Hello all,
I am having a problem getting a site-to-site connection working using PSK and I was hoping you’d be able to offer some help. I am using strongSwan 5.2 (U5.2.0/K3.14.16) on openWRT Chaos Calmer (Linux OpenWrt 3.14.16 #7 SMP Tue Jan 26 18:17:28 EST 2016 armv7l GNU/Linux) running on a gateworks 5300 (http://www.gateworks.com/product/item/v … -processor) which has a Freescale i.MX6 SoC. I have two of the GW5300s each with this configuration.
I have them both set up using the example here: https://www.strongswan.org/uml/testresu … t2net-psk/. All of the ipsec configuration files have been copy and pasted from the example into the corresponding configuration file on each of the 5300s.
here is how i have the interfaces configured:
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd58:1732:4ca3::/48'
config interface 'LAN0'
option proto 'static'
option ifname 'eth0'
option ipaddr '192.168.0.1'
option netmask '255.255.0.0'
config interface 'LAN1'
option proto 'static'
option ifname 'eth1'
option ipaddr '10.1.0.1'
option netmask '255.0.0.0'
I am able to successfully start the tunnel and the connection completes successfully. Here are the details of the tunnel as printed by 'ipsec statusall'
root@OpenWrt:/# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.0, Linux 3.14.16, armv7l):
uptime: 8 minutes, since Jan 29 20:54:24 2016
malloc: sbrk 102400, mmap 0, used 87952, free 14448
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
Listening IP addresses:
192.168.0.1
10.1.0.1
Connections:
net-net: 192.168.0.1...192.168.0.2 IKEv2
net-net: local: [moon.strongswan.org] uses pre-shared key authentication
net-net: remote: [sun.strongswan.org] uses pre-shared key authentication
net-net: child: 10.1.0.0/16 === 10.2.0.0/16 TUNNEL
Security Associations (1 up, 0 connecting):
net-net[1]: ESTABLISHED 6 minutes ago, 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
net-net[1]: IKEv2 SPIs: 1344c48f06c482a6_i* 6b32dfe2942b78f9_r, pre-shared key reauthentication in 47 minutes
net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
net-net{1}: INSTALLED, TUNNEL, ESP SPIs: ccbb4a8b_i c4dc3108_o
net-net{1}: AES_CBC_128/HMAC_SHA1_96, 168 bytes_i (2 pkts, 368s ago), 420 bytes_o (5 pkts, 368s ago), rekeying in 8 minutes
net-net{1}: 10.1.0.0/16 === 10.2.0.0/16
Using the names from the example I posted above:
Alice (10.1.0.10) can ping Moon (10.1.0.1) & Sun (10.2.0.1) but not Bob (10.2.0.10)
Bob (10.2.0.10) can ping Sun (10.2.0.1) & Moon (10.1.0.1) but not Alice (10.1.0.10)
Since Alice (10.1.0.10) can ping Sun (10.2.0.1) but not Bob (10.2.0.10) I am assuming what is happening is that the eth1 interface on Sun (10.2.0.1) is not forwarding the packets from Alice (10.1.0.10) on to Bob (10.2.0.10). After googling the issue some I added the following lines to /etc/firewall.user
iptables -t nat -I POSTROUTING -s 10.1.0.0/16 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -t nat -I PREROUTING -s 10.2.0.0/16 -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A input_rule -p esp -j ACCEPT
iptables -A input_rule -p udp --dport 500 -j ACCEPT
iptables -A input_rule -p udp --dport 4500 -j ACCEPT
but this does not fix the problem. so Alice can still not ping Bob... Here is the output of 'iptables -L'
root@OpenWrt:/# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.2.0.0/16 10.1.0.0/16 policy match dir in pol ipsec reqid 1 proto esp
ACCEPT all -- 10.1.0.0/16 10.2.0.0/16 policy match dir out pol ipsec reqid 1 proto esp
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
which shows that the rules took....
when i type 'ip route list table 220'
root@OpenWrt:/# ip route list table 220
10.2.0.0/16 via 192.168.0.2 dev eth0 proto static src 10.1.0.1
it shows that 10.2.x.x will get routed to 10.1.0.1.... so I am really at a loss now as to why Alice and Bob can't ping each other and I am hoping someone here may know and can help.