[Suche] Empfehlung für Router mit Kabel Deutschland unter openWRT

kls

iptables -nvL

Code

root@cougar:/tmp# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1655  268K delegate_input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
47015   25M delegate_forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1322  317K delegate_output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain delegate_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
47015   25M forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
46352   25M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  663 42593 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_forward  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain delegate_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   340 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 1651  268K input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
 1335  221K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   11   572 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
  199 14411 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
  117 31979 zone_wan_input  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           


Chain delegate_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   340 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
 1318  316K output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
 1187  304K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    8  4017 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
  123  8675 zone_wan_output  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           


Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 zone_vpn_forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec ctstate NEW


Chain forwarding_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain input_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec ctstate NEW


Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain output_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination         
   18  1198 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
   16   941 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable


Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   11   572 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_lan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    8  4017 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           


Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  663 42593 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
  663 42593 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding lan -> vpn */
  663 42593 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding lan -> wan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  199 14411 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
  199 14411 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    8  4017 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
    8  4017 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  199 14411 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           


Chain zone_vpn_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain zone_vpn_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding vpn -> lan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_vpn_input (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
    0     0 zone_vpn_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_vpn_output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 output_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
    0     0 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_vpn_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain zone_wan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  786 51268 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           


Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           


Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  117 31979 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
   83 29840 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Allow-Ping */
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            /* Allow-IGMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
   34  2139 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  123  8675 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
  123  8675 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   34  2139 reject     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Alles anzeigen

kls

Zitat von ATD

Hast Du was auf racoon geändert, bzw. besteht die Möglichkeit racoon neu zu starten? Wer weiß, ob auf der Gegenseite etwas klemmt.

Auf racoon ist alles unverändert. Neu starten würde ich den ungern.

Klaus

ATD

Da stimmt schon was nicht! Ich kann keinen Eintrag auf racoon erkennen!

In /etc/config/firewall ist bei der zone vpn der Eintrag der IP Adresse von racoon Pflicht. Ob nur die Adresse oder als Subnet, das müsstest Du selbst ausprobieren. Ohne das kann kein Forwarding funktionieren.

In der /etc/ipsec.conf gilt dasselbe, damit strongSwan weiß, was verschlüsselt werden soll.

Ausschnitt iptables -nvL.

Code

Chain delegate_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 zone_vpn_forward  all  --  *      *       192.168.8.0/24       0.0.0.0/0
    0     0 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_forward  all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_forward  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0


Chain delegate_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   22  2018 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  357 45195 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
  221 20084 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    6   332 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
   25  1932 zone_vpn_input  all  --  *      *       192.168.8.0/24       0.0.0.0/0
   79 18859 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
   32  4320 zone_wan_input  all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_input  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0


Chain delegate_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
   22  2018 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
  267 27406 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
  126 16790 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   25  1872 zone_vpn_output  all  --  *      *       0.0.0.0/0            192.168.8.0/24
    1    40 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0
  115  8704 zone_wan_output  all  --  *      pppoe-wan  0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_output  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0


Chain zone_vpn_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination
   25  1872 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.8.0/24


Chain zone_vpn_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   25  1932 ACCEPT     all  --  *      *       192.168.8.0/24       0.0.0.0/0

Alles anzeigen

Albert

kls

Sorry, da hatte ich wohl wieder die subnet Zeile auskommentiert (wenn die aktiv ist bekomme ich keine Verbindung zu racoon und damit kann ich auch meine Emails nicht erreichen).

