IPsec (Strongswan) testing... help needed urgently

Matthias May matthias.may at westermo.com
Fri Nov 27 14:38:09 EST 2020


On 27/11/2020 19:14, Philip Prindeville wrote:
> Hi,
> 
> I’m working on a PR to add X.509 certificates to Strongswan for authentication and that all seems to be working fine:
> 
> https://github.com/openwrt/packages/pull/14028
> 
> 
> But I can’t figure out why my traffic isn’t being passed, even though the tunnel comes up:
> 
> *snipped*


Hi
See https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
Also: https://en.wikipedia.org/wiki/Netfilter#/media/File:Netfilter-packet-flow.svg
xfrm lookup happens after the first round of postrouting NAT, thus you need something to accept the frames before they
are NATed.
This should be taken care of by your
config zone
	option name		vpn
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT
	option subnet		'192.168.1.0/24'
	option extra_src	'-m policy --dir in --pol ipsec --proto esp'
	option extra_dest	'-m policy --dir out --pol ipsec --proto esp'
	option mtu_fix		1

Can you show the output of
iptables -t nat -nvL

Another thing I could think of is that your routing table entries are missing.
Usually strongswan would take care to set this up, but if you have
charon.install_routes = no
that would mean you have to manually take care to set the routes up.

What does your
ip rule
and ip route show table 220
show?
Table 220 is the "default" for ipsec, but may be another value depending on configuration.

BR
Matthias
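Added example, not code from the thread or from OpenWrt/strongSwan: two sanity checks over the command outputs Matthias asks for. The first reads an `iptables -t nat -nvL` dump and reports whether an ACCEPT rule matching the outbound IPsec policy sits in POSTROUTING ahead of MASQUERADE (the bypass the ForwardingAndSplitTunneling wiki page recommends, since the xfrm lookup happens after NAT). The second checks that `ip rule` references the IPsec routing table and that the table is populated, which is what `charon.install_routes = no` would leave you to do by hand. The command outputs embedded below are constructed samples; the `zone_*_postrouting` chain naming is an assumption taken from fw3's convention, and table 220 is strongSwan's default as the reply says.

```shell
#!/bin/sh
# Added example (not from the original thread or from OpenWrt/strongSwan).
# Checks for the two things the reply asks about:
#   1. the nat table exempts IPsec-policy traffic before it hits MASQUERADE
#   2. the IPsec routing table is referenced by `ip rule` and is populated
# All command outputs below are constructed samples; on a router you would
# pipe the real `iptables -t nat -nvL`, `ip rule` and `ip route show table N`.

# Reads `iptables -t nat -nvL` output on stdin. Returns 0 when, inside chain
# POSTROUTING, an ACCEPT rule carrying "policy match dir out pol ipsec" comes
# before the first MASQUERADE rule or the first jump into a zone_*_postrouting
# chain (fw3's naming; an assumption of this example). Returns 1 otherwise.
# Columns printed by -nv: pkts bytes target prot opt in out source destination [match text]
check_postrouting_order() {
    awk '
        /^Chain /      { chain = $2; next }   # chain header: remember which chain we are in
        $3 == "target" { next }               # column header line
        NF < 3         { next }               # blank separator line
        chain == "POSTROUTING" && !decided {
            if ($3 == "ACCEPT" && /policy match dir out pol ipsec/) {
                found = 1; decided = 1        # bypass reached before any NAT
            } else if ($3 == "MASQUERADE" || $3 ~ /_postrouting$/) {
                decided = 1                   # NAT (or zone NAT chain) reached first
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Args: table number (220 is strongSwan's default), `ip rule` output,
# `ip route show table <N>` output. Returns 0 when a rule looks up the table
# and the table holds at least one route, 1 otherwise.
check_ipsec_routes() {
    table=$1
    printf '%s\n' "$2" | grep -q "lookup ${table}\$" || return 1
    printf '%s\n' "$3" | grep -Eq ' (via|dev) ' || return 1
    return 0
}

# Constructed sample: bypass rule present ahead of the zone NAT jump.
NAT_OK=$(cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   336 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
  112  8120 zone_wan_postrouting  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
  108  7784 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
)

# Constructed sample: same table without the bypass, so traffic gets masqueraded first.
NAT_BAD=$(cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  112  8120 zone_wan_postrouting  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
  108  7784 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
)

# Constructed samples of `ip rule` and `ip route show table 220` on a box
# where charon installed its routes.
IP_RULE=$(cat <<'EOF'
0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default
EOF
)
ROUTE_220='10.10.0.0/24 via 203.0.113.1 dev eth0 proto static src 192.168.1.1'

report_nat() {
    if printf '%s\n' "$2" | check_postrouting_order; then
        echo "$1: IPsec bypass precedes NAT in POSTROUTING"
    else
        echo "$1: no IPsec bypass ahead of NAT; outbound traffic is masqueraded before the xfrm lookup"
    fi
}

report_nat NAT_OK "$NAT_OK"
report_nat NAT_BAD "$NAT_BAD"
if check_ipsec_routes 220 "$IP_RULE" "$ROUTE_220"; then
    echo "table 220: referenced by ip rule and populated"
else
    echo "table 220: missing ip rule or empty table (check charon.install_routes)"
fi
```

On a router the two checks are `iptables -t nat -nvL | check_postrouting_order` and `check_ipsec_routes 220 "$(ip rule)" "$(ip route show table 220)"`; substitute the table number if your configuration moves it away from 220.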