I have about the same problem. Previously, I used xl2tpd and racoon, but I am trying to switch to strongSwan. After creating the certificates or using PSK, I now have a roadwarrior connected. The tunnel is established, but no traffic is routed in any direction. First, my configuration:
strongswan.conf:
charon {
    threads = 16
    # dns is the LAN address of my OpenWrt router
    dns1 = 192.168.196.100
    nbns1 = 192.168.196.100
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
        dhcp {
            # needed for the dhcp plugin to work with dnsmasq
            force_server_address = yes
            server = 192.168.196.255
        }
    }
}
ipsec.conf:
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.
conn %default
    auto=add
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=router.avbohemen.lok
    leftsubnet=0.0.0.0,::0
    leftfirewall=yes
    rightsourceip=%dhcp
    esp=aes-aes256-sha-modp1024,aes256-sha512-modp4096!
    ike=aes-aes256-sha-modp1024,aes256-sha512-modp4096!

conn ikev2-windows
    keyexchange=ikev2
    leftauth=pubkey
    leftcert=VPNrouterCert.pem
    leftsendcert=always
    right=%any
    rightauth=pubkey
    rightcert=clientCert.pem

conn ikev2-iphone
    keyexchange=ikev2
    leftauth=psk
    right=%any
    rightid=iphone
    rightauth=psk
firewall:
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option subnet '192.168.196.0/24'
I want my VPN clients to use the same subnet as my internal LAN: no fiddling with zones, no extra routes, simple firewall rules, just the way it always worked with xl2tpd/racoon. However, after connecting, I cannot ping the assigned IP, and from the VPN client I cannot reach anything. Moreover, after the configured 300 seconds, dead peer detection (DPD) kicks in and disconnects the client. Log:
Mon Dec 28 23:37:09 2015 daemon.info : 13[NET] received packet: from 109.32.64.67[500] to 94.210.184.83[500] (388 bytes)
Mon Dec 28 23:37:09 2015 daemon.info : 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Mon Dec 28 23:37:09 2015 daemon.info : 13[IKE] 109.32.64.67 is initiating an IKE_SA
Mon Dec 28 23:37:09 2015 authpriv.info : 13[IKE] 109.32.64.67 is initiating an IKE_SA
Mon Dec 28 23:37:09 2015 daemon.info : 13[IKE] sending cert request for "C=NL, O=Home, CN=Router Root CA"
Mon Dec 28 23:37:09 2015 daemon.info : 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mon Dec 28 23:37:09 2015 daemon.info : 13[NET] sending packet: from 94.210.184.83[500] to 109.32.64.67[500] (337 bytes)
Mon Dec 28 23:37:09 2015 daemon.info : 01[NET] received packet: from 109.32.64.67[4500] to 94.210.184.83[4500] (460 bytes)
Mon Dec 28 23:37:09 2015 daemon.info : 01[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Mon Dec 28 23:37:09 2015 daemon.info : 01[CFG] looking for peer configs matching 94.210.184.83[router.avbohemen.lok]...109.32.64.67[iphone]
Mon Dec 28 23:37:09 2015 daemon.info : 01[CFG] selected peer config 'ikev2-iphone'
Mon Dec 28 23:37:09 2015 daemon.info : 01[IKE] authentication of 'iphone' with pre-shared key successful
Mon Dec 28 23:37:09 2015 daemon.info : 01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Mon Dec 28 23:37:09 2015 daemon.info : 01[IKE] peer supports MOBIKE
Mon Dec 28 23:37:09 2015 daemon.info : 01[IKE] authentication of 'router.avbohemen.lok' (myself) with pre-shared key
Mon Dec 28 23:37:09 2015 daemon.info : 01[IKE] IKE_SA ikev2-iphone[1] established between 94.210.184.83[router.avbohemen.lok]...109.32.64.67[iphone]
Mon Dec 28 23:37:09 2015 authpriv.info : 01[IKE] IKE_SA ikev2-iphone[1] established between 94.210.184.83[router.avbohemen.lok]...109.32.64.67[iphone]
Mon Dec 28 23:37:09 2015 daemon.info : 01[IKE] peer requested virtual IP %any
Mon Dec 28 23:37:09 2015 daemon.info : 01[CFG] sending DHCP DISCOVER to 192.168.196.255
Mon Dec 28 23:37:10 2015 daemon.info : 01[CFG] sending DHCP DISCOVER to 192.168.196.255
Mon Dec 28 23:37:12 2015 daemon.info dnsmasq-dhcp[1934]: DHCPDISCOVER(br-lan) 7a:a7:86:14:fa:f4
Mon Dec 28 23:37:12 2015 daemon.info dnsmasq-dhcp[1934]: DHCPOFFER(br-lan) 192.168.196.20 7a:a7:86:14:fa:f4
Mon Dec 28 23:37:12 2015 daemon.info dnsmasq-dhcp[1934]: DHCPDISCOVER(br-lan) 7a:a7:86:14:fa:f4
Mon Dec 28 23:37:12 2015 daemon.info dnsmasq-dhcp[1934]: DHCPOFFER(br-lan) 192.168.196.20 7a:a7:86:14:fa:f4
Mon Dec 28 23:37:12 2015 daemon.info : 11[CFG] received DHCP OFFER 192.168.196.20 from 192.168.196.100
Mon Dec 28 23:37:12 2015 daemon.info : 01[CFG] sending DHCP REQUEST for 192.168.196.20 to 192.168.196.100
Mon Dec 28 23:37:12 2015 daemon.info : 01[CFG] sending DHCP REQUEST for 192.168.196.20 to 192.168.196.100
Mon Dec 28 23:37:12 2015 daemon.info dnsmasq-dhcp[1934]: DHCPREQUEST(br-lan) 192.168.196.20 7a:a7:86:14:fa:f4
Mon Dec 28 23:37:12 2015 daemon.info dnsmasq-dhcp[1934]: DHCPACK(br-lan) 192.168.196.20 7a:a7:86:14:fa:f4 iphone
Mon Dec 28 23:37:12 2015 daemon.info : 12[CFG] received DHCP ACK for 192.168.196.20
Mon Dec 28 23:37:12 2015 daemon.info : 01[IKE] assigning virtual IP 192.168.196.20 to peer 'iphone'
Mon Dec 28 23:37:12 2015 daemon.info : 01[IKE] peer requested virtual IP %any6
Mon Dec 28 23:37:12 2015 daemon.info : 01[IKE] no virtual IP found for %any6 requested by 'iphone'
Mon Dec 28 23:37:12 2015 daemon.info : 01[IKE] CHILD_SA ikev2-iphone{1} established with SPIs c8e7a81a_i 0e3f4b4b_o and TS 0.0.0.0/32 ::/128 === 192.168.196.20/32
Mon Dec 28 23:37:12 2015 daemon.info dnsmasq-dhcp[1934]: DHCPREQUEST(br-lan) 192.168.196.20 7a:a7:86:14:fa:f4
Mon Dec 28 23:37:12 2015 daemon.info dnsmasq-dhcp[1934]: DHCPACK(br-lan) 192.168.196.20 7a:a7:86:14:fa:f4 iphone
Mon Dec 28 23:37:12 2015 authpriv.info : 01[IKE] CHILD_SA ikev2-iphone{1} established with SPIs c8e7a81a_i 0e3f4b4b_o and TS 0.0.0.0/32 ::/128 === 192.168.196.20/32
Mon Dec 28 23:37:12 2015 local0.notice vpn: + iphone 192.168.196.20/32 == 109.32.64.67 -- 94.210.184.83 == 0.0.0.0/32
Mon Dec 28 23:37:12 2015 daemon.info : 01[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR DNS NBNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Mon Dec 28 23:37:12 2015 daemon.info : 01[NET] sending packet: from 94.210.184.83[4500] to 109.32.64.67[4500] (348 bytes)
Mon Dec 28 23:42:09 2015 daemon.info : 13[IKE] sending DPD request
Mon Dec 28 23:42:09 2015 daemon.info : 13[ENC] generating INFORMATIONAL request 0 [ ]
Mon Dec 28 23:42:09 2015 daemon.info : 13[NET] sending packet: from 94.210.184.83[4500] to 109.32.64.67[4500] (76 bytes)
Mon Dec 28 23:42:13 2015 daemon.info : 15[IKE] retransmit 1 of request with message ID 0
Mon Dec 28 23:42:13 2015 daemon.info : 15[NET] sending packet: from 94.210.184.83[4500] to 109.32.64.67[4500] (76 bytes)
Mon Dec 28 23:42:21 2015 daemon.info : 01[IKE] retransmit 2 of request with message ID 0
Mon Dec 28 23:42:21 2015 daemon.info : 01[NET] sending packet: from 94.210.184.83[4500] to 109.32.64.67[4500] (76 bytes)
Mon Dec 28 23:42:34 2015 daemon.info : 14[IKE] retransmit 3 of request with message ID 0
Mon Dec 28 23:42:34 2015 daemon.info : 14[NET] sending packet: from 94.210.184.83[4500] to 109.32.64.67[4500] (76 bytes)
Mon Dec 28 23:42:57 2015 daemon.info : 14[IKE] retransmit 4 of request with message ID 0
Mon Dec 28 23:42:57 2015 daemon.info : 14[NET] sending packet: from 94.210.184.83[4500] to 109.32.64.67[4500] (76 bytes)
Mon Dec 28 23:43:39 2015 daemon.info : 13[IKE] retransmit 5 of request with message ID 0
Mon Dec 28 23:43:39 2015 daemon.info : 13[NET] sending packet: from 94.210.184.83[4500] to 109.32.64.67[4500] (76 bytes)
Mon Dec 28 23:44:54 2015 daemon.info : 11[IKE] giving up after 5 retransmits
Mon Dec 28 23:44:55 2015 local0.notice vpn: - iphone 192.168.196.20/32 == 109.32.64.67 -- 94.210.184.83 == 0.0.0.0/32
Mon Dec 28 23:44:55 2015 daemon.info : 11[CFG] sending DHCP RELEASE for 192.168.196.20 to 192.168.196.100
Mon Dec 28 23:44:55 2015 daemon.info dnsmasq-dhcp[1934]: DHCPRELEASE(br-lan) 192.168.196.20 7a:a7:86:14:fa:f4
If I use a separate zone for VPN clients and configure forwarding between the vpn and lan zones, the same thing happens: no traffic whatsoever. I tried the iptables rules from mikma above, but no change. I tried several other configurations, with and without leftfirewall=yes, manual iptables config, etc., no change. So, where to go next to find what's wrong?
BTW, when I was testing with a separate zone, I noticed that no routes were added. I guessed that without a separate zone, I don't need an extra route since everything is in the same subnet. But with a separate zone, "ip route list table 220" remained empty. Did I miss anything there in my configuration?
(Last edited by avbohemen on 29 Dec 2015, 00:28)
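As an added diagnostic (example code, not part of the post above or of strongSwan itself): a small Python check over charon log lines of the kind quoted in the post. It pulls the negotiated traffic selectors out of the CHILD_SA line and flags a gateway side that consists only of /32 or /128 selectors, which is what strongSwan negotiates when leftsubnet is given without a prefix length (0.0.0.0 instead of 0.0.0.0/0), so only packets to that single address are tunnelled; it also reports how many DPD retransmits went unanswered. The sample log is constructed from the lines quoted in the post.

```python
import re

# Constructed sample, modelled on the charon lines quoted in the post above.
SAMPLE_LOG = """\
Mon Dec 28 23:37:12 2015 daemon.info : 01[IKE] CHILD_SA ikev2-iphone{1} established with SPIs c8e7a81a_i 0e3f4b4b_o and TS 0.0.0.0/32 ::/128 === 192.168.196.20/32
Mon Dec 28 23:42:09 2015 daemon.info : 13[IKE] sending DPD request
Mon Dec 28 23:42:13 2015 daemon.info : 15[IKE] retransmit 1 of request with message ID 0
Mon Dec 28 23:44:54 2015 daemon.info : 11[IKE] giving up after 5 retransmits
"""

# "CHILD_SA <conn> established with SPIs <spi_i> <spi_o> and TS <local...> === <remote...>"
CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<conn>\S+) established with SPIs \S+ \S+ and TS "
    r"(?P<local>.+?) === (?P<remote>.+?)\s*$"
)
GIVE_UP_RE = re.compile(r"giving up after (?P<n>\d+) retransmits")


def parse_child_sas(log):
    """Return [(conn, [local TS...], [remote TS...])] for every CHILD_SA line."""
    sas = []
    for line in log.splitlines():
        m = CHILD_SA_RE.search(line)
        if m:
            sas.append((m["conn"], m["local"].split(), m["remote"].split()))
    return sas


def find_host_only_local_ts(sas):
    """CHILD_SAs whose gateway-side selectors all cover a single host.

    A roadwarrior conn that should carry all client traffic must offer 0.0.0.0/0
    (and ::/0) on the gateway side; 0.0.0.0/32 or ::/128 there means leftsubnet
    was parsed as a host address because its prefix length was omitted.
    """
    def host_only(ts):
        return ts.endswith("/32") or ts.endswith("/128")
    return [(conn, local) for conn, local, _ in sas if all(host_only(t) for t in local)]


def dpd_gave_up(log):
    """Retransmit count at which charon gave up on the peer, or None if it never did."""
    m = GIVE_UP_RE.search(log)
    return int(m["n"]) if m else None


if __name__ == "__main__":
    for conn, local in find_host_only_local_ts(parse_child_sas(SAMPLE_LOG)):
        print(f"{conn}: gateway-side TS {local} matches single hosts only")
    print("DPD retransmits before giving up:", dpd_gave_up(SAMPLE_LOG))
```

Run it against `logread` output on the router to see whether the negotiated selectors match what the config was meant to offer.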