Hier nochmal *mit* dieser Zeile:

iptables -nvL

Code

root@cougar:/etc# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  113 13602 delegate_input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    9   756 delegate_forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   93 19445 delegate_output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain delegate_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    9   756 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 zone_vpn_forward  all  --  *      *       88.198.76.220        0.0.0.0/0           
    0     0 zone_vpn_forward  all  --  *      *       192.168.100.0/24     0.0.0.0/0           
    9   756 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_forward  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain delegate_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    8   520 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  105 13082 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
   90  5646 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
   15  7436 zone_vpn_input  all  --  *      *       88.198.76.220        0.0.0.0/0           
    0     0 zone_vpn_input  all  --  *      *       192.168.100.0/24     0.0.0.0/0           
    0     0 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_input  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           


Chain delegate_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    8   520 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
   85 18925 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
   74 15383 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    5  1244 zone_vpn_output  all  --  *      *       0.0.0.0/0            88.198.76.220       
    2  1392 zone_vpn_output  all  --  *      *       0.0.0.0/0            192.168.100.0/24    
    2   784 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
    2   122 zone_wan_output  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           


Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 zone_vpn_forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec ctstate NEW


Chain forwarding_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain input_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec ctstate NEW


Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain output_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         


Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable


Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_lan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   784 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           


Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    9   756 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    9   756 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding lan -> vpn */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding lan -> wan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
    0     0 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   784 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
    2   784 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           


Chain zone_vpn_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
   14  2000 ACCEPT     all  --  *      *       0.0.0.0/0            88.198.76.220       
    2  1392 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.100.0/24    


Chain zone_vpn_forward (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding vpn -> lan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_vpn_input (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   15  7436 input_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
   15  7436 zone_vpn_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_vpn_output (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    7  2636 output_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
    7  2636 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_vpn_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   15  7436 ACCEPT     all  --  *      *       88.198.76.220        0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       192.168.100.0/24     0.0.0.0/0           


Chain zone_wan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   122 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           


Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           


Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Allow-Ping */
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            /* Allow-IGMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
    0     0 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   122 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
    2   122 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           


Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Alles anzeigen

ATD

Abgeglichen, sieht gut aus. Entferne testweise in der /etc/config/firewall den IP Subnet von panther, also nur noch option subnet '88.xxx.xxx.220/32' und FW restart.

Albert

kls

Verhalten unverändert.

Nachdem es ja mit genau diesen Konfigurationsdateien auf dem alten System funktioniert hat, muß wohl noch irgend ein Paket bei mir fehlen, das bei dir installiert ist. Anders kann ich mir das einfach nicht vorstellen.
Vielleicht sollten wir das mal abgleichen.

