[strongSwan] IPsec - between TL-ER6120 and OpenWRT with strongSwan [beginner]

tomek_byd at tlen.pl tomek_byd at tlen.pl
Tue Jul 21 10:30:01 CEST 2015


Hello!

I have read both articles and it did not explain anything to me. I have:
net.ipv4.ip_forward=1 in sysctl.conf
leftfirewall=yes, rightsubnet in ipsec.conf

On TP-Link I see in route table:
destination: 192.168.2.0/24, gateway: N/A, flags: S, logical
interface: eth1, physical interface: wan1, metric: 0

On OpenWRT I don't have routes for 192.168.1.0/24

I can't ping 192.168.2.1 from A.A.A.A and I can't ping 192.168.1.1 from B.B.B.B

2015-07-20 16:14 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
>
> Hello Tomek,
>
> Read the introduction to strongswan and the article
> about forwarding and split tunneling on the wiki.
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 20.07.2015 at 16:13, tomek_byd at tlen.pl wrote:
>> Hello!
>>
>> I have made a lot of progress. The IPsec connection is set up properly.
>> Unfortunately ping does not work between networks. In OpenVPN I had
>> tunnels in interfaces with their own addresses. I set up routing
>> between them. Now I don't see the ends of the IPsec tunnel in
>> interfaces and don't know how to set routing.
>>
>> root at SomeWRT:~# ipsec statusall
>> no files found matching '/etc/strongswan.d/*.conf'
>> Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.10.49, mips):
>>   uptime: 11 seconds, since Jul 20 15:58:34 2015
>>   malloc: sbrk 122880, mmap 0, used 116464, free 6416
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> scheduled: 1
>>   loaded plugins: charon aes des sha1 sha2 md5 random nonce x509
>> revocation constraints pubkey pkcs1 pgp dnskey pem fips-prf gmp xcbc
>> hmac attr kernel-netlink resolve socket-default stroke updown
>> xauth-generic
>> Listening IP addresses:
>>   192.168.2.1
>> Connections:
>> somename:  B.B.B.B...A.A.A.A  IKEv1
>> somename:   local:  [B.B.B.B] uses pre-shared key authentication
>> somename:   remote: [A.A.A.A] uses pre-shared key authentication
>> somename:   child:  192.168.2.0/24 === 192.168.1.0/24 TUNNEL
>> Security Associations (1 up, 0 connecting):
>> somename[2]: ESTABLISHED 10 seconds ago, B.B.B.B[B.B.B.B]...A.A.A.A[A.A.A.A]
>> somename[2]: IKEv1 SPIs: xxxxxxxxxxxxxxxx_i xxxxxxxxxxxxxxxx_r*,
>> rekeying disabled
>> somename[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> somename{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: xxxxxxxx_i xxxxxxxx_o
>> somename{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
>> somename{1}:   192.168.2.0/24 === 192.168.1.0/24
>>
>> 2015-07-20 14:19 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
>> Hello Tomek,
>>
>> I can tell from "Exchange Mode: Main" that it uses IKEv1.
>> Append an @ to the IDs  on the strongSwan side
>> to force charon to send the ID as type FQDN,
>> which the other side expects (you set ID type to FQDN).
>> Use AES-128 instead of 3DES. You should also
>> use SHA1, not MD5. Furthermore, you enabled PFS in
>> the configuration on the TP link, but not in strongSwan.
>> Append the correct dh group to your ESP cipher settings.
>>
>> Look at the logs in the web interface to find out what the TP-Link
>> side doesn't like.
>>
>> Kind Regards,
>> Noel Kuntze
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 20.07.2015 at 13:58, tomek_byd at tlen.pl wrote:
>> >>> Hello!
>> >>>
>> >>> After the change from IKEv1 to IKEv2 I have errors as shown below. In
>> >>> the TP-Link settings I don't see the possibility to change IKEv1/v2. I
>> >>> don't know what is even set in TP-Link. A sample panel is visible at
>> >>> http://www.tp-link.com.pl/resources/simulator/TL-ER6120(UN)/userRpm/Index.htm.
>> >>> What is best to change 3DES to?
>> >>>
>> >>> root at SomeWRT:~# ipsec up somename
>> >>> no files found matching '/etc/strongswan.d/*.conf'
>> >>> initiating Main Mode IKE_SA somename[1] to A.A.A.A
>> >>> generating ID_PROT request 0 [ SA V V V V ]
>> >>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (152 bytes)
>> >>> received packet: from A.A.A.A[500] to B.B.B.B[500] (56 bytes)
>> >>> parsed INFORMATIONAL_V1 request 1324794912 [ N(NO_PROP) ]
>> >>> received NO_PROPOSAL_CHOSEN error notify
>> >>> establishing connection 'somename' failed
>> >>>
>> >>> 2015-07-19 22:32 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
>> >>>>
>> >>> Hello Tomek,
>> >>>
>> >>> Try using IKEv1, not IKEv2. And use a different cipher than 3DES. It is very slow.
>> >>>
>> >>> Kind Regards,
>> >>> Noel Kuntze
>> >>>
>> >>> GPG Key ID: 0x63EC6658
>> >>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> >>>
>> >>> On 19.07.2015 at 13:34, tomek_byd wrote:
>> >>>>>> I don't know how to write the correct config file for the connection. My config is a conglomeration of many examples from the Internet. So far I haven't had contact with IPsec. I'm in control of the TL-ER6120 and OpenWRT, so I can make changes on both devices. I see the error "IDr payload missing", but the parameter "leftid" is set in the config file.
>> >>>>>>
>> >>>>>> LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET <-> OpenWRT with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)
>> >>>>>>
>> >>>>>> TL-ER6120 configuration:
>> >>>>>> IKE Proposal: MD5, 3DES, DH2
>> >>>>>> IKE Policy:
>> >>>>>>   Exchange Mode: main,
>> >>>>>>   Local ID Type: FQDN,
>> >>>>>>   Local ID: A.A.A.A
>> >>>>>>   Remote ID Type: FQDN
>> >>>>>>   Remote ID: B.B.B.B
>> >>>>>>   Pre-shared Key: XXXXXX
>> >>>>>>   SA Lifetime: 28800
>> >>>>>>   DPD: Disable
>> >>>>>> IPsec Proposal: ESP, MD5, 3DES
>> >>>>>> IPsec Policy:
>> >>>>>>   Mode: LAN-to-LAN
>> >>>>>>   Local Subnet: 192.168.1.0/24
>> >>>>>>   Remote Subnet: 192.168.2.0/24
>> >>>>>>   WAN: WAN1
>> >>>>>>   Remote Gateway: B.B.B.B
>> >>>>>>   Policy Mode: IKE
>> >>>>>>   PFS: DH2
>> >>>>>>   SA Lifetime: 28800
>> >>>>>>
>> >>>>>> OpenWRT configuration:
>> >>>>>> /etc/ipsec.conf:
>> >>>>>> config setup
>> >>>>>>     # strictcrlpolicy = no
>> >>>>>>     # uniqueids = no
>> >>>>>> conn somename
>> >>>>>>     ikelifetime=60m
>> >>>>>>     keylife=20m
>> >>>>>>     rekeymargin=3m
>> >>>>>>     keyingtries=1
>> >>>>>>     keyexchange=ikev2
>> >>>>>>     type=tunnel
>> >>>>>>     authby=secret
>> >>>>>>     ike=3des-md5-modp1024!
>> >>>>>>     esp=3des-md5!
>> >>>>>>     rekey=no
>> >>>>>>     left=B.B.B.B
>> >>>>>>     leftid=B.B.B.B
>> >>>>>>     leftsubnet=192.168.2.0/24
>> >>>>>>     leftauth=psk
>> >>>>>>     right=A.A.A.A
>> >>>>>>     rightid=A.A.A.A
>> >>>>>>     rightsubnet=192.168.1.0/24
>> >>>>>>     rightauth=psk
>> >>>>>>     dpdaction=none
>> >>>>>>     auto=add
>> >>>>>>     mobike=no
>> >>>>>> /etc/ipsec.secrets
>> >>>>>> A.A.A.A : PSK "XXXXXX"
>> >>>>>> B.B.B.B : PSK "XXXXXX"
>> >>>>>>
>> >>>>>> Output:
>> >>>>>> root at SomeWRT:~# ipsec up somename
>> >>>>>> no files found matching '/etc/strongswan.d/*.conf'
>> >>>>>> initiating IKE_SA somename[1] to A.A.A.A
>> >>>>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
>> >>>>>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (316 bytes)
>> >>>>>> received packet: from A.A.A.A[500] to B.B.B.B[500] (332 bytes)
>> >>>>>> parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
>> >>>>>> local host is behind NAT, sending keep alives
>> >>>>>> remote host is behind NAT
>> >>>>>> authentication of 'B.B.B.B' (myself) with pre-shared key
>> >>>>>> establishing CHILD_SA somename
>> >>>>>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
>> >>>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (212 bytes)
>> >>>>>> received packet: from A.A.A.A[4500] to B.B.B.B[4500] (68 bytes)
>> >>>>>> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
>> >>>>>> IDr payload missing
>> >>>>>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>> >>>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (68 bytes)
>> >>>>>> establishing connection 'somename' failed
>> >>>>>>
>> >>>>>> _______________________________________________
>> >>>>>> Users mailing list
>> >>>>>> Users at lists.strongswan.org
>> >>>>>> https://lists.strongswan.org/mailman/listinfo/users

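The mismatches the thread walks through (Main Mode peer vs. keyexchange=ikev2, PFS enabled on the TP-Link but no DH group in esp=, IDs not sent as FQDN) can be caught by reading the conn section and comparing it with the peer's posted policy. This is an added example, not code from the thread or from strongSwan; the conn text and the TPLINK_POLICY dict are constructed from the settings posted above, and DH2 is written as modp1024, strongSwan's name for that group.

```python
# Constructed sample: the conn block as originally posted in the thread (before the fixes).
IPSEC_CONF = """
conn somename
    keyexchange=ikev2
    ike=3des-md5-modp1024!
    esp=3des-md5!
    leftid=B.B.B.B
    leftsubnet=192.168.2.0/24
    rightid=A.A.A.A
    rightsubnet=192.168.1.0/24
"""

# The TP-Link policy as posted: Main Mode (IKEv1), MD5/3DES/DH2, PFS DH2, FQDN IDs.
TPLINK_POLICY = {"exchange": "main", "ike": ("3des", "md5", "modp1024"),
                 "esp": ("3des", "md5"), "pfs": "modp1024", "id_type": "fqdn"}

def parse_conn(text, name):
    """Return the key=value settings of the named 'conn' section as a dict."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if line and not line[0].isspace():      # unindented line: a section header
            inside = line.split() == ["conn", name]
        elif inside and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def split_proposal(value):
    """'3des-md5-modp1024!' -> ('3des', 'md5', 'modp1024'); the strict '!' is dropped."""
    return tuple(p for p in value.rstrip("!").split("-") if p)

def check_against_peer(conn, peer):
    """List the settings the peer would reject; an empty list means they agree."""
    problems = []
    if peer["exchange"] == "main" and conn.get("keyexchange") != "ikev1":
        problems.append("keyexchange: a Main Mode peer needs ikev1, not ikev2")
    if split_proposal(conn.get("ike", "")) != peer["ike"]:
        problems.append("ike: proposal differs from the peer's IKE proposal")
    esp = split_proposal(conn.get("esp", ""))
    if esp[:2] != peer["esp"]:
        problems.append("esp: proposal differs from the peer's IPsec proposal")
    if peer["pfs"] and esp[2:3] != (peer["pfs"],):
        problems.append("esp: peer enables PFS, append its DH group (e.g. modp1024)")
    if peer["id_type"] == "fqdn":
        for key in ("leftid", "rightid"):
            if not conn.get(key, "").startswith("@"):
                problems.append(f"{key}: prefix with '@' so charon sends it as FQDN")
    return problems
```

Running check_against_peer on the posted conn reports the keyexchange, PFS and both ID problems; with keyexchange=ikev1, esp=3des-md5-modp1024! and @-prefixed IDs it reports none.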
