IPsec (Strongswan) testing... help needed urgently
    Matthias May 
    matthias.may at westermo.com
       
    Fri Nov 27 14:38:09 EST 2020
    
    
  
On 27/11/2020 19:14, Philip Prindeville wrote:
> Hi,
> 
> I’m working on a PR to add X.509 certificates to Strongswan for authentication and that all seems to be working fine:
> 
> https://urldefense.com/v3/__https://github.com/openwrt/packages/pull/14028__;!!I9LPvj3b!XqJgJCi-P06au0EVChYdDT9yDGqBhoAn-1RAaa7TwM8adhFUNLSF3m_tjUIDs_smTQ$ 
> 
> 
> But I can’t figure out why my traffic isn’t being passed, even though the tunnel comes up:
> 
> *snipped*
Hi
See https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
Also: https://en.wikipedia.org/wiki/Netfilter#/media/File:Netfilter-packet-flow.svg
xfrm lookup happens after the first round of postrouting NAT, thus you need something to accept the frames before they are NATed.
This should be taken care of by your
config zone
	option name		vpn
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT
	option subnet		'192.168.1.0/24'
	option extra_src	'-m policy --dir in --pol ipsec --proto esp'
	option extra_dest	'-m policy --dir out --pol ipsec --proto esp'
	option mtu_fix		1
Can you show the output of
iptables -t nat -nvL
Another thing I could think of is that your routing table entries are missing.
Usually strongswan would take care to set this up, but if you have
charon.install_routes = no
that would mean you have to manually take care to set the routes up.
What does your
ip rule
and ip route show table 220
show?
Table 220 is the "default" for ipsec, but may be another value depending on configuration.
BR
Matthias
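Added example (not part of the thread or of OpenWrt/strongSwan): a small POSIX shell check over the output of `iptables -t nat -nvL POSTROUTING` that reports whether an ACCEPT rule carrying the `-m policy --dir out --pol ipsec` match sits before the first MASQUERADE rule, which is the ordering the reply above requires; the two rule listings are constructed, and the `policy match dir out pol ipsec` rendering of the match is assumed.

```shell
# nat_bypass_ok: return 0 when an ACCEPT rule with the ipsec policy match
# precedes any MASQUERADE rule in the listing, 1 otherwise.
# $1: text of `iptables -t nat -nvL POSTROUTING`
nat_bypass_ok() {
    printf '%s\n' "$1" | awk '
        /^Chain/ || /^ *pkts/ { next }   # skip the chain and column headers
        # column 3 of -nvL output is the target
        $3 == "ACCEPT" && /policy match dir out pol ipsec/ { found = 1 }
        $3 == "MASQUERADE" && !found { bad = 1; exit }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample: policy ACCEPT before MASQUERADE (traffic reaches xfrm)
GOOD_POSTROUTING='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      eth0    192.168.1.0/24       0.0.0.0/0            policy match dir out pol ipsec proto esp
  120  9000 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0'

# Constructed sample: MASQUERADE first, so tunnel-bound packets get NATed
BAD_POSTROUTING='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    192.168.1.0/24       0.0.0.0/0            policy match dir out pol ipsec proto esp'

# Usage on a live box: nat_bypass_ok "$(iptables -t nat -nvL POSTROUTING)"
if nat_bypass_ok "$GOOD_POSTROUTING"; then echo "sample 1: ipsec bypass precedes NAT"; fi
if ! nat_bypass_ok "$BAD_POSTROUTING"; then echo "sample 2: NAT runs before ipsec bypass"; fi
```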