Hi, I'm running the Barrier Breaker version of OpenWRT and I've set up a VPN following http://wiki.openwrt.org/inbox/strongswan.howto. I can connect to the VPN (to the 10.10.1.0/24 network) from my iPhone or Mac. I can also connect from Windows 7. DHCP successfully assigns IPs to the clients. Once connected, however, I can't reach anything on the network. /etc/firewall.user contains:
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

iptables -I INPUT   -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT  -m policy --dir out --pol ipsec --proto esp -j ACCEPT

# Enable ssh and HTTP to router
iptables -I INPUT  1 -p tcp --dport 22 -j ACCEPT
iptables -I OUTPUT 1 -p tcp --sport 22 -j ACCEPT
iptables -I INPUT  1 -p tcp --dport 80 -j ACCEPT
iptables -I OUTPUT 1 -p tcp --sport 80 -j ACCEPT
/etc/ipsec.conf contains:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%any
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    right=%any
    rightsubnet=10.10.1.0/24
    rightsourceip=%dhcp
    rightcert=clientCert.pem
    forceencaps=yes
    auto=add

conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no

conn win7
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid=@xxx.yyy.com
    leftfirewall=yes
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    rightsubnet=10.10.1.0/24
    rightsourceip=%dhcp
    eap_identity=%any
    auto=add
(The router's real domain name has been replaced with xxx.yyy.com.)
/etc/strongswan.conf contains:
# strongswan.conf - strongSwan configuration file

charon {
        dns1 = 10.10.1.1

        # number of worker threads in charon
        threads = 16

        # send strongswan vendor ID?
        # send_vendor_id = yes

        plugins {

                dhcp {
                        server = 10.10.1.1
                }

                sql {
                        # loglevel to log into sql database
                        loglevel = -1

                        # URI to the database
                        # database = sqlite:///path/to/file.db
                        # database = mysql://user:password@localhost/database
                }
        }

        # ...
}

pluto {

}

libstrongswan {

        # set to no, the DH exponent size is optimized
        # dh_exponent_ansi_x9_42 = no
}
This is the ipsec status on the router while the Windows 7 and iPhone clients are connected:
Security Associations (2 up, 0 connecting):
         ios[5]: ESTABLISHED 4 seconds ago, xxx.xxx.xxx.xxx[C=AU, O=Netroworx, CN=xxx.xxx.com]...xxx.xxx.xxx.xxx[C=AU, O=Netroworx, CN=client]
         ios{5}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c8618e27_i 0923f471_o
         ios{5}:   0.0.0.0/0 === 10.10.1.89/32
        win7[4]: ESTABLISHED 45 seconds ago, xxx.xxx.xxx.xxx[xxx.xxx.com]...xxx.xxx.xxx[192.168.191.131]
        win7{4}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cae3b4a6_i 67f3eaf0_o
        win7{4}:   0.0.0.0/0 === 10.10.1.0/24
(Sensitive IPs and domain names have been replaced with xxx.)
Any ideas on why packets aren't being routed through the VPN?
Could this be a NAT thing?
Update: when trying to install strongswan on Barrier Breaker, I get the following:
opkg install strongswan-full
Installing strongswan-full (5.0.4-1) to root...
Downloading http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/strongswan-full_5.0.4-1_ar71xx.ipk.
Multiple packages (kmod-crypto-hash and kmod-crypto-hash) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (kmod-crypto-manager and kmod-crypto-manager) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (kmod-crypto-core and kmod-crypto-core) providing same name marked HOLD or PREFER. Using latest.
Collected errors:
 * satisfy_dependencies_for: Cannot satisfy the following dependencies for strongswan-full:
 *      kernel (= 3.10.18-1-0de2f8afeb2eecb34eeca6f54b460523) *
 * opkg_install_cmd: Cannot install package strongswan-full.
I have exactly the same problem. Have you found a solution for it? Some gurus say I need to masquerade the traffic. Try the following:
iptables -t nat -I POSTROUTING 1 -s 10.10.1.0/24 -j MASQUERADE
iptables -I FORWARD -m conntrack --ctstate SNAT -j ACCEPT
iptables -I FORWARD -m conntrack -s 10.10.1.0/24 --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
It didn't work for me, but maybe it will work for you.
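A quick ruleset check, added here as an illustration and not part of the question or the answer: it reads `iptables-save` output and reports which of the rules discussed above (the ipsec policy-match rules in FORWARD, and a MASQUERADE rule for the VPN client subnet in the nat table) are absent. The sample ruleset is constructed to mirror the question's /etc/firewall.user, i.e. with the policy-match rules present but no NAT rule; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output, mirroring the question's /etc/firewall.user:
# the ipsec policy-match rules are in place, but the nat table has no MASQUERADE rule.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# Print the rule lines of one table: everything between "*<table>" and its COMMIT.
table_rules() {  # $1 = table name; iptables-save text on stdin
  awk -v t="*$1" '$0 == t { on = 1; next } on && $0 == "COMMIT" { exit } on { print }'
}

# Report the rules a road-warrior setup needs that are absent from the ruleset.
# Prints one token per missing item and nothing when all of them are present.
check_vpn_rules() {  # $1 = VPN client subnet (e.g. 10.10.1.0/24); iptables-save text on stdin
  ruleset=$(cat)
  filter=$(printf '%s\n' "$ruleset" | table_rules filter)
  nat=$(printf '%s\n' "$ruleset" | table_rules nat)
  # Decapsulated packets arriving from the tunnel must be allowed to be forwarded...
  printf '%s\n' "$filter" | grep -q -- '-A FORWARD -m policy --dir in --pol ipsec' \
    || echo forward-policy-in
  # ...and replies must be allowed back into the tunnel.
  printf '%s\n' "$filter" | grep -q -- '-A FORWARD -m policy --dir out --pol ipsec' \
    || echo forward-policy-out
  # With leftsubnet=0.0.0.0/0 client traffic leaves for the Internet with a VPN source
  # address, so it needs source NAT in the nat table's POSTROUTING chain.
  printf '%s\n' "$nat" | grep -q -- "-A POSTROUTING -s $1 .*-j MASQUERADE" \
    || echo nat-masquerade
}

# Stand-alone run: list what the constructed sample lacks.
printf '%s\n' "$SAMPLE_RULES" | check_vpn_rules 10.10.1.0/24
```

On a live router, replace the sample with `iptables-save | check_vpn_rules 10.10.1.0/24`; the LAN-side problem (virtual IPs handed out from the LAN range by `rightsourceip=%dhcp`) is not something a firewall ruleset check can see.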