
I believe I've followed all the instructions, and my win 7 did get connected, but there's no Internet.

Background:

Server OS: ubuntu 12.04 on linode xen VPS

strongSwan Version: 4.6.4

configurations in /etc/ipsec.conf :

config setup
        charonstart=yes      
        plutostart=yes     
        nat_traversal=yes
        uniqueids=yes

conn ios
        keyexchange=ikev1
        authby=xauthpsk
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        right=%any
        rightsubnet=10.11.0.0/24
        rightsourceip=10.11.0.0/24
        pfs=no
        auto=add

conn win7         
        keyexchange=ikev2
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftauth=pubkey
        leftcert=serverCert.pem
        leftid="C=CH, O=strongSwan, CN=VPS ip"
        right=%any
        rightsourceip=10.11.1.0/24
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any
        auto=add

added dns in /etc/strongswan.conf :

charon {
        dns1 = 8.8.8.8
        dns2 = 208.67.222.222
        ...
}
pluto {
        dns1 = 8.8.8.8
        dns2 = 208.67.222.222
        ...
}

added user in /etc/ipsec.secrets :

: PSK "mypskpass"
user1 : XAUTH "pass1"

: RSA serverKey.pem
user2 : EAP "pass2"

#include /var/lib/strongswan/ipsec.secrets.inc

added some new rules in /etc/iptables.firewall.rules

*filter
# Accept IPsec VPN connections
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT

-A FORWARD -s 10.11.0.0/24 -j ACCEPT
-A FORWARD -s 10.11.1.0/24 -j ACCEPT
COMMIT
*nat

# Allow IPsec VPN connections

-A POSTROUTING -s 10.11.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.11.1.0/24 -o eth0 -j MASQUERADE

COMMIT

And activated iptables rules:

iptables-restore < /etc/iptables.firewall.rules

Then restarted ipsec:

ipsec restart

Till this point, my iOS devices can connect to it and everything works all right.

After that I generated certificates for both server and client side, then converted .pem into .p12 and imported it into win 7.

The good part is that my win 7 can now connect to the VPS, but there's no internet connection.

I really don't know which part went wrong, would anybody please help me out?

Thanks

  • How is the routing setup after the VPN is established?
    – Hennes
    Commented Apr 17, 2013 at 13:09
  • @Hennes: What do you mean by routing setup? Win 7 did get assigned with 10.11.1.1 as expected, and also dns is correct, but I guess there could be some kind of NAT problem, just don't know how to correctly configure it.
    – Shane
    Commented Apr 17, 2013 at 13:26
  • I wondered if all your traffic now gets routed via the VPN to the other endpoint of the VPN tunnel. If that is the case then you need to check the IP forwarding rules on that endpoint, or enable split tunneling.
    – Hennes
    Commented Apr 17, 2013 at 13:32
  • @Hennes: Well, when I'm testing win 7 there are no other clients/devices online, so I don't really get what you mean by "gets routed via the VPN to the other endpoint of the VPN tunnel". Also, I set the exact same iptables rules for iOS and win 7 devices, only the authentication methods are different, so I just don't see why it's not working for win 7.
    – Shane
    Commented Apr 17, 2013 at 14:09
  • Is there any difference in the NAT situation between iOS and Windows 7 clients? Are the above all your iptables rules? What's the default policy of your iptables chains?
    – ecdsa
    Commented Apr 17, 2013 at 15:10

1 Answer


You've configured leftfirewall=yes in your iOS connection but not in the other. With this option enabled additional firewall rules are installed for each connected client. Also, if there is no NAT between the gateway and the clients you'll have to allow ESP traffic in the INPUT and OUTPUT chains as traffic won't be UDP encapsulated.

-A INPUT  -i eth0 -p esp -j ACCEPT
-A OUTPUT -o eth0 -p esp -j ACCEPT
  • Thanks a lot, mate! I just added leftfirewall=yes into win 7 connection settings and now everything works all right!
    – Shane
    Commented Apr 17, 2013 at 16:15
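The two checks this thread boils down to, as an added shell example (not code from the question, the answer, or strongSwan; the function names and the sample files are constructed here): whether every conn that hands out client addresses also sets leftfirewall=yes, and whether the iptables rules file accepts plain ESP for clients that are not behind NAT.

```shell
#!/bin/sh
# Added audit helper (not from the question or strongSwan): flags "conn"
# sections that assign client addresses (rightsourceip) without
# leftfirewall=yes, and checks whether an iptables-restore file accepts
# plain ESP, which non-NATed clients need. Function names are hypothetical.

# Print the name of every conn with rightsourceip= but no leftfirewall=yes.
missing_leftfirewall() {
    awk '
        function flush() { if (name != "" && has_pool && !has_fw) print name }
        /^conn[ \t]/   { flush(); name = $2; has_pool = 0; has_fw = 0; next }
        /^config[ \t]/ { flush(); name = ""; next }
        { line = $0; gsub(/[ \t]/, "", line) }          # strip indentation
        line ~ /^rightsourceip=/   { has_pool = 1 }
        line == "leftfirewall=yes" { has_fw = 1 }
        END { flush() }
    ' "$1"
}

# Succeed only if both INPUT and OUTPUT accept rules for ESP (IP proto 50) exist.
esp_rules_present() {
    grep -Eq -- '^-A INPUT .*-p esp .*-j ACCEPT' "$1" &&
    grep -Eq -- '^-A OUTPUT .*-p esp .*-j ACCEPT' "$1"
}

# Constructed sample files mirroring the configuration in the question.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
config setup
conn ios
        leftfirewall=yes
        rightsourceip=10.11.0.0/24
conn win7
        keyexchange=ikev2
        rightsourceip=10.11.1.0/24
EOF
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
*filter
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.11.1.0/24 -j ACCEPT
COMMIT
EOF

echo "conns without leftfirewall=yes:"; missing_leftfirewall "$SAMPLE_CONF"
esp_rules_present "$SAMPLE_RULES" && echo "ESP accept rules found" || echo "no ESP accept rules"
```

Run against the real /etc/ipsec.conf and rules file, the first function should print nothing and the second should succeed once the fix from the answer is applied.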