opkg list_installed

base-files - 157-r46767
busybox - 1.23.2-1
diffutils - 3.3-1
dnsmasq - 2.73-1
dropbear - 2015.67-1
firewall - 2015-07-27
fstools - 2015-05-24-09027fc86babc3986027a0e677aca1b6999a9e14
hostapd-common - 2015-03-25-1
ip - 4.0.0-1
ip6tables - 1.4.21-1
ipset - 6.24-1
iptables - 1.4.21-1
iptables-mod-ipsec - 1.4.21-1
iw - 3.17-1
jshn - 2015-06-14-d1c66ef1131d14f0ed197b368d03f71b964e45f8
jsonfilter - 2014-06-19-cdc760c58077f44fc40adbbe41e1556a67c1b9a9
kernel - 3.18.20-1-7bed08fa9c06eb8089e82c200340ec66
kmod-ath - 3.18.20+2015-03-09-3
kmod-ath10k - 3.18.20+2015-03-09-3
kmod-ath9k - 3.18.20+2015-03-09-3
kmod-ath9k-common - 3.18.20+2015-03-09-3
kmod-cfg80211 - 3.18.20+2015-03-09-3
kmod-crypto-aead - 3.18.20-1
kmod-crypto-aes - 3.18.20-1
kmod-crypto-arc4 - 3.18.20-1
kmod-crypto-authenc - 3.18.20-1
kmod-crypto-cbc - 3.18.20-1
kmod-crypto-core - 3.18.20-1
kmod-crypto-deflate - 3.18.20-1
kmod-crypto-des - 3.18.20-1
kmod-crypto-hash - 3.18.20-1
kmod-crypto-hmac - 3.18.20-1
kmod-crypto-iv - 3.18.20-1
kmod-crypto-manager - 3.18.20-1
kmod-crypto-md5 - 3.18.20-1
kmod-crypto-pcompress - 3.18.20-1
kmod-crypto-rng - 3.18.20-1
kmod-crypto-sha1 - 3.18.20-1
kmod-crypto-wq - 3.18.20-1
kmod-gpio-button-hotplug - 3.18.20-1
kmod-ip6tables - 3.18.20-1
kmod-ipsec - 3.18.20-1
kmod-ipsec4 - 3.18.20-1
kmod-ipsec6 - 3.18.20-1
kmod-ipt-conntrack - 3.18.20-1
kmod-ipt-core - 3.18.20-1
kmod-ipt-ipsec - 3.18.20-1
kmod-ipt-ipset - 3.18.20-1
kmod-ipt-nat - 3.18.20-1
kmod-iptunnel4 - 3.18.20-1
kmod-iptunnel6 - 3.18.20-1
kmod-ipv6 - 3.18.20-1
kmod-ledtrig-usbdev - 3.18.20-1
kmod-lib-crc-ccitt - 3.18.20-1
kmod-lib-zlib - 3.18.20-1
kmod-mac80211 - 3.18.20+2015-03-09-3
kmod-nf-conntrack - 3.18.20-1
kmod-nf-conntrack6 - 3.18.20-1
kmod-nf-ipt - 3.18.20-1
kmod-nf-ipt6 - 3.18.20-1
kmod-nf-nat - 3.18.20-1
kmod-nf-nathelper - 3.18.20-1
kmod-nfnetlink - 3.18.20-1
kmod-nls-base - 3.18.20-1
kmod-ppp - 3.18.20-1
kmod-pppoe - 3.18.20-1
kmod-pppox - 3.18.20-1
kmod-slhc - 3.18.20-1
kmod-usb-core - 3.18.20-1
kmod-usb2 - 3.18.20-1
libblobmsg-json - 2015-06-14-d1c66ef1131d14f0ed197b368d03f71b964e45f8
libc - 0.9.33.2-1
libgcc - 4.8-linaro-1
libgmp - 6.0.0-1
libip4tc - 1.4.21-1
libip6tc - 1.4.21-1
libiwinfo - 2015-06-01-ade8b1b299cbd5748db1acf80dd3e9f567938371
libiwinfo-lua - 2015-06-01-ade8b1b299cbd5748db1acf80dd3e9f567938371
libjson-c - 0.12-1
libjson-script - 2015-06-14-d1c66ef1131d14f0ed197b368d03f71b964e45f8
liblua - 5.1.5-1
libmnl - 1.0.3-2
libnl-tiny - 0.1-4
libpthread - 0.9.33.2-1
