13:26:10.707
I wondered if all your traffic now gets routed via the VPN to the other endpoint of the VPN tunnel. If that is the case then you need to check the IP forwarding rules on that endpoint, or enable split tunneling. – Hennes – 2013-04-17T13:32:42.100
@Hennes: Well, when I'm testing Win 7 there are no other clients/devices online, so I don't really get what you mean by "gets routed via the VPN to the other endpoint of the VPN tunnel". And I also set the exact same iptables rules for iOS and Win 7 devices; only the authentication methods are different, so I just don't see why it's not working for Win 7. – Shane – 2013-04-17T14:09:17.433
Is there any difference in the NAT situation between iOS and Windows 7 clients? Are the above all your iptables rules? What's the default policy of your iptables chains? – ecdsa – 2013-04-17T15:10:31.413
@ecdsa: Well, I don't think there's any difference in the NAT settings, and it's not all my iptables rules; I set it up to only allow HTTP/HTTPS/SSH connections. What confuses me the most is how come iOS devices work all right while Win 7 gets no internet... – Shane – 2013-04-17T15:33:15.333
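The questions above about the FORWARD policy and the NAT situation are the ones a practitioner would check first on the server. Two things stand out in the posted configuration, and whether either is the actual cause here is my assumption, not something the thread confirms: the `ios` conn has `leftfirewall=yes`, which makes strongSwan's `_updown` script insert per-client (/32) FORWARD rules in both directions, while the `win7` conn has no such setting and the hand-written rules only ACCEPT `-s 10.11.1.0/24`, so replies destined to the pool fall through to the chain policy; and an INPUT chain that only opens TCP 22/80/443 plus UDP 500/4500 drops plain ESP (IP protocol 50), which a client that is not behind NAT will use instead of UDP/4500. The script below is an added example, not from the original post or from strongSwan; it inspects text you pass it (the output of `iptables -S FORWARD`, `iptables -S INPUT`, and the contents of `/proc/sys/net/ipv4/ip_forward`) rather than changing the live firewall, and prints the complete rule fragment one pool needs. The pool addresses, interface name and sample dumps are assumptions that mirror the question.

```shell
#!/bin/sh
# Added example, not code from the original post. Offline sanity checks for
# the server-side forwarding path of a strongSwan road-warrior setup.
# Nothing here modifies iptables; the functions only read the text they
# are given. Pool, interface and sample dumps are assumptions.

# check_ip_forward FILE
# FILE is normally /proc/sys/net/ipv4/ip_forward. Returns 0 only if it
# reads 1; with 0, the kernel forwards nothing for any client.
check_ip_forward() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# check_forward_rules DUMP SUBNET
# DUMP is `iptables -S FORWARD` output, SUBNET a client pool (e.g. the
# rightsourceip range). A pool needs ACCEPT in both directions: -s SUBNET
# for packets leaving the tunnel and -d SUBNET for the replies coming back
# from the uplink. Prints what is missing; returns 1 if either is absent.
# (Per-client /32 rules inserted by _updown for leftfirewall=yes are not
# matched on purpose: they exist only while that client is connected.)
check_forward_rules() {
    dump=$1; subnet=$2; missing=0
    if ! printf '%s\n' "$dump" | grep -q -- "^-A FORWARD .*-s $subnet .*-j ACCEPT"; then
        echo "FORWARD: no ACCEPT for -s $subnet (outbound)"; missing=1
    fi
    if ! printf '%s\n' "$dump" | grep -q -- "^-A FORWARD .*-d $subnet .*-j ACCEPT"; then
        echo "FORWARD: no ACCEPT for -d $subnet (return traffic)"; missing=1
    fi
    return $missing
}

# check_esp_input DUMP
# DUMP is `iptables -S INPUT` output. A client that is not behind NAT
# sends ESP as IP protocol 50, not UDP/4500, so INPUT has to accept it.
check_esp_input() {
    printf '%s\n' "$1" | grep -q -- "^-A INPUT .*-p esp .*-j ACCEPT"
}

# pool_rules SUBNET IFACE
# Prints the iptables-restore fragment one client pool needs: ESP and
# IKE/NAT-T on INPUT, FORWARD in both directions, MASQUERADE out of IFACE.
pool_rules() {
    subnet=$1; iface=$2
    cat <<EOF
*filter
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A FORWARD -s $subnet -o $iface -j ACCEPT
-A FORWARD -d $subnet -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s $subnet -o $iface -j MASQUERADE
COMMIT
EOF
}

# Constructed sample dumps (assumption) mirroring the rules in the question:
# outbound-only FORWARD rules and an INPUT chain without ESP.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -s 10.11.0.0/24 -j ACCEPT
-A FORWARD -s 10.11.1.0/24 -j ACCEPT'
SAMPLE_INPUT='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT'

if check_forward_rules "$SAMPLE_FORWARD" 10.11.1.0/24; then
    echo "FORWARD rules for 10.11.1.0/24 look complete"
fi
check_esp_input "$SAMPLE_INPUT" || echo "INPUT: no ACCEPT for -p esp (non-NATed clients)"
echo "--- rules one pool needs ---"
pool_rules 10.11.1.0/24 eth0
```

On the server itself the same functions run against live state: `check_ip_forward /proc/sys/net/ipv4/ip_forward`, `check_forward_rules "$(iptables -S FORWARD)" 10.11.1.0/24` and `check_esp_input "$(iptables -S INPUT)"`. While the Windows client is connected, `ip xfrm policy` shows whether the 0.0.0.0/0 traffic selector was actually installed for 10.11.1.1, and `iptables -vnL FORWARD` shows whether return packets are hitting the DROP policy counters rather than an ACCEPT rule.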