Posting Updated: 26.06 11:22
I'm trying to use a Raspberry Pi on Arch Linux as a strongSwan IKEv2 server for my Windows Phone 8.1 smartphone. I would like to use a client certificate for authentication. My current result is an established connection: I see data packets leaving the tunnel, but no response packets entering the tunnel. Can someone help? For testing purposes the smartphone is connected to the local Wi-Fi (later I would like to use a GSM connection).
Local network: 192.168.178.0/24; IPs for the tunnel: 192.168.250.0/24
ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    strictcrlpolicy=no
    # uniqueids = no

# Add connections here.

# Connection from Windows Phone 8.1 with client certificate
conn eap-tls
    keyexchange=ikev2
    left=%any
    leftsubnet=0.0.0.0/0
    leftid=@fischefr.ddns.net
    leftcert=vpnHostCert.pem
    leftauth=pubkey
    leftfirewall=yes
    right=%any
    rightauth=eap-tls
    # rightsourceip=%dhcp
    rightsourceip=192.168.250.0/24
    eap_identity=%any
    forceencaps=yes
    auto=start
    # rightsendcert=never
    # compress=yes
    # rightcert=FranzCert.pem
    # esp=aes256-sha1_160-ecp512bp!

# Sample VPN connections

#conn sample-self-signed
#    leftsubnet=10.1.0.0/16
#    leftcert=selfCert.der
#    leftsendcert=never
#    right=192.168.0.2
#    rightsubnet=10.2.0.0/16
#    rightcert=peerCert.der
#    auto=start

#conn sample-with-ca-cert
#    leftsubnet=10.1.0.0/16
#    leftcert=myCert.pem
#    right=192.168.0.2
#    rightsubnet=10.2.0.0/16
#    rightid="C=CH, O=Linux strongSwan CN=peer name"
#    auto=start
iptables-save:
# Generated by iptables-save v1.4.21 on Fri Jun 26 09:10:48 2015
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.250.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 192.168.250.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Jun 26 09:10:48 2015
# Generated by iptables-save v1.4.21 on Fri Jun 26 09:10:48 2015
*filter
:INPUT ACCEPT [33:2276]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:2872]
COMMIT
# Completed on Fri Jun 26 09:10:48 2015
# Generated by iptables-save v1.4.21 on Fri Jun 26 09:10:48 2015
*raw
:PREROUTING ACCEPT [34:2328]
:OUTPUT ACCEPT [28:3264]
-A PREROUTING -s 192.168.250.0/24 -j LOG
-A PREROUTING -d 192.168.250.0/24 -j LOG
COMMIT
# Completed on Fri Jun 26 09:10:48 2015
Still doesn't work; any further ideas?
After starting strongSwan, iptables-save shows further rules:
# Generated by iptables-save v1.4.21 on Fri Jun 26 09:14:12 2015
*nat
:PREROUTING ACCEPT [4:2319]
:INPUT ACCEPT [4:2319]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.250.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 192.168.250.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Jun 26 09:14:12 2015
# Generated by iptables-save v1.4.21 on Fri Jun 26 09:14:12 2015
*filter
:INPUT ACCEPT [17:1708]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14:1960]
-A FORWARD -s 192.168.250.1/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -d 192.168.250.1/32 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT
# Completed on Fri Jun 26 09:14:12 2015
# Generated by iptables-save v1.4.21 on Fri Jun 26 09:14:12 2015
*raw
:PREROUTING ACCEPT [271:22907]
:OUTPUT ACCEPT [191:25761]
-A PREROUTING -s 192.168.250.0/24 -j LOG
-A PREROUTING -d 192.168.250.0/24 -j LOG
COMMIT
# Completed on Fri Jun 26 09:14:12 2015
One test: I started strongSwan, connected the phone and entered 192.168.178.1 (Fritzbox, the router) in the URL box. journalctl shows the following lines:
Jun 26 09:17:27 alarmpi ipsec_starter[858]: Starting strongSwan 5.3.2 IPsec [starter]...
Jun 26 09:17:27 alarmpi ipsec_starter[867]: charon (868) started after 480 ms
Jun 26 09:17:34 alarmpi vpn[893]: + 192.168.178.23 192.168.250.1/32 == 87.154.185.133 -- 192.168.178.25 == 0.0.0.0/0
Jun 26 09:17:37 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:01:48:44:91:00:00:80:11:3a:6a SRC=192.168.250.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=17553 PROTO=UDP SPT=68 DPT=67 LEN=308
Jun 26 09:17:38 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:01:48:44:92:00:00:80:11:3a:69 SRC=192.168.250.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=17554 PROTO=UDP SPT=68 DPT=67 LEN=308
Jun 26 09:17:40 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:00:34:1e:d7:40:00:80:06:ae:98 SRC=192.168.250.1 DST=192.168.178.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=7895 DF PROTO=TCP SPT=50925 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 26 09:17:41 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:00:34:1e:d8:40:00:80:06:ae:97 SRC=192.168.250.1 DST=192.168.178.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=7896 DF PROTO=TCP SPT=50925 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 26 09:17:43 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:01:48:44:93:00:00:80:11:3a:68 SRC=192.168.250.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=17555 PROTO=UDP SPT=68 DPT=67 LEN=308
Jun 26 09:17:43 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:00:30:1e:d9:40:00:80:06:ae:9a SRC=192.168.250.1 DST=192.168.178.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=7897 DF PROTO=TCP SPT=50925 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Unfortunately there seems to be no packet from 192.168.178.1 to 192.168.250.0. Something is going wrong. I'm not sure about the strongSwan configuration, but a tunnel is established...
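As an added example (not from the original post), a Python script that parses netfilter LOG lines in the format of the journal above and reports, per client flow from the 192.168.250.0/24 pool, whether any answer was ever logged. Its sample input is constructed: the DNS query/answer pair is invented to show a flow that did get a reply, the other lines mirror the post.

```python
import ipaddress
import re

VPN_POOL = ipaddress.ip_network("192.168.250.0/24")  # rightsourceip in the post
# Constructed sample in the netfilter LOG format of the journal above; assumption:
# the DNS query/answer pair at the end is invented to show a flow that got a reply.
SAMPLE_LOG = """\
Jun 26 09:17:40 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00 SRC=192.168.250.1 DST=192.168.178.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=7895 DF PROTO=TCP SPT=50925 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 26 09:17:41 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00 SRC=192.168.250.1 DST=192.168.178.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=7896 DF PROTO=TCP SPT=50925 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 26 09:17:43 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00 SRC=192.168.250.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=17555 PROTO=UDP SPT=68 DPT=67 LEN=308
Jun 26 09:17:44 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00 SRC=192.168.250.1 DST=192.168.178.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7898 PROTO=UDP SPT=51000 DPT=53 LEN=40
Jun 26 09:17:44 alarmpi kernel: IN=eth0 OUT= MAC=24:65:11:67:c0:e2:b8:27:eb:72:f0:a6:08:00 SRC=192.168.178.1 DST=192.168.250.1 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=100 PROTO=UDP SPT=53 DPT=51000 LEN=100
"""
KV = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value tokens; flags like DF/SYN have none


def parse_log_line(line):
    """Fields of one netfilter LOG line, or None. LEN appears twice; first wins."""
    if "kernel:" not in line or "SRC=" not in line:
        return None
    fields = {}
    for key, value in KV.findall(line.split("kernel:", 1)[1]):
        fields.setdefault(key, value)
    return fields


def flow_report(log_text, pool=VPN_POOL):
    """Map each client flow leaving the tunnel to (packets seen, reply seen).
    Broadcasts (the DHCP discover in the post) can't get a unicast reply: skipped."""
    outbound, replies = {}, set()
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if not pkt or "PROTO" not in pkt:
            continue
        src, dst = ipaddress.ip_address(pkt["SRC"]), ipaddress.ip_address(pkt["DST"])
        proto, sport, dport = pkt["PROTO"], pkt.get("SPT"), pkt.get("DPT")
        if src in pool and not (dst.is_multicast or pkt["DST"] == "255.255.255.255"):
            key = (proto, pkt["SRC"], sport, pkt["DST"], dport)
            outbound[key] = outbound.get(key, 0) + 1
        elif dst in pool:  # reverse 5-tuple: an answer reached the client
            replies.add((proto, pkt["DST"], dport, pkt["SRC"], sport))
    return {key: (n, key in replies) for key, n in outbound.items()}


def missing_replies(log_text, pool=VPN_POOL):
    """Flows sent into the tunnel with no logged answer. Caveat: with MASQUERADE,
    answers pass raw PREROUTING with the gateway's own IP as DST (conntrack un-NATs
    them later, in the nat hook), so the raw '-d 192.168.250.0/24' LOG rule never
    sees them; a LOG rule in filter FORWARD does see the de-NATted reply."""
    return [k for k, (_, ok) in flow_report(log_text, pool).items() if not ok]
```

Feed it the output of `journalctl -k` in place of SAMPLE_LOG to run it against the Pi's own log.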