libubox - 2015-06-14-d1c66ef1131d14f0ed197b368d03f71b964e45f8
libubus - 2015-05-25-f361bfa5fcb2daadf3b160583ce665024f8d108e
libubus-lua - 2015-05-25-f361bfa5fcb2daadf3b160583ce665024f8d108e
libuci - 2015-04-09.1-1
libuci-lua - 2015-04-09.1-1
libxtables - 1.4.21-1
lua - 5.1.5-1
luci - git-15.248.30277-3836b45-1
luci-app-firewall - git-15.248.30277-3836b45-1
luci-base - git-15.248.30277-3836b45-1
luci-lib-ip - git-15.248.30277-3836b45-1
luci-lib-nixio - git-15.248.30277-3836b45-1
luci-mod-admin-full - git-15.248.30277-3836b45-1
luci-proto-ipv6 - git-15.248.30277-3836b45-1
luci-proto-ppp - git-15.248.30277-3836b45-1
luci-theme-bootstrap - git-15.248.30277-3836b45-1
mtd - 21
netifd - 2015-06-08-8795f9ef89626cd658f615c78c6a17e990c0dcaa
odhcp6c - 2015-07-13-024525798c5f6aba3af9b2ef7b3af2f3c14f1db8
odhcpd - 2015-05-21-2ebf6c8216287983779c8ec6597d30893b914a7c
opkg - 9c97d5ecd795709c8584e972bfdf3aee3a5b846d-7
ppp - 2.4.7-6
ppp-mod-pppoe - 2.4.7-6
procd - 2015-08-16-0da5bf2ff222d1a499172a6e09507388676b5a08
rpcd - 2015-05-17-3d655417ab44d93aad56a6d4a668daf24b127b84
strongswan - 5.3.3-1
strongswan-charon - 5.3.3-1
strongswan-default - 5.3.3-1
strongswan-mod-aes - 5.3.3-1
strongswan-mod-attr - 5.3.3-1
strongswan-mod-constraints - 5.3.3-1
strongswan-mod-des - 5.3.3-1
strongswan-mod-dnskey - 5.3.3-1
strongswan-mod-fips-prf - 5.3.3-1
strongswan-mod-gmp - 5.3.3-1
strongswan-mod-hmac - 5.3.3-1
strongswan-mod-kernel-netlink - 5.3.3-1
strongswan-mod-md5 - 5.3.3-1
strongswan-mod-nonce - 5.3.3-1
strongswan-mod-pem - 5.3.3-1
strongswan-mod-pgp - 5.3.3-1
strongswan-mod-pkcs1 - 5.3.3-1
strongswan-mod-pubkey - 5.3.3-1
strongswan-mod-random - 5.3.3-1
strongswan-mod-rc2 - 5.3.3-1
strongswan-mod-resolve - 5.3.3-1
strongswan-mod-revocation - 5.3.3-1
strongswan-mod-sha1 - 5.3.3-1
strongswan-mod-sha2 - 5.3.3-1
strongswan-mod-socket-default - 5.3.3-1
strongswan-mod-sshkey - 5.3.3-1
strongswan-mod-stroke - 5.3.3-1
strongswan-mod-updown - 5.3.3-1
strongswan-mod-x509 - 5.3.3-1
strongswan-mod-xauth-generic - 5.3.3-1
strongswan-mod-xcbc - 5.3.3-1
strongswan-utils - 5.3.3-1
swconfig - 10
uboot-envtools - 2014.10-2
ubox - 2015-07-14-907d046c8929fb74e5a3502a9498198695e62ad8
ubus - 2015-05-25-f361bfa5fcb2daadf3b160583ce665024f8d108e
ubusd - 2015-05-25-f361bfa5fcb2daadf3b160583ce665024f8d108e
uci - 2015-04-09.1-1
uhttpd - 2015-08-17-f91788b809d9726126e9cf4384fedbbb0c5b8a73
uhttpd-mod-ubus - 2015-08-17-f91788b809d9726126e9cf4384fedbbb0c5b8a73
usign - 2015-05-08-cf8dcdb8a4e874c77f3e9a8e9b643e8c17b19131
wpad-mini - 2015-03-25-1

