[strongSwan] IPsec - between TL-ER6120 and OpenWRT with strongSwan [beginner]

Noel Kuntze noel at familie-kuntze.de
Tue Jul 21 12:25:20 CEST 2015



Hello Tomek,

Now you're potentially leaking RFC1918 into the WAN.
Only accept traffic in POSTROUTING, if there is a matching policy.
You should also REJECT traffic to the remote subnet, if there is no
matching policy.
Use the "policy" match module in iptables for that. The wiki article about split tunneling
and forwarding has an example for the use of that module.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
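
Putting these points into iptables rules, as an added example that is not from the thread or the strongSwan wiki: traffic between the LANs is forwarded only when the kernel's policy lookup finds an IPsec policy, traffic for the remote subnet without a policy is rejected, and policy-covered packets are exempted from NAT before the MASQUERADE rule. It assumes the thread's subnets (192.168.2.0/24 behind OpenWRT, 192.168.1.0/24 behind the TL-ER6120); the chain name ipsec_fw and the IPT, LOCAL_NET and REMOTE_NET variables are my own.

```shell
#!/bin/sh
# Constructed example, not from the thread: policy-based firewall rules for
# the OpenWRT side. Assumes LAN B 192.168.2.0/24 behind OpenWRT and LAN A
# 192.168.1.0/24 behind the TL-ER6120, with the WAN being masqueraded.
# IPT defaults to iptables; set IPT="echo iptables" to preview the rules.
IPT="${IPT:-iptables}"
LOCAL_NET="${LOCAL_NET:-192.168.2.0/24}"
REMOTE_NET="${REMOTE_NET:-192.168.1.0/24}"

ipsec_firewall_rules() {
    # Dedicated chain (hypothetical name) so the rule order survives
    # whatever zone rules Luci has already generated in FORWARD.
    $IPT -N ipsec_fw 2>/dev/null || $IPT -F ipsec_fw

    # Forward LAN-to-LAN traffic only if the policy lookup says it will be
    # (outgoing) or was (incoming) carried by an ESP tunnel-mode SA.
    $IPT -A ipsec_fw -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec --proto esp --mode tunnel -j ACCEPT
    $IPT -A ipsec_fw -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -m policy --dir in --pol ipsec --proto esp --mode tunnel -j ACCEPT

    # No matching policy (tunnel down, wrong source address): reject rather
    # than let RFC1918 traffic leave in clear text over the WAN.
    $IPT -A ipsec_fw -d "$REMOTE_NET" -m policy --dir out --pol none -j REJECT

    $IPT -I FORWARD 1 -j ipsec_fw

    # NAT runs before the policy lookup, so packets covered by an outgoing
    # IPsec policy must be accepted here, ahead of the MASQUERADE rule.
    $IPT -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT
}

case "${1:-}" in
    apply)   ipsec_firewall_rules ;;
    preview) IPT="echo iptables"; ipsec_firewall_rules ;;
esac
```

Run with `preview` to see the rules, `apply` to install them; `iptables -L ipsec_fw -v` then shows per-rule counters, so packets hitting the REJECT rule point at a missing policy.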

Am 21.07.2015 um 12:21 schrieb tomek_byd at tlen.pl:
> Hello!
>
> I add on OpenWRT:
>
> iptables -I FORWARD --src 192.168.1.0/24 -j ACCEPT
> iptables -I FORWARD --dst 192.168.1.0/24 -j ACCEPT
> iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
> iptables -t nat -I POSTROUTING -p ipcomp -j ACCEPT
> iptables -t nat -I POSTROUTING -p ah -j ACCEPT
> iptables -t nat -I POSTROUTING -p esp -j ACCEPT
>
> These commands are enough. Now everything works well. Thanks for pointing out the problem.
>
> 2015-07-21 11:47 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
> Hello Tomek,
>
> There is more information in the articles.
>
> 1) IPsec on modern Linux is policy based, not route based. StrongSwan takes care of all the
>     needed policies and routes that are needed to make it work.
> 2) Packets that don't match the negotiated policies are not transported over the tunnel.
>     Your OpenWRT box sends traffic to 192.168.1.0/24 from its address on the WAN interface,
>     which does not work, because it's not covered by a policy. The same probably happens for
>     the TP link device.
> 3) local NAT breaks IPsec, because NAT happens before the policy lookup. You need to exempt traffic
>     with a matching policy from NAT.
> 4) The OpenWRT firewall structure is inherently incompatible with the interfaceless nature of IPsec
>     on Linux. You should redesign the firewall rules manually and stop using Luci.
>
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 21.07.2015 um 10:30 schrieb tomek_byd at tlen.pl:
> >>> Hello!
> >>>
> >>> I have read both articles and it did not explain anything to me. I have:
> >>> net.ipv4.ip_forward=1 in sysctl.conf
> >>> leftfirewall=yes, rightsubnet in ipsec.conf
> >>>
> >>> On TP-Link I see in route table:
> >>> destination: 192.168.2.0/24, gateway: N/A, flags: S, logical
> >>> interface: eth1, physical interface: wan1, metric: 0
> >>>
> >>> On OpenWRT I have no routes for 192.168.1.0/24
> >>>
> >>> I can't ping 192.168.2.1 from A.A.A.A and I can't ping 192.168.1.1 from B.B.B.B
> >>>
> >>> 2015-07-20 16:14 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
> >>> Hello Tomek,
> >>>
> >>> Read the introduction to strongswan and the article
> >>> about forwarding and split tunneling on the wiki.
> >>>
> >>> Mit freundlichen Grüßen/Kind Regards,
> >>> Noel Kuntze
> >>>
> >>> GPG Key ID: 0x63EC6658
> >>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >>>
> >>> Am 20.07.2015 um 16:13 schrieb tomek_byd at tlen.pl:
> >>>>>> Hello!
> >>>>>>
> >>>>>> I have a lot of progress. IPsec connection set up properly.
> >>>>>> Unfortunately ping does not work between networks. In OpenVPN I had
> >>>>>> tunnels in interfaces with their own addresses. I set up routing
> >>>>>> between them. Now I don't see the ends of the IPsec tunnel in
> >>>>>> interfaces and don't know how to set routing.
> >>>>>>
> >>>>>> root at SomeWRT:~# ipsec statusall
> >>>>>> no files found matching '/etc/strongswan.d/*.conf'
> >>>>>> Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.10.49, mips):
> >>>>>>   uptime: 11 seconds, since Jul 20 15:58:34 2015
> >>>>>>   malloc: sbrk 122880, mmap 0, used 116464, free 6416
> >>>>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> >>>>>> scheduled: 1
> >>>>>>   loaded plugins: charon aes des sha1 sha2 md5 random nonce x509
> >>>>>> revocation constraints pubkey pkcs1 pgp dnskey pem fips-prf gmp xcbc
> >>>>>> hmac attr kernel-netlink resolve socket-default stroke updown
> >>>>>> xauth-generic
> >>>>>> Listening IP addresses:
> >>>>>>   192.168.2.1
> >>>>>> Connections:
> >>>>>> somename:  B.B.B.B...A.A.A.A  IKEv1
> >>>>>> somename:   local:  [B.B.B.B] uses pre-shared key authentication
> >>>>>> somename:   remote: [A.A.A.A] uses pre-shared key authentication
> >>>>>> somename:   child:  192.168.2.0/24 === 192.168.1.0/24 TUNNEL
> >>>>>> Security Associations (1 up, 0 connecting):
> >>>>>> somename[2]: ESTABLISHED 10 seconds ago, B.B.B.B[B.B.B.B]...A.A.A.A[A.A.A.A]
> >>>>>> somename[2]: IKEv1 SPIs: xxxxxxxxxxxxxxxx_i xxxxxxxxxxxxxxxx_r*,
> >>>>>> rekeying disabled
> >>>>>> somename[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> >>>>>> somename{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: xxxxxxxx_i xxxxxxxx_o
> >>>>>> somename{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
> >>>>>> somename{1}:   192.168.2.0/24 === 192.168.1.0/24
> >>>>>>
> >>>>>> 2015-07-20 14:19 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
> >>>>>> Hello Tomek,
> >>>>>>
> >>>>>> I can tell from "Exchange Mode: Main" that it uses IKEv1.
> >>>>>> Append an @ to the IDs  on the strongSwan side
> >>>>>> to force charon to send the ID as type FQDN,
> >>>>>> which the other side expects (you set ID type to FQDN).
> >>>>>> Use AES-128 instead of 3DES. You should also
> >>>>>> use SHA1, not MD5. Furthermore, you enabled PFS in
> >>>>>> the configuration on the TP link, but not in strongSwan.
> >>>>>> Append the correct dh group to your ESP cipher settings.
> >>>>>>
> >>>>>> Look at the logs in the web interface to find out what the TP link
> >>>>>> side doesn't like.
> >>>>>>
> >>>>>> Mit freundlichen Grüßen/Regards,
> >>>>>> Noel Kuntze
> >>>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >>>>>>
> >>>>>> Am 20.07.2015 um 13:58 schrieb tomek_byd at tlen.pl:
> >>>>>>>>> Hello!
> >>>>>>>>>
> >>>>>>>>> After the change from IKEv1 to IKEv2 I have errors as shown below. In
> >>>>>>>>> the settings TP-Link I don't see the possibility to change IKEv1/v2. I
> >>>>>>>>> don't know what is even set in TP-Link. A sample panel is visible on
> >>>>>>>>> http://www.tp-link.com.pl/resources/simulator/TL-ER6120(UN)/userRpm/Index.htm.
> >>>>>>>>> What is best to change 3DES to?
> >>>>>>>>>
> >>>>>>>>> root at SomeWRT:~# ipsec up somename
> >>>>>>>>> no files found matching '/etc/strongswan.d/*.conf'
> >>>>>>>>> initiating Main Mode IKE_SA somename[1] to A.A.A.A
> >>>>>>>>> generating ID_PROT request 0 [ SA V V V V ]
> >>>>>>>>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (152 bytes)
> >>>>>>>>> received packet: from A.A.A.A[500] to B.B.B.B[500] (56 bytes)
> >>>>>>>>> parsed INFORMATIONAL_V1 request 1324794912 [ N(NO_PROP) ]
> >>>>>>>>> received NO_PROPOSAL_CHOSEN error notify
> >>>>>>>>> establishing connection 'somename' failed
> >>>>>>>>>
> >>>>>>>>> 2015-07-19 22:32 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
> >>>>>>>>> Hello Tomek,
> >>>>>>>>>
> >>>>>>>>> Try using IKEv1, not IKEv2. And use a different cipher than 3DES. It is very slow.
> >>>>>>>>>
> >>>>>>>>> Mit freundlichen Grüßen/Kind Regards,
> >>>>>>>>> Noel Kuntze
> >>>>>>>>>
> >>>>>>>>> GPG Key ID: 0x63EC6658
> >>>>>>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >>>>>>>>>
> >>>>>>>>> Am 19.07.2015 um 13:34 schrieb tomek_byd:
> >>>>>>>>>>>> I don't know how to write the correct config file for the connection. My config is a conglomeration of many examples from the Internet. So far I haven't had contact with IPsec. I have control of the TL-ER6120 and OpenWRT, so I can make changes on both devices. I see the error "IDr payload missing" but parameter "leftid" is set in the config file.
> >>>>>>>>>>>>
> >>>>>>>>>>>> LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET <-> OpenWRT with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)
> >>>>>>>>>>>>
> >>>>>>>>>>>> TL-ER6120 configuration:
> >>>>>>>>>>>> IKE Proposal: MD5, 3DES, DH2
> >>>>>>>>>>>> IKE Policy:
> >>>>>>>>>>>>   Exchange Mode: main,
> >>>>>>>>>>>>   Local ID Type: FQDN,
> >>>>>>>>>>>>   Local ID: A.A.A.A
> >>>>>>>>>>>>   Remote ID Type: FQDN
> >>>>>>>>>>>>   Remote ID: B.B.B.B
> >>>>>>>>>>>>   Pre-shared Key: XXXXXX
> >>>>>>>>>>>>   SA Lifetime: 28800
> >>>>>>>>>>>>   DPD: Disable
> >>>>>>>>>>>> IPsec Proposal: ESP, MD5, 3DES
> >>>>>>>>>>>> IPsec Policy:
> >>>>>>>>>>>>   Mode: LAN-to-LAN
> >>>>>>>>>>>>   Local Subnet: 192.168.1.0/24
> >>>>>>>>>>>>   Remote Subnet: 192.168.2.0/24
> >>>>>>>>>>>>   WAN: WAN1
> >>>>>>>>>>>>   Remote Gateway: B.B.B.B
> >>>>>>>>>>>>   Policy Mode: IKE
> >>>>>>>>>>>>   PFS: DH2
> >>>>>>>>>>>>   SA Lifetime: 28800
> >>>>>>>>>>>>
> >>>>>>>>>>>> OpenWRT configuration:
> >>>>>>>>>>>> /etc/ipsec.conf:
> >>>>>>>>>>>> config setup
> >>>>>>>>>>>>     # strictcrlpolicy = no
> >>>>>>>>>>>>     # uniqueids = no
> >>>>>>>>>>>> conn somename
> >>>>>>>>>>>>     ikelifetime=60m
> >>>>>>>>>>>>     keylife=20m
> >>>>>>>>>>>>     rekeymargin=3m
> >>>>>>>>>>>>     keyingtries=1
> >>>>>>>>>>>>     keyexchange=ikev2
> >>>>>>>>>>>>     type=tunnel
> >>>>>>>>>>>>     authby=secret
> >>>>>>>>>>>>     ike=3des-md5-modp1024!
> >>>>>>>>>>>>     esp=3des-md5!
> >>>>>>>>>>>>     rekey=no
> >>>>>>>>>>>>     left=B.B.B.B
> >>>>>>>>>>>>     leftid=B.B.B.B
> >>>>>>>>>>>>     leftsubnet=192.168.2.0/24
> >>>>>>>>>>>>     leftauth=psk
> >>>>>>>>>>>>     right=A.A.A.A
> >>>>>>>>>>>>     rightid=A.A.A.A
> >>>>>>>>>>>>     rightsubnet=192.168.1.0/24
> >>>>>>>>>>>>     rightauth=psk
> >>>>>>>>>>>>     dpdaction=none
> >>>>>>>>>>>>     auto=add
> >>>>>>>>>>>>     mobike=no
> >>>>>>>>>>>> /etc/ipsec.secrets
> >>>>>>>>>>>> A.A.A.A : PSK "XXXXXX"
> >>>>>>>>>>>> B.B.B.B : PSK "XXXXXX"
> >>>>>>>>>>>>
> >>>>>>>>>>>> Output:
> >>>>>>>>>>>> root at SomeWRT:~# ipsec up somename
> >>>>>>>>>>>> no files found matching '/etc/strongswan.d/*.conf'
> >>>>>>>>>>>> initiating IKE_SA somename[1] to A.A.A.A
> >>>>>>>>>>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
> >>>>>>>>>>>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (316 bytes)
> >>>>>>>>>>>> received packet: from A.A.A.A[500] to B.B.B.B[500] (332 bytes)
> >>>>>>>>>>>> parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
> >>>>>>>>>>>> local host is behind NAT, sending keep alives
> >>>>>>>>>>>> remote host is behind NAT
> >>>>>>>>>>>> authentication of 'B.B.B.B' (myself) with pre-shared key
> >>>>>>>>>>>> establishing CHILD_SA somename
> >>>>>>>>>>>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
> >>>>>>>>>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (212 bytes)
> >>>>>>>>>>>> received packet: from A.A.A.A[4500] to B.B.B.B[4500] (68 bytes)
> >>>>>>>>>>>> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
> >>>>>>>>>>>> IDr payload missing
> >>>>>>>>>>>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> >>>>>>>>>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (68 bytes)
> >>>>>>>>>>>> establishing connection 'somename' failed
> >>>>>>>>>>>>
> >>>>>>>>>>>> _______________________________________________
> >>>>>>>>>>>> Users mailing list
> >>>>>>>>>>>> Users at lists.strongswan.org
> >>>>>>>>>>>> https://lists.strongswan.org/mailman/listinfo/users
