OpenWrt Forum Archive

Topic: StrongSwan: Tunnel established, but no packets routed

The content of this topic has been archived on 8 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I am running OpenWrt CHAOS CALMER (15.05, r46767) on an Archer C7 router and am trying to set up a VPN connection to a server running StrongSwan 5.1.3 on openSUSE 13.2. The OpenWrt router is running StrongSwan 5.3.3.

The VPN tunnel appears to be established:

root@OpenWrt:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.18.20, mips):
  uptime: 6 seconds, since Nov 24 11:31:22 2015
  malloc: sbrk 266240, mmap 0, used 244664, free 21576
  worker threads: 5 of 16 idle, 7/0/4/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck uci addrblock unity
Listening IP addresses:
  188.192.80.168
  192.168.1.1
  fd4c:dd00:f364::1
Connections:
racoon-cougarnet:  %any...88.198.76.220  IKEv1/2
racoon-cougarnet:   local:  [cougar.tvdr.de] uses pre-shared key authentication
racoon-cougarnet:   remote: [racoon.tvdr.de] uses pre-shared key authentication
racoon-cougarnet:   child:  192.168.1.0/24 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
racoon-cougarnet[1]: ESTABLISHED 5 seconds ago, 188.192.80.168[cougar.tvdr.de]...88.198.76.220[racoon.tvdr.de]
racoon-cougarnet[1]: IKEv2 SPIs: 2972d0a6bd47cf6b_i* 5cb617e06f41af12_r, pre-shared key reauthentication in 2 hours
racoon-cougarnet[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
racoon-cougarnet{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: e913bda6_i c737469e_o
racoon-cougarnet{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
racoon-cougarnet{1}:   192.168.1.0/24 === 88.198.76.220/32

but I can't ping, traceroute or ssh from either side.
Does anybody here have an idea what could be wrong with this? My guess would be something about the firewall setup, but no matter what I've tried so far, nothing worked.

Since this is my first post in this forum, I didn't want to clog it with lots of potentially unnecessary information. If you could just tell me what files or data you need in order to investigate this, I'd gladly post it.

Klaus

I use custom firewall rules on my openwrt router with strongswan. I don't know if they are of any use for others but I include them anyway.

iptables -t nat -A prerouting_wan_rule -m policy --dir in --pol ipsec -j ACCEPT
iptables -t nat -A postrouting_wan_rule -m policy --dir out --pol ipsec -j ACCEPT

# VPNs are in the VPN zone
iptables -A forwarding_rule -m policy --dir in --pol ipsec -m conntrack --ctstate NEW -j zone_vpn_forward

# Input from VPNs
iptables -A input_wan_rule -m policy --dir in --pol ipsec -m conntrack --ctstate NEW -j ACCEPT

(Last edited by mikma on 24 Nov 2015, 22:58)

There is no zone_vpn_forward in my firewall setup.
Can you tell me how you created that one?

Klaus

I have about the same problem. Previously, I used xl2tpd and racoon, but I am trying to switch to strongSwan. After creating the certificates or using PSK, I now have a roadwarrior connected. The tunnel is established, but no traffic is routed in any direction. First, my configuration:

strongswan.conf:

charon {
        threads = 16
        # dns is the LAN address of my openwrt router
        dns1 = 192.168.196.100
        nbns1 = 192.168.196.100
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
                dhcp {
                        #needed for dhcp plugin to work with dnsmasq
                        force_server_address = yes
                        server = 192.168.196.255
                }
        }
}

ipsec.conf:

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.
conn %default
        auto=add
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftid=router.avbohemen.lok
        leftsubnet=0.0.0.0,::0
        leftfirewall=yes
        rightsourceip=%dhcp
        esp=aes-aes256-sha-modp1024,aes256-sha512-modp4096!
        ike=aes-aes256-sha-modp1024,aes256-sha512-modp4096!

conn ikev2-windows
        keyexchange=ikev2
        leftauth=pubkey
        leftcert=VPNrouterCert.pem
        leftsendcert=always
        right=%any
        rightauth=pubkey
        rightcert=clientCert.pem

conn ikev2-iphone
        keyexchange=ikev2
        leftauth=psk
        right=%any
        rightid=iphone
        rightauth=psk

firewall:

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option subnet '192.168.196.0/24'

I want my VPN clients to use the same subnet as my internal LAN: no fiddling with zones, no extra routes, simple firewall rules, just the way it always worked with xl2tpd/racoon. However, after connecting, I cannot ping the assigned IP, and from the VPN client I cannot reach anything. Moreover, after the configured 300 seconds, dead peer detection (DPD) kicks in and disconnects the client. Log:

Mon Dec 28 23:37:09 2015 daemon.info : 13[NET] received packet: from 109.32.64.67[500] to 94.210.184.83[500] (388 bytes)
Mon Dec 28 23:37:09 2015 daemon.info : 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Mon Dec 28 23:37:09 2015 daemon.info : 13[IKE] 109.32.64.67 is initiating an IKE_SA
Mon Dec 28 23:37:09 2015 authpriv.info : 13[IKE] 109.32.64.67 is initiating an IKE_SA
Mon Dec 28 23:37:09 2015 daemon.info : 13[IKE] sending cert request for "C=NL, O=Home, CN=Router Root CA"
Mon Dec 28 23:37:09 2015 daemon.info : 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mon Dec 28 23:37:09 2015 daemon.info : 13[NET] sending packet: from 94.210.184.83[500] to 109.32.64.67[500] (337 bytes)
Mon Dec 28 23:37:09 2015 daemon.info : 01[NET] received packet: from 109.32.64.67[4500] to 94.210.184.83[4500] (460 bytes)
Mon Dec 28 23:37:09 2015 daemon.info : 01[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Mon Dec 28 23:37:09 2015 daemon.info : 01[CFG] looking for peer configs matching 94.210.184.83[router.avbohemen.lok]...109.32.64.67[iphone]
Mon Dec 28 23:37:09 2015 daemon.info : 01[CFG] selected peer config 'ikev2-iphone'
Mon Dec 28 23:37:09 2015 daemon.info : 01[IKE] authentication of 'iphone' with pre-shared key successful
Mon Dec 28 23:37:09 2015 daemon.info : 01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Mon Dec 28 23:37:09 2015 daemon.info : 01[IKE] peer supports MOBIKE
Mon Dec 28 23:37:09 2015 daemon.info : 01[IKE] authentication of 'router.avbohemen.lok' (myself) with pre-shared key
Mon Dec 28 23:37:09 2015 daemon.info : 01[IKE] IKE_SA ikev2-iphone[1] established between 94.210.184.83[router.avbohemen.lok]...109.32.64.67[iphone]
Mon Dec 28 23:37:09 2015 authpriv.info : 01[IKE] IKE_SA ikev2-iphone[1] established between 94.210.184.83[router.avbohemen.lok]...109.32.64.67[iphone]
Mon Dec 28 23:37:09 2015 daemon.info : 01[IKE] peer requested virtual IP %any
Mon Dec 28 23:37:09 2015 daemon.info : 01[CFG] sending DHCP DISCOVER to 192.168.196.255
Mon Dec 28 23:37:10 2015 daemon.info : 01[CFG] sending DHCP DISCOVER to 192.168.196.255
Mon Dec 28 23:37:12 2015 daemon.info dnsmasq-dhcp[1934]: DHCPDISCOVER(br-lan) 7a:a7:86:14:fa:f4
Mon Dec 28 23:37:12 2015 daemon.info dnsmasq-dhcp[1934]: DHCPOFFER(br-lan) 192.168.196.20 7a:a7:86:14:fa:f4
Mon Dec 28 23:37:12 2015 daemon.info dnsmasq-dhcp[1934]: DHCPDISCOVER(br-lan) 7a:a7:86:14:fa:f4
Mon Dec 28 23:37:12 2015 daemon.info dnsmasq-dhcp[1934]: DHCPOFFER(br-lan) 192.168.196.20 7a:a7:86:14:fa:f4
Mon Dec 28 23:37:12 2015 daemon.info : 11[CFG] received DHCP OFFER 192.168.196.20 from 192.168.196.100
Mon Dec 28 23:37:12 2015 daemon.info : 01[CFG] sending DHCP REQUEST for 192.168.196.20 to 192.168.196.100
Mon Dec 28 23:37:12 2015 daemon.info : 01[CFG] sending DHCP REQUEST for 192.168.196.20 to 192.168.196.100
Mon Dec 28 23:37:12 2015 daemon.info dnsmasq-dhcp[1934]: DHCPREQUEST(br-lan) 192.168.196.20 7a:a7:86:14:fa:f4
Mon Dec 28 23:37:12 2015 daemon.info dnsmasq-dhcp[1934]: DHCPACK(br-lan) 192.168.196.20 7a:a7:86:14:fa:f4 iphone
Mon Dec 28 23:37:12 2015 daemon.info : 12[CFG] received DHCP ACK for 192.168.196.20
Mon Dec 28 23:37:12 2015 daemon.info : 01[IKE] assigning virtual IP 192.168.196.20 to peer 'iphone'
Mon Dec 28 23:37:12 2015 daemon.info : 01[IKE] peer requested virtual IP %any6
Mon Dec 28 23:37:12 2015 daemon.info : 01[IKE] no virtual IP found for %any6 requested by 'iphone'
Mon Dec 28 23:37:12 2015 daemon.info : 01[IKE] CHILD_SA ikev2-iphone{1} established with SPIs c8e7a81a_i 0e3f4b4b_o and TS 0.0.0.0/32 ::/128 === 192.168.196.20/32
Mon Dec 28 23:37:12 2015 daemon.info dnsmasq-dhcp[1934]: DHCPREQUEST(br-lan) 192.168.196.20 7a:a7:86:14:fa:f4
Mon Dec 28 23:37:12 2015 daemon.info dnsmasq-dhcp[1934]: DHCPACK(br-lan) 192.168.196.20 7a:a7:86:14:fa:f4 iphone
Mon Dec 28 23:37:12 2015 authpriv.info : 01[IKE] CHILD_SA ikev2-iphone{1} established with SPIs c8e7a81a_i 0e3f4b4b_o and TS 0.0.0.0/32 ::/128 === 192.168.196.20/32
Mon Dec 28 23:37:12 2015 local0.notice vpn: + iphone 192.168.196.20/32 == 109.32.64.67 -- 94.210.184.83 == 0.0.0.0/32
Mon Dec 28 23:37:12 2015 daemon.info : 01[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR DNS NBNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Mon Dec 28 23:37:12 2015 daemon.info : 01[NET] sending packet: from 94.210.184.83[4500] to 109.32.64.67[4500] (348 bytes)
Mon Dec 28 23:42:09 2015 daemon.info : 13[IKE] sending DPD request
Mon Dec 28 23:42:09 2015 daemon.info : 13[ENC] generating INFORMATIONAL request 0 [ ]
Mon Dec 28 23:42:09 2015 daemon.info : 13[NET] sending packet: from 94.210.184.83[4500] to 109.32.64.67[4500] (76 bytes)
Mon Dec 28 23:42:13 2015 daemon.info : 15[IKE] retransmit 1 of request with message ID 0
Mon Dec 28 23:42:13 2015 daemon.info : 15[NET] sending packet: from 94.210.184.83[4500] to 109.32.64.67[4500] (76 bytes)
Mon Dec 28 23:42:21 2015 daemon.info : 01[IKE] retransmit 2 of request with message ID 0
Mon Dec 28 23:42:21 2015 daemon.info : 01[NET] sending packet: from 94.210.184.83[4500] to 109.32.64.67[4500] (76 bytes)
Mon Dec 28 23:42:34 2015 daemon.info : 14[IKE] retransmit 3 of request with message ID 0
Mon Dec 28 23:42:34 2015 daemon.info : 14[NET] sending packet: from 94.210.184.83[4500] to 109.32.64.67[4500] (76 bytes)
Mon Dec 28 23:42:57 2015 daemon.info : 14[IKE] retransmit 4 of request with message ID 0
Mon Dec 28 23:42:57 2015 daemon.info : 14[NET] sending packet: from 94.210.184.83[4500] to 109.32.64.67[4500] (76 bytes)
Mon Dec 28 23:43:39 2015 daemon.info : 13[IKE] retransmit 5 of request with message ID 0
Mon Dec 28 23:43:39 2015 daemon.info : 13[NET] sending packet: from 94.210.184.83[4500] to 109.32.64.67[4500] (76 bytes)
Mon Dec 28 23:44:54 2015 daemon.info : 11[IKE] giving up after 5 retransmits
Mon Dec 28 23:44:55 2015 local0.notice vpn: - iphone 192.168.196.20/32 == 109.32.64.67 -- 94.210.184.83 == 0.0.0.0/32
Mon Dec 28 23:44:55 2015 daemon.info : 11[CFG] sending DHCP RELEASE for 192.168.196.20 to 192.168.196.100
Mon Dec 28 23:44:55 2015 daemon.info dnsmasq-dhcp[1934]: DHCPRELEASE(br-lan) 192.168.196.20 7a:a7:86:14:fa:f4

If I use a separate zone for VPN clients and configure forwarding between the vpn and lan zones, the same thing happens: no traffic whatsoever. I tried the iptables rules from mikma above, but no change. I tried several other configurations, with and without leftfirewall=yes, manual iptables config, etc., no change. So, where to go next to find what's wrong?

BTW, when I was testing with a separate zone, I noticed that no routes were added. I guessed that without a separate zone, I don't need an extra route since everything is in the same subnet. But with a separate zone, "ip route list table 220" remained empty. Did I miss anything there in my configuration?

(Last edited by avbohemen on 29 Dec 2015, 00:28)

Try 'auto=start' and 'installpolicy=yes' in your %default profile

These may not be relevant with recent versions of StrongSwan but the last time I used it your config surely wouldn't route anything.

I thought 'auto=start' was for site-to-site VPNs, not for roadwarriors. And 'installpolicy=yes' is the default nowadays. Anyway, I tried both options. 'auto=start' gave an error as expected, and 'installpolicy=yes' did not help either.

Any other suggestions?

D$mn, found it. I just had to change:

leftsubnet=0.0.0.0,::0

to

leftsubnet=0.0.0.0/0,::0/0

Otherwise, no subnets at all were allowed...

However, at the moment I can reach my local lan from a VPN client, but I have no internet access.

(Last edited by avbohemen on 4 Jan 2016, 13:20)
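Both symptoms in this thread are visible in text the poster already has: Klaus's statusall output shows a CHILD_SA that is INSTALLED with 0 bytes each way, and avbohemen's charon log shows the negotiated selectors as TS 0.0.0.0/32 ::/128, which is what a leftsubnet written without a prefix length turns into. The Python helper below is an added example written for this archive page, not code from the thread or from strongSwan. The sample status and log lines are constructed copies of the ones quoted above, and the function names are assumptions of this example.

```python
"""Constructed diagnostic helper (example only, not part of the thread or
of strongSwan). It applies two checks to `ipsec statusall` output and
charon log lines:
  1. the ESP byte counters of an INSTALLED CHILD_SA (0/0 means the tunnel
     is up but nothing is being routed into it), and
  2. the negotiated traffic selectors, where a bare address such as
     0.0.0.0 or ::0 in leftsubnet parses as a single host (/32, /128)
     instead of the whole address space (/0), so no real traffic matches.
"""
import ipaddress
import re

# Constructed sample lines, shaped like the ones quoted in the thread.
STATUS_LINE = ("racoon-cougarnet{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, "
               "0 bytes_o, rekeying in 41 minutes")
CHILD_SA_LINE = ("Mon Dec 28 23:37:12 2015 daemon.info : 01[IKE] CHILD_SA "
                 "ikev2-iphone{1} established with SPIs c8e7a81a_i 0e3f4b4b_o "
                 "and TS 0.0.0.0/32 ::/128 === 192.168.196.20/32")

BYTES_RE = re.compile(r"(\d+) bytes_i, (\d+) bytes_o")
TS_RE = re.compile(
    r"CHILD_SA (?P<name>\S+) established with SPIs \S+ \S+ "
    r"and TS (?P<local>.*?) === (?P<remote>.*)$"
)


def esp_byte_counters(line):
    """Return (bytes_in, bytes_out) from a statusall CHILD_SA line, or None."""
    m = BYTES_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def parse_subnet_option(value):
    """Parse a leftsubnet/rightsubnet value: items are comma separated, and
    an address without a prefix length is a single host, which is exactly
    what the thread's log shows for leftsubnet=0.0.0.0,::0."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def parse_child_sa(line):
    """Extract the connection name and both traffic selector lists from a
    charon 'CHILD_SA ... established' log line."""
    m = TS_RE.search(line)
    if not m:
        return None
    return {
        "name": m.group("name"),
        "local": parse_subnet_option(m.group("local").replace(" ", ",")),
        "remote": parse_subnet_option(m.group("remote").replace(" ", ",")),
    }


def selector_problems(nets):
    """Flag selectors that cover only the unspecified host (0.0.0.0/32 or
    ::/128). A real host selector such as a client's virtual IP /32 is
    legitimate and is not flagged."""
    problems = []
    for net in nets:
        if (net.network_address.is_unspecified
                and net.prefixlen == net.max_prefixlen):
            problems.append(
                f"{net} matches only the unspecified host; "
                f"use {net.network_address}/0 for the whole address space")
    return problems


def diagnose(status_line, child_sa_line):
    """Combine both checks into a list of findings (empty means nothing found)."""
    findings = []
    if esp_byte_counters(status_line) == (0, 0):
        findings.append("CHILD_SA installed but 0 bytes in and out: "
                        "traffic never reaches the tunnel (check policy "
                        "matching in the firewall and the selectors)")
    sa = parse_child_sa(child_sa_line)
    if sa:
        findings.extend(f"{sa['name']}: {p}"
                        for p in selector_problems(sa["local"]))
    return findings


if __name__ == "__main__":
    for finding in diagnose(STATUS_LINE, CHILD_SA_LINE):
        print(finding)
    print(parse_subnet_option("0.0.0.0,::0"))      # host selectors (/32, /128)
    print(parse_subnet_option("0.0.0.0/0,::0/0"))  # whole address space
```

Run it as-is to see the two findings for the constructed lines; feed it your own statusall and log lines to check a live setup. The point of the selector check is the one avbohemen found by hand: a bare address in leftsubnet is a host, so the client gets a tunnel whose local side matches nothing.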
