OpenWrt Forum Archive

Topic: ipsec lan2lan problem

The content of this topic has been archived on 2 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I'm trying to build a VPN connection between openWRT WR RC4 and a LANCOM 1711 VPN router. I managed it already when I was using an IPcop box instead of openWRT. But with openWRT I can't find out why it's not working. When I look in the log, I can see that the connection should be established (am I right?):

Jan  3 14:16:26 (none) kern.warn pluto[14762]: "XXXXX" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0cc3e220 <0xb93bf1f1 xfrm=AES_128-HMAC_MD5 NATD=none DPD=enabled}

Unfortunately, I can't ping the other network. Do I need to add an iptables entry in order to reach the other network? I've never set up iptables manually...

Any help/tip/hint is much appreciated. If needed, I will tell more details.

Thanks

Andreas

Hi

I can ping the destination network 10.10.10.1 from OpenWRT when I add this route:
             
      route add -net 10.10.10.0 netmask 255.255.255.0 dev tun0

But I don't know how to ping 10.10.10.1 from a PC behind the OpenWRT router (on LAN or WLAN).

Gabriel


LAN WLAN  <====> OpenWRT <===> internet(PAT) =====> remote VPN router  <====> remote subnet
192.168.1.0                           privateIP              publicIP            publicIP                               10.10.10.0

                                  VPNC  <====================>cisco VPN

Hi Gabriel,

thanks for your answer. In the meantime I found that the VPN connection isn't established at all! Since I'm new to IPsec, I didn't see this. Could you maybe post your ipsec.conf? Perhaps this helps me to find the right settings for my connection.

Thanks

Andreas

Hi Andreas,
this is a complete guide to installing vpnc:

!!!!!!!edit file:
rm /etc/ipkg.conf
cp /rom/etc/ipkg.conf /etc/ipkg.conf
vi /etc/ipkg.conf
**************************************************************************************
src whiterussian http://downloads.openwrt.org/whiterussian/packages
src non-free http://downloads.openwrt.org/whiterussi … s/non-free

src florian http://openwrt.alphacore.net

dest root /
dest ram /tmp
*************************************************************************************


!!!!!!!!!!!install all packages for vpnc:
ipkg update
ipkg install vpnc libgcrypt srelay kmod-tun
insmod tun



!!!!!!!edit file:
vi /etc/vpnc.conf
*******************************************************
Interface name tun0
IPSec gateway 88.88.129.58
IPSec ID MYgroupname
IPSec secret MYgrouppassword
Xauth username MYname
Xauth password MYpassword
************************************************************
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! these are the minimum entries needed in vpnc.conf


!!!!!!!!!!!!!run the tunnel:
vpnc



!!!!!!!!!!!!!verify the tunnel:
ifconfig tun0

root@OpenWrt:~# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:88.88.139.129  P-t-P:88.88.139.129  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1412  Metric:1
          RX packets:4768 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4985 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:1438576 (1.3 MiB)  TX bytes:466406 (455.4 KiB)

root@OpenWrt:~#


!!!!!!!!!!!!!if RX and TX packets are 0, then you must add a route to the remote network:

route add -net 16.16.16.0 netmask 255.255.255.0 dev tun0

!!!!!!!!!!!!!now You can ping 16.16.16.1 from openWRT:
root@OpenWrt:~# ping 16.16.16.1
PING 16.16.16.1 (16.16.16.1): 56 data bytes
64 bytes from 16.16.16.1: icmp_seq=0 ttl=255 time=109.4 ms
64 bytes from 16.16.16.1: icmp_seq=1 ttl=255 time=20.1 ms

!!!!!!!!!!!!!!!!!!!if you need to ping the remote network from a PC on the LAN or WLAN behind OpenWRT, you must permit this:

iptables -A forwarding_rule -s 192.168.1.0/24 -d 16.16.16.0/24 -j ACCEPT

!!!!!!!!!!!!!!!And I must do NAT from the local network 192.168.1.0 to the IP address of the tunnel, 88.88.139.129, because to the remote Cisco VPN server it looks as if there is only one client, with 88.88.139.129.

iptables -t nat -A postrouting_rule -s 192.168.1.0/24 -d 16.16.16.0/24 -j SNAT --to 88.88.139.129

what I need now:
1. Run all of this automatically after a reboot of OpenWRT
2. Configure some kind of keepalive, because when the tunnel goes down I must killall vpnc, then run vpnc and add the routes again
3. Set up some kind of source routing, because I need some local users to use the tunnel as default route and others to use the ISP default gateway.

Please can anybody help me?

Thanks
Gabriel
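The three open points in Gabriel's guide (bring everything up again after a reboot, reconnect when the tunnel dies, send only some clients through the tunnel) fit in one script. The following is an added example, not code from the thread or from the vpnc project: tun0, 16.16.16.0/24, 16.16.16.1 and 192.168.1.0/24 are the values from the post above; the DRY_RUN switch, the IFCONFIG_OVERRIDE hook, the policy-routing function (which assumes the iproute2 "ip" package is installed) and routing table number 100 are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: bring-up and keepalive for the vpnc
# tunnel in Gabriel's post. tun0, 16.16.16.0/24, 16.16.16.1 and 192.168.1.0/24
# come from that post; DRY_RUN, IFCONFIG_OVERRIDE, the policy-routing function
# (needs the iproute2 "ip" package) and table number 100 are assumptions.

TUN=tun0
REMOTE_NET=16.16.16.0
REMOTE_MASK=255.255.255.0
REMOTE_CIDR=16.16.16.0/24
REMOTE_HOST=16.16.16.1          # host on the remote subnet used as liveness probe
LAN_NET=192.168.1.0/24
DRY_RUN=${DRY_RUN:-0}           # DRY_RUN=1: print the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# current_ifconfig: output of "ifconfig tun0"; IFCONFIG_OVERRIDE feeds in a sample
current_ifconfig() {
    if [ -n "$IFCONFIG_OVERRIDE" ]; then printf '%s\n' "$IFCONFIG_OVERRIDE"
    else ifconfig "$TUN" 2>&1; fi
}

# tunnel_state "<ifconfig output>": prints down (no tun0), noroute (tun0 exists
# but RX and TX counters are both 0, the symptom described in the post), or up
tunnel_state() {
    ts_out=$1
    case "$ts_out" in *"inet addr"*) ;; *) echo down; return 0 ;; esac
    ts_rx=$(printf '%s\n' "$ts_out" | sed -n 's/.*RX packets:\([0-9][0-9]*\).*/\1/p')
    ts_tx=$(printf '%s\n' "$ts_out" | sed -n 's/.*TX packets:\([0-9][0-9]*\).*/\1/p')
    if [ "${ts_rx:-0}" -eq 0 ] && [ "${ts_tx:-0}" -eq 0 ]; then echo noroute; else echo up; fi
}

# tunnel_ip "<ifconfig output>": the address vpnc assigned to tun0 (the SNAT target)
tunnel_ip() {
    printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'
}

# add_routes_and_nat TUNNEL_IP: the route and the two firewall rules from the post.
# Each rule is deleted before it is added, so re-running after a reconnect does
# not stack duplicate rules.
add_routes_and_nat() {
    run route add -net "$REMOTE_NET" netmask "$REMOTE_MASK" dev "$TUN"
    run iptables -D forwarding_rule -s "$LAN_NET" -d "$REMOTE_CIDR" -j ACCEPT 2>/dev/null || true
    run iptables -A forwarding_rule -s "$LAN_NET" -d "$REMOTE_CIDR" -j ACCEPT
    run iptables -t nat -D postrouting_rule -s "$LAN_NET" -d "$REMOTE_CIDR" -j SNAT --to "$1" 2>/dev/null || true
    run iptables -t nat -A postrouting_rule -s "$LAN_NET" -d "$REMOTE_CIDR" -j SNAT --to "$1"
}

# bring_up: (re)start vpnc, wait for tun0, then install route and NAT rules.
# Returns 1 if vpnc did not create the interface.
bring_up() {
    run killall vpnc 2>/dev/null || true
    run vpnc
    run sleep 3
    bu_out=$(current_ifconfig)
    if [ "$(tunnel_state "$bu_out")" = down ]; then
        echo "vpnc did not create $TUN" >&2
        return 1
    fi
    add_routes_and_nat "$(tunnel_ip "$bu_out")"
}

# keepalive [INTERVAL]: every INTERVAL seconds (default 60) ping the remote host
# through the tunnel and rebuild the tunnel when tun0 is gone or the ping fails
keepalive() {
    ka_interval=${1:-60}
    while :; do
        if [ "$(tunnel_state "$(current_ifconfig)")" = down ] \
           || ! ping -c 1 -W 5 "$REMOTE_HOST" >/dev/null 2>&1; then
            logger -t vpnc-keepalive "tunnel down, restarting vpnc"
            bring_up
        fi
        sleep "$ka_interval"
    done
}

# route_client_via_tunnel CLIENT_IP: give one LAN client the tunnel as its default
# route while everyone else keeps the ISP gateway (policy routing, table 100).
# The SNAT rule above only covers 16.16.16.0/24; a full-tunnel client also needs
# the same SNAT without the -d restriction.
route_client_via_tunnel() {
    run ip route replace default dev "$TUN" table 100
    run ip rule add from "$1" table 100
}

case "$1" in
    up)        bring_up ;;
    keepalive) keepalive "$2" ;;
    client)    route_client_via_tunnel "$2" ;;
esac
```

Save it as, for instance, /etc/vpnc-tunnel.sh (file name assumed), run `/etc/vpnc-tunnel.sh up` once and `/etc/vpnc-tunnel.sh keepalive 60 &` for the reconnect loop; an S-numbered script in /etc/init.d/ that does both covers the reboot requirement. `DRY_RUN=1` prints every route, iptables and ip command the script would run, which is the easiest way to check the rules against the ones in the post before touching the router.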

hello,

how do I redirect the whole traffic to the VPN server?

i tried:
route add -net default netmask default gw 128.X.X.X dev tun0

but then nothing is working.

this is my standard netstat -nr output:
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.16.0    0.0.0.0         255.255.255.0   U         0 0          0 br0
62.X.X.0      0.0.0.0         255.255.255.0   U         0 0          0 vlan1
0.0.0.0         62.X.X.1      0.0.0.0         UG        0 0          0 vlan1


mfg seHaas

Hi seHaas,

route add -net RemoteVPNserverIP netmask 255.255.255.255 gw OldDefaultGatewayIP
route add default gw LocalTunnelIP
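birky's two commands in script form, as an added example that is not code from the thread: the old default gateway is read from the routing table instead of typed by hand, so the host route that keeps the VPN server reachable outside the tunnel is always correct, and there is a matching function to switch back. TUN, the DRY_RUN switch and the extra `route del default` step (so the new default route does not collide with the old one) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: birky's recipe for sending all traffic
# into the tunnel, with the current default gateway read from "netstat -nr"
# instead of typed by hand. TUN, DRY_RUN and the "route del default" step are
# this example's own assumptions.

TUN=tun0
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1: print the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# default_gateway "<netstat -nr output>": gateway of the 0.0.0.0 route, empty if none
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" { print $2; exit }'
}

# tunnel_default VPN_SERVER_IP LOCAL_TUNNEL_IP "<netstat -nr output>"
#   1. pin the VPN server itself to the old gateway; without this the encrypted
#      packets to the server would themselves be routed into the tunnel
#   2. swap the default route from the ISP gateway to the tunnel address
tunnel_default() {
    td_gw=$(default_gateway "$3")
    [ -n "$td_gw" ] || { echo "no default gateway in routing table" >&2; return 1; }
    run route add -net "$1" netmask 255.255.255.255 gw "$td_gw"
    run route del default gw "$td_gw"
    run route add default gw "$2"
}

# untunnel_default VPN_SERVER_IP LOCAL_TUNNEL_IP OLD_GATEWAY_IP: undo the above
untunnel_default() {
    run route del default gw "$2"
    run route add default gw "$3"
    run route del -net "$1" netmask 255.255.255.255 gw "$3"
}

case "$1" in
    on)  tunnel_default "$2" "$3" "$(netstat -nr)" ;;
    off) untunnel_default "$2" "$3" "$4" ;;
esac
```

Usage is `sh tunnel-default.sh on <VPN server IP> <tun0 IP>` and `sh tunnel-default.sh off <VPN server IP> <tun0 IP> <old gateway IP>` (file name assumed). Two things the route change alone does not cover: name resolution also has to work through the tunnel (seHaas's resolv.conf edit in the next post), and LAN clients still need the forwarding_rule ACCEPT and postrouting_rule SNAT rules from Gabriel's guide, without the `-d` restriction once everything goes into the tunnel.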

thank you, birky!

after editing /etc/resolv.conf it works from the router (terminal), but the clients can't reach anything outside the router except the VPN server.
i tried ping and traceroute.

any idea whats wrong?
thx seHaas

Hi sehaas,
check your iptables to see whether you permitted the client IPs,
and the routes to the clients on the VPN server. - but my VPN server sees only one VPN client (the IP of tun0), so I must do NAT for my local LAN clients to tun0. What is your VPN server?

Please can anybody help me?
1. Configure some kind of keepalive, because when the tunnel goes down I must run it again manually.
2. Set up some kind of source routing, because I need some local users (VLANs) to use the tunnel as default route and others to use the ISP default gateway.

BirkY

The discussion might have continued from here.