[strongSwan] IPsec - between TL-ER6120 and OpenWRT with strongSwan [beginner]
Noel Kuntze
noel at familie-kuntze.de
Mon Jul 20 16:14:41 CEST 2015
Hello Tomek,
Read the introduction to strongswan and the article
about forwarding and split tunneling on the wiki.
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 20.07.2015 at 16:13, tomek_byd at tlen.pl wrote:
> Hello!
>
> I have made a lot of progress. The IPsec connection is set up properly.
> Unfortunately ping does not work between networks. In OpenVPN I had
> tunnels in interfaces with their own addresses. I set up routing
> between them. Now I don't see the ends of the IPsec tunnel in
> interfaces and don't know how to set routing.
>
> root at SomeWRT:~# ipsec statusall
> no files found matching '/etc/strongswan.d/*.conf'
> Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.10.49, mips):
> uptime: 11 seconds, since Jul 20 15:58:34 2015
> malloc: sbrk 122880, mmap 0, used 116464, free 6416
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 1
> loaded plugins: charon aes des sha1 sha2 md5 random nonce x509
> revocation constraints pubkey pkcs1 pgp dnskey pem fips-prf gmp xcbc
> hmac attr kernel-netlink resolve socket-default stroke updown
> xauth-generic
> Listening IP addresses:
> 192.168.2.1
> Connections:
> somename: B.B.B.B...A.A.A.A IKEv1
> somename: local: [B.B.B.B] uses pre-shared key authentication
> somename: remote: [A.A.A.A] uses pre-shared key authentication
> somename: child: 192.168.2.0/24 === 192.168.1.0/24 TUNNEL
> Security Associations (1 up, 0 connecting):
> somename[2]: ESTABLISHED 10 seconds ago, B.B.B.B[B.B.B.B]...A.A.A.A[A.A.A.A]
> somename[2]: IKEv1 SPIs: xxxxxxxxxxxxxxxx_i xxxxxxxxxxxxxxxx_r*,
> rekeying disabled
> somename[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> somename{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: xxxxxxxx_i xxxxxxxx_o
> somename{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
> somename{1}: 192.168.2.0/24 === 192.168.1.0/24
>
> 2015-07-20 14:19 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
> Hello Tomek,
>
> I can tell from "Exchange Mode: Main" that it uses IKEv1.
> Append an @ to the IDs on the strongSwan side
> to force charon to send the ID as type FQDN,
> which the other side expects (you set ID type to FQDN).
> Use AES-128 instead of 3DES. You should also
> use SHA1, not MD5. Furthermore, you enabled PFS in
> the configuration on the TP link, but not in strongSwan.
> Append the correct dh group to your ESP cipher settings.
>
> Look at the logs in the webinterface to find out what the TP link
> side doesn't like.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 20.07.2015 at 13:58, tomek_byd at tlen.pl wrote:
> >>> Hello!
> >>>
> >>> After the change from IKEv1 to IKEv2 I have errors as shown below. In
> >>> the TP-Link settings I don't see any option to change IKEv1/v2. I
> >>> don't know what is even set in the TP-Link. A sample panel is visible on
> >>> http://www.tp-link.com.pl/resources/simulator/TL-ER6120(UN)/userRpm/Index.htm.
> >>> What is best to change 3DES to?
> >>>
> >>> root at SomeWRT:~# ipsec up somename
> >>> no files found matching '/etc/strongswan.d/*.conf'
> >>> initiating Main Mode IKE_SA somename[1] to A.A.A.A
> >>> generating ID_PROT request 0 [ SA V V V V ]
> >>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (152 bytes)
> >>> received packet: from A.A.A.A[500] to B.B.B.B[500] (56 bytes)
> >>> parsed INFORMATIONAL_V1 request 1324794912 [ N(NO_PROP) ]
> >>> received NO_PROPOSAL_CHOSEN error notify
> >>> establishing connection 'somename' failed
> >>>
> >>> 2015-07-19 22:32 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
> >>> Hello Tomek,
> >>>
> >>> Try using IKEv1, not IKEv2. And use a different cipher than 3DES. It is very slow.
> >>>
> >>> Mit freundlichen Grüßen/Kind Regards,
> >>> Noel Kuntze
> >>>
> >>> GPG Key ID: 0x63EC6658
> >>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >>>
> >>> On 19.07.2015 at 13:34, tomek_byd wrote:
> >>>>>> I don't know how to write the correct config file for the connection. My config is a conglomeration of many examples from the Internet. So far I haven't had contact with IPsec. I have control of both the TL-ER6120 and OpenWRT, so I can make changes on both devices. I see the error "IDr payload missing" but the parameter "leftid" is set in the config file.
> >>>>>>
> >>>>>> LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET <-> OpenWRT with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)
> >>>>>>
> >>>>>> TL-ER6120 configuration:
> >>>>>> IKE Proposal: MD5, 3DES, DH2
> >>>>>> IKE Policy:
> >>>>>> Exchange Mode: main,
> >>>>>> Local ID Type: FQDN,
> >>>>>> Local ID: A.A.A.A
> >>>>>> Remote ID Type: FQDN
> >>>>>> Remote ID: B.B.B.B
> >>>>>> Pre-shared Key: XXXXXX
> >>>>>> SA Lifetime: 28800
> >>>>>> DPD: Disable
> >>>>>> IPsec Proposal: ESP, MD5, 3DES
> >>>>>> IPsec Policy:
> >>>>>> Mode: LAN-to-LAN
> >>>>>> Local Subnet: 192.168.1.0/24
> >>>>>> Remote Subnet: 192.168.2.0/24
> >>>>>> WAN: WAN1
> >>>>>> Remote Gateway: B.B.B.B
> >>>>>> Policy Mode: IKE
> >>>>>> PFS: DH2
> >>>>>> SA Lifetime: 28800
> >>>>>>
> >>>>>> OpenWRT configuration:
> >>>>>> /etc/ipsec.conf:
> >>>>>> config setup
> >>>>>>     # strictcrlpolicy = no
> >>>>>>     # uniqueids = no
> >>>>>> conn somename
> >>>>>>     ikelifetime=60m
> >>>>>>     keylife=20m
> >>>>>>     rekeymargin=3m
> >>>>>>     keyingtries=1
> >>>>>>     keyexchange=ikev2
> >>>>>>     type=tunnel
> >>>>>>     authby=secret
> >>>>>>     ike=3des-md5-modp1024!
> >>>>>>     esp=3des-md5!
> >>>>>>     rekey=no
> >>>>>>     left=B.B.B.B
> >>>>>>     leftid=B.B.B.B
> >>>>>>     leftsubnet=192.168.2.0/24
> >>>>>>     leftauth=psk
> >>>>>>     right=A.A.A.A
> >>>>>>     rightid=A.A.A.A
> >>>>>>     rightsubnet=192.168.1.0/24
> >>>>>>     rightauth=psk
> >>>>>>     dpdaction=none
> >>>>>>     auto=add
> >>>>>>     mobike=no
> >>>>>>
> >>>>>> /etc/ipsec.secrets:
> >>>>>> A.A.A.A : PSK "XXXXXX"
> >>>>>> B.B.B.B : PSK "XXXXXX"
> >>>>>>
> >>>>>> Output:
> >>>>>> root at SomeWRT:~# ipsec up somename
> >>>>>> no files found matching '/etc/strongswan.d/*.conf'
> >>>>>> initiating IKE_SA somename[1] to A.A.A.A
> >>>>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
> >>>>>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (316 bytes)
> >>>>>> received packet: from A.A.A.A[500] to B.B.B.B[500] (332 bytes)
> >>>>>> parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
> >>>>>> local host is behind NAT, sending keep alives
> >>>>>> remote host is behind NAT
> >>>>>> authentication of 'B.B.B.B' (myself) with pre-shared key
> >>>>>> establishing CHILD_SA somename
> >>>>>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
> >>>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (212 bytes)
> >>>>>> received packet: from A.A.A.A[4500] to B.B.B.B[4500] (68 bytes)
> >>>>>> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
> >>>>>> IDr payload missing
> >>>>>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> >>>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (68 bytes)
> >>>>>> establishing connection 'somename' failed
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> Users mailing list
> >>>>>> Users at lists.strongswan.org
> >>>>>> https://lists.strongswan.org/mailman/listinfo/users
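An added example, not part of the thread and not strongSwan's own documentation, that puts Noel's two replies together for the OpenWrt side: the IKEv1, AES-128/SHA1, PFS (DH2) settings with @-prefixed FQDN IDs, and the firewall rules a policy-based tunnel needs, since there is no tunnel interface to route through and OpenWrt's usual LAN-to-WAN masquerade would otherwise rewrite the source address before the 192.168.2.0/24 === 192.168.1.0/24 policy can match. Assumed: the WAN interface name (eth0) and that the standard masquerade is active.

```shell
#!/bin/sh
# Added example: strongSwan on OpenWrt as a policy-based peer of the TL-ER6120.
# There is no tunnel interface, so no routes are added; packets are selected by the
# kernel's IPsec policy, and the firewall must (1) let IKE and ESP in on the WAN,
# (2) forward packets covered by that policy and (3) keep MASQUERADE from rewriting
# their source address, which would stop 192.168.2.0/24 === 192.168.1.0/24 matching.

LOCAL_NET="192.168.2.0/24"    # LAN B behind OpenWrt (from the thread)
REMOTE_NET="192.168.1.0/24"   # LAN A behind the TL-ER6120 (from the thread)
WAN_IF="${WAN_IF:-eth0}"      # assumed WAN interface name
IPT="${IPT:-iptables}"        # IPT=echo prints the rules instead of installing them

# Prints an ipsec.conf conn block with the settings Noel suggested: IKEv1 main mode,
# AES-128/SHA1 with DH2 (modp1024) for IKE and as ESP PFS, and @-prefixed FQDN IDs.
ipsec_conf() {
    cat <<EOF
conn somename
    keyexchange=ikev1
    authby=secret
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1-modp1024!
    left=B.B.B.B
    leftid=@B.B.B.B
    leftsubnet=$LOCAL_NET
    right=A.A.A.A
    rightid=@A.A.A.A
    rightsubnet=$REMOTE_NET
    auto=add
EOF
}

# Firewall rules for a policy-based tunnel (no interface to bind a zone to).
ipsec_firewall_rules() {
    # 1. IKE, NAT-T and ESP from the remote gateway must reach charon / the kernel.
    "$IPT" -I INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT
    "$IPT" -I INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    "$IPT" -I INPUT -i "$WAN_IF" -p esp -j ACCEPT
    # 2. Forward only packets that came out of, or will go into, the IPsec policy.
    "$IPT" -I FORWARD -m policy --dir in --pol ipsec --proto esp \
        -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    "$IPT" -I FORWARD -m policy --dir out --pol ipsec --proto esp \
        -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    # 3. Exempt policy-matched traffic from the LAN->WAN masquerade.
    "$IPT" -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
}
```

On OpenWrt of that era the body of ipsec_firewall_rules belongs in /etc/firewall.user so it survives firewall reloads; run the script with IPT=echo first to review the rules before installing them.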