
Trying to get IPSec working on Shibby 102 AIO

Discussion in 'Tomato Firmware' started by Christian SE, Dec 16, 2012.

  1. Christian SE

    Christian SE Serious Server Member

    Hi,

    I have tried to set up an IPSec VPN server with Strongswan on my RT-N16 to be able to connect to my home network from my iPad via a VPN tunnel. I am able to successfully connect to the VPN server from my iPad, but when connected, I can't reach any IPs on my internal network (or on the Internet at all).

    Any help with troubleshooting this problem would be really appreciated.

    What I have done is basically to:

    * Flash my router with Shibby build 102 (AIO)
    * Download Strongswan 5 packages via entware
    * Set up Strongswan and certificates according to iOS howto on strongswan.org
    * Manually load IPSec kernel modules (except ipv6 related)
    * Manually start IPSec
    * Allow incoming traffic on udp port 500/4500 with iptables


    Result:

    My iPad can successfully connect to the VPN
    I can ping my iPad (192.168.9.30) from my router (192.168.9.1)
    I CAN'T ping my iPad from any other computer on my network (192.168.9.0/24)
    I CAN'T ping my router or any other IP on my network from my iPad when connected via VPN
    I am unable to reach both internal and external (Internet) resources from my iPad when connected via VPN
    I have turned on logging of dropped incoming/outgoing packets on the router, but no packets are being dropped by the firewall.


    Thought it might be a routing or NAT issue, but not sure where to start. Tried a lot of different iptables configurations but no luck so far.

    Some background info:

    The router is connected to the Internet with a fixed IP address
    My internal network is 192.168.9.0/24
    All my computers on the internal network are assigned static IP addresses via DHCP, based on MAC address
    Apart from that, I use more or less a standard setup with default settings in Tomato for firewall, routing, VLAN etc.
    My iPad is connected to the Internet via 3G. My ISP seems to use NAT as I am assigned a different IP address than I get with whatismyip.com.


    ipsec.conf:

    conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=******** (masked)
        right=%any
        rightsourceip=192.168.9.30
        rightid="***********" (masked)
        auto=add


    Firewall rules:

    iptables -I INPUT -p udp --dport 500 -j ACCEPT      # IKE
    iptables -I INPUT -p 50 -j ACCEPT                   # ESP
    iptables -I INPUT -p udp --dport 4500 -j ACCEPT     # IKE/ESP with NAT traversal
    iptables -I OUTPUT -d 0.0.0.0/0 -p udp --dport 500 -j ACCEPT
    iptables -I OUTPUT -d 0.0.0.0/0 -p 50 -j ACCEPT
    iptables -I OUTPUT -d 0.0.0.0/0 -p udp --dport 4500 -j ACCEPT
     
  2. Christian SE

    Christian SE Serious Server Member

    Still no success... Trying to figure out if my problem might be related to a missing ipsec/iptables plugin and/or how tomatousb handles iptables and that this somehow prevents nat traversal or routing from working correctly.

    After starting strongswan, I can see in the log that the following modules are loaded:

    Code:
    loaded plugins: charon test-vectors pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
    However, there are also some error messages related to plugins that can't be loaded:

    Code:
    plugin 'curl' failed to load: File not found
    plugin 'ldap' failed to load: File not found
    plugin 'mysql' failed to load: File not found
    plugin 'sqlite' failed to load: File not found
    opening AF_ALG socket failed: Address family not supported by protocol
    plugin 'agent' failed to load: File not found
    plugin 'cmac' failed to load: File not found
    plugin 'ctr' failed to load: File not found
    plugin 'ccm' failed to load: File not found
    plugin 'gcm' failed to load: File not found
    plugin 'attr-sql' failed to load: File not found
    plugin 'load-tester' failed to load: File not found
    plugin 'kernel-pfkey' failed to load: File not found
    plugin 'kernel-klips' failed to load: File not found
    plugin 'socket-raw' failed to load: File not found
    plugin 'socket-dynamic' failed to load: File not found
    plugin 'farp' failed to load: File not found
    plugin 'smp' failed to load: File not found
    plugin 'sql' failed to load: File not found
    plugin 'eap-identity' failed to load: File not found
    plugin 'eap-md5' failed to load: File not found
    plugin 'eap-mschapv2' failed to load: File not found
    plugin 'xauth-eap' failed to load: File not found
    plugin 'dhcp' failed to load: File not found
    plugin 'ha' failed to load: File not found
    plugin 'whitelist' failed to load: File not found
    plugin 'led' failed to load: File not found
    plugin 'duplicheck' failed to load: File not found
    plugin 'coupling' failed to load: File not found
    plugin 'addrblock' failed to load: File not found
    Not sure if any of these missing plugins are critical for my setup or not...

    Then, the iptables configuration in tomatousb confuses me...
    When checking iptables with iptables -nvL I get the following result:
    Code:
    Chain INPUT (policy DROP 29 packets, 856 bytes)
    pkts bytes target    prot opt in    out    source              destination     
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:4500
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:500
        1    44 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
      466 98332 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        2  183 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0       
      143 10040 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0       
     
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination     
    1789  996K            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.9.0/255.255.255.0 name: lan
        0    0 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0       
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
      154  9152 TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    1712  991K ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0    0 wanin      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0       
      77  4620 wanout    all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0       
      77  4620 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0       
     
    Chain OUTPUT (policy ACCEPT 702 packets, 327K bytes)
    pkts bytes target    prot opt in    out    source              destination     
     
    Chain wanin (1 references)
    pkts bytes target    prot opt in    out    source              destination     
     
    Chain wanout (1 references)
    pkts bytes target    prot opt in    out    source              destination
    
    Not sure how these wanin/wanout chains etc. are supposed to work, but when running iptables -nvL -t nat, I get this result:
    Code:
    Chain PREROUTING (policy ACCEPT 474 packets, 73403 bytes)
    pkts bytes target    prot opt in    out    source              destination     
        2  100 WANPREROUTING  all  --  *      *      0.0.0.0/0            [**MY_EXTERNAL_IP**]     
        0    0 DROP      all  --  vlan2  *      0.0.0.0/0            192.168.9.0/24   
     
    Chain POSTROUTING (policy ACCEPT 2 packets, 183 bytes)
    pkts bytes target    prot opt in    out    source              destination     
      155  9698 MASQUERADE  all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0       
        0    0 SNAT      all  --  *      br0    192.168.9.0/24      192.168.9.0/24      to:192.168.9.1
     
    Chain OUTPUT (policy ACCEPT 80 packets, 5261 bytes)
    pkts bytes target    prot opt in    out    source              destination     
     
    Chain WANPREROUTING (1 references)
    pkts bytes target    prot opt in    out    source              destination     
        0    0 DNAT      icmp --  *      *      0.0.0.0/0            0.0.0.0/0          to:192.168.9.1
    
    I thought that maybe I need to add the following ipsec policy in iptables:
    iptables -t nat -I POSTROUTING 1 -o vlan2 -m policy --dir out --pol ipsec -j ACCEPT

    But it only gives the following result:
    Code:
    iptables: No chain/target/match by that name
    Am I not supposed to be able to add iptables ipsec policies to allow ipsec traffic?
     
  3. koitsu

    koitsu Network Guru Member

    The error in question is almost certainly because there is no policy kernel module loaded (which is what you're saying with -m policy). No such module is built/installed, at least on Toastman builds (I do not use the VPN build) -- I looked via find / -name "*policy*" -ls and found nothing relevant (normally it would be under /lib/modules somewhere).

    iptables is notorious for spitting out error messages that do not tell you truly what's going on.
     
  4. Christian SE

    Christian SE Serious Server Member

    I found the following module and could verify with modprobe that it was loaded as well:
    /lib/modules/2.6.22.19/kernel/net/netfilter/xt_policy.ko

    I guess this is the same as the CONFIG_NETFILTER_XT_MATCH_POLICY module referred to in the prerequisites for Strongswan on this page:
    http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

    However, they also list the following module as required, which seems to be related to policy routing:
    IP: policy routing [CONFIG_IP_MULTIPLE_TABLES]

    I don't know the file name of this module, but when I browse through the list from modprobe, I can't find anything that indicates that this module is loaded. I've checked the extras.tar.gz and opkg as well, but can't find a corresponding kernel module to load.

    When checking the following thread that seems to reflect the process of implementing IPSec support in Shibby builds, it seems like the CONFIG_IP_MULTIPLE_TABLES option was never included.
    http://tomatousb.org/forum/t-542268

    How can I check if this is included in my current kernel or manually add it if needed? Is my only option to manually compile the kernel and include it?
     
  5. koitsu

    koitsu Network Guru Member

    modprobe doesn't tell you "what's loaded" (I'm assuming you're referring to modprobe -l) -- lsmod tells you "what's loaded". You can try doing modprobe xt_policy and then lsmod and see if the module is loaded.

    CONFIG_IP_MULTIPLE_TABLES doesn't sound like it's a module at all -- it sounds like it's a hard-coded feature of some sort within the kernel, if enabled. You can review the kernel configuration file yourself to find out if that's the case by pulling down the source code and looking at the config yourself. If it's not enabled, yep, you'll need to build a firmware yourself or ask Shibby nicely. This is something I wrote a few months ago when dealing with the Tomato series of firmwares and just recently posted:

    http://koitsu.wordpress.com/2012/12/21/instructions-for-building-tomatousb-toastman-rt-n-firmwares/

    Good luck.
     
  6. Christian SE

    Christian SE Serious Server Member

    Ah, seems like I misunderstood the use of modprobe. When checking with lsmod, I can see that xt_policy is in the list, so it seems to be loaded, after all.

    Seems like I have to build my first Linux kernel to make sure all features needed for IPSec are enabled. Thanks a lot for your help and for providing an excellent instruction on how to do that. I had some thoughts about going in this direction a few weeks ago, but I am a novice in this area and couldn't find any good instructions.

    But it's strange... As IPSec support is claimed to be included in Shibby builds (VPN and AIO) since August or something and I have seen a few forum posts where people say that they have set it up successfully (however, without any detailed instructions on how they did it), I am confused why not all features needed would be included in the Shibby builds.

    Maybe it's because Strongswan is now version 5, where some things have been changed, especially related to how routing and filtering are supposed to be handled? As I have understood it, in earlier versions of Strongswan your IPSec connection was available as an interface (similar to eth0 etc...) in iptables, which made it easy to set up rules that allowed and routed the IPSec traffic. In Strongswan 5, I think this is no longer possible and you have to use policy based rules instead. I also think there are differences in how NAT traversal is handled (I think it is supposed to be included as a kernel feature) which might be relevant for a majority of scenarios where a tomatousb router is used.

    Not sure if any of this is the cause of my problems with IPSec. In general there seems to be almost no documentation available (even on strongswan.org) on how to configure Strongswan 5 and iptables, when you have a scenario where a road warrior (in my case, an iPad) should connect to a network behind a router with NAT and non-public IP addresses on the internal network and where the iPad might also be behind a NAT. I have tried to follow the instructions on http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
    The way tomatousb uses iptables (some "non-standard" chains, the use of vlans instead of standard interfaces etc.) also makes it harder to know if everything is set up correctly in relation to the instructions on strongswan.org.

    Hopefully I will be able to make this work in some way so I could create a tutorial on how to set up an IPSec server in tomatousb, but my experience with advanced networking in Linux and the inner workings of tomatousb is very limited, so all help is really appreciated.
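A small chain walker, added here as an example (it is not code from the thread, from Tomato or from strongSwan), that plays the nat PREROUTING chain posted in reply 2 against a packet that has just been decapsulated from the tunnel, and shows the effect of the policy-based rule discussed in the last post. After ESP decapsulation the Linux kernel re-injects the inner packet on the interface the ESP arrived on (vlan2), so it reaches Tomato's anti-spoof rule with source 192.168.9.30 and a LAN destination; an `-m policy --dir in --pol ipsec -j ACCEPT` rule in front of it exempts only traffic that really left a security association, while a cleartext forgery of the same address is still dropped. The external IP and the two packets are constructed placeholders.

```python
import ipaddress


def rule(target, in_if="*", src="0.0.0.0/0", dst="0.0.0.0/0", pol=None):
    """One chain entry; pol is None (no -m policy), 'ipsec' or 'none'."""
    return {"target": target, "in": in_if, "pol": pol,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst)}


# nat PREROUTING as posted (the external IP is a placeholder). WANPREROUTING
# only DNATs ICMP aimed at the WAN address, so it is modelled as a RETURN here.
EXTERNAL_IP = "203.0.113.10/32"  # placeholder for [**MY_EXTERNAL_IP**]
NAT_PREROUTING = [
    rule("WANPREROUTING", dst=EXTERNAL_IP),
    rule("DROP", in_if="vlan2", dst="192.168.9.0/24"),  # Tomato anti-spoof rule
]

# Same chain with `-m policy --dir in --pol ipsec -j ACCEPT` inserted at position 1.
NAT_PREROUTING_FIXED = [
    rule("ACCEPT", in_if="vlan2", dst="192.168.9.0/24", pol="ipsec"),
] + NAT_PREROUTING


def matches(r, pkt):
    """pkt: {'in', 'src', 'dst', 'ipsec'}; ipsec=True means it came out of an SA."""
    if r["in"] not in ("*", pkt["in"]):
        return False
    if ipaddress.ip_address(pkt["src"]) not in r["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in r["dst"]:
        return False
    # -m policy --pol ipsec matches only decapsulated packets, --pol none only cleartext
    return r["pol"] is None or (r["pol"] == "ipsec") == pkt["ipsec"]


def walk(chain, pkt, policy="ACCEPT"):
    """Target of the first terminating rule pkt hits, else the chain policy."""
    for r in chain:
        if matches(r, pkt) and r["target"] in ("ACCEPT", "DROP"):
            return r["target"]
    return policy


# Constructed packets: the decapsulated ping from the iPad's inner address,
# and a cleartext packet from the Internet forging that same source.
TUNNEL_PING = {"in": "vlan2", "src": "192.168.9.30", "dst": "192.168.9.1", "ipsec": True}
SPOOFED = dict(TUNNEL_PING, ipsec=False)
```

Running `walk(NAT_PREROUTING, TUNNEL_PING)` gives the verdict for the posted chain and `walk(NAT_PREROUTING_FIXED, SPOOFED)` shows that the exemption does not weaken the anti-spoof rule.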
     
