Gentoo Forums
[SOLVED] Strongswan Routing
cdstealer
Guru


Joined: 30 Oct 2005
Posts: 423
Location: Leeds

PostPosted: Sun Oct 30, 2016 1:14 pm    Post subject: [SOLVED] Strongswan Routing

Hi All,
I've been trying on and off for a few weeks to get an ipsec VPN setup so I can use my phone out there in that world. I've read so many howtos/documentation etc etc that I've probably gotten myself into a confused mess. Anyway, long story short, I have installed and configured strongswan and the phone connects without issue. The only problem I have is that no successful traffic happens after that. It feels like a firewall issue and any attempt to browse just sits waiting to connect. To test this theory, I disabled both the modem/firewall and iptables with no change (turned back on straight away). So I've probably missed something, but I don't know what.

Starting strongswan gets this:
Code:
Oct 30 12:52:04 hostname ipsec[10755]: Starting strongSwan 5.5.0 IPsec [starter]...
Oct 30 12:52:04 hostname ipsec_starter[10755]: Starting strongSwan 5.5.0 IPsec [starter]...
Oct 30 12:52:04 hostname charon[10764]: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.0, Linux 4.8.5-gentoo, x86_64)
Oct 30 12:52:04 hostname charon[10764]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct 30 12:52:04 hostname charon[10764]: 00[CFG]   loaded ca certificate "C=GB, O=strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Oct 30 12:52:04 hostname charon[10764]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct 30 12:52:04 hostname charon[10764]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 30 12:52:04 hostname charon[10764]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct 30 12:52:04 hostname charon[10764]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct 30 12:52:04 hostname charon[10764]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 30 12:52:04 hostname charon[10764]: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/vpnHostKey.pem'
Oct 30 12:52:04 hostname charon[10764]: 00[CFG]   loaded EAP secret for cdstealer
Oct 30 12:52:04 hostname charon[10764]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Oct 30 12:52:04 hostname charon[10764]: 00[CFG] loaded 0 RADIUS server configurations
Oct 30 12:52:04 hostname charon[10764]: 00[CFG] HA config misses local/remote address
Oct 30 12:52:04 hostname charon[10764]: 00[LIB] loaded plugins: charon pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default socket-dynamic stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap xauth-pam dhcp unity
Oct 30 12:52:04 hostname charon[10764]: 00[JOB] spawning 16 worker threads
Oct 30 12:52:04 hostname ipsec[10755]: charon (10764) started after 60 ms
Oct 30 12:52:04 hostname ipsec_starter[10755]: charon (10764) started after 60 ms
Oct 30 12:52:04 hostname charon[10764]: 12[CFG] received stroke: add connection 'IPSec-Android'
Oct 30 12:52:04 hostname charon[10764]: 12[CFG] adding virtual IP address pool 10.10.11.200/24
Oct 30 12:52:04 hostname charon[10764]: 12[CFG]   loaded certificate "C=GB, O=strongSwan, CN=my.vpn.domain" from 'vpnHostCert.pem'
Oct 30 12:52:04 hostname charon[10764]: 12[CFG] added configuration 'IPSec-Android'


Everything looks OK to me.

Connecting gets this:
Code:
Oct 30 12:52:19 hostname charon[10764]: 11[NET] received packet: from 188.29.164.57[17261] to xxx.xxx.xxx.xxx[500] (612 bytes)
Oct 30 12:52:19 hostname charon[10764]: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] received NAT-T (RFC 3947) vendor ID
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] received XAuth vendor ID
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] received Cisco Unity vendor ID
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] received FRAGMENTATION vendor ID
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] received DPD vendor ID
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] 188.29.164.57 is initiating a Main Mode IKE_SA
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] 188.29.164.57 is initiating a Main Mode IKE_SA
Oct 30 12:52:19 hostname charon[10764]: 11[ENC] generating ID_PROT response 0 [ SA V V V V ]
Oct 30 12:52:19 hostname charon[10764]: 11[NET] sending packet: from xxx.xxx.xxx.xxx[500] to 188.29.164.57[17261] (160 bytes)
Oct 30 12:52:19 hostname charon[10764]: 06[NET] received packet: from 188.29.164.57[17261] to xxx.xxx.xxx.xxx[500] (252 bytes)
Oct 30 12:52:19 hostname charon[10764]: 06[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 30 12:52:19 hostname charon[10764]: 06[IKE] local host is behind NAT, sending keep alives
Oct 30 12:52:19 hostname charon[10764]: 06[IKE] remote host is behind NAT
Oct 30 12:52:19 hostname charon[10764]: 06[IKE] sending cert request for "C=GB, O=strongSwan, CN=strongSwan Root CA"
Oct 30 12:52:19 hostname charon[10764]: 06[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Oct 30 12:52:19 hostname charon[10764]: 06[NET] sending packet: from xxx.xxx.xxx.xxx[500] to 188.29.164.57[17261] (338 bytes)
Oct 30 12:52:19 hostname charon[10764]: 08[NET] received packet: from 188.29.164.57[17209] to xxx.xxx.xxx.xxx[4500] (1500 bytes)
Oct 30 12:52:19 hostname charon[10764]: 08[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ ]
Oct 30 12:52:19 hostname charon[10764]: 08[IKE] ignoring certificate request without data
Oct 30 12:52:19 hostname charon[10764]: 08[IKE] received end entity cert "C=GB, O=strongSwan, CN=me@urmoms.com"
Oct 30 12:52:19 hostname charon[10764]: 08[CFG] looking for XAuthInitRSA peer configs matching xxx.xxx.xxx.xxx...188.29.164.57[C=GB, O=strongSwan, CN=me@urmoms.com]
Oct 30 12:52:19 hostname charon[10764]: 08[CFG] selected peer config "IPSec-Android"
Oct 30 12:52:19 hostname charon[10764]: 08[CFG]   using certificate "C=GB, O=strongSwan, CN=me@urmoms.com"
Oct 30 12:52:19 hostname charon[10764]: 08[CFG]   using trusted ca certificate "C=GB, O=strongSwan, CN=strongSwan Root CA"
Oct 30 12:52:19 hostname charon[10764]: 08[CFG] checking certificate status of "C=GB, O=strongSwan, CN=me@urmoms.com"
Oct 30 12:52:19 hostname charon[10764]: 08[CFG] certificate status is not available
Oct 30 12:52:19 hostname charon[10764]: 08[CFG]   reached self-signed root ca with a path length of 0
Oct 30 12:52:19 hostname charon[10764]: 08[IKE] authentication of 'C=GB, O=strongSwan, CN=me@urmoms.com' with RSA_EMSA_PKCS1_NULL successful
Oct 30 12:52:19 hostname charon[10764]: 08[IKE] authentication of 'my.vpn.domain' (myself) successful
Oct 30 12:52:19 hostname charon[10764]: 08[IKE] sending end entity cert "C=GB, O=strongSwan, CN=my.vpn.domain"
Oct 30 12:52:19 hostname charon[10764]: 08[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Oct 30 12:52:19 hostname charon[10764]: 08[ENC] splitting IKE message with length of 1452 bytes into 3 fragments
Oct 30 12:52:19 hostname charon[10764]: 08[ENC] generating ID_PROT response 0 [ FRAG(1) ]
Oct 30 12:52:19 hostname charon[10764]: 08[ENC] generating ID_PROT response 0 [ FRAG(2) ]
Oct 30 12:52:19 hostname ipsec[10755]: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.0, Linux 4.8.5-gentoo, x86_64)
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG]   loaded ca certificate "C=GB, O=strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/vpnHostKey.pem'
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG]   loaded EAP secret for cdstealer
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG] loaded 0 RADIUS server configurations
Oct 30 12:52:19 hostname ipsec[10755]: 00[CFG] HA config misses local/remote address
Oct 30 12:52:19 hostname ipsec[10755]: 00[LIB] loaded plugins: charon pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default socket-dynamic stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap xauth-pam dhcp unity
Oct 30 12:52:19 hostname ipsec[10755]: 00[JOB] spawning 16 worker threads
Oct 30 12:52:19 hostname ipsec[10755]: 12[CFG] received stroke: add connection 'IPSec-Android'
Oct 30 12:52:19 hostname ipsec[10755]: 12[CFG] adding virtual IP address pool 10.10.11.200/24
Oct 30 12:52:19 hostname ipsec[10755]: 12[CFG]   loaded certificate "C=GB, O=strongSwan, CN=my.vpn.domain" from 'vpnHostCert.pem'
Oct 30 12:52:19 hostname ipsec[10755]: 12[CFG] added configuration 'IPSec-Android'
Oct 30 12:52:19 hostname ipsec[10755]: 11[NET] received packet: from 188.29.164.57[17261] to xxx.xxx.xxx.xxx[500] (612 bytes)
Oct 30 12:52:19 hostname ipsec[10755]: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Oct 30 12:52:19 hostname ipsec[10755]: 11[IKE] received NAT-T (RFC 3947) vendor ID
Oct 30 12:52:19 hostname ipsec[10755]: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 30 12:52:19 hostname ipsec[10755]: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 30 12:52:19 hostname ipsec[10755]: 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Oct 30 12:52:19 hostname ipsec[10755]: 11[IKE] received XAuth vendor ID
Oct 30 12:52:19 hostname charon[10764]: 08[ENC] generating ID_PROT response 0 [ FRAG(3/3) ]
Oct 30 12:52:19 hostname charon[10764]: 08[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to 188.29.164.57[17209] (544 bytes)
Oct 30 12:52:19 hostname charon[10764]: 08[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to 188.29.164.57[17209] (544 bytes)
Oct 30 12:52:19 hostname charon[10764]: 08[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to 188.29.164.57[17209] (472 bytes)
Oct 30 12:52:19 hostname charon[10764]: 08[ENC] generating TRANSACTION request 3541450630 [ HASH CPRQ(X_USER X_PWD) ]
Oct 30 12:52:19 hostname charon[10764]: 08[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to 188.29.164.57[17209] (92 bytes)
Oct 30 12:52:19 hostname ipsec[10755]: 11[IKE] received Cisco Unity vendor ID
Oct 30 12:52:19 hostname ipsec[10755]: 11[IKE] received FRAGMENTATION vendor ID
Oct 30 12:52:19 hostname ipsec[10755]: 11[IKE] received DPD vendor ID
Oct 30 12:52:19 hostname ipsec[10755]: 11[IKE] 188.29.164.57 is initiating a Main Mode IKE_SA
Oct 30 12:52:19 hostname ipsec[10755]: 11[ENC] generating ID_PROT response 0 [ SA V V V V ]
Oct 30 12:52:19 hostname ipsec[10755]: 11[NET] sending packet: from xxx.xxx.xxx.xxx[500] to 188.29.164.57[17261] (160 bytes)
Oct 30 12:52:19 hostname ipsec[10755]: 06[NET] received packet: from 188.29.164.57[17261] to xxx.xxx.xxx.xxx[500] (252 bytes)
Oct 30 12:52:19 hostname ipsec[10755]: 06[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 30 12:52:19 hostname ipsec[10755]: 06[IKE] local host is behind NAT, sending keep alives
Oct 30 12:52:19 hostname ipsec[10755]: 06[IKE] remote host is behind NAT
Oct 30 12:52:19 hostname ipsec[10755]: 06[IKE] sending cert request for "C=GB, O=strongSwan, CN=strongSwan Root CA"
Oct 30 12:52:19 hostname ipsec[10755]: 06[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Oct 30 12:52:19 hostname ipsec[10755]: 06[NET] sending packet: from xxx.xxx.xxx.xxx[500] to 188.29.164.57[17261] (338 bytes)
Oct 30 12:52:19 hostname ipsec[10755]: 08[NET] received packet: from 188.29.164.57[17209] to xxx.xxx.xxx.xxx[4500] (1500 bytes)
Oct 30 12:52:19 hostname ipsec[10755]: 08[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ ]
Oct 30 12:52:19 hostname ipsec[10755]: 08[IKE] ignoring certificate request without data
Oct 30 12:52:19 hostname ipsec[10755]: 08[IKE] received end entity cert "C=GB, O=strongSwan, CN=me@urmoms.com"
Oct 30 12:52:19 hostname ipsec[10755]: 08[CFG] looking for XAuthInitRSA peer configs matching xxx.xxx.xxx.xxx...188.29.164.57[C=GB, O=strongSwan, CN=me@urmoms.com]
Oct 30 12:52:19 hostname ipsec[10755]: 08[CFG] selected peer config "IPSec-Android"
Oct 30 12:52:19 hostname ipsec[10755]: 08[CFG]   using certificate "C=GB, O=strongSwan, CN=me@urmoms.com"
Oct 30 12:52:19 hostname ipsec[10755]: 08[CFG]   using trusted ca certificate "C=GB, O=strongSwan, CN=strongSwan Root CA"
Oct 30 12:52:19 hostname ipsec[10755]: 08[CFG] checking certificate status of "C=GB, O=strongSwan, CN=me@urmoms.com"
Oct 30 12:52:19 hostname ipsec[10755]: 08[CFG] certificate status is not available
Oct 30 12:52:19 hostname ipsec[10755]: 08[CFG]   reached self-signed root ca with a path length of 0
Oct 30 12:52:19 hostname ipsec[10755]: 08[IKE] authentication of 'C=GB, O=strongSwan, CN=me@urmoms.com' with RSA_EMSA_PKCS1_NULL successful
Oct 30 12:52:19 hostname ipsec[10755]: 08[IKE] authentication of 'my.vpn.domain' (myself) successful
Oct 30 12:52:19 hostname ipsec[10755]: 08[IKE] sending end entity cert "C=GB, O=strongSwan, CN=my.vpn.domain"
Oct 30 12:52:19 hostname ipsec[10755]: 08[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Oct 30 12:52:19 hostname ipsec[10755]: 08[ENC] splitting IKE message with length of 1452 bytes into 3 fragments
Oct 30 12:52:19 hostname ipsec[10755]: 08[ENC] generating ID_PROT response 0 [ FRAG(1) ]
Oct 30 12:52:19 hostname ipsec[10755]: 08[ENC] generating ID_PROT response 0 [ FRAG(2) ]
Oct 30 12:52:20 hostname charon[10764]: 11[NET] received packet: from 188.29.164.57[17209] to xxx.xxx.xxx.xxx[4500] (124 bytes)
Oct 30 12:52:20 hostname charon[10764]: 11[ENC] parsed INFORMATIONAL_V1 request 3109798655 [ HASH N(INITIAL_CONTACT) ]
Oct 30 12:52:20 hostname charon[10764]: 14[NET] received packet: from 188.29.164.57[17209] to xxx.xxx.xxx.xxx[4500] (124 bytes)
Oct 30 12:52:20 hostname charon[10764]: 14[ENC] parsed TRANSACTION response 3541450630 [ HASH CPRP(X_USER X_PWD) ]
Oct 30 12:52:20 hostname charon[10764]: 14[IKE] XAuth authentication of 'cdstealer' successful
Oct 30 12:52:20 hostname charon[10764]: 14[ENC] generating TRANSACTION request 3279408097 [ HASH CPS(X_STATUS) ]
Oct 30 12:52:20 hostname charon[10764]: 14[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to 188.29.164.57[17209] (92 bytes)
Oct 30 12:52:20 hostname charon[10764]: 07[NET] received packet: from 188.29.164.57[17209] to xxx.xxx.xxx.xxx[4500] (108 bytes)
Oct 30 12:52:20 hostname charon[10764]: 07[ENC] parsed TRANSACTION response 3279408097 [ HASH CPA(X_STATUS) ]
Oct 30 12:52:20 hostname charon[10764]: 07[IKE] IKE_SA IPSec-Android[1] established between xxx.xxx.xxx.xxx[my.vpn.domain]...188.29.164.57[C=GB, O=strongSwan, CN=me@urmoms.com]
Oct 30 12:52:20 hostname charon[10764]: 07[IKE] IKE_SA IPSec-Android[1] established between xxx.xxx.xxx.xxx[my.vpn.domain]...188.29.164.57[C=GB, O=strongSwan, CN=me@urmoms.com]
Oct 30 12:52:20 hostname charon[10764]: 07[IKE] scheduling reauthentication in 9730s
Oct 30 12:52:20 hostname charon[10764]: 07[IKE] maximum IKE_SA lifetime 10270s
Oct 30 12:52:20 hostname charon[10764]: 10[NET] received packet: from 188.29.164.57[17209] to xxx.xxx.xxx.xxx[4500] (140 bytes)
Oct 30 12:52:20 hostname charon[10764]: 10[ENC] parsed TRANSACTION request 2322239353 [ HASH CPRQ(ADDR MASK DNS NBNS U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN VER) ]
Oct 30 12:52:20 hostname charon[10764]: 10[IKE] peer requested virtual IP %any
Oct 30 12:52:20 hostname charon[10764]: 10[CFG] assigning new lease to 'cdstealer'
Oct 30 12:52:20 hostname charon[10764]: 10[IKE] assigning virtual IP 10.10.11.200 to peer 'cdstealer'
Oct 30 12:52:20 hostname charon[10764]: 10[ENC] generating TRANSACTION response 2322239353 [ HASH CPRP(ADDR) ]
Oct 30 12:52:20 hostname charon[10764]: 10[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to 188.29.164.57[17209] (92 bytes)
Oct 30 12:52:20 hostname charon[10764]: 11[NET] received packet: from 188.29.164.57[17209] to xxx.xxx.xxx.xxx[4500] (476 bytes)
Oct 30 12:52:20 hostname charon[10764]: 11[ENC] parsed QUICK_MODE request 3136888957 [ HASH SA No ID ID ]
Oct 30 12:52:20 hostname charon[10764]: 11[IKE] received 28800s lifetime, configured 3600s
Oct 30 12:52:20 hostname charon[10764]: 11[ENC] generating QUICK_MODE response 3136888957 [ HASH SA No ID ID ]
Oct 30 12:52:20 hostname charon[10764]: 11[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to 188.29.164.57[17209] (188 bytes)
Oct 30 12:52:21 hostname charon[10764]: 06[NET] received packet: from 188.29.164.57[17209] to xxx.xxx.xxx.xxx[4500] (92 bytes)
Oct 30 12:52:21 hostname charon[10764]: 06[ENC] parsed QUICK_MODE request 3136888957 [ HASH ]
Oct 30 12:52:21 hostname charon[10764]: 06[IKE] CHILD_SA IPSec-Android{1} established with SPIs ced0dc81_i 058ff1c1_o and TS 0.0.0.0/0 === 10.10.11.200/32
Oct 30 12:52:21 hostname charon[10764]: 06[IKE] CHILD_SA IPSec-Android{1} established with SPIs ced0dc81_i 058ff1c1_o and TS 0.0.0.0/0 === 10.10.11.200/32


Strongswan adds these 2 lines to iptables:
Code:
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  10.10.11.200         0.0.0.0/0            policy match dir in pol ipsec reqid 1 proto 50
ACCEPT     all  --  0.0.0.0/0            10.10.11.200         policy match dir out pol ipsec reqid 1 proto 50


This is my ipsec.conf:
Code:
config setup
        uniqueids=never
        #charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
        keyexchange=ike
        dpdaction=restart
        dpddelay=300s
        reauth=yes
        aggressive=no
        fragmentation=yes
        type=tunnel
        forceencaps=yes
        rightauth=pubkey
        rightauth2=xauth
        modeconfig=pull
        auto=add
        closeaction=clear
        compress=no

conn IPSec-Android
        left=my.vpn.domain
        leftsubnet=0.0.0.0/0
        leftcert=vpnHostCert.pem
        leftsendcert=always
        leftfirewall=yes
        right=%any
        rightid=%any
        rightsubnet=10.10.11.0/24
        rightsourceip=10.10.11.200/24
        rightsendcert=ifasked


Thanks muchly and please forgive my potential stupidity :\ If you need any further info, please don't hesitate to ask.
_________________
# touch it
touch: cannot touch `it': Permission denied


Last edited by cdstealer on Mon Nov 14, 2016 7:52 pm; edited 1 time in total
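The handshake log above is long and most events appear twice (charon's own line, then the same text relayed by the ipsec starter), which makes it easy to miss the state changes that matter for access monitoring: who authenticated with which certificate and XAuth user, which virtual IP they were given, and what traffic selector the CHILD_SA installed. The following Python is an added example, not code from the post or from strongSwan. It folds a copy of the excerpt above into one session record and derives a couple of operator notes. The regular expressions are written against that excerpt and are an assumption of this example, not a documented log format.

```python
"""Extract security-relevant events from a strongSwan charon syslog excerpt.

Added example: not code from the forum post or from strongSwan. SAMPLE_LOG is
a subset of the "Connecting gets this:" excerpt above (the gateway address is
redacted there as xxx.xxx.xxx.xxx). The patterns below are an assumption of
this example, matched against that excerpt, not a documented log format.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample copied from the thread; duplicate lines kept on purpose.
SAMPLE_LOG = """\
Oct 30 12:52:19 hostname charon[10764]: 11[NET] received packet: from 188.29.164.57[17261] to xxx.xxx.xxx.xxx[500] (612 bytes)
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] 188.29.164.57 is initiating a Main Mode IKE_SA
Oct 30 12:52:19 hostname charon[10764]: 11[IKE] 188.29.164.57 is initiating a Main Mode IKE_SA
Oct 30 12:52:19 hostname ipsec[10755]: 11[IKE] 188.29.164.57 is initiating a Main Mode IKE_SA
Oct 30 12:52:19 hostname charon[10764]: 06[IKE] remote host is behind NAT
Oct 30 12:52:19 hostname charon[10764]: 08[NET] received packet: from 188.29.164.57[17209] to xxx.xxx.xxx.xxx[4500] (1500 bytes)
Oct 30 12:52:19 hostname charon[10764]: 08[IKE] authentication of 'C=GB, O=strongSwan, CN=me@urmoms.com' with RSA_EMSA_PKCS1_NULL successful
Oct 30 12:52:20 hostname charon[10764]: 14[IKE] XAuth authentication of 'cdstealer' successful
Oct 30 12:52:20 hostname charon[10764]: 07[IKE] IKE_SA IPSec-Android[1] established between xxx.xxx.xxx.xxx[my.vpn.domain]...188.29.164.57[C=GB, O=strongSwan, CN=me@urmoms.com]
Oct 30 12:52:20 hostname charon[10764]: 10[IKE] assigning virtual IP 10.10.11.200 to peer 'cdstealer'
Oct 30 12:52:21 hostname charon[10764]: 06[IKE] CHILD_SA IPSec-Android{1} established with SPIs ced0dc81_i 058ff1c1_o and TS 0.0.0.0/0 === 10.10.11.200/32
Oct 30 12:52:21 hostname charon[10764]: 06[IKE] CHILD_SA IPSec-Android{1} established with SPIs ced0dc81_i 058ff1c1_o and TS 0.0.0.0/0 === 10.10.11.200/32
"""

# syslog prefix: "<timestamp> <host> <prog>[<pid>]: <thread>[<group>] <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)\[(?P<pid>\d+)\]: "
    r"(?P<thread>\d\d)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
PEER_RE = re.compile(r"received packet: from ([\d.]+)\[\d+\] to \S+\[(\d+)\]")
CERT_AUTH_RE = re.compile(r"authentication of '([^']+)' with (\S+) successful")
XAUTH_RE = re.compile(r"XAuth authentication of '([^']+)' successful")
VIP_RE = re.compile(r"assigning virtual IP ([\d.]+) to peer '([^']+)'")
IKE_SA_RE = re.compile(r"IKE_SA (\S+\[\d+\]) established between")
CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<conn>\S+)\{(?P<id>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS (?P<local_ts>\S+) === (?P<remote_ts>\S+)"
)


@dataclass
class Session:
    peer_ip: Optional[str] = None
    nat_traversal: bool = False       # exchange moved to UDP/4500
    peer_behind_nat: bool = False
    cert_identity: Optional[str] = None
    auth_scheme: Optional[str] = None
    xauth_user: Optional[str] = None
    virtual_ip: Optional[str] = None
    ike_sa: Optional[str] = None
    child_sa: Optional[dict] = None
    duplicates_dropped: int = 0


def parse_session(text: str) -> Session:
    """Fold one client's handshake into a single Session record."""
    sess = Session()
    seen = set()
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        # The starter (ipsec[...]) relays charon's text to syslog, and some
        # events are logged twice by charon itself: collapse on (thread, msg).
        key = (m["thread"], m["msg"])
        if key in seen:
            sess.duplicates_dropped += 1
            continue
        seen.add(key)
        msg = m["msg"]
        if pm := PEER_RE.search(msg):
            sess.peer_ip = pm.group(1)
            if pm.group(2) == "4500":
                sess.nat_traversal = True
        elif msg == "remote host is behind NAT":
            sess.peer_behind_nat = True
        elif cm := CERT_AUTH_RE.search(msg):
            sess.cert_identity, sess.auth_scheme = cm.groups()
        elif xm := XAUTH_RE.search(msg):
            sess.xauth_user = xm.group(1)
        elif vm := VIP_RE.search(msg):
            sess.virtual_ip = vm.group(1)
        elif im := IKE_SA_RE.search(msg):
            sess.ike_sa = im.group(1)
        elif sm := CHILD_SA_RE.search(msg):
            sess.child_sa = sm.groupdict()
    return sess


def assess(sess: Session) -> list:
    """Derive the notes a gateway operator wants from the parsed session."""
    notes = []
    if sess.cert_identity and sess.xauth_user:
        notes.append(f"two-factor: certificate {sess.cert_identity!r} plus XAuth user {sess.xauth_user!r}")
    if sess.child_sa and sess.child_sa["local_ts"] == "0.0.0.0/0":
        notes.append("full tunnel: the client sends all traffic to the gateway, which must forward it "
                     f"and give {sess.child_sa['remote_ts']} a return path (route or NAT)")
    if sess.virtual_ip and sess.child_sa and not sess.child_sa["remote_ts"].startswith(sess.virtual_ip + "/"):
        notes.append("CHILD_SA remote selector does not match the assigned virtual IP")
    return notes


if __name__ == "__main__":
    session = parse_session(SAMPLE_LOG)
    print(session)
    for note in assess(session):
        print("-", note)
```

The "full tunnel" note follows from the installed selector TS 0.0.0.0/0 === 10.10.11.200/32: the phone sends everything into the tunnel, so the gateway has to forward those packets and the replies to 10.10.11.200 need a way back, which the IPsec policy on its own does not arrange.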
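The ipsec.conf above spreads the connection across conn %default and conn IPSec-Android, so the effective settings are only visible once that inheritance is applied. The Python below is an added example, not code from the post or from strongSwan: it parses the posted file, merges %default into the named conn the way strongSwan does, and lints the merged result for the prerequisites a full-tunnel virtual-IP gateway needs on Linux. The lint rules are general requirements, not a diagnosis of the specific fault in this thread, whose fix lives only on the linked blog.

```python
"""Resolve a strongSwan conn's effective settings from ipsec.conf and lint the
road-warrior prerequisites a Linux gateway needs.

Added example, not code from the thread or from strongSwan. SAMPLE_CONF is
the ipsec.conf posted above; the lint rules encode general requirements for a
full-tunnel virtual-IP setup and are not a diagnosis of the poster's case.
"""

# Constructed sample: the configuration from the post, verbatim.
SAMPLE_CONF = """\
config setup
        uniqueids=never
        #charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
        keyexchange=ike
        dpdaction=restart
        dpddelay=300s
        reauth=yes
        aggressive=no
        fragmentation=yes
        type=tunnel
        forceencaps=yes
        rightauth=pubkey
        rightauth2=xauth
        modeconfig=pull
        auto=add
        closeaction=clear
        compress=no

conn IPSec-Android
        left=my.vpn.domain
        leftsubnet=0.0.0.0/0
        leftcert=vpnHostCert.pem
        leftsendcert=always
        leftfirewall=yes
        right=%any
        rightid=%any
        rightsubnet=10.10.11.0/24
        rightsourceip=10.10.11.200/24
        rightsendcert=ifasked
"""


def parse_ipsec_conf(text: str) -> dict:
    """Return {(kind, name): {key: value}}.

    ipsec.conf section headers ("config setup", "conn NAME") start in column 0;
    their settings are indented. Lines beginning with '#' are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            kind, _, name = raw.strip().partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None:
            key, _, value = raw.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections


def effective_conn(sections: dict, name: str) -> dict:
    """Apply 'conn %default' first, then the named conn's own settings."""
    merged = dict(sections.get(("conn", "%default"), {}))
    merged.update(sections[("conn", name)])
    return merged


def lint_roadwarrior(conn: dict) -> list:
    """General checks for a responder handing out virtual IPs to clients."""
    findings = []
    pool = conn.get("rightsourceip")
    if pool and conn.get("leftsubnet") == "0.0.0.0/0":
        findings.append(f"full tunnel for pool {pool}: the gateway needs net.ipv4.ip_forward=1 "
                        "and SNAT/MASQUERADE (or a route back) for the pool's traffic")
    if conn.get("leftfirewall") == "yes":
        findings.append("leftfirewall=yes: the updown script adds FORWARD rules with "
                        "'-m policy --pol ipsec' per virtual IP only; no NAT rule is added")
    if pool and conn.get("rightsubnet"):
        findings.append(f"rightsubnet={conn['rightsubnet']} is redundant: with rightsourceip the "
                        "remote traffic selector is narrowed to the assigned virtual IP (/32)")
    if conn.get("aggressive", "no") != "no":
        findings.append("aggressive=yes: IKEv1 aggressive mode exposes identities and, "
                        "with PSKs, an offline-crackable hash")
    return findings


if __name__ == "__main__":
    conf = parse_ipsec_conf(SAMPLE_CONF)
    android = effective_conn(conf, "IPSec-Android")
    for k, v in sorted(android.items()):
        print(f"{k}={v}")
    for f in lint_roadwarrior(android):
        print("-", f)
```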
cdstealer
Guru


Joined: 30 Oct 2005
Posts: 423
Location: Leeds

PostPosted: Mon Nov 14, 2016 7:52 pm    Post subject:

Yay... after a couple of weeks dicking about, I think I've done it :)

I've sparsely documented my setup https://cdblog.cdstealer.com/?p=1231

I'm still working on it, but the main guts of it are there. It's mainly a braindump for me, but if anyone finds it useful, then I'm happy.

Thanks
CD
_________________
# touch it
touch: cannot touch `it': Permission denied