[strongSwan] IPsec - between TL-ER6120 and OpenWRT with strongSwan [beginner]
tomek_byd at tlen.pl
Tue Jul 21 12:21:57 CEST 2015
Hello!
I add on OpenWRT:
# filter: allow forwarding to and from LAN A (192.168.1.0/24)
iptables -I FORWARD --src 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD --dst 192.168.1.0/24 -j ACCEPT
# nat: exempt LAN-to-LAN traffic and the IPsec protocols from masquerading
# (-I inserts these rules ahead of the MASQUERADE rule)
iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING -p ipcomp -j ACCEPT
iptables -t nat -I POSTROUTING -p ah -j ACCEPT
iptables -t nat -I POSTROUTING -p esp -j ACCEPT
These commands are enough. Now everything works well. Thanks for pointing out the problem.
2015-07-21 11:47 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello Tomek,
>
> There is more information in the articles.
>
> 1) IPsec on modern Linux is policy based, not route based. strongSwan takes care of all the
> policies and routes that are needed to make it work.
> 2) Packets that don't match the negotiated policies are not transported over the tunnel.
> Your OpenWRT box sends traffic to 192.168.1.0/24 from its address on the WAN interface,
> which does not work, because it's not covered by a policy. The same probably happens for
> the TP link device.
> 3) Local NAT breaks IPsec, because NAT happens before the policy lookup. You need to exempt
> traffic with a matching policy from NAT.
> 4) The OpenWRT firewall structure is inherently incompatible with the interfaceless nature of IPsec
> on Linux. You should redesign the firewall rules manually and stop using LuCI.
>
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 21.07.2015 at 10:30, tomek_byd at tlen.pl wrote:
>> Hello!
>>
>> I have read both articles and they did not explain anything to me. I have:
>> net.ipv4.ip_forward=1 in sysctl.conf
>> leftfirewall=yes, rightsubnet in ipsec.conf
>>
>> On TP-Link I see in route table:
>> destination: 192.168.2.0/24, gateway: N/A, flags: S, logical
>> interface: eth1, physical interface: wan1, metric: 0
>>
>> On OpenWRT I have no routes for 192.168.1.0/24
>>
>> I can't ping 192.168.2.1 from A.A.A.A and I can't ping 192.168.1.1 from B.B.B.B
>>
>> 2015-07-20 16:14 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
>>>
>> Hello Tomek,
>>
>> Read the introduction to strongswan and the article
>> about forwarding and split tunneling on the wiki.
>>
>> Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 20.07.2015 at 16:13, tomek_byd at tlen.pl wrote:
>> >>> Hello!
>> >>>
>> >>> I have made a lot of progress. The IPsec connection is set up properly.
>> >>> Unfortunately ping does not work between the networks. In OpenVPN I had
>> >>> tunnels as interfaces with their own addresses, and I set up routing
>> >>> between them. Now I don't see the ends of the IPsec tunnel among the
>> >>> interfaces and don't know how to set up routing.
>> >>>
>> >>> root at SomeWRT:~# ipsec statusall
>> >>> no files found matching '/etc/strongswan.d/*.conf'
>> >>> Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.10.49, mips):
>> >>> uptime: 11 seconds, since Jul 20 15:58:34 2015
>> >>> malloc: sbrk 122880, mmap 0, used 116464, free 6416
>> >>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> >>> scheduled: 1
>> >>> loaded plugins: charon aes des sha1 sha2 md5 random nonce x509
>> >>> revocation constraints pubkey pkcs1 pgp dnskey pem fips-prf gmp xcbc
>> >>> hmac attr kernel-netlink resolve socket-default stroke updown
>> >>> xauth-generic
>> >>> Listening IP addresses:
>> >>> 192.168.2.1
>> >>> Connections:
>> >>> somename: B.B.B.B...A.A.A.A IKEv1
>> >>> somename: local: [B.B.B.B] uses pre-shared key authentication
>> >>> somename: remote: [A.A.A.A] uses pre-shared key authentication
>> >>> somename: child: 192.168.2.0/24 === 192.168.1.0/24 TUNNEL
>> >>> Security Associations (1 up, 0 connecting):
>> >>> somename[2]: ESTABLISHED 10 seconds ago, B.B.B.B[B.B.B.B]...A.A.A.A[A.A.A.A]
>> >>> somename[2]: IKEv1 SPIs: xxxxxxxxxxxxxxxx_i xxxxxxxxxxxxxxxx_r*,
>> >>> rekeying disabled
>> >>> somename[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> >>> somename{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: xxxxxxxx_i xxxxxxxx_o
>> >>> somename{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
>> >>> somename{1}: 192.168.2.0/24 === 192.168.1.0/24
>> >>>
>> >>> 2015-07-20 14:19 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
>> >>> Hello Tomek,
>> >>>
>> >>> I can tell from "Exchange Mode: Main" that it uses IKEv1.
>> >>> Append an @ to the IDs on the strongSwan side
>> >>> to force charon to send the ID as type FQDN,
>> >>> which the other side expects (you set ID type to FQDN).
>> >>> Use AES-128 instead of 3DES. You should also
>> >>> use SHA1, not MD5. Furthermore, you enabled PFS in
>> >>> the configuration on the TP link, but not in strongSwan.
>> >>> Append the correct dh group to your ESP cipher settings.
>> >>>
>> >>> Look at the logs in the webinterface to find out what the TP link
>> >>> side doesn't like.
>> >>>
>> >>> Regards,
>> >>> Noel Kuntze
>> >>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> >>>
>> >>> On 20.07.2015 at 13:58, tomek_byd at tlen.pl wrote:
>> >>>>>> Hello!
>> >>>>>>
>> >>>>>> After the change from IKEv1 to IKEv2 I get the errors shown below. In
>> >>>>>> the TP-Link settings I don't see any possibility to change IKEv1/v2. I
>> >>>>>> don't even know what is set in the TP-Link. A sample panel is visible at
>> >>>>>> http://www.tp-link.com.pl/resources/simulator/TL-ER6120(UN)/userRpm/Index.htm.
>> >>>>>> What is best to change 3DES to?
>> >>>>>>
>> >>>>>> root at SomeWRT:~# ipsec up somename
>> >>>>>> no files found matching '/etc/strongswan.d/*.conf'
>> >>>>>> initiating Main Mode IKE_SA somename[1] to A.A.A.A
>> >>>>>> generating ID_PROT request 0 [ SA V V V V ]
>> >>>>>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (152 bytes)
>> >>>>>> received packet: from A.A.A.A[500] to B.B.B.B[500] (56 bytes)
>> >>>>>> parsed INFORMATIONAL_V1 request 1324794912 [ N(NO_PROP) ]
>> >>>>>> received NO_PROPOSAL_CHOSEN error notify
>> >>>>>> establishing connection 'somename' failed
>> >>>>>>
>> >>>>>> 2015-07-19 22:32 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
>> >>>>>>>
>> >>>>>> Hello Tomek,
>> >>>>>>
>> >>>>>> Try using IKEv1, not IKEv2. And use a different cipher than 3DES. It is very slow.
>> >>>>>>
>> >>>>>> Kind Regards,
>> >>>>>> Noel Kuntze
>> >>>>>>
>> >>>>>> GPG Key ID: 0x63EC6658
>> >>>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> >>>>>>
>> >>>>>> On 19.07.2015 at 13:34, tomek_byd wrote:
>> >>>>>>>>> I don't know how to write the correct config file for the connection. My config is a conglomeration of many examples from the Internet. So far I haven't had contact with IPsec. I'm under the control of TL-ER6120 and OpenWRT so I can make changes on both devices. I see the error "IDr payload missing" but the parameter "leftid" is set in the config file.
>> >>>>>>>>>
>> >>>>>>>>> LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET <-> OpenWRT with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)
>> >>>>>>>>>
>> >>>>>>>>> TL-ER6120 configuration:
>> >>>>>>>>> IKE Proposal: MD5, 3DES, DH2
>> >>>>>>>>> IKE Policy:
>> >>>>>>>>> Exchange Mode: main,
>> >>>>>>>>> Local ID Type: FQDN,
>> >>>>>>>>> Local ID: A.A.A.A
>> >>>>>>>>> Remote ID Type: FQDN
>> >>>>>>>>> Remote ID: B.B.B.B
>> >>>>>>>>> Pre-shared Key: XXXXXX
>> >>>>>>>>> SA Lifetime: 28800
>> >>>>>>>>> DPD: Disable
>> >>>>>>>>> IPsec Proposal: ESP, MD5, 3DES
>> >>>>>>>>> IPsec Policy:
>> >>>>>>>>> Mode: LAN-to-LAN
>> >>>>>>>>> Local Subnet: 192.168.1.0/24
>> >>>>>>>>> Remote Subnet: 192.168.2.0/24
>> >>>>>>>>> WAN: WAN1
>> >>>>>>>>> Remote Gateway: B.B.B.B
>> >>>>>>>>> Policy Mode: IKE
>> >>>>>>>>> PFS: DH2
>> >>>>>>>>> SA Lifetime: 28800
>> >>>>>>>>>
>> >>>>>>>>> OpenWRT configuration:
>> >>>>>>>>> /etc/ipsec.conf:
>> >>>>>>>>> config setup
>> >>>>>>>>>     # strictcrlpolicy = no
>> >>>>>>>>>     # uniqueids = no
>> >>>>>>>>>
>> >>>>>>>>> conn somename
>> >>>>>>>>>     ikelifetime=60m
>> >>>>>>>>>     keylife=20m
>> >>>>>>>>>     rekeymargin=3m
>> >>>>>>>>>     keyingtries=1
>> >>>>>>>>>     keyexchange=ikev2
>> >>>>>>>>>     type=tunnel
>> >>>>>>>>>     authby=secret
>> >>>>>>>>>     ike=3des-md5-modp1024!
>> >>>>>>>>>     esp=3des-md5!
>> >>>>>>>>>     rekey=no
>> >>>>>>>>>     left=B.B.B.B
>> >>>>>>>>>     leftid=B.B.B.B
>> >>>>>>>>>     leftsubnet=192.168.2.0/24
>> >>>>>>>>>     leftauth=psk
>> >>>>>>>>>     right=A.A.A.A
>> >>>>>>>>>     rightid=A.A.A.A
>> >>>>>>>>>     rightsubnet=192.168.1.0/24
>> >>>>>>>>>     rightauth=psk
>> >>>>>>>>>     dpdaction=none
>> >>>>>>>>>     auto=add
>> >>>>>>>>>     mobike=no
>> >>>>>>>>>
>> >>>>>>>>> /etc/ipsec.secrets:
>> >>>>>>>>> A.A.A.A : PSK "XXXXXX"
>> >>>>>>>>> B.B.B.B : PSK "XXXXXX"
>> >>>>>>>>>
>> >>>>>>>>> Output:
>> >>>>>>>>> root at SomeWRT:~# ipsec up somename
>> >>>>>>>>> no files found matching '/etc/strongswan.d/*.conf'
>> >>>>>>>>> initiating IKE_SA somename[1] to A.A.A.A
>> >>>>>>>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
>> >>>>>>>>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (316 bytes)
>> >>>>>>>>> received packet: from A.A.A.A[500] to B.B.B.B[500] (332 bytes)
>> >>>>>>>>> parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
>> >>>>>>>>> local host is behind NAT, sending keep alives
>> >>>>>>>>> remote host is behind NAT
>> >>>>>>>>> authentication of 'B.B.B.B' (myself) with pre-shared key
>> >>>>>>>>> establishing CHILD_SA somename
>> >>>>>>>>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
>> >>>>>>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (212 bytes)
>> >>>>>>>>> received packet: from A.A.A.A[4500] to B.B.B.B[4500] (68 bytes)
>> >>>>>>>>> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
>> >>>>>>>>> IDr payload missing
>> >>>>>>>>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>> >>>>>>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (68 bytes)
>> >>>>>>>>> establishing connection 'somename' failed
>> >>>>>>>>>
>> >>>>>>>>> _______________________________________________
>> >>>>>>>>> Users mailing list
>> >>>>>>>>> Users at lists.strongswan.org
>> >>>>>>>>> https://lists.strongswan.org/mailman/listinfo/users
>> >>>>>>
>> >>>>>>>
>>>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJVrhUSAAoJEDg5KY9j7GZYXQUP/2FA1NmlzB5qn7wmQWXEhw6K
> RQtBCXWAAJvXssSzY9Va7IPgOA/Sdr2Lfip21CCKAWmjWJV7BspIvrre0c6t7wDY
> cHTDpy0utyaCVvh9HAzHlMLxLHPhwNV+SisbN2y9AsNj+YumDPuhB0qh+PJFMhs7
> aSTfgTWG3WUKxVtHA7rlREkMJomTdCjNp1bH3ZCtXdwGDsDeClCtczRqd9sQKVUI
> ECyA8vOyWNgl2dHHXAdUwk+GenSv8EtYN+0Lspmsh3drI2l2s6MtgxyAfMFsKlnX
> EOzrGS0h6ov5IJ9BCo4/Pqri085w3RBm7Fw+fhx+4BAPEs3SSdpCKlkVZkK7ATeF
> IlAusFAzYWsZePGFjMCkbgMkydst9iaulUyk+T07ljjMDp3678z90FfUzSVvW1Qz
> XtvVzl7jP0Ht8SB8CVmZo84Tn8V1t7nc8SQYHQSfOuHqD9yN6rhkx6wAk3rka+Nf
> 32uVaBmZdkXuIxu+dPiggvAPP9KaLBZypjMxR5OpGJ+h1SWqyLemP4Ls9wx30w54
> JWSJiJNN9WhzpBCjyqhZfawaDJ3r5h32mEw9ayN1UPJJLjk1Q3kAV/We1rKPBbV0
> fmwK3LfHIk0ZdvCsGR6T0kuipvrlxZuXq6Lub7uY27s9Ufc9Ih5mEjtbjDBzDAHD
> 8sY4lUyYV7e3tnZSu+aM
> =uw3X
> -----END PGP SIGNATURE-----
>
>
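The mechanism Noel describes (policy-based IPsec, with NAT applied before the policy lookup) and the effect of the nat POSTROUTING exemptions Tomek added, as an added simulation that is not part of the thread and not strongSwan or OpenWrt code. It models the egress path as the thread states it, replaces the WAN address B.B.B.B with an RFC 5737 documentation address (an assumption), and reduces iptables rules and XFRM policies to small Python classes; nothing here touches a real kernel.

```python
# Added example (not from the thread or from strongSwan): a small model of the
# OpenWrt egress path that Noel describes. Packets leaving the box pass the nat
# POSTROUTING chain first and only then the IPsec policy lookup, so a packet
# that gets masqueraded to the WAN address no longer matches the tunnel's
# selectors. The nat ACCEPT rules Tomek added short-circuit the chain before
# the masquerade rule and so keep the original source address.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Selectors negotiated in the thread: 192.168.2.0/24 === 192.168.1.0/24
LAN_B = ip_network("192.168.2.0/24")   # behind OpenWrt/strongSwan
LAN_A = ip_network("192.168.1.0/24")   # behind the TL-ER6120
# Placeholder for the OpenWrt WAN address B.B.B.B (assumption: RFC 5737 address)
WAN_IP = "203.0.113.2"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "icmp"


@dataclass
class NatRule:
    """One nat POSTROUTING rule: optional -s/-d/-p matches, target ACCEPT or MASQUERADE."""
    target: str
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.proto is None or p.proto == self.proto))


def nat_postrouting(pkt: Packet, rules: list) -> Packet:
    """Walk the chain top to bottom; the first match decides. ACCEPT ends
    traversal with the packet unchanged, MASQUERADE rewrites the source to the
    WAN address. No match also leaves the packet unchanged."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.target == "MASQUERADE":
                return Packet(WAN_IP, pkt.dst, pkt.proto)
            return pkt
    return pkt


def xfrm_policy_lookup(pkt: Packet, policies: list) -> str:
    """Policy-based IPsec: only packets whose (src, dst) fall inside a
    negotiated selector pair go through the tunnel; everything else leaves
    in the clear via the ordinary routing table."""
    for local, remote in policies:
        if ip_address(pkt.src) in local and ip_address(pkt.dst) in remote:
            return "tunnel"
    return "clear"


def egress(pkt: Packet, nat_rules: list, policies: list) -> str:
    """NAT runs before the policy lookup, as the thread states."""
    return xfrm_policy_lookup(nat_postrouting(pkt, nat_rules), policies)


POLICIES = [(LAN_B, LAN_A)]

# What the default firewall amounts to on the WAN zone: masquerade everything.
MASQ_ONLY = [NatRule("MASQUERADE")]

# Tomek's additions, inserted with -I so they sit above the masquerade rule.
WITH_EXEMPT = [
    NatRule("ACCEPT", src="192.168.2.0/24", dst="192.168.1.0/24"),
    NatRule("ACCEPT", proto="ipcomp"),
    NatRule("ACCEPT", proto="ah"),
    NatRule("ACCEPT", proto="esp"),
] + MASQ_ONLY


if __name__ == "__main__":
    lan_ping = Packet("192.168.2.10", "192.168.1.1")   # constructed: LAN B host pings LAN A
    router_ping = Packet(WAN_IP, "192.168.1.1")       # constructed: OpenWrt itself, from WAN
    cases = [("LAN B -> LAN A, masquerade only", lan_ping, MASQ_ONLY),
             ("LAN B -> LAN A, with exemption", lan_ping, WITH_EXEMPT),
             ("router WAN IP -> LAN A, with exemption", router_ping, WITH_EXEMPT)]
    for label, pkt, rules in cases:
        after_nat = nat_postrouting(pkt, rules)
        print(f"{label}: src after NAT {after_nat.src}, {egress(pkt, rules, POLICIES)}")
```

The first two cases show why the exemption is what made Tomek's tunnel carry traffic: masqueraded to the WAN address, the LAN-to-LAN packet misses the 192.168.2.0/24 === 192.168.1.0/24 selector and leaves in the clear; with the ACCEPT rule ahead of MASQUERADE it keeps its LAN source and matches. The third case is Noel's second point: a ping sourced from the router's own WAN address misses the policy regardless of NAT, which is why pinging across the tunnel from the gateway itself fails while hosts behind it succeed.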