Hi,
 
First of all apologies if this is a double post. I seem to have some trouble posting to the list.
 
The good news is I think I have succeeded in successfully compiling fwknopd for dd-wrt using optware. The program compiled without errors and runs on my router. The bad news is that it doesn't seem to create the iptables rules needed.
 
If I start fwknopd and send a SPA packet from my Android phone to my router, fwknopd responds with:
 
Using Digest Cache: '/var/run/fwknop/digest.cache' (entry count = 0)
Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
PCAP filter is: udp port 62201
Starting fwknopd main event loop.
SPA Packet from IP: <my phone ip> received.
SPA Packet: '+0e+uMnhekbCqfB1tHSenxfiiCrtkaxSJJzBNA5FfYiX1pmMC1cO5MhxmorkfGS2+z723Jd2Aj/4Y4oPNn1MmXQ9gc8yAziJGe0Rkiqt9GCwmXGzWzDVFiWPXg9zLDA9Az/xW2SIaEGudbGEn3hXqnb1O0HEJy74TlOvgjP8obBNlSMyucX4aw'
Added Rule to FWKNOP_INPUT for <my phone ip>, tcp/8822 expires at 1319299103
 
However, I cannot reach ssh on my router. If I run (from a different ssh session) iptables -L, I can see some entries relating to fwknopd. I get
 
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
FWKNOP_INPUT  0    --  anywhere             anywhere
 
Immediately after that I get some iptables rules I put in myself. Then, after quite a lot more lines, I get

Chain FWKNOP_INPUT (1 references)
target     prot opt source               destination
Chain advgrp_1 (0 references)

And the output continues, but with no references to either my phone's IP address or port 8822.
 
Then after a while fwknop tells me:

Did not find expire comment in rules list 0.

I'm stuck. As far as I can tell, fwknopd runs without errors and can access iptables, because I can see entries relating to fwknop in my iptables. These entries disappear (as they should) when I close fwknopd and reappear when I start fwknopd again. However, no iptables rules are created.
 
Does anyone have a suggestion to solve this problem? Am I configuring fwknopd.conf or access.conf wrong? The output of fwknopd -D is attached below.
 
Thanks,
 
Frank
 
Output of fwknopd -D:
# fwknopd -D
Current fwknopd config settings:
  0. CONFIG_FILE                  =  '/opt/etc/fwknop/fwknopd.conf'
  1. OVERRIDE_CONFIG              =  '<not set>'
  2. PCAP_INTF                    =  'vlan2'
  3. ENABLE_PCAP_PROMISC          =  'N'
  4. PCAP_FILTER                  =  'udp port 62201'
  5. MAX_SNIFF_BYTES              =  '1500'
  6. ENABLE_SPA_PACKET_AGING      =  'Y'
  7. MAX_SPA_PACKET_AGE           =  '120'
  8. ENABLE_DIGEST_PERSISTENCE    =  'Y'
  9. CMD_EXEC_TIMEOUT             =  '<not set>'
 10. ENABLE_SPA_OVER_HTTP         =  'N'
 11. ENABLE_TCP_SERVER            =  'N'
 12. TCPSERV_PORT                 =  '62201'
 13. LOCALE                       =  '<not set>'
 14. SYSLOG_IDENTITY              =  'fwknopd'
 15. SYSLOG_FACILITY              =  'LOG_DAEMON'
 16. ENABLE_IPT_FORWARDING        =  'N'
 17. ENABLE_IPT_LOCAL_NAT         =  'Y'
 18. ENABLE_IPT_SNAT              =  'N'
 19. SNAT_TRANSLATE_IP            =  '<not set>'
 20. ENABLE_IPT_OUTPUT            =  'N'
 21. FLUSH_IPT_AT_INIT            =  'Y'
 22. FLUSH_IPT_AT_EXIT            =  'Y'
 23. IPT_INPUT_ACCESS             =  'ACCEPT, filter, INPUT, 1, FWKNOP_INPUT, 1'
 24. IPT_OUTPUT_ACCESS            =  'ACCEPT, filter, OUTPUT, 1, FWKNOP_OUTPUT, 1'
 25. IPT_FORWARD_ACCESS           =  'ACCEPT, filter, FORWARD, 1, FWKNOP_FORWARD, 1'
 26. IPT_DNAT_ACCESS              =  'DNAT, nat, PREROUTING, 1, FWKNOP_PREROUTING, 1'
 27. IPT_SNAT_ACCESS              =  'SNAT, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
 28. IPT_MASQUERADE_ACCESS        =  'MASQUERADE, nat, POSTROUTING, 1, FWKNOP_POSTROUTING, 1'
 29. FWKNOP_RUN_DIR               =  '/var/run/fwknop'
 30. FWKNOP_CONF_DIR              =  '/opt/etc/fwknop'
 31. ACCESS_FILE                  =  '/opt/etc/fwknop/access.conf'
 32. FWKNOP_PID_FILE              =  '/var/run/fwknop/fwknopd.pid'
 33. DIGEST_FILE                  =  '/var/run/fwknop/digest.cache'
 34. GPG_HOME_DIR                 =  '/root/.gnupg'
 35. FIREWALL_EXE                 =  '/usr/sbin/iptables'
Current fwknopd access settings:
SOURCE (1):  ANY
==============================================================
                 OPEN_PORTS:  tcp/8822,tcp/22
             RESTRICT_PORTS:  <not set>
                        KEY:  <see the access.conf file>
          FW_ACCESS_TIMEOUT:  30
            ENABLE_CMD_EXEC:  No
              CMD_EXEC_USER:  <not set>
           REQUIRE_USERNAME:  <not set>
     REQUIRE_SOURCE_ADDRESS:  No
               GPG_HOME_DIR:  <not set>
             GPG_DECRYPT_ID:  <not set>
             GPG_DECRYPT_PW:  <see the access.conf file>
            GPG_REQUIRE_SIG:  No
GPG_IGNORE_SIG_VERIFY_ERROR:  No
              GPG_REMOTE_ID:  <not set>