Klaus

ATD

opkg list_installed

Code

root@OpenWrt:~# opkg list_installed
base-files - 157-r46767
busybox - 1.23.2-1
dnsmasq - 2.73-1
dropbear - 2015.67-1
firewall - 2015-07-27
fstools - 2015-05-24-09027fc86babc3986027a0e677aca1b6999a9e14
ip - 4.0.0-1
ip6tables - 1.4.21-1
ipset - 6.24-1
iptables - 1.4.21-1
iptables-mod-ipsec - 1.4.21-1
jshn - 2015-06-14-d1c66ef1131d14f0ed197b368d03f71b964e45f8
jsonfilter - 2014-06-19-cdc760c58077f44fc40adbbe41e1556a67c1b9a9
kernel - 3.18.20-1-30da46d39f906146155850351fa0acd9
kmod-crypto-aead - 3.18.20-1
kmod-crypto-authenc - 3.18.20-1
kmod-crypto-cbc - 3.18.20-1
kmod-crypto-core - 3.18.20-1
kmod-crypto-deflate - 3.18.20-1
kmod-crypto-des - 3.18.20-1
kmod-crypto-hash - 3.18.20-1
kmod-crypto-hmac - 3.18.20-1
kmod-crypto-iv - 3.18.20-1
kmod-crypto-manager - 3.18.20-1
kmod-crypto-md5 - 3.18.20-1
kmod-crypto-pcompress - 3.18.20-1
kmod-crypto-rng - 3.18.20-1
kmod-crypto-sha1 - 3.18.20-1
kmod-crypto-wq - 3.18.20-1
kmod-e1000 - 3.18.20-1
kmod-e1000e - 3.18.20-1
kmod-ip6tables - 3.18.20-1
kmod-ipsec - 3.18.20-1
kmod-ipsec4 - 3.18.20-1
kmod-ipsec6 - 3.18.20-1
kmod-ipt-conntrack - 3.18.20-1
kmod-ipt-core - 3.18.20-1
kmod-ipt-ipsec - 3.18.20-1
kmod-ipt-ipset - 3.18.20-1
kmod-ipt-nat - 3.18.20-1
kmod-iptunnel4 - 3.18.20-1
kmod-iptunnel6 - 3.18.20-1
kmod-ipv6 - 3.18.20-1
kmod-lib-crc-ccitt - 3.18.20-1
kmod-lib-zlib - 3.18.20-1
kmod-mii - 3.18.20-1
kmod-nf-conntrack - 3.18.20-1
kmod-nf-conntrack6 - 3.18.20-1
kmod-nf-ipt - 3.18.20-1
kmod-nf-ipt6 - 3.18.20-1
kmod-nf-nat - 3.18.20-1
kmod-nf-nathelper - 3.18.20-1
kmod-nfnetlink - 3.18.20-1
kmod-ppp - 3.18.20-1
kmod-pppoe - 3.18.20-1
kmod-pppox - 3.18.20-1
kmod-pps - 3.18.20-1
kmod-ptp - 3.18.20-1
kmod-r8169 - 3.18.20-1
kmod-slhc - 3.18.20-1
libblobmsg-json - 2015-06-14-d1c66ef1131d14f0ed197b368d03f71b964e45f8
libc - 0.9.33.2-1
libgcc - 4.8-linaro-1
libgmp - 6.0.0-1
libip4tc - 1.4.21-1
libip6tc - 1.4.21-1
libiwinfo - 2015-06-01-ade8b1b299cbd5748db1acf80dd3e9f567938371
libiwinfo-lua - 2015-06-01-ade8b1b299cbd5748db1acf80dd3e9f567938371
libjson-c - 0.12-1
libjson-script - 2015-06-14-d1c66ef1131d14f0ed197b368d03f71b964e45f8
liblua - 5.1.5-1
libmnl - 1.0.3-2
libnl-tiny - 0.1-4
libpthread - 0.9.33.2-1
libubox - 2015-06-14-d1c66ef1131d14f0ed197b368d03f71b964e45f8
libubus - 2015-05-25-f361bfa5fcb2daadf3b160583ce665024f8d108e
libubus-lua - 2015-05-25-f361bfa5fcb2daadf3b160583ce665024f8d108e
libuci - 2015-04-09.1-1
libuci-lua - 2015-04-09.1-1
libxtables - 1.4.21-1
lua - 5.1.5-1
luci - git-15.245.46763-b179283-1
luci-app-firewall - git-15.245.46763-b179283-1
luci-base - git-15.245.46763-b179283-1
luci-lib-ip - git-15.245.46763-b179283-1
luci-lib-nixio - git-15.245.46763-b179283-1
luci-mod-admin-full - git-15.245.46763-b179283-1
luci-proto-ipv6 - git-15.245.46763-b179283-1
luci-proto-ppp - git-15.245.46763-b179283-1
luci-theme-bootstrap - git-15.245.46763-b179283-1
mtd - 21
netifd - 2015-06-08-8795f9ef89626cd658f615c78c6a17e990c0dcaa
odhcp6c - 2015-07-13-024525798c5f6aba3af9b2ef7b3af2f3c14f1db8
odhcpd - 2015-05-21-2ebf6c8216287983779c8ec6597d30893b914a7c
opkg - 9c97d5ecd795709c8584e972bfdf3aee3a5b846d-7
ppp - 2.4.7-6
ppp-mod-pppoe - 2.4.7-6
procd - 2015-08-16-0da5bf2ff222d1a499172a6e09507388676b5a08
r8169-firmware - 2014-03-16-f8c22c692bdee57a20b092e647464ff6176df3ed-1
rpcd - 2015-05-17-3d655417ab44d93aad56a6d4a668daf24b127b84
strongswan - 5.3.3-1
strongswan-charon - 5.3.3-1
strongswan-default - 5.3.3-1
strongswan-mod-aes - 5.3.3-1
strongswan-mod-attr - 5.3.3-1
strongswan-mod-constraints - 5.3.3-1
strongswan-mod-des - 5.3.3-1
strongswan-mod-dnskey - 5.3.3-1
strongswan-mod-fips-prf - 5.3.3-1
strongswan-mod-gmp - 5.3.3-1
strongswan-mod-hmac - 5.3.3-1
strongswan-mod-kernel-netlink - 5.3.3-1
strongswan-mod-md5 - 5.3.3-1
strongswan-mod-nonce - 5.3.3-1
strongswan-mod-pem - 5.3.3-1
strongswan-mod-pgp - 5.3.3-1
strongswan-mod-pkcs1 - 5.3.3-1
strongswan-mod-pubkey - 5.3.3-1
strongswan-mod-random - 5.3.3-1
strongswan-mod-rc2 - 5.3.3-1
strongswan-mod-resolve - 5.3.3-1
strongswan-mod-revocation - 5.3.3-1
strongswan-mod-sha1 - 5.3.3-1
strongswan-mod-sha2 - 5.3.3-1
strongswan-mod-socket-default - 5.3.3-1
strongswan-mod-sshkey - 5.3.3-1
strongswan-mod-stroke - 5.3.3-1
strongswan-mod-updown - 5.3.3-1
strongswan-mod-x509 - 5.3.3-1
strongswan-mod-xauth-generic - 5.3.3-1
strongswan-mod-xcbc - 5.3.3-1
strongswan-utils - 5.3.3-1
ubox - 2015-07-14-907d046c8929fb74e5a3502a9498198695e62ad8
ubus - 2015-05-25-f361bfa5fcb2daadf3b160583ce665024f8d108e
ubusd - 2015-05-25-f361bfa5fcb2daadf3b160583ce665024f8d108e
uci - 2015-04-09.1-1
uhttpd - 2015-08-17-f91788b809d9726126e9cf4384fedbbb0c5b8a73
uhttpd-mod-ubus - 2015-08-17-f91788b809d9726126e9cf4384fedbbb0c5b8a73
usign - 2015-05-08-cf8dcdb8a4e874c77f3e9a8e9b643e8c17b19131
root@OpenWrt:~#

