22.03 StrongSwan IKEv2 Firewall/Interface Setup

I'm totally lost by the many options one has (VTI, XFRM, policy based vs. route based, and so on) while trying to set up a road warrior setup with strongswan.

I basically followed this guide https://openwrt.org/docs/guide-user/services/vpn/strongswan/roadwarrior to do the setup. The ipsec connection is working but I have no idea how to forward the traffic to my LAN. The guide gives no clue on how the traffic is handled.

I read Traffic is dropped for IPsec with firewall4 but it is unclear for me, why a bridge with a vlan interface needs to be set up pointing to the WAN interface. So I do not want to follow it blindly.

Then I read about route based solutions here https://docs.strongswan.org/docs/5.9/features/routeBasedVpn.html#_xfrm_interfaces_on_linux and wonder if a VTI or XFRM device would be the solution but I cannot find any suitable documentation on those topics either. Is xfrm even a requirement because it was not installed with strongswan-full.

root@router:~# ip xfrm state
Object "xfrm" is unknown, try "ip help".

Any help is highly appreciated!

Wireguard tends to be significantly easier to set up (it's been a while since I used strongswan, and it has seen considerable changes in terms of service startup and process supervisions recently).

1 Like

This may be necessary because the other end is a corporate appliance etc. that only supports IPSec.

VTI is deprecated in favor of XFRM, so use XFRM for a routed configuration. The xfrm package is necessary. The default ip-tiny utility does not fully support XFRM. It can be replaced with ip-full though that is not necessary to run an xfrm IPSec.

The xfrm tunnel must be created separately in /etc/config/network. The link between the XFRM interface and the IPSec tunnel is the ifid number, which can be any 32 bit number but must match in both configurations.

config interface 'xfrm0'
        option ifid '301'
        option tunlink 'loopback'
        option mtu '1438'
        option proto 'xfrm'

config interface 'xfrm0_s'
        option ifname '@xfrm0'
        option proto 'static'
        option ipaddr ''

Here the tunnel is given an IP address, which is useful for initial testing to ping to the other side (assuming it is configured with an IP address and answers pings). The routed configuration works like other layer 3 VPNs like Wireguard or OpenVPN-- the tunnel interface would be attached to a firewall zone, and static routes declared to reach LANs on the other side.

In order to make the tunnel the default route for all Internet usage, a strongswan "up" script is needed to install those routes, including a "hole punch" exception so that the encrypted packets to the VPN server go through the regular WAN.

Thanks @mk24 for the insights! I guess that was the missing puzzle piece.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.