
StrongSwan(optware) on Asus RT-AC66U (merlin build)-can't access LAN IPs

Lukapple

Occasional Visitor
Hi.
I've successfully installed the StrongSwan 5.0.4 IPsec server on my Asus RT-AC66U, firmware 3.0.0.4.374.34_2 (Merlin build), following the tutorial at:
http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)

I can connect to the VPN server with my iPhone using Cisco IPsec, but the problem is that I can't access any of my home LAN IPs.
Here is the strongSwan log file (IPs removed).

The router firewall is temporarily disabled.
I probably need to add some iptables routes or something?

Can someone tell me what I should put for left/right subnet and left/right IP?
Here is my config:

ipsec.conf file:
Code:
conn ios
       keyexchange=ikev1
       authby=xauthrsasig
       xauth=server
       left=%defaultroute
       #left=%any
       leftfirewall=yes
       leftsubnet=0.0.0.0/0
       #leftsubnet=192.168.2.0/24
       leftcert=server.pem
       right=%any
       rightsubnet=10.0.0.0/24
       #rightsubnet=192.168.2.0/24
       rightsourceip=10.0.0.2
       #rightsourceip=%dhcp
       rightcert=client.pem
       #forceencaps=yes
       auto=add

strongswan.conf file:
Code:
charon {

        # number of worker threads in charon
        threads = 16

        dns1 = 192.168.2.1

        plugins {
                dhcp {
                        server = 192.168.2.1
                }
        }
}

ipsec statusall command:

Code:
ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):
  uptime: 27 minutes, since Nov 06 22:32:15 2013
  malloc: sbrk 225280, mmap 0, used 201584, free 23696
  worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Virtual IP pools (size/online/offline):
  10.0.0.2: 1/1/0
Listening IP addresses:
  <wan.ip.removed>
  192.168.2.1
  10.8.2.1
  10.8.0.6
Connections:
         ios:  %any...%any  IKEv1
         ios:   local:  [C=CA,... <removed>] uses public key authentication
         ios:    cert:  "C=CA,... <removed>"
         ios:   remote: [C=CA, ... <removed>] uses public key authentication
         ios:    cert:  "C=CA,... <removed>"
         ios:   remote: uses XAuth authentication: any
         ios:   child:  0.0.0.0/0 === 10.0.0.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
         ios[4]: ESTABLISHED 23 seconds ago, <wan.ip.removed>[C=CA,... <removed>]...<iphone.wan.ip.removed>[C=CA,... <removed>]
         ios[4]: Remote XAuth identity: <removed>
         ios[4]: IKEv1 SPIs: 884d6e82b7e59a56_i a4cea15bd0aeff20_r*, public key reauthentication in 2 hours
         ios[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
         ios{2}:  INSTALLED, TUNNEL, ESP SPIs: c5177fea_i 070a1d6b_o
         ios{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
         ios{2}:   0.0.0.0/0 === 10.0.0.2/32

Some other info:
Code:
iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1194 
VSERVER    all  --  anywhere             cpe-86-<removed>

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  192.168.2.0/24       anywhere            
MASQUERADE  all  -- !cpe-86-<removed>  anywhere            
MASQUERADE  all  --  anywhere             anywhere            MARK match 0xd001 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain LOCALSRV (0 references)
target     prot opt source               destination         

Chain VSERVER (1 references)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             anywhere            tcp dpt:1184 to:192.168.2.100:1194 
DNAT       udp  --  anywhere             anywhere            udp dpt:1184 to:192.168.2.100:1194 
VUPNP      all  --  anywhere             anywhere            

Chain VUPNP (1 references)
target     prot opt source               destination         

Chain YADNS (0 references)
target     prot opt source               destination

Code:
netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.0.5        *               255.255.255.255 UH        0 0          0 tun11
10.8.0.1        10.8.0.5        255.255.255.255 UGH       0 0          0 tun11
10.8.2.2        *               255.255.255.255 UH        0 0          0 tun21
86.58.119.1     *               255.255.255.255 UH        0 0          0 eth0
86.58.119.0     *               255.255.255.0   U         0 0          0 eth0
10.8.2.0        10.8.2.2        255.255.255.0   UG        0 0          0 tun21
192.168.2.0     *               255.255.255.0   U         0 0          0 br0
192.168.1.0     10.8.0.5        255.255.255.0   UG        0 0          0 tun11
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         <removed> 0.0.0.0         UG        0 0          0 eth0
(ignore that tunnel to 192.168.1.0)

What should I do to make that tunnel work?

(see attached diagram)

Attachments: IPsec_diagram.jpg (18.2 KB)

Some strongSwan guru suggested that I check this site:
http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

It says that you gotta have ip_forward enabled.
However, I can't find the sysctl command on my router.
But the following is probably the same:
cat /proc/sys/net/ipv4/ip_forward
1
(assuming that 1 means enabled)

For accessing hosts on the LAN I've tried the following situation (from the link above):
The virtual IPs are from the subnet behind the gateway: In this situation either the dhcp plugin is used or the
gateway assigns virtual IP addresses from a subnet of the whole LAN behind the gateway (distinct from the IP addresses
assigned via DHCP to other LAN hosts). If that is the case, the farp plugin must be used so that the hosts behind the
gateway may learn that they have to send response packets to the VPN gateway.


So I've used DHCP to assign an IP to the client
strongswan.conf:
...
rightsourceip=%dhcp
...

And the client (iPhone) got an address from the LAN subnet, 192.168.2.24.

The farp plugin was also enabled - I can see it listed under "loaded plugins:" when I execute the "ipsec statusall" command.
But then I got an error on my client (iPhone): Negotiation with the VPN server failed.

Nov 7 09:05:46 13[NET] received packet: from <client.wan.ip.removed>[4500] to <wan.ip.was.removed>[4500] (300 bytes)
Nov 7 09:05:46 13[IKE] received retransmit of request with ID 1882702626, but no response to retransmit


The next thing I tried was to load farp and the other plugins by hand.
I added the following line to strongswan.conf:
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve attr farp xauth-generic

I still get that error on my client (iPhone), "Negotiation with the VPN server failed", but if I check the charon logs, it looks like it connects and then immediately disconnects from the VPN.
Here are the interesting lines from the log file:

Code:
...
Nov  7 10:31:12 14[CFG]   id '<server.wan.ip>' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=clientLupo'
...
Nov  7 10:31:12 14[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=<server.wan.ip>'
...
Nov  7 10:31:12 14[CFG] left is other host, swapping ends
...
Nov  7 10:13:55 04[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
...
Nov  7 10:13:56 05[IKE] remote host is behind NAT
...
Nov  7 10:13:57 11[IKE] XAuth authentication of 'lupo' successful
...
Nov  7 10:13:57 12[IKE] IKE_SA ios[1] state change: CONNECTING => ESTABLISHED
...
Nov  7 10:13:57 12[IKE] peer requested virtual IP %any
Nov  7 10:13:57 12[IKE] no virtual IP found for %any requested by 'lupo'
...
Nov  7 10:14:13 05[ENC] parsing HASH_V1 payload finished
Nov  7 10:14:13 05[ENC] parsing DELETE_V1 payload, 40 bytes left
...
Nov  7 10:14:13 05[ENC] parsing DELETE_V1 payload finished
...
Nov  7 10:14:13 05[IKE] IKE_SA ios[1] state change: ESTABLISHED => DELETING
Nov  7 10:14:13 05[MGR] checkin and destroy IKE_SA ios[1]
Nov  7 10:14:13 05[IKE] IKE_SA ios[1] state change: DELETING => DESTROYING
Nov  7 10:14:13 05[MGR] check-in and destroy of IKE_SA successful
Nov  7 10:14:13 02[NET] waiting for data on sockets
Nov  7 10:14:25 15[JOB] got event, queuing job for execution
Nov  7 10:14:25 15[JOB] next event in 9732s 760ms, waiting
Nov  7 10:14:25 06[MGR] checkout IKE_SA

Should I put something else instead of "right=%any"?
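As an added example (not from this thread, and not strongSwan's own code), here is a small POSIX shell audit for the forwarding prerequisites that the ForwardingAndSplitTunneling page linked in the second post describes: the ip_forward flag, a FORWARD rule for the virtual IP pool, and an IPsec-policy exemption ahead of the MASQUERADE rules shown in the first post's nat table. Function names are hypothetical, the rule samples are constructed in iptables-save format, and 203.0.113.10 stands in for the redacted WAN address.

```shell
# Added audit helper, not from the thread or from strongSwan: checks the three
# forwarding prerequisites that the ForwardingAndSplitTunneling wiki page lists
# for road-warrior clients that must reach the LAN. Function names are
# hypothetical; the rule samples are constructed in iptables-save format.

# Kernel forwarding flag; takes a path so a constructed file can stand in for
# /proc/sys/net/ipv4/ip_forward.
ip_forward_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# A FORWARD rule that accepts traffic to or from the virtual IP pool ($2).
pool_forward_accepted() {
    printf '%s\n' "$1" | grep -E -- "^-A FORWARD .*(-s|-d) $2 .*-j ACCEPT" >/dev/null
}

# IPsec-policy traffic must be accepted in POSTROUTING before any MASQUERADE
# rule, otherwise replies to the client can be source-NATed to the WAN address
# before the tunnel transform is applied. Only lines ahead of the first
# MASQUERADE are inspected, because rule order decides.
ipsec_exempt_from_nat() {
    printf '%s\n' "$1" | grep -E '^-A POSTROUTING' | sed '/-j MASQUERADE/,$d' \
        | grep -E -- '-m policy .*--pol ipsec .*-j (ACCEPT|RETURN)' >/dev/null
}

# Prints "ok" or "missing: <items>" so the result can be asserted on.
check_vpn_forwarding() {
    rules=$1; fwd_file=$2; pool=$3; missing=""
    ip_forward_enabled "$fwd_file" || missing="$missing ip_forward"
    pool_forward_accepted "$rules" "$pool" || missing="$missing forward_rule"
    ipsec_exempt_from_nat "$rules" || missing="$missing nat_exemption"
    [ -z "$missing" ] && echo ok || echo "missing:$missing"
}

# Constructed sample modelled on the nat chains posted above; 203.0.113.10 stands
# in for the redacted WAN address. Nothing here mentions the 10.0.0.0/24 pool.
RULES_AS_POSTED='-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING ! -s 203.0.113.10/32 -o eth0 -j MASQUERADE
-A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
-A FORWARD -i br0 -o eth0 -j ACCEPT'

# Constructed sample with the rules the wiki page describes added.
RULES_FIXED='-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
-A FORWARD -s 10.0.0.0/24 -d 192.168.2.0/24 -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -d 10.0.0.0/24 -j ACCEPT'

# Live use on the router (assumes iptables-save is available):
#   check_vpn_forwarding "$(iptables-save)" /proc/sys/net/ipv4/ip_forward 10.0.0.0/24
```

Run against the constructed "as posted" sample it reports the forward rule and the NAT exemption as missing, which matches the symptom in the first post (tunnel up, LAN unreachable).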