[strongSwan] IPsec - between TL-ER6120 and OpenWRT with strongSwan [beginner]

tomek_byd tomek_byd at tlen.pl
Sun Jul 19 13:34:05 CEST 2015


I don't know how to write the correct config file for the connection. My config is a conglomeration of many examples from the Internet. So far I haven't had any contact with IPsec. I have control of both the TL-ER6120 and the OpenWRT device, so I can make changes on both. I see the error "IDr payload missing", but the parameter "leftid" is set in the config file.

LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET <-> OpenWRT with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)

TL-ER6120 configuration:
IKE Proposal: MD5, 3DES, DH2
IKE Policy:
  Exchange Mode: main
  Local ID Type: FQDN
  Local ID: A.A.A.A
  Remote ID Type: FQDN
  Remote ID: B.B.B.B
  Pre-shared Key: XXXXXX
  SA Lifetime: 28800
  DPD: Disable
IPsec Proposal: ESP, MD5, 3DES
IPsec Policy:
  Mode: LAN-to-LAN
  Local Subnet: 192.168.1.0/24
  Remote Subnet: 192.168.2.0/24
  WAN: WAN1
  Remote Gateway: B.B.B.B
  Policy Mode: IKE
  PFS: DH2
  SA Lifetime: 28800

OpenWRT configuration:
/etc/ipsec.conf:
config setup
	# strictcrlpolicy = no
	# uniqueids = no
conn somename
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2
	type=tunnel
	authby=secret
	ike=3des-md5-modp1024!
	esp=3des-md5!
	rekey=no
	left=B.B.B.B
	leftid=B.B.B.B
	leftsubnet=192.168.2.0/24
	leftauth=psk
	right=A.A.A.A
	rightid=A.A.A.A
	rightsubnet=192.168.1.0/24
	rightauth=psk
	dpdaction=none
	auto=add
	mobike=no
/etc/ipsec.secrets:
A.A.A.A : PSK "XXXXXX"
B.B.B.B : PSK "XXXXXX"

Output:
root at SomeWRT:~# ipsec up somename
no files found matching '/etc/strongswan.d/*.conf'
initiating IKE_SA somename[1] to A.A.A.A
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from B.B.B.B[500] to A.A.A.A[500] (316 bytes)
received packet: from A.A.A.A[500] to B.B.B.B[500] (332 bytes)
parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
local host is behind NAT, sending keep alives
remote host is behind NAT
authentication of 'B.B.B.B' (myself) with pre-shared key
establishing CHILD_SA somename
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (212 bytes)
received packet: from A.A.A.A[4500] to B.B.B.B[4500] (68 bytes)
parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
IDr payload missing
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (68 bytes)
establishing connection 'somename' failed
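As an added example (not code from the post or from strongSwan), a small Python parser over the charon output above that shows where the IKEv2 negotiation stopped: which exchange the peer last answered, which error notifies it returned instead of the normal payloads, and which payloads a complete IKE_AUTH response should have carried. The sample log is reconstructed from the post with the packet-size lines dropped.

```python
import re

# Constructed sample: the charon output shown in the post for `ipsec up somename`.
SAMPLE_LOG = """\
initiating IKE_SA somename[1] to A.A.A.A
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
local host is behind NAT, sending keep alives
remote host is behind NAT
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
IDr payload missing
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
establishing connection 'somename' failed
"""

# "generating ... request" is what charon sent, "parsed ... response" is what the peer answered.
MSG_RE = re.compile(r"^(generating|parsed) (\w+) (request|response) (\d+) \[ (.*?) \]$")
MISSING_RE = re.compile(r"^(\w+) payload missing$")
# Payloads a successful IKE_AUTH response must carry (RFC 7296, section 1.2); CERT is optional.
IKE_AUTH_RESPONSE_REQUIRED = {"IDr", "AUTH", "SA", "TSi", "TSr"}

def parse_messages(log):
    """Return one dict per IKE message: direction, exchange, message id, payload list."""
    msgs = []
    for line in log.splitlines():
        m = MSG_RE.match(line.strip())
        if m:
            kind, exchange, _, msgid, payloads = m.groups()
            msgs.append({"sent": kind == "generating", "exchange": exchange,
                         "id": int(msgid), "payloads": payloads.split()})
    return msgs

def diagnose(log):
    """Summarise how far the negotiation got and what the peer sent instead of the normal payloads."""
    lines = [l.strip() for l in log.splitlines()]
    received = [m for m in parse_messages(log) if not m["sent"]]
    last = received[-1] if received else None
    report = {
        "nat_traversal": any("behind NAT" in l for l in lines),
        "established": not any(l.endswith("failed") for l in lines),
        "last_response": last["exchange"] if last else None,
        "peer_notifies": [p[2:-1] for p in last["payloads"] if p.startswith("N(")] if last else [],
        "missing_payloads": [m.group(1) for m in map(MISSING_RE.match, lines) if m],
        "ike_auth_missing": [],
    }
    if last and last["exchange"] == "IKE_AUTH":
        # A response carrying only an error notify means the peer rejected the exchange;
        # the mandatory payloads it left out are listed here next to that notify.
        report["ike_auth_missing"] = sorted(IKE_AUTH_RESPONSE_REQUIRED - set(last["payloads"]))
    return report
```

Running `diagnose(SAMPLE_LOG)` on the post's log reports the last answered exchange as IKE_AUTH with the notify TS_UNACCEPT and all five mandatory payloads absent, so the "IDr payload missing" line is a symptom of that rejected response rather than of the local leftid setting.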