OpenWrt Forum Archive

Topic: IPSEC: Outgoing Packets dropped by firewall?

The content of this topic has been archived on 20 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello everybody,

I've just set up the strongSwan IPsec connection to our office.

The command ipsec -statusall says that the connection is established, but I'm not able to ping our office's firewall.

Surprisingly, my office can ping my OpenWrt router through this connection all the time, and as soon as I stop the OpenWrt firewall with the command

/etc/init.d/firewall stop

I can reach the office as well, but not the internet anymore.
When I start the firewall again, it is the other way around again.

Please, does anybody know what to check or where to look? I've read the tutorials, but I've no idea what the issue could be.

Thank you in advance!

ND

I'm seeing this for the first time and my comment may be off topic, but I think you should check the leftfirewall=yes directive.

Thank you for your answer,
Indeed there was no statement with leftfirewall in my config, so I inserted it and rebooted the whole router.
Sadly it did not change the behaviour. Outgoing pings are still not possible.

Would it help to post some config files? Which ones?
Any other ideas?

Thanks and BR

ND

This is my connection from ipsec.conf:

conn xyzgmbh
  aggressive=yes
  fragmentation=yes
  keyexchange=ikev1
  reauth=yes
  rekey=yes
  forceencaps=no
  installpolicy=yes
  type=tunnel
  dpdaction=none
  left=xxx.xxx.de
  right=yyy.yyy.de
  leftid=xxx.xxx.de
  ikelifetime=3600s
  lifetime=28800s
  ike=3des-sha1-modp1024!
  leftauth=psk
  rightauth=psk
  rightid=yyy.yyy.de
  rightsubnet=192.168.10.0/24
  leftsubnet=192.168.40.0/24
  esp=aes256-sha1!
  leftfirewall=yes
  auto=start

Post the output of "iptables -vnL" and "iptables -t nat -vnL" when your IPsec tunnel is up. If you post only your strongSwan config, any answers you may receive will be guesses at best.

Yes, and check ping both from a client of your router and from the router itself.

As far as I understood, additional firewall settings should be applied. To this end a special script was developed; you can find it on the page dedicated to firewall ipsec.

(Last edited by ulmwind on 13 Nov 2016, 10:54)

Hi,
These are the outputs of both mentioned commands. At the moment my OpenWrt (192.168.40.1 and the whole network) can be pinged from the office (192.168.10.1), but not the other way around (not even from an SSH shell directly on my router).

iptables -vnL:

root@OpenWrt:~# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 133K   10M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            ID:66773300
59875   16M input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
35739   14M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate RELATED,ESTABLISHED
 2450  103K syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 tcp flags:0x17/0x02
16912 1250K zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300
 7224 1561K zone_wan_input  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            ID:66773300
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain FORWARD (policy ACCEPT 5 packets, 300 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0.2 *       192.168.10.0/24      192.168.40.0/24      policy match dir in pol ipsec reqid 2 proto 50
16564  994K ACCEPT     all  --  *      eth0.2  192.168.40.0/24      192.168.10.0/24      policy match dir out pol ipsec reqid 2 proto 50
  13M   12G forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
  13M   12G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate RELATED,ESTABLISHED
21072 1176K zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300
    5   300 zone_wan_forward  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 133K   10M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            ID:66773300
48471 4353K output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
39657 3668K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate RELATED,ESTABLISHED
  117 36521 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            ID:66773300
 8697  648K zone_wan_output  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination
 2593  111K REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 reject-with tcp-reset
 1115  221K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2450  103K RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 tcp flags:0x17/0x02 limit: avg 25/sec burst 50
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
  148 39223 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
21072 1176K forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
21072 1176K zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* forwarding lan -> wan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port forwards */
   31  2702 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
16912 1250K input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port redirections */
16912 1250K zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  117 36521 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
  117 36521 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
16912 1250K ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
29738 1821K ACCEPT     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   300 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port forwards */
    5   300 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
 7224 1561K input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
 3363 1212K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 udp dpt:68 /* Allow-DHCP-Renew */
   12   528 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 icmptype 8 /* Allow-Ping */
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* Allow-IGMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 policy match dir in pol ipsec proto 51 /* IPSEC AH */
    5   600 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* IPsec ESP */
  136 15793 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 udp dpt:500 /* IPsec ISAKMP */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 udp dpt:4500 /* IPsec NAT-T */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port redirections */
 3708  332K zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
 8697  648K output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
 8697  648K zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3708  332K reject     all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            ID:66773300

iptables -t nat -vnL

Chain PREROUTING (policy ACCEPT 32606 packets, 2268K bytes)
 pkts bytes target     prot opt in     out     source               destination
32606 2268K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */
28608 1815K zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300
 3998  453K zone_wan_prerouting  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain INPUT (policy ACCEPT 8068 packets, 707K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 74873 packets, 5290K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 66475 packets, 4661K bytes)
 pkts bytes target     prot opt in     out     source               destination
89680 6069K postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */
  100 30677 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            ID:66773300
23205 1409K zone_wan_postrouting  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
  100 30677 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
28608 1815K prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
23205 1409K postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */
23205 1409K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3998  453K prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */
root@OpenWrt:~#

ipsec statusall

root@OpenWrt:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.5.0, Linux 4.4.14, ppc):
  uptime: 3 seconds, since Nov 13 22:38:51 2016
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon test-vectors pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default connmark farp stroke updown xauth-generic dhcp
Listening IP addresses:
  192.168.40.1
  fda6:26ab:xxxx::1
  109.90.xx.xxx
Connections:
  mustergmbh:  openwrtdns.de...officedns.de  IKEv1 Aggressive
  mustergmbh:   local:  [openwrtdns.de] uses pre-shared key authentication
  mustergmbh:   remote: [officedns.de] uses pre-shared key authentication
  mustergmbh:   child:  192.168.40.0/24 === 192.168.10.0/24 TUNNEL
Routed Connections:
Security Associations (1 up, 0 connecting):
  mustergmbh[1]: ESTABLISHED 3 seconds ago, yyy.yy.yy.yyy[openwrtdns.de]...zzz.zz.zzz.zzz[officedns.de]
  mustergmbh[1]: IKEv1 SPIs: b5657b1b4bd935e7_i* 6babc002456c5a05_r, pre-shared key reauthentication in 44 minutes
  mustergmbh[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  mustergmbh{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1da2ec7_i f81daafa_o
  mustergmbh{2}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
  mustergmbh{2}:   192.168.40.0/24 === 192.168.10.0/24

As far as I understood, additional firewall settings should be applied. To this end a special script was developed; you can find it on the page dedicated to firewall ipsec.

I've tried that script, but without luck.

Is it possible to see where my pings get blocked while firewall is active?

Can you guess from my commands' output what's wrong?
I wonder why there are so many 0.0.0.0 addresses in the iptables output. Is that the way it should be?

Thanks and BR
ND

(Last edited by nicodr on 15 Nov 2016, 23:54)
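The question of where the pings get blocked can be answered with the rule counters already present in the posted output: snapshot `iptables -vnL`, send a few pings, snapshot again, and look at which rules counted more packets. The following is an added example, not code from the thread or from OpenWrt; its two snapshots are constructed in the format posted above with invented counters, and it assumes the ruleset does not change between the two snapshots.

```python
"""Find where test pings get blocked by diffing `iptables -vnL` counters.

Added example, not from the thread: snapshot the counters, send a few
pings, snapshot again, and list the rules whose packet counter grew.
`iptables -vnxL` prints exact counters (K/M/G abbreviations hide small deltas).
"""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def parse_count(token):
    """Turn an abbreviated iptables counter such as '133K' into an int."""
    if token[-1] in SUFFIX:
        return int(token[:-1]) * SUFFIX[token[-1]]
    return int(token)


def parse_iptables(text):
    """Parse `iptables -vnL` output into {chain: [rule, ...]}; each rule
    keeps its packet counter plus a 'key' of the non-counter columns so
    two snapshots of the same ruleset can be lined up rule by rule."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line.rstrip())
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        fields = line.split()
        # skip shell prompts, blank lines and the column header
        if current is None or len(fields) < 9 or fields[0] == "pkts":
            continue
        pkts, _bytes, target, prot, _opt, dev_in, dev_out, src, dst = fields[:9]
        extra = " ".join(fields[9:])  # match options and /* comment */
        chains[current].append({
            "pkts": parse_count(pkts),
            "target": target,
            "key": (target, prot, dev_in, dev_out, src, dst, extra),
        })
    return chains


def is_blocking(target):
    """True for targets that discard the packet: DROP, REJECT, and the
    'reject' and zone_*_REJECT user chains seen in the thread."""
    return target.upper() in ("DROP", "REJECT") or target.upper().endswith("REJECT")


def diff_snapshots(before_text, after_text):
    """Rules whose packet counter grew: {chain, index, target, delta,
    blocking}, in table order.  ValueError if the rulesets differ."""
    before, after = parse_iptables(before_text), parse_iptables(after_text)
    if before.keys() != after.keys():
        raise ValueError("chain sets differ between snapshots")
    hits = []
    for chain, rules_after in after.items():
        rules_before = before[chain]
        if [r["key"] for r in rules_before] != [r["key"] for r in rules_after]:
            raise ValueError("rules in chain %s differ between snapshots" % chain)
        for idx, (b, a) in enumerate(zip(rules_before, rules_after)):
            delta = a["pkts"] - b["pkts"]
            if delta > 0:
                hits.append({"chain": chain, "index": idx, "target": a["target"],
                             "delta": delta, "blocking": is_blocking(a["target"])})
    return hits


def blocking_hits(before_text, after_text):
    """Only the hits on dropping/rejecting rules: where the pings end up."""
    return [h for h in diff_snapshots(before_text, after_text) if h["blocking"]]


# Constructed snapshots in the format posted in the thread (the counters are
# made up for this example): four ESP packets are accepted, then the four
# decrypted packets re-enter INPUT on eth0.2 and hit zone_wan_src_REJECT.
BEFORE = """\
root@OpenWrt:~# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 35739   14M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate RELATED,ESTABLISHED
  7224 1561K zone_wan_input  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    12   528 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 icmptype 8 /* Allow-Ping */
     5   600 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* IPsec ESP */
  3708  332K zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  3708  332K reject     all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            ID:66773300
"""
# After the pings: +8 into zone_wan_input (4 ESP + 4 decrypted), +4 elsewhere.
AFTER = (BEFORE.replace("  7224 1561K", "  7232 1562K")
               .replace("     5   600 ACCEPT     esp", "     9  1080 ACCEPT     esp")
               .replace("  3708  332K", "  3712  332K"))
```

Run it against two real snapshots taken around a burst of pings; a rule in the blocking list is the one answering the pings, and a rejecting user chain with no hits at all means the packets never reached the firewall (for example because they were not routed into the tunnel).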

nicodr, before running the script, the initial configuration of the firewall should contain an empty zone "vpn" (INPUT, FORWARD: REJECT; OUTPUT: ACCEPT).

Hello everybody,

I've now added a firewall zone called 'vpn' without an interface and with the settings (input: reject, forward: accept, output: accept).
Now my commands' outputs show the mentioned zones for vpn:

root@OpenWrt:~# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  128  9952 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            ID:66773300
  132 22100 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
   99 17778 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate RELATED,ESTABLISHED
    2    92 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 tcp flags:0x17/0x02
   23  1938 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300
   10  2384 zone_wan_input  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            ID:66773300
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0.2 *       192.168.20.0/24      192.168.40.0/24      policy match dir in pol ipsec reqid 2 proto 50
   99  5940 ACCEPT     all  --  *      eth0.2  192.168.40.0/24      192.168.20.0/24      policy match dir out pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  eth0.2 *       192.168.10.0/24      192.168.40.0/24      policy match dir in pol ipsec reqid 1 proto 50
  101  6032 ACCEPT     all  --  *      eth0.2  192.168.40.0/24      192.168.10.0/24      policy match dir out pol ipsec reqid 1 proto 50
  603  197K forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
  587  196K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate RELATED,ESTABLISHED
   16   900 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300
    0     0 zone_wan_forward  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  128  9952 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            ID:66773300
  118 31663 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
   94 29715 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate RELATED,ESTABLISHED
    1   328 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            ID:66773300
   23  1620 zone_wan_output  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain adb-fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-fwd */ reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-fwd */ reject-with icmp-host-unreachable
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-fwd */

Chain adb-out (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-out */ reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-out */ reject-with icmp-host-unreachable
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-out */

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 adb-fwd    all  --  *      *       0.0.0.0/0            198.18.0.1           /* adb-fwd */

Chain forwarding_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 adb-out    all  --  *      *       0.0.0.0/0            198.18.0.1           /* adb-out */

Chain output_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination
    5   831 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 reject-with tcp-reset
    1   135 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2    92 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 tcp flags:0x17/0x02 limit: avg 25/sec burst 50
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    1   328 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
   16   900 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
   16   900 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* forwarding lan -> wan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   23  1938 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port redirections */
   23  1938 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1   328 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
    1   328 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   23  1938 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_vpn_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_vpn_forward (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port forwards */
    0     0 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_vpn_input (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 input_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port redirections */
    0     0 zone_vpn_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_vpn_output (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 output_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
    0     0 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_vpn_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_wan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
   39  2520 ACCEPT     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   10  2384 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
    4  1418 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 udp dpt:68 /* Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 icmptype 8 /* Allow-Ping */
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* Allow-IGMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 policy match dir in pol ipsec proto 51 /* IPSEC AH */
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* IPsec ESP */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 udp dpt:500 /* IPsec ISAKMP */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 udp dpt:4500 /* IPsec NAT-T */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port redirections */
    6   966 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
   23  1620 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
   23  1620 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6   966 reject     all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            ID:66773300
root@OpenWrt:~#

And

root@OpenWrt:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 48 packets, 3774 bytes)
 pkts bytes target     prot opt in     out     source               destination
   62  4679 prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */
   40  2436 zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300
    8  1338 zone_wan_prerouting  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain INPUT (policy ACCEPT 17 packets, 1613 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 161 packets, 11628 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 124 packets, 8908 bytes)
 pkts bytes target     prot opt in     out     source               destination
  188 13028 postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */
    1   328 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            ID:66773300
   64  4120 zone_wan_postrouting  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain adb-dns (1 references)
 pkts bytes target     prot opt in     out     source               destination
   61  3878 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-dns */ udp dpt:53 to:192.168.40.1:53
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-dns */ tcp dpt:53 to:192.168.40.1:53
  219 22973 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-dns */

Chain adb-nat (1 references)
 pkts bytes target     prot opt in     out     source               destination
   24  1248 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-nat */ tcp dpt:80 to:192.168.40.1:65534
    4   208 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-nat */ tcp dpt:443 to:192.168.40.1:65535
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-nat */

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
  280 26851 adb-dns    all  --  br-lan+ *       0.0.0.0/0            0.0.0.0/0            /* adb-dns */
   28  1456 adb-nat    all  --  *      *       0.0.0.0/0            198.18.0.1           /* adb-nat */

Chain prerouting_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1   328 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
   40  2436 prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */

Chain zone_vpn_postrouting (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 postrouting_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */

Chain zone_vpn_prerouting (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 prerouting_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
   64  4120 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */
   64  4120 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    8  1338 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */
root@OpenWrt:~#

Again, no ping possible, tunnel is established.

When I now run the ipsec firewall script, the output of iptables is:

root@OpenWrt:~# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  415 48864 zone_vpn_input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  405 41424 zone_vpn_gateway  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  461 37312 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            ID:66773300
14749   21M input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
14485   21M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate RELATED,ESTABLISHED
    4   192 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 tcp flags:0x17/0x02
  247 17110 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300
   17  4377 zone_wan_input  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            ID:66773300
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2954 1542K zone_vpn_forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0.2 *       192.168.20.0/24      192.168.40.0/24      policy match dir in pol ipsec reqid 2 proto 50
   72  4320 ACCEPT     all  --  *      eth0.2  192.168.40.0/24      192.168.20.0/24      policy match dir out pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  eth0.2 *       192.168.20.0/24      192.168.40.0/24      policy match dir in pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  *      eth0.2  192.168.40.0/24      192.168.20.0/24      policy match dir out pol ipsec reqid 2 proto 50
    0     0 ACCEPT     all  --  eth0.2 *       192.168.10.0/24      192.168.40.0/24      policy match dir in pol ipsec reqid 1 proto 50
   72  4320 ACCEPT     all  --  *      eth0.2  192.168.40.0/24      192.168.10.0/24      policy match dir out pol ipsec reqid 1 proto 50
11895 6312K forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
11593 6295K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate RELATED,ESTABLISHED
  302 16788 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300
    0     0 zone_wan_forward  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  461 37312 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            ID:66773300
 6725  427K output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
 6531  413K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate RELATED,ESTABLISHED
    3   984 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            ID:66773300
  191 12749 zone_wan_output  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain adb-fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-fwd */ reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-fwd */ reject-with icmp-host-unreachable
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-fwd */

Chain adb-out (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-out */ reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-out */ reject-with icmp-host-unreachable
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-out */

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 adb-fwd    all  --  *      *       0.0.0.0/0            198.18.0.1           /* adb-fwd */

Chain forwarding_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 adb-out    all  --  *      *       0.0.0.0/0            198.18.0.1           /* adb-out */

Chain output_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination
    7   467 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   192 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 tcp flags:0x17/0x02 limit: avg 25/sec burst 50
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    3   984 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
   67  3484 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
   67  3484 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* forwarding lan -> wan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  247 17110 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port redirections */
  247 17110 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   984 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
    3   984 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  247 17110 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_vpn_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_vpn_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2954 1542K forwarding_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port forwards */
 2954 1542K zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_vpn_gateway (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_vpn_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  415 48864 input_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
   24  8124 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port redirections */
  391 40740 zone_vpn_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_vpn_output (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 output_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
    0     0 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_vpn_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_wan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
  493 29537 ACCEPT     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   17  4377 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
    9  3217 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 udp dpt:68 /* Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 icmptype 8 /* Allow-Ping */
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* Allow-IGMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 policy match dir in pol ipsec proto 51 /* IPSEC AH */
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* IPsec ESP */
    1   693 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 udp dpt:500 /* IPsec ISAKMP */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 udp dpt:4500 /* IPsec NAT-T */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port redirections */
    7   467 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  191 12749 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
  191 12749 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7   467 reject     all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            ID:66773300
root@OpenWrt:~#

and

root@OpenWrt:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 239 packets, 13358 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1140 75175 prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */
  239 13358 zone_vpn_prerouting  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  515 36716 zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300
   12  1668 zone_wan_prerouting  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain INPUT (policy ACCEPT 573 packets, 34649 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 246 packets, 17612 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 168 packets, 11972 bytes)
 pkts bytes target     prot opt in     out     source               destination
  888 55752 postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */
    3   984 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            ID:66773300
  597 34860 zone_wan_postrouting  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain adb-dns (1 references)
 pkts bytes target     prot opt in     out     source               destination
  399 25663 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-dns */ udp dpt:53 to:192.168.40.1:53
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-dns */ tcp dpt:53 to:192.168.40.1:53
  696 45828 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-dns */

Chain adb-nat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   104 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-nat */ tcp dpt:80 to:192.168.40.1:65534
  212 11024 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-nat */ tcp dpt:443 to:192.168.40.1:65535
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* adb-nat */

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1095 71491 adb-dns    all  --  br-lan+ *       0.0.0.0/0            0.0.0.0/0            /* adb-dns */
  214 11128 adb-nat    all  --  *      *       0.0.0.0/0            198.18.0.1           /* adb-nat */

Chain prerouting_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   984 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
  515 36716 prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */

Chain zone_vpn_postrouting (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 postrouting_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */

Chain zone_vpn_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
  239 13358 prerouting_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
  597 34860 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */
  597 34860 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12  1668 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */
root@OpenWrt:~#

Again, no ping through the tunnel is possible.

I've stored the firewall script at /etc/firewall.ipsec which, by the way, might have some broken commands, since it outputs:

root@OpenWrt:~# /etc/firewall.ipsec
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables v1.4.21: Couldn't load target `zone_vpn_nat':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables -F zone_lan_forward
iptables v1.4.21: Couldn't load target `zone_vpn_REJECT':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables -F zone_wan_forward
iptables v1.4.21: Couldn't load target `zone_vpn_REJECT':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables: Chain already exists.
iptables: Chain already exists.
root@OpenWrt:~#

Do you see any clue where the issue could be?

Thanks and BR

ND
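The "Couldn't load target" lines above mean the script tries to jump to a chain that does not exist at the moment the rule is added, and a script that dies halfway leaves a half-applied ruleset behind. The checks below are an added example, not code from the thread or from OpenWrt's own firewall package: they parse an "iptables -vnL" dump and report jump targets that name no existing chain, chains that nothing references, and the per-reqid in/out packet counters of the IPsec policy-match rules (a tunnel that only ever matches "dir out" is a useful hint when pings get no reply). The dump embedded in SAMPLE_DUMP is constructed to mimic the format of the outputs posted above; the function names are mine.

```shell
#!/bin/sh
# Added example: sanity checks over an "iptables -vnL" dump read on stdin.
# SAMPLE_DUMP is a constructed ruleset in the same format as the posted
# output; it is not the poster's actual firewall.

SAMPLE_DUMP='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  415 48864 zone_vpn_input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  461 37312 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2954 1542K zone_vpn_forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0.2 *       192.168.10.0/24      192.168.40.0/24      policy match dir in pol ipsec reqid 1 proto 50
   72  4320 ACCEPT     all  --  *      eth0.2  192.168.40.0/24      192.168.10.0/24      policy match dir out pol ipsec reqid 1 proto 50
    0     0 zone_vpn_nat  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7   467 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset

Chain zone_vpn_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_vpn_input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_vpn_output (0 references)
 pkts bytes target     prot opt in     out     source               destination
'

# Print every jump target that is neither a built-in target nor a chain
# defined in the dump, one per line, sorted. Such a target is exactly what
# makes iptables fail with "Couldn't load target ...".
dangling_targets() {
    awk '
        /^Chain /          { defined[$2] = 1; next }   # chain header line
        /^ *pkts +bytes/   { next }                    # column header line
        NF >= 3            { seen[$3] = 1 }            # 3rd column is the target
        END {
            split("ACCEPT DROP REJECT RETURN MASQUERADE DNAT SNAT LOG", b, " ")
            for (i in b) builtin[b[i]] = 1
            for (t in seen) if (!(t in defined) && !(t in builtin)) print t
        }
    ' | sort
}

# Print chains that exist but that no rule jumps to ("(0 references)"):
# rules placed there can never match anything.
unreferenced_chains() {
    awk '/^Chain .*\(0 references\)/ { print $2 }' | sort
}

# For each IPsec reqid, sum the packet counters of the "policy match dir in"
# and "dir out" rules. A zero on one side means traffic flows in only one
# direction through that tunnel.
ipsec_policy_counters() {
    awk '
        /policy match dir (in|out) pol ipsec reqid/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "dir")   dir   = $(i + 1)
                if ($i == "reqid") reqid = $(i + 1)
            }
            count[reqid, dir] += $1
            ids[reqid] = 1
        }
        END {
            for (r in ids)
                printf "reqid %s in=%d out=%d\n", r, count[r, "in"] + 0, count[r, "out"] + 0
        }
    ' | sort
}

# Run the checks against the constructed dump. On the router itself you
# would pipe a live dump instead, e.g.:  iptables -vnL | dangling_targets
echo "dangling targets:";    printf '%s\n' "$SAMPLE_DUMP" | dangling_targets
echo "unreferenced chains:"; printf '%s\n' "$SAMPLE_DUMP" | unreferenced_chains
echo "ipsec policy counters:"; printf '%s\n' "$SAMPLE_DUMP" | ipsec_policy_counters
```

Running the script against the constructed dump reports zone_vpn_nat as a dangling target, zone_vpn_output as an unreferenced chain, and "reqid 1 in=0 out=72". Running the first check against the live ruleset before the script is applied tells you which chains the script expects the firewall package to have created already.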

OK, if there are errors in the script, we should understand why.
Please try to execute the script as follows and give the output:

bash -x /etc/firewall.ipsec

(Last edited by ulmwind on 14 Nov 2016, 23:45)

Hello, thank you for your answer.
Here are the commands' outputs:

root@OpenWrt:~# /etc/firewall.ipsec
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables v1.4.21: Couldn't load target `zone_vpn_nat':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: Couldn't load target `zone_vpn_REJECT':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: Couldn't load target `zone_vpn_REJECT':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables: Chain already exists.
iptables: Chain already exists.
root@OpenWrt:~#
root@OpenWrt:~# bash -x /etc/firewall.ipsec
+ . /lib/functions.sh
++ N='
'
++ _C=0
++ NO_EXPORT=1
++ LOAD_STATE=1
++ LIST_SEP=' '
++ reset_cb
++ '[' -z '' -a -f /lib/config/uci.sh ']'
++ . /lib/config/uci.sh
+++ CONFIG_APPEND=
+ zone=vpn
+ config_load ipsec
+ '[' -n '' ']'
+ uci_load ipsec
+ local PACKAGE=ipsec
+ local DATA
+ local RET
+ local VAR
+ _C=0
+ '[' -z '' ']'
+ export -n CONFIG_LIST_STATE=
+ CONFIG_LIST_STATE=
+ export -n CONFIG_SECTIONS=
+ CONFIG_SECTIONS=
+ export -n CONFIG_NUM_SECTIONS=0
+ CONFIG_NUM_SECTIONS=0
+ export -n CONFIG_SECTION=
+ CONFIG_SECTION=
++ /sbin/uci -P /var/state -S -n export ipsec
+ DATA='package ipsec

config ipsec '\''cfg026e19'\''
        option zone '\''vpn'\''

config remote '\''mustergmbh'\''
        option enabled '\''1'\''
        option gateway '\''remote.officesite.de'\''
        option authentication_method '\''psk'\''
        option pre_shared_key '\''secretkey'\''
        list p1_proposal '\''pre_g2_aes_sha1'\''
        list sainfo '\''muster_lan'\''

config p1_proposal '\''pre_g2_aes_sha1'\''
        option encryption_algorithm '\''3des'\''
        option hash_algorithm '\''sha1'\''
        option dh_group '\''modp1024'\''

config tunnel '\''muster_lan'\''
        option local_subnet '\''192.168.40.0/24'\''
        option remote_subnet '\''192.168.10.0/24'\''
        option p2_proposal '\''g2_aes_sha1'\''

config p2_proposal '\''g2_aes_sha1'\''
        option encryption_algorithm '\''aes256'\''
        option authentication_algorithm '\''sha1'\'''
+ RET=0
+ '[' 0 '!=' 0 -o -z 'package ipsec

config ipsec '\''cfg026e19'\''
        option zone '\''vpn'\''

config remote '\''mustergmbh'\''
        option enabled '\''1'\''
        option gateway '\''remote.officesite.de'\''
        option authentication_method '\''psk'\''
        option pre_shared_key '\''secretkey'\''
        list p1_proposal '\''pre_g2_aes_sha1'\''
        list sainfo '\''muster_lan'\''

config p1_proposal '\''pre_g2_aes_sha1'\''
        option encryption_algorithm '\''3des'\''
        option hash_algorithm '\''sha1'\''
        option dh_group '\''modp1024'\''

config tunnel '\''muster_lan'\''
        option local_subnet '\''192.168.40.0/24'\''
        option remote_subnet '\''192.168.10.0/24'\''
        option p2_proposal '\''g2_aes_sha1'\''

config p2_proposal '\''g2_aes_sha1'\''
        option encryption_algorithm '\''aes256'\''
        option authentication_algorithm '\''sha1'\''' ']'
+ eval 'package ipsec

config ipsec '\''cfg026e19'\''
        option zone '\''vpn'\''

config remote '\''mustergmbh'\''
        option enabled '\''1'\''
        option gateway '\''remote.officesite.de'\''
        option authentication_method '\''psk'\''
        option pre_shared_key '\''secretkey'\''
        list p1_proposal '\''pre_g2_aes_sha1'\''
        list sainfo '\''muster_lan'\''

config p1_proposal '\''pre_g2_aes_sha1'\''
        option encryption_algorithm '\''3des'\''
        option hash_algorithm '\''sha1'\''
        option dh_group '\''modp1024'\''

config tunnel '\''muster_lan'\''
        option local_subnet '\''192.168.40.0/24'\''
        option remote_subnet '\''192.168.10.0/24'\''
        option p2_proposal '\''g2_aes_sha1'\''

config p2_proposal '\''g2_aes_sha1'\''
        option encryption_algorithm '\''aes256'\''
        option authentication_algorithm '\''sha1'\'''
++ package ipsec
++ return 0
++ config ipsec cfg026e19
++ local cfgtype=ipsec
++ local name=cfg026e19
++ export -n CONFIG_NUM_SECTIONS=1
++ CONFIG_NUM_SECTIONS=1
++ name=cfg026e19
++ append CONFIG_SECTIONS cfg026e19
++ local var=CONFIG_SECTIONS
++ local value=cfg026e19
++ local 'sep= '
++ eval 'export -n -- "CONFIG_SECTIONS=${CONFIG_SECTIONS:+${CONFIG_SECTIONS}${value:+$sep}}$value"'
+++ export -n -- CONFIG_SECTIONS=cfg026e19
+++ CONFIG_SECTIONS=cfg026e19
++ '[' -n '' ']'
++ config_cb ipsec cfg026e19
++ return 0
++ export -n CONFIG_SECTION=cfg026e19
++ CONFIG_SECTION=cfg026e19
++ export -n CONFIG_cfg026e19_TYPE=ipsec
++ CONFIG_cfg026e19_TYPE=ipsec
++ option zone vpn
++ local varname=zone
++ shift
++ local value=vpn
++ export -n CONFIG_cfg026e19_zone=vpn
++ CONFIG_cfg026e19_zone=vpn
++ '[' -n '' ']'
++ option_cb zone vpn
++ return 0
++ config remote mustergmbh
++ local cfgtype=remote
++ local name=mustergmbh
++ export -n CONFIG_NUM_SECTIONS=2
++ CONFIG_NUM_SECTIONS=2
++ name=mustergmbh
++ append CONFIG_SECTIONS mustergmbh
++ local var=CONFIG_SECTIONS
++ local value=mustergmbh
++ local 'sep= '
++ eval 'export -n -- "CONFIG_SECTIONS=${CONFIG_SECTIONS:+${CONFIG_SECTIONS}${value:+$sep}}$value"'
+++ export -n -- 'CONFIG_SECTIONS=cfg026e19 mustergmbh'
+++ CONFIG_SECTIONS='cfg026e19 mustergmbh'
++ '[' -n '' ']'
++ config_cb remote mustergmbh
++ return 0
++ export -n CONFIG_SECTION=mustergmbh
++ CONFIG_SECTION=mustergmbh
++ export -n CONFIG_mustergmbh_TYPE=remote
++ CONFIG_mustergmbh_TYPE=remote
++ option enabled 1
++ local varname=enabled
++ shift
++ local value=1
++ export -n CONFIG_mustergmbh_enabled=1
++ CONFIG_mustergmbh_enabled=1
++ '[' -n '' ']'
++ option_cb enabled 1
++ return 0
++ option gateway remote.officesite.de
++ local varname=gateway
++ shift
++ local value=remote.officesite.de
++ export -n CONFIG_mustergmbh_gateway=remote.officesite.de
++ CONFIG_mustergmbh_gateway=remote.officesite.de
++ '[' -n '' ']'
++ option_cb gateway remote.officesite.de
++ return 0
++ option authentication_method psk
++ local varname=authentication_method
++ shift
++ local value=psk
++ export -n CONFIG_mustergmbh_authentication_method=psk
++ CONFIG_mustergmbh_authentication_method=psk
++ '[' -n '' ']'
++ option_cb authentication_method psk
++ return 0
++ option pre_shared_key 'secretkey'
++ local varname=pre_shared_key
++ shift
++ local 'value=secretkey'
++ export -n 'CONFIG_mustergmbh_pre_shared_key=secretkey'
++ CONFIG_mustergmbh_pre_shared_key='secretkey'
++ '[' -n '' ']'
++ option_cb pre_shared_key 'secretkey'
++ return 0
++ list p1_proposal pre_g2_aes_sha1
++ local varname=p1_proposal
++ shift
++ local value=pre_g2_aes_sha1
++ local len
++ config_get len mustergmbh p1_proposal_LENGTH 0
++ case "$3" in
++ eval export -n -- 'len=${CONFIG_mustergmbh_p1_proposal_LENGTH:-${4}}'
+++ export -n -- len=0
+++ len=0
++ '[' 0 = 0 ']'
++ append CONFIG_LIST_STATE mustergmbh_p1_proposal
++ local var=CONFIG_LIST_STATE
++ local value=mustergmbh_p1_proposal
++ local 'sep= '
++ eval 'export -n -- "CONFIG_LIST_STATE=${CONFIG_LIST_STATE:+${CONFIG_LIST_STATE}${value:+$sep}}$value"'
+++ export -n -- CONFIG_LIST_STATE=mustergmbh_p1_proposal
+++ CONFIG_LIST_STATE=mustergmbh_p1_proposal
++ len=1
++ config_set mustergmbh p1_proposal_ITEM1 pre_g2_aes_sha1
++ local section=mustergmbh
++ local option=p1_proposal_ITEM1
++ local value=pre_g2_aes_sha1
++ local old_section=mustergmbh
++ CONFIG_SECTION=mustergmbh
++ option p1_proposal_ITEM1 pre_g2_aes_sha1
++ local varname=p1_proposal_ITEM1
++ shift
++ local value=pre_g2_aes_sha1
++ export -n CONFIG_mustergmbh_p1_proposal_ITEM1=pre_g2_aes_sha1
++ CONFIG_mustergmbh_p1_proposal_ITEM1=pre_g2_aes_sha1
++ '[' -n '' ']'
++ option_cb p1_proposal_ITEM1 pre_g2_aes_sha1
++ return 0
++ CONFIG_SECTION=mustergmbh
++ config_set mustergmbh p1_proposal_LENGTH 1
++ local section=mustergmbh
++ local option=p1_proposal_LENGTH
++ local value=1
++ local old_section=mustergmbh
++ CONFIG_SECTION=mustergmbh
++ option p1_proposal_LENGTH 1
++ local varname=p1_proposal_LENGTH
++ shift
++ local value=1
++ export -n CONFIG_mustergmbh_p1_proposal_LENGTH=1
++ CONFIG_mustergmbh_p1_proposal_LENGTH=1
++ '[' -n '' ']'
++ option_cb p1_proposal_LENGTH 1
++ return 0
++ CONFIG_SECTION=mustergmbh
++ append CONFIG_mustergmbh_p1_proposal pre_g2_aes_sha1 ' '
++ local var=CONFIG_mustergmbh_p1_proposal
++ local value=pre_g2_aes_sha1
++ local 'sep= '
++ eval 'export -n -- "CONFIG_mustergmbh_p1_proposal=${CONFIG_mustergmbh_p1_proposal:+${CONFIG_mustergmbh_p1_proposal}${value:+$sep}}$value"'
+++ export -n -- CONFIG_mustergmbh_p1_proposal=pre_g2_aes_sha1
+++ CONFIG_mustergmbh_p1_proposal=pre_g2_aes_sha1
++ list_cb p1_proposal pre_g2_aes_sha1
++ return 0
++ list sainfo muster_lan
++ local varname=sainfo
++ shift
++ local value=muster_lan
++ local len
++ config_get len mustergmbh sainfo_LENGTH 0
++ case "$3" in
++ eval export -n -- 'len=${CONFIG_mustergmbh_sainfo_LENGTH:-${4}}'
+++ export -n -- len=0
+++ len=0
++ '[' 0 = 0 ']'
++ append CONFIG_LIST_STATE mustergmbh_sainfo
++ local var=CONFIG_LIST_STATE
++ local value=mustergmbh_sainfo
++ local 'sep= '
++ eval 'export -n -- "CONFIG_LIST_STATE=${CONFIG_LIST_STATE:+${CONFIG_LIST_STATE}${value:+$sep}}$value"'
+++ export -n -- 'CONFIG_LIST_STATE=mustergmbh_p1_proposal mustergmbh_sainfo'
+++ CONFIG_LIST_STATE='mustergmbh_p1_proposal mustergmbh_sainfo'
++ len=1
++ config_set mustergmbh sainfo_ITEM1 muster_lan
++ local section=mustergmbh
++ local option=sainfo_ITEM1
++ local value=muster_lan
++ local old_section=mustergmbh
++ CONFIG_SECTION=mustergmbh
++ option sainfo_ITEM1 muster_lan
++ local varname=sainfo_ITEM1
++ shift
++ local value=muster_lan
++ export -n CONFIG_mustergmbh_sainfo_ITEM1=muster_lan
++ CONFIG_mustergmbh_sainfo_ITEM1=muster_lan
++ '[' -n '' ']'
++ option_cb sainfo_ITEM1 muster_lan
++ return 0
++ CONFIG_SECTION=mustergmbh
++ config_set mustergmbh sainfo_LENGTH 1
++ local section=mustergmbh
++ local option=sainfo_LENGTH
++ local value=1
++ local old_section=mustergmbh
++ CONFIG_SECTION=mustergmbh
++ option sainfo_LENGTH 1
++ local varname=sainfo_LENGTH
++ shift
++ local value=1
++ export -n CONFIG_mustergmbh_sainfo_LENGTH=1
++ CONFIG_mustergmbh_sainfo_LENGTH=1
++ '[' -n '' ']'
++ option_cb sainfo_LENGTH 1
++ return 0
++ CONFIG_SECTION=mustergmbh
++ append CONFIG_mustergmbh_sainfo muster_lan ' '
++ local var=CONFIG_mustergmbh_sainfo
++ local value=muster_lan
++ local 'sep= '
++ eval 'export -n -- "CONFIG_mustergmbh_sainfo=${CONFIG_mustergmbh_sainfo:+${CONFIG_mustergmbh_sainfo}${value:+$sep}}$value"'
+++ export -n -- CONFIG_mustergmbh_sainfo=muster_lan
+++ CONFIG_mustergmbh_sainfo=muster_lan
++ list_cb sainfo muster_lan
++ return 0
++ config p1_proposal pre_g2_aes_sha1
++ local cfgtype=p1_proposal
++ local name=pre_g2_aes_sha1
++ export -n CONFIG_NUM_SECTIONS=3
++ CONFIG_NUM_SECTIONS=3
++ name=pre_g2_aes_sha1
++ append CONFIG_SECTIONS pre_g2_aes_sha1
++ local var=CONFIG_SECTIONS
++ local value=pre_g2_aes_sha1
++ local 'sep= '
++ eval 'export -n -- "CONFIG_SECTIONS=${CONFIG_SECTIONS:+${CONFIG_SECTIONS}${value:+$sep}}$value"'
+++ export -n -- 'CONFIG_SECTIONS=cfg026e19 mustergmbh pre_g2_aes_sha1'
+++ CONFIG_SECTIONS='cfg026e19 mustergmbh pre_g2_aes_sha1'
++ '[' -n '' ']'
++ config_cb p1_proposal pre_g2_aes_sha1
++ return 0
++ export -n CONFIG_SECTION=pre_g2_aes_sha1
++ CONFIG_SECTION=pre_g2_aes_sha1
++ export -n CONFIG_pre_g2_aes_sha1_TYPE=p1_proposal
++ CONFIG_pre_g2_aes_sha1_TYPE=p1_proposal
++ option encryption_algorithm 3des
++ local varname=encryption_algorithm
++ shift
++ local value=3des
++ export -n CONFIG_pre_g2_aes_sha1_encryption_algorithm=3des
++ CONFIG_pre_g2_aes_sha1_encryption_algorithm=3des
++ '[' -n '' ']'
++ option_cb encryption_algorithm 3des
++ return 0
++ option hash_algorithm sha1
++ local varname=hash_algorithm
++ shift
++ local value=sha1
++ export -n CONFIG_pre_g2_aes_sha1_hash_algorithm=sha1
++ CONFIG_pre_g2_aes_sha1_hash_algorithm=sha1
++ '[' -n '' ']'
++ option_cb hash_algorithm sha1
++ return 0
++ option dh_group modp1024
++ local varname=dh_group
++ shift
++ local value=modp1024
++ export -n CONFIG_pre_g2_aes_sha1_dh_group=modp1024
++ CONFIG_pre_g2_aes_sha1_dh_group=modp1024
++ '[' -n '' ']'
++ option_cb dh_group modp1024
++ return 0
++ config tunnel muster_lan
++ local cfgtype=tunnel
++ local name=muster_lan
++ export -n CONFIG_NUM_SECTIONS=4
++ CONFIG_NUM_SECTIONS=4
++ name=muster_lan
++ append CONFIG_SECTIONS muster_lan
++ local var=CONFIG_SECTIONS
++ local value=muster_lan
++ local 'sep= '
++ eval 'export -n -- "CONFIG_SECTIONS=${CONFIG_SECTIONS:+${CONFIG_SECTIONS}${value:+$sep}}$value"'
+++ export -n -- 'CONFIG_SECTIONS=cfg026e19 mustergmbh pre_g2_aes_sha1 muster_lan'
+++ CONFIG_SECTIONS='cfg026e19 mustergmbh pre_g2_aes_sha1 muster_lan'
++ '[' -n '' ']'
++ config_cb tunnel muster_lan
++ return 0
++ export -n CONFIG_SECTION=muster_lan
++ CONFIG_SECTION=muster_lan
++ export -n CONFIG_muster_lan_TYPE=tunnel
++ CONFIG_muster_lan_TYPE=tunnel
++ option local_subnet 192.168.40.0/24
++ local varname=local_subnet
++ shift
++ local value=192.168.40.0/24
++ export -n CONFIG_muster_lan_local_subnet=192.168.40.0/24
++ CONFIG_muster_lan_local_subnet=192.168.40.0/24
++ '[' -n '' ']'
++ option_cb local_subnet 192.168.40.0/24
++ return 0
++ option remote_subnet 192.168.10.0/24
++ local varname=remote_subnet
++ shift
++ local value=192.168.10.0/24
++ export -n CONFIG_muster_lan_remote_subnet=192.168.10.0/24
++ CONFIG_muster_lan_remote_subnet=192.168.10.0/24
++ '[' -n '' ']'
++ option_cb remote_subnet 192.168.10.0/24
++ return 0
++ option p2_proposal g2_aes_sha1
++ local varname=p2_proposal
++ shift
++ local value=g2_aes_sha1
++ export -n CONFIG_muster_lan_p2_proposal=g2_aes_sha1
++ CONFIG_muster_lan_p2_proposal=g2_aes_sha1
++ '[' -n '' ']'
++ option_cb p2_proposal g2_aes_sha1
++ return 0
++ config p2_proposal g2_aes_sha1
++ local cfgtype=p2_proposal
++ local name=g2_aes_sha1
++ export -n CONFIG_NUM_SECTIONS=5
++ CONFIG_NUM_SECTIONS=5
++ name=g2_aes_sha1
++ append CONFIG_SECTIONS g2_aes_sha1
++ local var=CONFIG_SECTIONS
++ local value=g2_aes_sha1
++ local 'sep= '
++ eval 'export -n -- "CONFIG_SECTIONS=${CONFIG_SECTIONS:+${CONFIG_SECTIONS}${value:+$sep}}$value"'
+++ export -n -- 'CONFIG_SECTIONS=cfg026e19 mustergmbh pre_g2_aes_sha1 muster_lan g2_aes_sha1'
+++ CONFIG_SECTIONS='cfg026e19 mustergmbh pre_g2_aes_sha1 muster_lan g2_aes_sha1'
++ '[' -n '' ']'
++ config_cb p2_proposal g2_aes_sha1
++ return 0
++ export -n CONFIG_SECTION=g2_aes_sha1
++ CONFIG_SECTION=g2_aes_sha1
++ export -n CONFIG_g2_aes_sha1_TYPE=p2_proposal
++ CONFIG_g2_aes_sha1_TYPE=p2_proposal
++ option encryption_algorithm aes256
++ local varname=encryption_algorithm
++ shift
++ local value=aes256
++ export -n CONFIG_g2_aes_sha1_encryption_algorithm=aes256
++ CONFIG_g2_aes_sha1_encryption_algorithm=aes256
++ '[' -n '' ']'
++ option_cb encryption_algorithm aes256
++ return 0
++ option authentication_algorithm sha1
++ local varname=authentication_algorithm
++ shift
++ local value=sha1
++ export -n CONFIG_g2_aes_sha1_authentication_algorithm=sha1
++ CONFIG_g2_aes_sha1_authentication_algorithm=sha1
++ '[' -n '' ']'
++ option_cb authentication_algorithm sha1
++ return 0
+ unset DATA
+ config_cb
+ return 0
+ return 0
+ config_foreach GetZone ipsec
+ local ___function=GetZone
+ '[' 2 -ge 1 ']'
+ shift
+ local ___type=ipsec
+ '[' 1 -ge 1 ']'
+ shift
+ local section cfgtype
+ '[' -z 'cfg026e19 mustergmbh pre_g2_aes_sha1 muster_lan g2_aes_sha1' ']'
+ for section in '${CONFIG_SECTIONS}'
+ config_get cfgtype cfg026e19 TYPE
+ case "$3" in
+ eval export -n -- 'cfgtype=${CONFIG_cfg026e19_TYPE:-${4}}'
++ export -n -- cfgtype=ipsec
++ cfgtype=ipsec
+ '[' -n ipsec -a xipsec '!=' xipsec ']'
+ eval 'GetZone "$section" "$@"'
++ GetZone cfg026e19
++ config_get zone cfg026e19 zone vpn
++ case "$3" in
++ eval export -n -- 'zone=${CONFIG_cfg026e19_zone:-${4}}'
+++ export -n -- zone=vpn
+++ zone=vpn
+ for section in '${CONFIG_SECTIONS}'
+ config_get cfgtype mustergmbh TYPE
+ case "$3" in
+ eval export -n -- 'cfgtype=${CONFIG_mustergmbh_TYPE:-${4}}'
++ export -n -- cfgtype=remote
++ cfgtype=remote
+ '[' -n ipsec -a xremote '!=' xipsec ']'
+ continue
+ for section in '${CONFIG_SECTIONS}'
+ config_get cfgtype pre_g2_aes_sha1 TYPE
+ case "$3" in
+ eval export -n -- 'cfgtype=${CONFIG_pre_g2_aes_sha1_TYPE:-${4}}'
++ export -n -- cfgtype=p1_proposal
++ cfgtype=p1_proposal
+ '[' -n ipsec -a xp1_proposal '!=' xipsec ']'
+ continue
+ for section in '${CONFIG_SECTIONS}'
+ config_get cfgtype muster_lan TYPE
+ case "$3" in
+ eval export -n -- 'cfgtype=${CONFIG_muster_lan_TYPE:-${4}}'
++ export -n -- cfgtype=tunnel
++ cfgtype=tunnel
+ '[' -n ipsec -a xtunnel '!=' xipsec ']'
+ continue
+ for section in '${CONFIG_SECTIONS}'
+ config_get cfgtype g2_aes_sha1 TYPE
+ case "$3" in
+ eval export -n -- 'cfgtype=${CONFIG_g2_aes_sha1_TYPE:-${4}}'
++ export -n -- cfgtype=p2_proposal
++ cfgtype=p2_proposal
+ '[' -n ipsec -a xp2_proposal '!=' xipsec ']'
+ continue
+ '[' -x /usr/sbin/ip6tables ']'
+ has_ip6tables=1
+ iptables -F zone_vpn_ACCEPT
iptables: No chain/target/match by that name.
+ '[' 1 -eq 1 ']'
+ ip6tables -F zone_vpn_ACCEPT
ip6tables: No chain/target/match by that name.
+ iptables -N zone_vpn_gateway
+ iptables -I INPUT -j zone_vpn_gateway
+ '[' 1 -eq 1 ']'
+ ip6tables -N zone_vpn_gateway
+ ip6tables -I INPUT -j zone_vpn_gateway
+ config_foreach GetInterface ipsec
+ local ___function=GetInterface
+ '[' 2 -ge 1 ']'
+ shift
+ local ___type=ipsec
+ '[' 1 -ge 1 ']'
+ shift
+ local section cfgtype
+ '[' -z 'cfg026e19 mustergmbh pre_g2_aes_sha1 muster_lan g2_aes_sha1' ']'
+ for section in '${CONFIG_SECTIONS}'
+ config_get cfgtype cfg026e19 TYPE
+ case "$3" in
+ eval export -n -- 'cfgtype=${CONFIG_cfg026e19_TYPE:-${4}}'
++ export -n -- cfgtype=ipsec
++ cfgtype=ipsec
+ '[' -n ipsec -a xipsec '!=' xipsec ']'
+ eval 'GetInterface "$section" "$@"'
++ GetInterface cfg026e19
++ config_list_foreach cfg026e19 listen GetDevice
++ '[' 3 -ge 3 ']'
++ local section=cfg026e19
++ shift
++ local option=listen
++ shift
++ local function=GetDevice
++ shift
++ local val
++ local len
++ local c=1
++ config_get len cfg026e19 listen_LENGTH
++ case "$3" in
++ eval export -n -- 'len=${CONFIG_cfg026e19_listen_LENGTH:-${4}}'
+++ export -n -- len=
+++ len=
++ '[' -z '' ']'
++ return 0
+ for section in '${CONFIG_SECTIONS}'
+ config_get cfgtype mustergmbh TYPE
+ case "$3" in
+ eval export -n -- 'cfgtype=${CONFIG_mustergmbh_TYPE:-${4}}'
++ export -n -- cfgtype=remote
++ cfgtype=remote
+ '[' -n ipsec -a xremote '!=' xipsec ']'
+ continue
+ for section in '${CONFIG_SECTIONS}'
+ config_get cfgtype pre_g2_aes_sha1 TYPE
+ case "$3" in
+ eval export -n -- 'cfgtype=${CONFIG_pre_g2_aes_sha1_TYPE:-${4}}'
++ export -n -- cfgtype=p1_proposal
++ cfgtype=p1_proposal
+ '[' -n ipsec -a xp1_proposal '!=' xipsec ']'
+ continue
+ for section in '${CONFIG_SECTIONS}'
+ config_get cfgtype muster_lan TYPE
+ case "$3" in
+ eval export -n -- 'cfgtype=${CONFIG_muster_lan_TYPE:-${4}}'
++ export -n -- cfgtype=tunnel
++ cfgtype=tunnel
+ '[' -n ipsec -a xtunnel '!=' xipsec ']'
+ continue
+ for section in '${CONFIG_SECTIONS}'
+ config_get cfgtype g2_aes_sha1 TYPE
+ case "$3" in
+ eval export -n -- 'cfgtype=${CONFIG_g2_aes_sha1_TYPE:-${4}}'
++ export -n -- cfgtype=p2_proposal
++ cfgtype=p2_proposal
+ '[' -n ipsec -a xp2_proposal '!=' xipsec ']'
+ continue
+ iptables -t nat -F zone_vpn_nat
iptables: No chain/target/match by that name.
+ iptables -t nat -I POSTROUTING 2 -j zone_vpn_nat
iptables v1.4.21: Couldn't load target `zone_vpn_nat':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
+ iptables -t nat -I PREROUTING 2 -j zone_vpn_prerouting
++ ++ grep -v awk vpn'/.N.*zone.*_forward/{print $2}'
++
iptables -S
+ ForwardZones='zone_lan_forward
zone_wan_forward'
+ for ForwardZone in '$ForwardZones'
+ echo 'iptables -F zone_lan_forward'
+ + + awk '{ print "iptables " $0}'
grep -v + '^-N'
grep zone_vpn_ACCEPT
iptables -S zone_lan_forward
+ echo 'iptables -A zone_lan_forward -j zone_vpn_REJECT'
+ + + + awk '{ print "iptables " $0}'
grep -v '^-N'
grep -v zone_vpn_ACCEPT
iptables -S zone_lan_forward
+ chmod +x /tmp/fwrebuild
+ /tmp/fwrebuild
iptables v1.4.21: Couldn't load target `zone_vpn_REJECT':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
+ rm /tmp/fwrebuild
+ for ForwardZone in '$ForwardZones'
+ echo 'iptables -F zone_wan_forward'
+ + + + grep zone_vpn_ACCEPT
iptables awk -S zone_wan_forward'{ print "iptables " $0}'

grep -v '^-N'
+ echo 'iptables -A zone_wan_forward -j zone_vpn_REJECT'
+ + + + awk '{ print "iptables " $0}'
grep -v '^-N'grep
-v zone_vpn_ACCEPT
iptables -S zone_wan_forward
+ chmod +x /tmp/fwrebuild
+ /tmp/fwrebuild
iptables v1.4.21: Couldn't load target `zone_vpn_REJECT':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
+ rm /tmp/fwrebuild
+ iptables -N zone_vpn_input
iptables: Chain already exists.
+ iptables -I INPUT -j zone_vpn_input
+ iptables -N zone_vpn_forward
iptables: Chain already exists.
+ iptables -I FORWARD -j zone_vpn_forward
+ config_foreach GetRemote remote
+ local ___function=GetRemote
+ '[' 2 -ge 1 ']'
+ shift
+ local ___type=remote
+ '[' 1 -ge 1 ']'
+ shift
+ local section cfgtype
+ '[' -z 'cfg026e19 mustergmbh pre_g2_aes_sha1 muster_lan g2_aes_sha1' ']'
+ for section in '${CONFIG_SECTIONS}'
+ config_get cfgtype cfg026e19 TYPE
+ case "$3" in
+ eval export -n -- 'cfgtype=${CONFIG_cfg026e19_TYPE:-${4}}'
++ export -n -- cfgtype=ipsec
++ cfgtype=ipsec
+ '[' -n remote -a xipsec '!=' xremote ']'
+ continue
+ for section in '${CONFIG_SECTIONS}'
+ config_get cfgtype mustergmbh TYPE
+ case "$3" in
+ eval export -n -- 'cfgtype=${CONFIG_mustergmbh_TYPE:-${4}}'
++ export -n -- cfgtype=remote
++ cfgtype=remote
+ '[' -n remote -a xremote '!=' xremote ']'
+ eval 'GetRemote "$section" "$@"'
++ GetRemote mustergmbh
++ local enabled
++ local gateway
++ config_get_bool enabled mustergmbh enabled 0
++ local _tmp
++ config_get _tmp mustergmbh enabled 0
++ case "$3" in
++ eval export -n -- '_tmp=${CONFIG_mustergmbh_enabled:-${4}}'
+++ export -n -- _tmp=1
+++ _tmp=1
++ case "$_tmp" in
++ _tmp=1
++ export -n enabled=1
++ enabled=1
++ config_get gateway mustergmbh gateway
++ case "$3" in
++ eval export -n -- 'gateway=${CONFIG_mustergmbh_gateway:-${4}}'
+++ export -n -- gateway=remote.officesite.de
+++ gateway=remote.officesite.de
++ [[ 1 == \0 ]]
++ config_list_foreach mustergmbh tunnel GetTunnel
++ '[' 3 -ge 3 ']'
++ local section=mustergmbh
++ shift
++ local option=tunnel
++ shift
++ local function=GetTunnel
++ shift
++ local val
++ local len
++ local c=1
++ config_get len mustergmbh tunnel_LENGTH
++ case "$3" in
++ eval export -n -- 'len=${CONFIG_mustergmbh_tunnel_LENGTH:-${4}}'
+++ export -n -- len=
+++ len=
++ '[' -z '' ']'
++ return 0
+ for section in '${CONFIG_SECTIONS}'
+ config_get cfgtype pre_g2_aes_sha1 TYPE
+ case "$3" in
+ eval export -n -- 'cfgtype=${CONFIG_pre_g2_aes_sha1_TYPE:-${4}}'
++ export -n -- cfgtype=p1_proposal
++ cfgtype=p1_proposal
+ '[' -n remote -a xp1_proposal '!=' xremote ']'
+ continue
+ for section in '${CONFIG_SECTIONS}'
+ config_get cfgtype muster_lan TYPE
+ case "$3" in
+ eval export -n -- 'cfgtype=${CONFIG_muster_lan_TYPE:-${4}}'
++ export -n -- cfgtype=tunnel
++ cfgtype=tunnel
+ '[' -n remote -a xtunnel '!=' xremote ']'
+ continue
+ for section in '${CONFIG_SECTIONS}'
+ config_get cfgtype g2_aes_sha1 TYPE
+ case "$3" in
+ eval export -n -- 'cfgtype=${CONFIG_g2_aes_sha1_TYPE:-${4}}'
++ export -n -- cfgtype=p2_proposal
++ cfgtype=p2_proposal
+ '[' -n remote -a xp2_proposal '!=' xremote ']'
+ continue
root@OpenWrt:~#

(DNS names and the secret were changed)

The script /etc/firewall.ipsec:

#!/bin/sh
#/etc/ipsec/firewall.ipsec - version 2
#
# Appends the rules for the IPsec zone (default "vpn") to chains that the
# firewall must already have created for that zone:
#   filter: zone_vpn_ACCEPT, zone_vpn_REJECT, zone_vpn_INPUT, zone_vpn_FORWARD, zone_vpn
#   nat:    zone_vpn_nat, prerouting_vpn
# If the running firewall names the zone's chains differently, the appends to
# those chains fail with "No chain/target/match by that name" and the
# exceptions for the remote subnets (in particular the NAT bypass) are never
# installed.

. /lib/functions.sh
. /lib/functions/network.sh

GetZone() {
  # 'option zone' of the 'config ipsec' section, default "vpn" (global)
  config_get zone "$1" zone vpn
}

GetTunnel() {
  local remote_subnet
  local local_subnet
  local local_nat

  config_get remote_subnet "$1" remote_subnet
  config_get local_subnet  "$1" local_subnet
  config_get local_nat     "$1" local_nat ""

  # accept/reject markers for this remote subnet; the forward-zone rebuild
  # further down moves the ACCEPT rules to the top of every other zone's
  # forward chain and places the REJECT marker right behind them
  iptables -A zone_${zone}_ACCEPT -d $remote_subnet -j ACCEPT
  iptables -A zone_${zone}_ACCEPT -s $remote_subnet -j ACCEPT
  iptables -A zone_${zone}_REJECT -d $remote_subnet -j reject
  iptables -A zone_${zone}_REJECT -s $remote_subnet -j reject
  # traffic arriving from the remote subnet is handled by the zone's own chains
  iptables -A zone_${zone}_INPUT -s $remote_subnet -j zone_${zone}
  iptables -A zone_${zone}_FORWARD -s $remote_subnet -j zone_${zone}_forward

  # NAT: packets for the remote subnet must keep their LAN source address,
  # otherwise they no longer match the IPsec policy and leave the WAN in the clear
  if [ -z "$local_nat" ]; then
    iptables -t nat -A zone_${zone}_nat -d $remote_subnet -j ACCEPT
  else
    # 1:1 NETMAP of the local subnet behind the tunnel (for overlapping subnets)
    iptables -t nat -A zone_${zone}_nat -d $remote_subnet \
             -s $local_subnet -j NETMAP --to $local_nat
    iptables -t nat -A prerouting_${zone} -s $remote_subnet \
             -d $local_nat -j NETMAP --to $local_subnet
  fi
}

GetRemote() {
  local enabled
  local gateway

  config_get_bool enabled "$1" enabled 0
  config_get      gateway "$1" gateway
  [ "$enabled" = "0" ] && return

  # one 'list tunnel <name>' entry per 'config tunnel' section of this remote;
  # a remote section without such a list gets no rules at all
  config_list_foreach "$1" tunnel GetTunnel
}

GetDevice() {
  local interface="$1"
  local listen
  network_get_device listen "$interface"
  # open the IPsec endpoint: ESP, IKE (udp/500) and NAT-T (udp/4500).
  # 'listen' is local, so a 'list listen' entry that resolves to no device
  # opens the endpoint on all interfaces instead of reusing the previous one.
  if [ -z "$listen" ]; then
    iptables -A zone_${zone}_gateway -p esp -j ACCEPT
    iptables -A zone_${zone}_gateway -p udp --dport 500 -j ACCEPT
    iptables -A zone_${zone}_gateway -p udp --dport 4500 -j ACCEPT
    if [ $has_ip6tables -eq 1 ]; then
      ip6tables -A zone_${zone}_gateway -p esp -j ACCEPT
      ip6tables -A zone_${zone}_gateway -p udp --dport 500 -j ACCEPT
      ip6tables -A zone_${zone}_gateway -p udp --dport 4500 -j ACCEPT
    fi
  else
    iptables -A zone_${zone}_gateway -i $listen -p esp -j ACCEPT
    iptables -A zone_${zone}_gateway -i $listen -p udp --dport 500 -j ACCEPT
    iptables -A zone_${zone}_gateway -i $listen -p udp --dport 4500 -j ACCEPT
    if [ $has_ip6tables -eq 1 ]; then
      ip6tables -A zone_${zone}_gateway -i $listen -p esp -j ACCEPT
      ip6tables -A zone_${zone}_gateway -i $listen -p udp --dport 500 -j ACCEPT
      ip6tables -A zone_${zone}_gateway -i $listen -p udp --dport 4500 -j ACCEPT
    fi
  fi
}

GetInterface() {
  # 'list listen <interface>' entries of the 'config ipsec' section
  config_list_foreach "$1" listen GetDevice
}

zone=vpn
config_load ipsec
config_foreach GetZone ipsec

if [ -x /usr/sbin/ip6tables ]; then
  has_ip6tables=1
else
  has_ip6tables=0
fi

iptables -F zone_${zone}_ACCEPT
if [ $has_ip6tables -eq 1 ]; then
  ip6tables -F zone_${zone}_ACCEPT
fi

# chain for the IPsec endpoint itself, in front of everything else in INPUT
iptables -N zone_${zone}_gateway
iptables -I INPUT -j zone_${zone}_gateway

if [ $has_ip6tables -eq 1 ]; then
  ip6tables -N zone_${zone}_gateway
  ip6tables -I INPUT -j zone_${zone}_gateway
fi
config_foreach GetInterface ipsec

# the nat chains are inserted at position 2, i.e. ahead of the zone_*_postrouting
# chains that carry the WAN masquerading
iptables -t nat -F zone_${zone}_nat
iptables -t nat -I POSTROUTING 2 -j zone_${zone}_nat
iptables -t nat -I PREROUTING 2 -j zone_${zone}_prerouting

# sort VPN rules to top of the other forward zones and insert the VPN reject
# marker after them. The commands are collected completely before they are
# run, so the flush cannot race against the listing of the existing rules,
# and no predictable file in /tmp is executed as root.
ForwardZones=$(iptables -S | awk '/^-N zone_.*_forward/{print $2}' | grep -v "zone_${zone}_")
for ForwardZone in $ForwardZones ; do
  rebuild=$(
    echo "iptables -F $ForwardZone"
    iptables -S $ForwardZone | grep zone_${zone}_ACCEPT | \
      grep -v "^-N" | awk '{ print "iptables " $0}'
    echo "iptables -A $ForwardZone -j zone_${zone}_REJECT"
    iptables -S $ForwardZone | grep -v zone_${zone}_ACCEPT | \
      grep -v "^-N" | awk '{ print "iptables " $0}'
  )
  echo "$rebuild" | sh
done

# hook the zone's input and forward chains in front of everything else.
# Note: there is no interface or source match, so every packet traverses them.
iptables -N zone_${zone}_input
iptables -I INPUT -j zone_${zone}_input

iptables -N zone_${zone}_forward
iptables -I FORWARD -j zone_${zone}_forward

config_foreach GetRemote remote

Just to have it complete:

root@OpenWrt:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 28 packets, 2439 bytes)
 pkts bytes target     prot opt in     out     source               destination
   35  3609 prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */
   28  2439 zone_vpn_prerouting  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   29  2216 zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300
    6  1393 zone_wan_prerouting  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain INPUT (policy ACCEPT 7 packets, 833 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 53 packets, 3671 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 42 packets, 2861 bytes)
 pkts bytes target     prot opt in     out     source               destination
   76  5451 postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */
    1   107 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            ID:66773300
   29  2211 zone_wan_postrouting  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1   107 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
   29  2216 prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */

Chain zone_vpn_postrouting (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 postrouting_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */

Chain zone_vpn_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
   28  2439 prerouting_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
   29  2211 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for postrouting */
   29  2211 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6  1393 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for prerouting */
root@OpenWrt:~#

and

root@OpenWrt:~# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  249 38442 zone_vpn_input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  258 39143 zone_vpn_gateway  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  138 10585 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            ID:66773300
  208 35037 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
  174 30593 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate RELATED,ESTABLISHED
    4   172 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 tcp flags:0x17/0x02
   23  1881 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300
   11  2563 zone_wan_input  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            ID:66773300
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  618  102K zone_vpn_forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  656  108K forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
  594  103K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate RELATED,ESTABLISHED
   62  4694 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300
    0     0 zone_wan_forward  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  138 10585 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            ID:66773300
  228 78417 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
  205 76495 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate RELATED,ESTABLISHED
    3   529 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            ID:66773300
   20  1393 zone_wan_output  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination
    6   399 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   172 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 tcp flags:0x17/0x02 limit: avg 25/sec burst 50
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    3   529 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
   57  4301 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
   57  4301 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* forwarding lan -> wan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   23  1881 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port redirections */
   23  1881 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   529 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
    3   529 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   23  1881 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_vpn_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_vpn_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
  618  102K forwarding_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port forwards */
  618  102K zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_vpn_gateway (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_vpn_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  249 38442 input_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port redirections */
  249 38442 zone_vpn_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_vpn_output (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 output_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
    0     0 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_vpn_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_wan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
   82  6087 ACCEPT     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   11  2563 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for input */
    4  1471 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 udp dpt:68 /* Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 icmptype 8 /* Allow-Ping */
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* Allow-IGMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 policy match dir in pol ipsec proto 51 /* IPSEC AH */
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* IPsec ESP */
    1   693 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 udp dpt:500 /* IPsec ISAKMP */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 udp dpt:4500 /* IPsec NAT-T */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 ctstate DNAT /* Accept port redirections */
    6   399 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
   20  1393 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300 /* user chain for output */
   20  1393 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ID:66773300

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6   399 reject     all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            ID:66773300
root@OpenWrt:~#

Thank you and BR

ND
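Reading a dump like the one above by eye is error-prone, so here is an added example (not code from the thread) that pulls out only the REJECT/DROP rules whose packet counters are non-zero, i.e. the rules that are actually eating traffic. The sample input is constructed from a few chains of the dump above.

```shell
#!/bin/sh
# Added example, not code from the thread: list REJECT/DROP rules in an
# "iptables -vnL" dump that have a non-zero packet counter.
# Column layout: pkts bytes target prot opt in out source destination
find_rejecting_rules() {
    awk '
        /^Chain / { chain = $2; next }            # remember the chain we are in
        /^ *pkts +bytes/ { next }                 # skip the column header
        $1 ~ /^[0-9]+$/ && $1 + 0 > 0 && $3 ~ /REJECT|DROP|reject|drop/ {
            printf "%s: %s pkts -> %s (in=%s out=%s)\n", chain, $1, $3, $6, $7
        }
    '
}

# Constructed sample, trimmed from the dump in the post above.
sample_vnl() {
    cat <<'EOF'
Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   11  2563 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    1   693 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* IPsec ISAKMP */
    6   399 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6   399 reject     all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0

Chain zone_vpn_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
  618  102K zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# On a live router: iptables -vnL | find_rejecting_rules
sample_vnl | find_rejecting_rules
```

Jumps into a zone_*_src_REJECT chain are reported too, because that is where a packet arriving on an interface that belongs to no accepting zone ends up; the next step is to look at that chain's own rules and the interface named in "in=".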

nicodr, thank you for your message. Unfortunately, the published version of the firewall script is outdated. If I create a firewall zone manually entitled "vpnfw", the router itself creates the following zones in table filter:

-N forwarding_vpnfw_rule
-N input_vpnfw_rule
-N output_vpnfw_rule
-N zone_vpnfw_dest_ACCEPT
-N zone_vpnfw_dest_REJECT
-N zone_vpnfw_forward
-N zone_vpnfw_input
-N zone_vpnfw_output
-N zone_vpnfw_src_REJECT

And in table nat:

-N postrouting_vpnfw_rule
-N prerouting_vpnfw_rule
-N zone_vpnfw_postrouting
-N zone_vpnfw_prerouting

There is no zone like

zone_vpn_ACCEPT

or

zone_vpn_nat

which the script wants to add rules to, and so it encounters errors. It will take some time for me to study the previous configuration thoroughly and modify it. You can leave your e-mail so you do not have to check this thread.

(Last edited by ulmwind on 16 Nov 2016, 15:46)
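The failure described above (a script inserting into chains that the current firewall never creates) can be caught before any iptables call. As an added example, not the script from the thread, this checks the "-N" lines of an iptables-save dump against the chain names fw3 created for the "vpnfw" zone in the post above; the sample dump is constructed.

```shell
#!/bin/sh
# Added example (not the thread's script): confirm that the zone chains a
# firewall hook wants to add rules to actually exist, using the "-N <chain>"
# lines of "iptables-save". Chain names follow the list in the post above.

# expected_chains ZONE: filter-table chains the firewall creates for a zone
expected_chains() {
    z=$1
    printf '%s\n' "forwarding_${z}_rule" "input_${z}_rule" "output_${z}_rule" \
        "zone_${z}_dest_ACCEPT" "zone_${z}_dest_REJECT" "zone_${z}_forward" \
        "zone_${z}_input" "zone_${z}_output" "zone_${z}_src_REJECT"
}

# missing_chains ZONE: reads iptables-save output on stdin and prints every
# expected chain that is absent; prints nothing when the zone is complete.
missing_chains() {
    z=$1
    have=$(awk '$1 == "-N" { print $2 }')
    for c in $(expected_chains "$z"); do
        printf '%s\n' "$have" | grep -qx "$c" || printf '%s\n' "$c"
    done
}

# Constructed sample: filter table after creating zone "vpnfw" in LuCI.
sample_save() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-N forwarding_vpnfw_rule
-N input_vpnfw_rule
-N output_vpnfw_rule
-N zone_vpnfw_dest_ACCEPT
-N zone_vpnfw_dest_REJECT
-N zone_vpnfw_forward
-N zone_vpnfw_input
-N zone_vpnfw_output
-N zone_vpnfw_src_REJECT
COMMIT
EOF
}

# On a live router: iptables-save -t filter | missing_chains vpnfw
sample_save | missing_chains vpnfw   # nothing missing
sample_save | missing_chains vpn     # all nine chains missing: no such zone
```

A hook script can abort when this prints anything, instead of failing halfway through with iptables "No chain/target/match by that name" errors.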

Hi ulmwind,

thank you for your effort! I'm really looking forward to it and have my fingers crossed that you can get that issue in the script fixed.

I'll stay tuned, thanks in advance!

Best regards

ND

Hi,
I've got the same problem. Could you, ulmwind, explain where you added these zones?
I am interested in getting that script fixed.
Best regards
LP

Hello everybody, can someone help me?

admin@TELPO:/# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.18.29, mips):
  uptime: 7 minutes, since Nov 22 10:56:16 2016
  malloc: sbrk 122880, mmap 0, used 114320, free 8560
  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic uci
Listening IP addresses:
  192.168.10.1
  192.168.3.120
Connections:
   vpn-ipsec:  192.168.3.120...192.168.2.150  IKEv1 Aggressive
   vpn-ipsec:   local:  [xxx.xxx.de] uses pre-shared key authentication
   vpn-ipsec:   remote: [yyy.yyy.de] uses pre-shared key authentication
   vpn-ipsec:   child:  192.168.10.0/24 === 192.168.80.0/24 TUNNEL
Security Associations (0 up, 1 connecting):
   vpn-ipsec[1]: CONNECTING, 192.168.3.120[xxx.xxx.de]...192.168.2.150[%any]
   vpn-ipsec[1]: IKEv1 SPIs: 9ad23f5db47f9e38_i* 0000000000000000_r
   vpn-ipsec[1]: Tasks queued: QUICK_MODE
   vpn-ipsec[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE AGGRESSIVE_MODE ISAKMP_CERT_POST ISAKMP_NATD

nicodr, please post the output of ifconfig when the tunnel is up. We should know whether an additional device appears.
pulawal, by creating the zone manually in LuCI.
feeling, what is the issue?

Hi,
I can't manage to repair this script.
I found, as nicodr did, that there is no

zone_vpn_ACCEPT

and

zone_vpn_nat

My VPN is running, but I manually put some rules into /etc/firewall.user.
Your script would be fantastic if it ran without any errors.
Maybe you will find a moment to resolve the issue in this script.
Regards
L.

Hey,

the problem is: the iptables architecture has been changed.

You must change the script for the new iptables.


old: weidner.in-bad-schmiedeberg.de/archives/2012/02/ein-modell-fuer-iptables-bei-openwrt/iptables-save-model-filter-600x337.png
new: leanpub.com/site_images/derpaketfilterbeiopenwrt/iptables-save-filter-modell.png

NAT
old: weidner.in-bad-schmiedeberg.de/archives/2012/02/ein-modell-fuer-iptables-bei-openwrt/iptables-save-model-nat-600x232.png
new nat: leanpub.com/site_images/derpaketfilterbeiopenwrt/iptables-save-nat-modell.png


I hope I can help.

The discussion might have continued from here.