Alles anzeigen

Albert

ATD

Moment. Ganz am Anfang hast Du diffutils. Verwendest Du die drei diffs von dir? Ich habe sie nicht gebraucht.

Vielleicht sollten wir diese drei Dateien unter die Lupe nehmen!?

Albert

kls

diffutils hatte ich auch auf dem alten System installiert. Und auf dem neuen war es erst nicht installiert und ich habe es im Zuge der Fehlersuche installiert. Ich glaube nicht, daß das schuld ist.

Klaus

ATD

OK. Die kernel-libipsec.conf nicht vorhanden, kernel-netlink.conf und kernel-netlink.conf unverändert?

Was, wenn es doch auf der Gegenseite klemmt? Ausschließen können wir es nicht. Entweder wir senden keine Pakete ODER die Gegenseite beantwortet sie nicht.

Inwiefern ist ein reboot auf racoon problematisch?

Albert

kls

Eine kernel-libipsec.conf ist in /etc/strongswan.d/charon nicht vorhanden, und die kernel-netlink.conf ist unverändert (wie auch alle anderen Dateien in /etc/strongswan.d/charon).

Ich werde morgen nochmal die alte Konfiguration ausprobieren um zu sehen, ob es damit immer noch läuft. Wenn ja, dann kann es ja nicht an racoon liegen...

Klaus

ATD

Zitat von kls

Nur wenn ich ipsec stoppe und die Zeile "option subnet '88.198.76.220/32 192.168.100.0/24'" in /etc/config/firewall auskommentiere, kann ich racoon erreichen - dann allerdings freilich nicht über das VPN.

