[strongSwan] IPsec - between TL-ER6120 and OpenWRT with strongSwan [beginner]

Noel Kuntze noel at familie-kuntze.de
Tue Jul 21 11:47:01 CEST 2015



Hello Tomek,

There is more information in the articles.

1) IPsec on modern Linux is policy based, not route based. strongSwan takes care of all the
    policies and routes that are needed to make it work.
2) Packets that don't match the negotiated policies are not transported over the tunnel.
    Your OpenWRT box sends traffic to 192.168.1.0/24 from its address on the WAN interface,
    which does not work, because it's not covered by a policy. The same probably happens for
    the TP-Link device.
3) Local NAT breaks IPsec, because NAT happens before the policy lookup. You need to exempt
    traffic with a matching policy from NAT.
4) The OpenWRT firewall structure is inherently incompatible with the interfaceless nature of IPsec
    on Linux. You should redesign the firewall rules manually and stop using LuCI.


Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 21.07.2015 um 10:30 schrieb tomek_byd at tlen.pl:
> Hello!
>
> I have read both articles and it did not explain anything to me. I have:
> net.ipv4.ip_forward=1 in sysctl.conf
> leftfirewall=yes, rightsubnet in ipsec.conf
>
> On TP-Link I see in route table:
> destination: 192.168.2.0/24, gateway: N/A, flags: S, logical
> interface: eth1, physical interface: wan1, metric: 0
>
> On OpenWRT I have no routes for 192.168.1.0/24
>
> I can't ping 192.168.2.1 from A.A.A.A and I can't ping 192.168.1.1 from B.B.B.B
>
> 2015-07-20 16:14 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
>>
> Hello Tomek,
>
> Read the introduction to strongswan and the article
> about forwarding and split tunneling on the wiki.
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 20.07.2015 um 16:13 schrieb tomek_byd at tlen.pl:
> >>> Hello!
> >>>
> >>> I have made a lot of progress. The IPsec connection is set up properly.
> >>> Unfortunately ping does not work between networks. In OpenVPN I had
> >>> tunnels in interfaces with their own addresses. I set up routing
> >>> between them. Now I don't see the ends of the IPsec tunnel in
> >>> interfaces and don't know how to set routing.
> >>>
> >>> root at SomeWRT:~# ipsec statusall
> >>> no files found matching '/etc/strongswan.d/*.conf'
> >>> Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.10.49, mips):
> >>>   uptime: 11 seconds, since Jul 20 15:58:34 2015
> >>>   malloc: sbrk 122880, mmap 0, used 116464, free 6416
> >>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> >>> scheduled: 1
> >>>   loaded plugins: charon aes des sha1 sha2 md5 random nonce x509
> >>> revocation constraints pubkey pkcs1 pgp dnskey pem fips-prf gmp xcbc
> >>> hmac attr kernel-netlink resolve socket-default stroke updown
> >>> xauth-generic
> >>> Listening IP addresses:
> >>>   192.168.2.1
> >>> Connections:
> >>> somename:  B.B.B.B...A.A.A.A  IKEv1
> >>> somename:   local:  [B.B.B.B] uses pre-shared key authentication
> >>> somename:   remote: [A.A.A.A] uses pre-shared key authentication
> >>> somename:   child:  192.168.2.0/24 === 192.168.1.0/24 TUNNEL
> >>> Security Associations (1 up, 0 connecting):
> >>> somename[2]: ESTABLISHED 10 seconds ago, B.B.B.B[B.B.B.B]...A.A.A.A[A.A.A.A]
> >>> somename[2]: IKEv1 SPIs: xxxxxxxxxxxxxxxx_i xxxxxxxxxxxxxxxx_r*,
> >>> rekeying disabled
> >>> somename[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> >>> somename{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: xxxxxxxx_i xxxxxxxx_o
> >>> somename{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
> >>> somename{1}:   192.168.2.0/24 === 192.168.1.0/24
> >>>
> >>> 2015-07-20 14:19 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
> >>> Hello Tomek,
> >>>
> >>> I can tell from "Exchange Mode: Main" that it uses IKEv1.
> >>> Append an @ to the IDs  on the strongSwan side
> >>> to force charon to send the ID as type FQDN,
> >>> which the other side expects (you set ID type to FQDN).
> >>> Use AES-128 instead of 3DES. You should also
> >>> use SHA1, not MD5. Furthermore, you enabled PFS in
> >>> the configuration on the TP link, but not in strongSwan.
> >>> Append the correct dh group to your ESP cipher settings.
> >>>
> >>> Look at the logs in the webinterface to find out what the TP link
> >>> side doesn't like.
> >>>
> >>> Mit freundlichen Grüßen/Regards,
> >>> Noel Kuntze
> >>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >>>
> >>> Am 20.07.2015 um 13:58 schrieb tomek_byd at tlen.pl:
> >>>>>> Hello!
> >>>>>>
> >>>>>> After the change from IKEv1 to IKEv2 I have errors as shown below. In
> >>>>>> the TP-Link settings I don't see the possibility to change IKEv1/v2. I
> >>>>>> don't know what is even set in TP-Link. A sample panel is visible on
> >>>>>> http://www.tp-link.com.pl/resources/simulator/TL-ER6120(UN)/userRpm/Index.htm.
> >>>>>> What is best to change 3DES to?
> >>>>>>
> >>>>>> root at SomeWRT:~# ipsec up somename
> >>>>>> no files found matching '/etc/strongswan.d/*.conf'
> >>>>>> initiating Main Mode IKE_SA somename[1] to A.A.A.A
> >>>>>> generating ID_PROT request 0 [ SA V V V V ]
> >>>>>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (152 bytes)
> >>>>>> received packet: from A.A.A.A[500] to B.B.B.B[500] (56 bytes)
> >>>>>> parsed INFORMATIONAL_V1 request 1324794912 [ N(NO_PROP) ]
> >>>>>> received NO_PROPOSAL_CHOSEN error notify
> >>>>>> establishing connection 'somename' failed
> >>>>>>
> >>>>>> 2015-07-19 22:32 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
> >>>>>>>
> >>>>>> Hello Tomek,
> >>>>>>
> >>>>>> Try using IKEv1, not IKEv2. And use a different cipher than 3DES. It is very slow.
> >>>>>>
> >>>>>> Mit freundlichen Grüßen/Kind Regards,
> >>>>>> Noel Kuntze
> >>>>>>
> >>>>>> GPG Key ID: 0x63EC6658
> >>>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >>>>>>
> >>>>>> Am 19.07.2015 um 13:34 schrieb tomek_byd:
> >>>>>>>>> I don't know how to write the correct config file for the connection. My config is a conglomeration of many examples from the Internet. So far I haven't had contact with IPsec. I'm in control of both the TL-ER6120 and OpenWRT, so I can make changes on both devices. I see the error "IDr payload missing" but the parameter "leftid" is set in the config file.
> >>>>>>>>>
> >>>>>>>>> LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET <-> OpenWRT with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)
> >>>>>>>>>
> >>>>>>>>> TL-ER6120 configuration:
> >>>>>>>>> IKE Proposal: MD5, 3DES, DH2
> >>>>>>>>> IKE Policy:
> >>>>>>>>>   Exchange Mode: main,
> >>>>>>>>>   Local ID Type: FQDN,
> >>>>>>>>>   Local ID: A.A.A.A
> >>>>>>>>>   Remote ID Type: FQDN
> >>>>>>>>>   Remote ID: B.B.B.B
> >>>>>>>>>   Pre-shared Key: XXXXXX
> >>>>>>>>>   SA Lifetime: 28800
> >>>>>>>>>   DPD: Disable
> >>>>>>>>> IPsec Proposal: ESP, MD5, 3DES
> >>>>>>>>> IPsec Policy:
> >>>>>>>>>   Mode: LAN-to-LAN
> >>>>>>>>>   Local Subnet: 192.168.1.0/24
> >>>>>>>>>   Remote Subnet: 192.168.2.0/24
> >>>>>>>>>   WAN: WAN1
> >>>>>>>>>   Remote Gateway: B.B.B.B
> >>>>>>>>>   Policy Mode: IKE
> >>>>>>>>>   PFS: DH2
> >>>>>>>>>   SA Lifetime: 28800
> >>>>>>>>>
> >>>>>>>>> OpenWRT configuration:
> >>>>>>>>> /etc/ipsec.conf:
> >>>>>>>>> config setup
> >>>>>>>>>     # strictcrlpolicy = no
> >>>>>>>>>     # uniqueids = no
> >>>>>>>>> conn somename
> >>>>>>>>>     ikelifetime=60m
> >>>>>>>>>     keylife=20m
> >>>>>>>>>     rekeymargin=3m
> >>>>>>>>>     keyingtries=1
> >>>>>>>>>     keyexchange=ikev2
> >>>>>>>>>     type=tunnel
> >>>>>>>>>     authby=secret
> >>>>>>>>>     ike=3des-md5-modp1024!
> >>>>>>>>>     esp=3des-md5!
> >>>>>>>>>     rekey=no
> >>>>>>>>>     left=B.B.B.B
> >>>>>>>>>     leftid=B.B.B.B
> >>>>>>>>>     leftsubnet=192.168.2.0/24
> >>>>>>>>>     leftauth=psk
> >>>>>>>>>     right=A.A.A.A
> >>>>>>>>>     rightid=A.A.A.A
> >>>>>>>>>     rightsubnet=192.168.1.0/24
> >>>>>>>>>     rightauth=psk
> >>>>>>>>>     dpdaction=none
> >>>>>>>>>     auto=add
> >>>>>>>>>     mobike=no
> >>>>>>>>> /etc/ipsec.secrets
> >>>>>>>>> A.A.A.A : PSK "XXXXXX"
> >>>>>>>>> B.B.B.B : PSK "XXXXXX"
> >>>>>>>>>
> >>>>>>>>> Output:
> >>>>>>>>> root at SomeWRT:~# ipsec up somename
> >>>>>>>>> no files found matching '/etc/strongswan.d/*.conf'
> >>>>>>>>> initiating IKE_SA somename[1] to A.A.A.A
> >>>>>>>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
> >>>>>>>>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (316 bytes)
> >>>>>>>>> received packet: from A.A.A.A[500] to B.B.B.B[500] (332 bytes)
> >>>>>>>>> parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
> >>>>>>>>> local host is behind NAT, sending keep alives
> >>>>>>>>> remote host is behind NAT
> >>>>>>>>> authentication of 'B.B.B.B' (myself) with pre-shared key
> >>>>>>>>> establishing CHILD_SA somename
> >>>>>>>>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
> >>>>>>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (212 bytes)
> >>>>>>>>> received packet: from A.A.A.A[4500] to B.B.B.B[4500] (68 bytes)
> >>>>>>>>> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
> >>>>>>>>> IDr payload missing
> >>>>>>>>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> >>>>>>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (68 bytes)
> >>>>>>>>> establishing connection 'somename' failed
> >>>>>>>>>
> >>>>>>>>> _______________________________________________
> >>>>>>>>> Users mailing list
> >>>>>>>>> Users at lists.strongswan.org
> >>>>>>>>> https://lists.strongswan.org/mailman/listinfo/users
> >>>>>>
> >>>>>>>
>>

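Points 2 and 3 of Noel's reply (traffic is only tunnelled when it matches an installed policy, and NAT must be skipped for that traffic) can be checked mechanically against the CHILD_SA traffic selectors that `ipsec statusall` prints. The script below is an added example written for this archive page; it is not strongSwan code and not part of the thread. It parses a constructed `statusall` excerpt modelled on the one Tomek posted (203.0.113.2 and 198.51.100.7 are documentation-range placeholders standing in for B.B.B.B and A.A.A.A, and the SPIs are made up), decides whether a given source/destination pair would be covered by the policy, and emits the iptables NAT-exemption rules that must sit in front of the OpenWRT MASQUERADE rule.

```python
import ipaddress
import re

# Constructed sample of `ipsec statusall` output, modelled on the thread's
# CHILD_SA lines. 203.0.113.2 stands in for the OpenWRT WAN address B.B.B.B,
# 198.51.100.7 for the TP-Link A.A.A.A; SPIs are invented (constructed data).
STATUSALL = """\
Security Associations (1 up, 0 connecting):
somename[2]: ESTABLISHED 10 seconds ago, 203.0.113.2[203.0.113.2]...198.51.100.7[198.51.100.7]
somename{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0ffee01_i c0ffee02_o
somename{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
somename{1}:   192.168.2.0/24 === 192.168.1.0/24
"""

# Matches the traffic-selector line of a CHILD_SA: "<conn>{<n>}: <local> === <remote>".
# Only plain subnet selectors are handled (no port/protocol suffixes).
CHILD_TS_RE = re.compile(r"^(\S+)\{\d+\}:\s+(.+?) === (.+)$")


def parse_child_selectors(text):
    """Return {conn_name: [(local_net, remote_net), ...]} from statusall output."""
    selectors = {}
    for line in text.splitlines():
        m = CHILD_TS_RE.match(line.strip())
        if not m:
            continue
        name, local_side, remote_side = m.groups()
        local_nets = [ipaddress.ip_network(s) for s in local_side.split()]
        remote_nets = [ipaddress.ip_network(s) for s in remote_side.split()]
        # Each local/remote subnet combination is one policy the kernel installs.
        for local_net in local_nets:
            for remote_net in remote_nets:
                selectors.setdefault(name, []).append((local_net, remote_net))
    return selectors


def policy_covers(selectors, src, dst):
    """True if a packet src -> dst matches an installed outbound IPsec policy.

    This is why a ping from the WAN address to the remote LAN is not tunnelled:
    the WAN address lies outside every negotiated local selector.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in local_net and dst in remote_net
               for pairs in selectors.values()
               for local_net, remote_net in pairs)


def nat_exempt_rules(selectors):
    """iptables commands that accept (skip NAT for) policy-matched traffic.

    Inserted at the top of nat/POSTROUTING they run before MASQUERADE, so the
    packet still carries its LAN source address when the policy lookup happens.
    The -m policy match restricts the exemption to traffic IPsec will protect.
    """
    rules = []
    for pairs in selectors.values():
        for local_net, remote_net in pairs:
            rules.append(
                f"iptables -t nat -I POSTROUTING -s {local_net} -d {remote_net} "
                f"-m policy --dir out --pol ipsec -j ACCEPT"
            )
    return rules


if __name__ == "__main__":
    sel = parse_child_selectors(STATUSALL)
    for src, dst in [("192.168.2.10", "192.168.1.1"), ("203.0.113.2", "192.168.1.1")]:
        verdict = "tunnelled" if policy_covers(sel, src, dst) else "NOT covered by any policy"
        print(f"{src} -> {dst}: {verdict}")
    for rule in nat_exempt_rules(sel):
        print(rule)
```

Run on the sample, the LAN-to-LAN pair is reported as tunnelled while the WAN-sourced ping is not, which is exactly the symptom in the thread. The generated rule has to be inserted ahead of the OpenWRT zone masquerading rule; with firewall rules still generated by LuCI it will be reordered or lost, which is the reason for point 4.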