Hello.
I would like to add routing on OpenWRT for strongSwan IPSec IKEv2. The IPSec IKEv2 connection is successfully established. Unfortunately, the OpenWRT forum cannot help. Maybe someone can help here. Here is my configuration.
My installed packages: strongswan-full ip-full vti kmod-ip-vti kmod-ip6-vti
/etc/ipsec.conf:
Code:
conn lan-passthrough
leftsubnet=192.168.1.0/24 # Replace with your LAN subnet
rightsubnet=192.168.1.0/24 # Replace with your LAN subnet
authby=never # No authentication necessary
type=pass # passthrough
auto=route # no need to ipsec up lan-passthrough
conn test
left=%defaultroute
leftsourceip=%config
leftauth=eap-mschapv2
eap_identity="username"
right=37.58.58.229
rightsubnet=0.0.0.0/0
rightauth=pubkey
#rightid=%37.58.58.229
rightca=/etc/ipsec.d/cacerts/protonvpn.der
keyexchange=ikev2
rightfirewall=yes
type=tunnel
auto=add
/etc/firewall.user:
Code:
iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
/etc/config/firewall:
Code:
config rule
option src 'wan'
option name 'IPSec ESP'
option proto 'esp'
option target 'ACCEPT'
config rule
option src 'wan'
option name 'IPSec IKE'
option proto 'udp'
option dest_port '500'
option target 'ACCEPT'
config rule
option src 'wan'
option name 'IPSec NAT-T'
option proto 'udp'
option dest_port '4500'
option target 'ACCEPT'
config rule
option src 'wan'
option name 'Auth Header'
option proto 'ah'
option target 'ACCEPT'
Here I need help. I am trying to add an ipsec0 tunnel and a route:
Code:
ip tunnel add ipsec0 local 192.168.1.1 remote 37.58.58.229 mode vti key 42
sysctl -w net.ipv4.conf.ipsec0.disable_policy=1
ip link set ipsec0 up
ip route add 10.0.0.0/8 dev ipsec0
ifconfig ipsec0 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
If I type ifconfig, then I have no traffic:
Code:
ipsec0 Link encap:UNSPEC HWaddr C0-A8-01-01-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.1.1 P-t-P:192.168.1.1 Mask:255.255.255.0
inet6 addr: fe80::5efe:c0a8:101/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Here is the output of "ipsec statusall":
Code:
Connections:
lan-passthrough: %any...%any IKEv1/2
lan-passthrough: local: uses public key authentication
lan-passthrough: remote: uses public key authentication
lan-passthrough: child: 192.168.1.0/24 === 192.168.1.0/24 PASS
test: %any...37.58.58.229 IKEv2
test: local: uses EAP_MSCHAPV2 authentication with EAP identity 'username'
test: remote: [37.58.58.229] uses public key authentication
test: child: dynamic === 0.0.0.0/0 TUNNEL
Shunted Connections:
lan-passthrough: 192.168.1.0/24 === 192.168.1.0/24 PASS
Security Associations (1 up, 0 connecting):
test[1]: ESTABLISHED 5 minutes ago, 5.146.188.149[5.146.188.149]...37.58.58.229[37.58.58.229]
test[1]: IKEv2 SPIs: 825600acd0b63a42_i* d1910dac65c14db6_r, EAP reauthentication in 2 hours
test[1]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
test{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c16aad1c_i cad28179_o
test{1}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
test{1}: 10.6.4.18/32 === 0.0.0.0/0
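For comparison, here is a route-based (VTI) layout for the "test" conn as an added example (not the poster's script): it reuses the values already visible in the post (peer 37.58.58.229 and key 42 from the ip commands, WAN address 5.146.188.149 and virtual IP 10.6.4.18 from the statusall output) and differs from the posted commands in that the VTI's local address is the IKE endpoint rather than the LAN address, the tunnel carries the virtual IP instead of the LAN address, and the conn gets a matching mark= with charon told not to install its own routes. The routed prefix 10.0.0.0/8 and the SNAT rule for LAN sources are assumptions.

```shell
#!/bin/sh
# Added example: route-based (VTI) layout for the "test" conn. Addresses come from
# the post: peer and key 42 from the posted ip commands, WAN address 5.146.188.149
# and virtual IP 10.6.4.18 from "ipsec statusall". ROUTED and the SNAT rule are assumptions.
PEER=37.58.58.229
WAN_IP=5.146.188.149   # VTI "local" must be the IKE endpoint, not the LAN address
VIP=10.6.4.18          # virtual IP from leftsourceip=%config; goes on the VTI, not the LAN IP
MARK=42                # VTI key and conn mark= must be the same number
VTI=ipsec0
ROUTED=10.0.0.0/8      # assumption: only this prefix should go through the tunnel

# strongSwan side: without mark= the SA is never bound to the VTI, and with
# install_routes left at its default charon adds its own routes (table 220)
# that bypass ipsec0.
strongswan_fragment() {
  cat <<EOF
# /etc/ipsec.conf, add inside "conn test":
    mark=$MARK
# /etc/strongswan.d/charon.conf, inside "charon { }":
    install_routes = no
    install_virtual_ip = no
EOF
}

# Kernel side. Printed instead of executed so the commands can be reviewed
# first (and so this script runs without root); pipe into sh to apply.
vti_commands() {
  cat <<EOF
ip tunnel add $VTI local $WAN_IP remote $PEER mode vti key $MARK
sysctl -w net.ipv4.conf.$VTI.disable_policy=1
ip addr add $VIP/32 dev $VTI
ip link set $VTI up
ip route add $ROUTED dev $VTI
# child SA is $VIP/32 === 0.0.0.0/0, so LAN sources must be translated to the VIP
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o $VTI -j SNAT --to-source $VIP
EOF
}

# Sanity check: the number after "key" and after "mark=" must agree.
vti_key_matches_mark() {
  vti_commands | grep -q "mode vti key $MARK" &&
    strongswan_fragment | grep -q "mark=$MARK"
}

if [ "$1" = apply ]; then
  vti_commands | sh
fi
```

Run it without arguments to review the generated commands and the strongSwan fragment, and with `apply` as root to execute the ip/sysctl/iptables lines.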