1. Internet geht immer?
2. Wenn Du nach racoon willst, dann immer über seine IP.
3. Laut Zitat kommst Du an racoon über das Internet ran, wenn ipsec und die IP aus dem FW raus ist. Die Pakete gehen nicht über den Tunnel.
4. Ist ipsec an und FW mit der IP versehen, dann kommst Du gar nicht mehr an racoon, weil die Pakete an racoon ausschließlich über den Tunnel geroutet werden!

Das sagt uns relativ klar, was passiert. Beim Punkt 4 haben die Pakete nur eine Chance und das ist der Tunnel. Wenn die Gegenseite nicht antwortet, dann gibt es auch keine Rückmeldung. Mein Bauchgefühl sagt mir, dass es doch racoon ist. Es erscheint mir einfach logisch. Restbestände in FW Cache von der vorhergehenden Installation. Also Neustart.

Albert

kls

1. Der Rest des Internets geht immer.
2. Ich spreche den Server über racoon.tvdr.de an, die Namensauflösung funktioniert immer.
3. Stimmt.
4. Stimmt auch.

Ich habe jetzt mal firewall und ipsec auf racoon neu gestartet, hat aber auch nichts geholfen.

Das Beste wird wohl sein, wenn ich morgen mal auf die alte Konfiguration zurückgehe um zu sehen, ob die wenigstens noch läuft.

Klaus

ATD

Zitat von kls

Das Beste wird wohl sein, wenn ich morgen mal auf die alte Konfiguration zurückgehe um zu sehen, ob die wenigstens noch läuft.

Bevor Du das machst, prüfe bitte direkt an cougar (SSH) ob Du racoon mit Ping oder traceroute erreichst. Wenn ja, dann anschließend alles prüfen.

Albert

ATD

Fehler gefunden. Ich bin immer so vorgegangen, dass ich an dem OpenWRT traceroute/ping probiert habe, dann die Gegenseite und zuletzt der Linux im eigenen Subnet.

Es funktioniert, ABER nur dann, wenn zuerst von cougar Richtung racoon ein traceroute oder ping abgegeben wurde. Sonst geht nichts über den Tunnel!

Das wäre erstmal ein Workaround mit Deiner "neuen" Konfiguration.

Wie es dann weitergeht, das werde ich heute nicht sagen können.

Albert

kls

Ein ping bzw. traceroute von cougar nach racoon unmittelbar nach dem Start von ipsec bringt leider auch nichts.

Hast du ganz sicher keine der Dateien in /etc/strongswan.d/charon verändert?
Und auch nicht /etc/strongswan.conf?

Klaus

ATD

Zitat von kls

Hast du ganz sicher keine der Dateien in /etc/strongswan.d/charon verändert?

Definitiv nein.

Das läuft aktuell.

Code

login as: root
root@192.168.220.1's password:




BusyBox v1.23.2 (2015-07-25 06:35:11 CEST) built-in shell (ash)


  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 CHAOS CALMER (15.05, r46767)
 -----------------------------------------------------
  * 1 1/2 oz Gin            Shake with a glassful
  * 1/4 oz Triple Sec       of broken ice and pour
  * 3/4 oz Lime Juice       unstrained into a goblet.
  * 1 1/2 oz Orange Juice
  * 1 tsp. Grenadine Syrup
 -----------------------------------------------------
root@OpenWrt:~# cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files


charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}


include strongswan.d/*.conf


root@OpenWrt:~# cat /etc/ipsec.conf
#/etc/ipsec.conf


# basic configuration


config setup
        # strictcrlpolicy=yes
        # uniqueids = no


# Add connections here.


conn racoon
        left=%defaultroute
        leftsubnet=192.168.220.0/24
        leftid=@cougar
        leftfirewall=no
        right=%xxx.dyndns.org
        rightid=@racoon
        rightsubnet=192.168.8.0/24
        keyexchange=ikev1
        aggressive=yes
        authby=secret
        ike=aes128-sha1-modp1024
        esp=aes128-sha1-modp1024
        auto=start


root@OpenWrt:~#

Alles anzeigen

Albert

kls

Sieht bei mir im Prinzip genauso aus.

