[strongSwan] IPsec - between TL-ER6120 and OpenWRT with strongSwan [beginner]
tomek_byd at tlen.pl
Mon Jul 20 16:13:35 CEST 2015
Hello!
I have made a lot of progress. The IPsec connection is set up properly.
Unfortunately, ping does not work between the networks. In OpenVPN I had
tunnel interfaces with their own addresses and set up routing
between them. Now I don't see the ends of the IPsec tunnel among the
interfaces and don't know how to set up routing.
root at SomeWRT:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.10.49, mips):
uptime: 11 seconds, since Jul 20 15:58:34 2015
malloc: sbrk 122880, mmap 0, used 116464, free 6416
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 1
loaded plugins: charon aes des sha1 sha2 md5 random nonce x509
revocation constraints pubkey pkcs1 pgp dnskey pem fips-prf gmp xcbc
hmac attr kernel-netlink resolve socket-default stroke updown
xauth-generic
Listening IP addresses:
192.168.2.1
Connections:
somename: B.B.B.B...A.A.A.A IKEv1
somename: local: [B.B.B.B] uses pre-shared key authentication
somename: remote: [A.A.A.A] uses pre-shared key authentication
somename: child: 192.168.2.0/24 === 192.168.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
somename[2]: ESTABLISHED 10 seconds ago, B.B.B.B[B.B.B.B]...A.A.A.A[A.A.A.A]
somename[2]: IKEv1 SPIs: xxxxxxxxxxxxxxxx_i xxxxxxxxxxxxxxxx_r*,
rekeying disabled
somename[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
somename{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: xxxxxxxx_i xxxxxxxx_o
somename{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
somename{1}: 192.168.2.0/24 === 192.168.1.0/24
2015-07-20 14:19 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
> Hello Tomek,
>
> I can tell from "Exchange Mode: Main" that it uses IKEv1.
> Append an @ to the IDs on the strongSwan side
> to force charon to send the ID as type FQDN,
> which the other side expects (you set ID type to FQDN).
> Use AES-128 instead of 3DES. You should also
> use SHA1, not MD5. Furthermore, you enabled PFS in
> the configuration on the TP link, but not in strongSwan.
> Append the correct dh group to your ESP cipher settings.
>
> Look at the logs in the webinterface to find out what the TP link
> side doesn't like.
>
> Kind regards,
> Noel Kuntze
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 20.07.2015 at 13:58, tomek_byd at tlen.pl wrote:
>> Hello!
>>
>> After the change from IKEv1 to IKEv2 I get the errors shown below. In
>> the TP-Link settings I don't see any option to change IKEv1/v2, and I
>> don't know what is even set in the TP-Link. A sample panel is visible at
>> http://www.tp-link.com.pl/resources/simulator/TL-ER6120(UN)/userRpm/Index.htm.
>> What is best to replace 3DES with?
>>
>> root at SomeWRT:~# ipsec up somename
>> no files found matching '/etc/strongswan.d/*.conf'
>> initiating Main Mode IKE_SA somename[1] to A.A.A.A
>> generating ID_PROT request 0 [ SA V V V V ]
>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (152 bytes)
>> received packet: from A.A.A.A[500] to B.B.B.B[500] (56 bytes)
>> parsed INFORMATIONAL_V1 request 1324794912 [ N(NO_PROP) ]
>> received NO_PROPOSAL_CHOSEN error notify
>> establishing connection 'somename' failed
>>
>> 2015-07-19 22:32 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
>>>
>> Hello Tomek,
>>
>> Try using IKEv1, not IKEv2. And use a different cipher than 3DES. It is very slow.
>>
>> Kind regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 19.07.2015 at 13:34, tomek_byd wrote:
>>>>> I don't know how to write the correct config file for the connection. My config is a conglomeration of many examples from the Internet. So far I haven't had any contact with IPsec. I have control over both the TL-ER6120 and OpenWRT, so I can make changes on both devices. I see the error "IDr payload missing" even though the parameter "leftid" is set in the config file.
>>>>>
>>>>> LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET <-> OpenWRT with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)
>>>>>
>>>>> TL-ER6120 configuration:
>>>>> IKE Proposal: MD5, 3DES, DH2
>>>>> IKE Policy:
>>>>> Exchange Mode: main,
>>>>> Local ID Type: FQDN,
>>>>> Local ID: A.A.A.A
>>>>> Remote ID Type: FQDN
>>>>> Remote ID: B.B.B.B
>>>>> Pre-shared Key: XXXXXX
>>>>> SA Lifetime: 28800
>>>>> DPD: Disable
>>>>> IPsec Proposal: ESP, MD5, 3DES
>>>>> IPsec Policy:
>>>>> Mode: LAN-to-LAN
>>>>> Local Subnet: 192.168.1.0/24
>>>>> Remote Subnet: 192.168.2.0/24
>>>>> WAN: WAN1
>>>>> Remote Gateway: B.B.B.B
>>>>> Policy Mode: IKE
>>>>> PFS: DH2
>>>>> SA Lifetime: 28800
>>>>>
>>>>> OpenWRT configuration:
>>>>> /etc/ipsec.conf:
>>>>> config setup
>>>>>     # strictcrlpolicy = no
>>>>>     # uniqueids = no
>>>>>
>>>>> conn somename
>>>>>     ikelifetime=60m
>>>>>     keylife=20m
>>>>>     rekeymargin=3m
>>>>>     keyingtries=1
>>>>>     keyexchange=ikev2
>>>>>     type=tunnel
>>>>>     authby=secret
>>>>>     ike=3des-md5-modp1024!
>>>>>     esp=3des-md5!
>>>>>     rekey=no
>>>>>     left=B.B.B.B
>>>>>     leftid=B.B.B.B
>>>>>     leftsubnet=192.168.2.0/24
>>>>>     leftauth=psk
>>>>>     right=A.A.A.A
>>>>>     rightid=A.A.A.A
>>>>>     rightsubnet=192.168.1.0/24
>>>>>     rightauth=psk
>>>>>     dpdaction=none
>>>>>     auto=add
>>>>>     mobike=no
>>>>>
>>>>> /etc/ipsec.secrets:
>>>>> A.A.A.A : PSK "XXXXXX"
>>>>> B.B.B.B : PSK "XXXXXX"
>>>>>
>>>>> Output:
>>>>> root at SomeWRT:~# ipsec up somename
>>>>> no files found matching '/etc/strongswan.d/*.conf'
>>>>> initiating IKE_SA somename[1] to A.A.A.A
>>>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
>>>>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (316 bytes)
>>>>> received packet: from A.A.A.A[500] to B.B.B.B[500] (332 bytes)
>>>>> parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
>>>>> local host is behind NAT, sending keep alives
>>>>> remote host is behind NAT
>>>>> authentication of 'B.B.B.B' (myself) with pre-shared key
>>>>> establishing CHILD_SA somename
>>>>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
>>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (212 bytes)
>>>>> received packet: from A.A.A.A[4500] to B.B.B.B[4500] (68 bytes)
>>>>> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
>>>>> IDr payload missing
>>>>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (68 bytes)
>>>>> establishing connection 'somename' failed
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.strongswan.org
>>>>> https://lists.strongswan.org/mailman/listinfo/users
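An added example for this thread, not code from the posts, from strongSwan or from OpenWRT: a POSIX shell script that puts the conn lines as posted next to a version with the changes Noel asked for (IKEv1, AES-128/SHA1, the DH group on the ESP proposal for PFS, a leading @ on the IDs so they go out as type FQDN), lints a conn section for exactly those problems, and gathers the router-side checks for the symptom in the latest message, where the CHILD_SA is INSTALLED but ping gets nowhere. The function names, the constructed conn excerpts and the ip/iptables commands in tunnel_checks are this example's own assumptions (an OpenWRT 15.05 router with iptables and the xt_policy match from kmod-ipt-ipsec); the NAT and forwarding checks go a little beyond what the thread states, because those are the usual reasons a policy-based tunnel shows 0 bytes_o on OpenWRT. modp1024 is kept only because DH2 is what the TL-ER6120 offers in the posted configuration.

```shell
#!/bin/sh
# Added example for this thread; not code from the posts, strongSwan or OpenWRT.
# Function names, the conn excerpts and the commands in tunnel_checks are this
# example's own assumptions (an OpenWRT 15.05 router with iptables and the
# xt_policy match from kmod-ipt-ipsec).

# The conn lines from the thread that matter for interop (constructed copy).
posted_conn() {
cat <<'EOF'
conn somename
    keyexchange=ikev2
    ike=3des-md5-modp1024!
    esp=3des-md5!
    leftid=B.B.B.B
    rightid=A.A.A.A
EOF
}

# The same lines with Noel's changes: IKEv1 main mode like the TP-Link,
# AES-128/SHA1 instead of 3DES/MD5, PFS group DH2 (modp1024) on the ESP
# proposal, and a leading @ so charon sends the IDs as type FQDN.
corrected_conn() {
cat <<'EOF'
conn somename
    keyexchange=ikev1
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1-modp1024!
    leftid=@B.B.B.B
    rightid=@A.A.A.A
EOF
}

# conn_value CONF KEY: value of the first "KEY=" line in a conn section.
conn_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | sed -n '1p'
}

# lint_conn: read a conn section on stdin, print one finding per line,
# then "findings: N" (N = 0 means none of the thread's problems is present).
lint_conn() {
    conf=$(cat)
    n=0
    kx=$(conn_value "$conf" keyexchange)
    ike=$(conn_value "$conf" ike | tr 'A-Z' 'a-z')
    esp=$(conn_value "$conf" esp | tr 'A-Z' 'a-z')
    if [ "$kx" != "ikev1" ]; then
        echo "keyexchange=$kx: the TL-ER6120 speaks IKEv1 main mode; set keyexchange=ikev1"
        n=$((n + 1))
    fi
    case "$ike" in *3des*|*md5*)
        echo "ike=$ike: 3DES/MD5 are slow and weak; use aes128-sha1-modp1024!"
        n=$((n + 1)) ;;
    esac
    case "$esp" in *3des*|*md5*)
        echo "esp=$esp: 3DES/MD5 are slow and weak; use aes128-sha1"
        n=$((n + 1)) ;;
    esac
    case "$esp" in *modp*) ;; *)
        echo "esp=$esp: peer has PFS=DH2 but no DH group here; append -modp1024"
        n=$((n + 1)) ;;
    esac
    for side in leftid rightid; do
        id=$(conn_value "$conf" "$side")
        case "$id" in @*) ;; *)
            echo "$side=$id: peer expects ID type FQDN; write $side=@$id"
            n=$((n + 1)) ;;
        esac
    done
    echo "findings: $n"
}

# tunnel_checks: run on the OpenWRT router once 'ipsec statusall' shows the
# CHILD_SA INSTALLED. A policy-based tunnel has no interface and no route of
# its own: packets for 192.168.1.0/24 leave via the normal WAN route and the
# kernel's xfrm policies grab them on the way, so these are the places to look.
tunnel_checks() {
    # Policies charon installed: expect out/in/fwd entries for the two subnets.
    ip xfrm policy
    # Plain routing must already send far-LAN traffic towards the WAN.
    ip route get 192.168.1.1 from 192.168.2.1
    # Per-SA byte counters: bytes_o stuck at 0 after a ping means the packets
    # never matched the policy; bytes_o rising with bytes_i 0 means no reply.
    ipsec statusall | grep bytes_
    # OpenWRT masquerades LAN to WAN. A packet rewritten to B.B.B.B no longer
    # matches 192.168.2.0/24 === 192.168.1.0/24 and would go out in the clear,
    # so exempt tunnel traffic before the MASQUERADE rule (quick test only;
    # persist it in /etc/config/firewall or it is lost on the next reload).
    iptables -t nat -I POSTROUTING 1 -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
    # Decrypted packets enter on the WAN interface, so the forward chain must
    # accept traffic covered by an IPsec policy in both directions.
    iptables -I FORWARD 1 -m policy --dir in  --pol ipsec -j ACCEPT
    iptables -I FORWARD 1 -m policy --dir out --pol ipsec -j ACCEPT
    # ESP (IP protocol 50) and NAT-T on UDP 4500 should be accepted explicitly;
    # relying on conntrack to let the peer's ESP in is fragile.
    iptables -I INPUT 1 -p esp -j ACCEPT
    iptables -I INPUT 1 -p udp --dport 4500 -j ACCEPT
}

case "${1:-}" in
    lint)   posted_conn | lint_conn ;;
    checks) tunnel_checks ;;
esac
```

Save it as, say, ipsec-lint.sh: `sh ipsec-lint.sh lint` prints the six findings for the posted conn (keyexchange, ike, esp ciphers, missing DH group, both IDs) and `findings: 0` if you pipe corrected_conn through lint_conn instead; `sh ipsec-lint.sh checks` is for the router. Two caveats a practitioner would want: the @ goes in front of the ID (leftid=@B.B.B.B), and the posted ipsec.secrets lines need no change, since with IKEv1 main mode charon has to pick the PSK by peer IP before any ID is exchanged. For the routing question, there is nothing to add to the routing table for a policy-based tunnel: look at `ip xfrm policy` and the bytes_i/bytes_o counters rather than at the interface list.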