Strongswan VPN client doesn't route

I have installed Strongswan 5.0.4 on FreeBSD 9.1 and the Strongswan client on an Android phone. The VPN connection is successfully established but no data is routed and I can't ping the client from the FreeBSD server. The Android phone has no Internet connection.

Any thoughts on what may be wrong? I've looked at the Strongswan examples but didn't see anything obviously wrong with my configuration. The following are the configuration settings on the server (although I've changed the public IP addresses).

I have the following in my ipsec.conf file:
Code:
config setup
	charondebug="ike 4, net 4, mgr 4, chd 4, lib 4"

conn Android
	keyingtries=1
	keyexchange=ikev2
	left=%any
	leftsubnet=0.0.0.0/0
	leftauth=public
	leftcert=home.pem
	right=%any
	rightsourceip=192.168.4.0/24
	rightauth=public
	auto=add

netstat -nr shows:
Code:
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            55.55.232.1        UGS         0  1171548   fxp0
55.55.232.0/21     link#7             U           0        0   fxp0
55.55.238.194      link#7             UHS         0        0    lo0
127.0.0.1          link#9             UH          0      116    lo0
192.168.1.0/24     192.168.4.2        UGS         0     4388    re0
192.168.4.0/24     link#6             U           0  1237005    re0
192.168.4.1        link#6             UHS         0        0    lo0

The output from starting the IPFW firewall is as follows:
Code:
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 deny log logamount 5 ip from 192.168.4.255 to any in via fxp0
01200 deny log logamount 5 ip from 255.255.255.255 to any in via re0
01300 deny log logamount 5 ip from any to 10.0.0.0/8 via fxp0
01400 deny log logamount 5 ip from any to 172.16.0.0/12 via fxp0
01500 deny log logamount 5 ip from any to 192.168.0.0/16 via fxp0
01600 deny log logamount 5 ip from any to 0.0.0.0/8 via fxp0
01700 deny log logamount 5 ip from any to 169.254.0.0/16 via fxp0
01800 deny log logamount 5 ip from any to 192.0.2.0/24 via fxp0
01900 deny log logamount 5 ip from any to 224.0.0.0/4 via fxp0
02000 deny log logamount 5 ip from any to 240.0.0.0/4 via fxp0
01500 allow udp from any to any dst-port 500 keep-state
01510 allow udp from any 500 to any keep-state
01520 allow udp from any to any dst-port 4500 keep-state
01530 allow udp from any 4500 to any keep-state
01540 allow esp from any to any
01550 allow ah from any to any
01560 allow ipencap from any to any
02100 divert 8668 ip4 from any to any via fxp0
ipfw nat 1 config ip 50.88.238.194 log
02000 nat 1 ip from any to any via fxp0
03000 deny log logamount 5 ip from 10.0.0.0/8 to any via fxp0 not ipsec
03010 deny log logamount 5 ip from 172.16.0.0/12 to any via fxp0 not ipsec
03020 deny log logamount 5 ip from 192.168.0.0/16 to any recv fxp0 not ipsec
04000 allow ip from any to 192.168.0.0/16 via fxp0
04100 deny log logamount 5 ip from 0.0.0.0/8 to any via fxp0
04200 deny log logamount 5 ip from 169.254.0.0/16 to any via fxp0
04300 deny log logamount 5 ip from 192.0.2.0/24 to any via fxp0
04400 deny log logamount 5 ip from 224.0.0.0/4 to any via fxp0
04500 deny log logamount 5 ip from 240.0.0.0/4 to any via fxp0
04600 allow tcp from any to any established
04700 allow ip from any to any frag
04800 allow tcp from any to me dst-port 25 setup
04900 allow tcp from any to me dst-port 53 setup
05000 allow udp from any to me dst-port 53
05100 allow udp from me 53 to any
05200 allow tcp from any to me dst-port 80 setup
05300 deny log logamount 5 ip4 from any to any in via fxp0 setup proto tcp
05400 allow tcp from any to any setup
05500 allow udp from me to any dst-port 53 keep-state
05600 allow udp from me to any dst-port 123 keep-state
05700 allow icmp from any to any
65000 allow ip from any to any
Firewall rules loaded.
Firewall logging enabled.
Starting natd.
 
Looks like your NAT configuration is missing something. I do not think that this is caused by the VPN server configuration. I had a similar issue once with an OpenVPN server and got stuck at the same point. Try to sort out what can be wrong with your NAT or what you are missing.
 
@n3tb0yj: I think you might be correct. The BIND daemon is receiving DNS requests from the client tunnel address of 192.168.6.1. I would have thought the kernel NAT would have translated that. It appears the gateway can ping the client using the tunnel address but not its public address. The client can ping the gateway at both its public and internal NAT address.

I don't see how the client will reach the outside world if its source address remains like that.
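As an added example (not part of the thread and not strongSwan's or FreeBSD's own code), the script below runs a few sanity checks over an ipfw rule listing and a routing table of the kind posted above, the sort of thing to do before digging into charon's debug output when a road-warrior client comes up but its traffic goes nowhere. It flags rule numbers that appear twice (a second `ipfw add` with an existing number stacks a new rule on that number, so the listing order is not the evaluation order), interfaces that have both a natd `divert` rule and an in-kernel `nat` rule, and a `rightsourceip` pool that overlaps a directly connected subnet. The sample listing and routing table are constructed from excerpts of the output in this thread, and `IPFW_LISTING`, `NETSTAT_RN` and `audit()` are names chosen for this example only.

```python
"""Sanity checks for an ipfw listing and a strongSwan client address pool.

Added example, not from the original thread. Input is the echo produced by
/etc/rc.firewall (one line per `ipfw add`) or `ipfw list`, plus `netstat -nr`.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: selected lines from the ipfw output posted in the thread.
IPFW_LISTING = """\
01500 deny log logamount 5 ip from any to 192.168.0.0/16 via fxp0
02000 deny log logamount 5 ip from any to 240.0.0.0/4 via fxp0
01500 allow udp from any to any dst-port 500 keep-state
01540 allow esp from any to any
02100 divert 8668 ip4 from any to any via fxp0
02000 nat 1 ip from any to any via fxp0
04000 allow ip from any to 192.168.0.0/16 via fxp0
65000 allow ip from any to any
"""

# Constructed sample: selected lines from the netstat -nr output in the thread.
NETSTAT_RN = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            55.55.232.1        UGS         0  1171548   fxp0
55.55.232.0/21     link#7             U           0        0   fxp0
192.168.1.0/24     192.168.4.2        UGS         0     4388    re0
192.168.4.0/24     link#6             U           0  1237005    re0
192.168.4.1        link#6             UHS         0        0    lo0
"""

RULE_RE = re.compile(r"^(\d{5})\s+(\S+)\s+(.*)$")


def parse_rules(listing):
    """Return (number, action, rest) for every line that looks like an ipfw rule."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groups())
    return rules


def duplicate_rule_numbers(rules):
    """Rule numbers used more than once, e.g. a later add colliding with an earlier one."""
    counts = Counter(num for num, _, _ in rules)
    return sorted(n for n, c in counts.items() if c > 1)


def nat_mechanisms_by_interface(rules):
    """Map interface -> set of NAT actions ('divert' for natd, 'nat' for kernel NAT)."""
    out = {}
    for _, action, rest in rules:
        if action not in ("divert", "nat"):
            continue
        m = re.search(r"\bvia\s+(\S+)", rest)
        iface = m.group(1) if m else "*"
        out.setdefault(iface, set()).add(action)
    return out


def connected_subnets(netstat):
    """Directly connected networks: a CIDR destination whose gateway is a link# entry."""
    nets = []
    for line in netstat.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) >= 6 and parts[1].startswith("link#") and "/" in parts[0]:
            nets.append((ipaddress.ip_network(parts[0]), parts[5]))
    return nets


def pool_overlaps(pool, netstat):
    """Connected subnets that the virtual IP pool (rightsourceip) overlaps."""
    p = ipaddress.ip_network(pool)
    return [(str(n), ifc) for n, ifc in connected_subnets(netstat) if p.overlaps(n)]


def audit(listing, netstat, pool):
    """Run all three checks and return the findings as a dict."""
    rules = parse_rules(listing)
    double_nat = sorted(
        iface for iface, acts in nat_mechanisms_by_interface(rules).items() if len(acts) > 1
    )
    return {
        "duplicates": duplicate_rule_numbers(rules),
        "double_nat": double_nat,
        "pool_overlap": pool_overlaps(pool, netstat),
    }


if __name__ == "__main__":
    # Pool taken from the rightsourceip line of the posted ipsec.conf.
    for check, finding in audit(IPFW_LISTING, NETSTAT_RN, "192.168.4.0/24").items():
        print(f"{check}: {finding}")
```

Run against the sample it reports rule numbers 01500 and 02000 as duplicated, fxp0 as carrying both a divert and a kernel nat rule, and the 192.168.4.0/24 pool from the posted ipsec.conf overlapping the re0 subnet from the posted routing table. A pool that does not collide with any connected subnet (say a spare RFC 1918 range) comes back with an empty `pool_overlap` list.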
 