Klaus

kls

Ich habe jetzt mal einen Vergleich der /etc Verzeichnisse zwischen der alten und neuen Konfiguration gemacht. Dabei fällt auf, daß in der alten Version in /etc/strongswan.d/charon deutlich mehr Dateien vorhanden sind als in der Neuen. Kannst du bitte mal die Dateien in dem Verzeichnis bei dir auflisten?

Klaus

ATD

Zitat von kls

Dabei fällt auf, daß in der alten Version in /etc/strongswan.d/charon deutlich mehr Dateien vorhanden sind als in der Neuen.

Sie sind aber nur für den Tunnel und er steht doch.

/etc/strongswan.d/charon

Code

login as: root
root@192.168.220.1's password:




BusyBox v1.23.2 (2015-07-25 06:35:11 CEST) built-in shell (ash)


  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 CHAOS CALMER (15.05, r46767)
 -----------------------------------------------------
  * 1 1/2 oz Gin            Shake with a glassful
  * 1/4 oz Triple Sec       of broken ice and pour
  * 3/4 oz Lime Juice       unstrained into a goblet.
  * 1 1/2 oz Orange Juice
  * 1 tsp. Grenadine Syrup
 -----------------------------------------------------
root@OpenWrt:~# cd /etc/strongswan.d/charon
root@OpenWrt:/etc/strongswan.d/charon# ls -l
-rw-r--r--    1 root     root           130 Sep  8 16:26 aes.conf
-rw-r--r--    1 root     root           362 Sep  8 16:26 attr.conf
-rw-r--r--    1 root     root           138 Sep  8 16:26 constraints.conf
-rw-r--r--    1 root     root           130 Sep  8 16:26 des.conf
-rw-r--r--    1 root     root           133 Sep  8 16:26 dnskey.conf
-rw-r--r--    1 root     root           135 Sep  8 16:26 fips-prf.conf
-rw-r--r--    1 root     root           130 Sep  8 16:26 gmp.conf
-rw-r--r--    1 root     root           131 Sep  8 16:26 hmac.conf
-rw-r--r--    1 root     root          1510 Sep  8 16:26 kernel-netlink.conf
-rw-r--r--    1 root     root           130 Sep  8 16:26 md5.conf
-rw-r--r--    1 root     root           132 Sep  8 16:26 nonce.conf
-rw-r--r--    1 root     root           130 Sep  8 16:26 pem.conf
-rw-r--r--    1 root     root           130 Sep  8 16:26 pgp.conf
-rw-r--r--    1 root     root           132 Sep  8 16:26 pkcs1.conf
-rw-r--r--    1 root     root           133 Sep  8 16:26 pubkey.conf
-rw-r--r--    1 root     root           425 Sep  8 16:26 random.conf
-rw-r--r--    1 root     root           130 Sep  8 16:26 rc2.conf
-rw-r--r--    1 root     root           340 Sep  8 16:26 resolve.conf
-rw-r--r--    1 root     root           137 Sep  8 16:26 revocation.conf
-rw-r--r--    1 root     root           131 Sep  8 16:26 sha1.conf
-rw-r--r--    1 root     root           131 Sep  8 16:26 sha2.conf
-rw-r--r--    1 root     root           402 Sep  8 16:26 socket-default.conf
-rw-r--r--    1 root     root           133 Sep  8 16:26 sshkey.conf
-rw-r--r--    1 root     root           986 Sep  8 16:26 stroke.conf
-rw-r--r--    1 root     root           297 Sep  8 16:26 updown.conf
-rw-r--r--    1 root     root           131 Sep  8 16:26 x509.conf
-rw-r--r--    1 root     root           140 Sep  8 16:26 xauth-generic.conf
-rw-r--r--    1 root     root           131 Sep  8 16:26 xcbc.conf
root@OpenWrt:/etc/strongswan.d/charon#

Alles anzeigen

Albert

[Suche] Empfehlung für Router mit Kabel Deutschland unter openWRT

Jetzt mitmachen!

Benutzer online in diesem Thema