Dear readers,
I know it's been asked a zillion times because I read ALL threads touching that subject. But I've been trying now for several days and I'm running out of ideas.
The setup seemed more or less "standard" (OpenWRT behind a DSL router contacting the office network).
home LAN: 10.12.12.0/24 => WAN 192.168.2.118 => Internet => fixed IP 195.14.XXX.XXX => office LAN 192.168.0.0/24
Tunnel is up and running, I can ping from OpenWRT to office LAN. But no traffic gets routed thru from home LAN.
Configuration:
/etc/ipsec.conf:
conn Conn1
keyexchange=ikev2
right=195.14.XXX.XXX
rightsubnet=192.168.0.0/24
rightid=@office.domain.com
rightauth=pubkey
leftsourceip=%config
leftid=@private.domain.com
leftsubnet=10.12.12.0/24
leftfirewall=yes
ike=aes256-sha-modp1024
esp=aes256-sha1-modp1024
ikelifetime=4h
keylife=1h
auto=start
type=tunnel
forceencaps=yes
leftauth=eap-mschapv2
eap_identity=private.domain.com
dpdaction=restart
/etc/config/network (only relevant parts)
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '10.12.12.1'
config interface 'ipsec'
option proto 'none'
option delegate '0'
option ifname 'ipsec0'
config route
option interface 'ipsec'
option target '192.168.0.0'
option netmask '255.255.255.0'
/etc/config/firewall
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT' ## I know.... it's just for testing
option output 'ACCEPT'
option forward 'ACCEPT' ## I know... it's just for testing
option extra_src '-m policy --dir in --pol none'
option extra_dest '-m policy --dir out --pol none'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
option extra_src '-m policy --dir in --pol none'
option extra_dest '-m policy --dir out --pol none'
config zone
option name vpn
list network 'ipsec'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
option subnet 192.168.0.0/24
option extra_src '-m policy --dir in --pol ipsec --proto esp'
option extra_dest '-m policy --dir out --pol ipsec --proto esp'
option mtu_fix 1
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'vpn'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'vpn'
Routing:
root@OpenWrt:~# ip route show
default via 192.168.2.1 dev eth0.2 proto static src 192.168.2.118
10.12.12.0/24 dev br-lan proto kernel scope link src 10.12.12.1
192.168.0.0/24 dev ipsec0 proto static scope link
192.168.2.0/24 dev eth0.2 proto kernel scope link src 192.168.2.118
root@OpenWrt:~# ip route show table 220
192.168.0.0/24 dev ipsec0 proto static src 10.12.12.1
ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.1, Linux 5.4.89, mips):
uptime: 69 minutes, since Jan 18 22:28:20 2021
worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 6
loaded plugins: charon des sha1 md4 random nonce x509 pem openssl kernel-libipsec kernel-netlink socket-default stroke eap-mschapv2
Listening IP addresses:
10.12.12.1
fdef:7de7:3bb::1
192.168.2.118
2003:dc:6f17:7700:e80:63ff:fe2e:dd93
Connections:
Conn1: %any...195.14.XXX.XXX IKEv2, dpddelay=30s
Conn1: local: [private.domain.com] uses EAP_MSCHAPV2 authentication with EAP identity 'private.domain.com'
Conn1: remote: [office.domain.com] uses public key authentication
Conn1: child: 10.12.12.0/24 === 192.168.0.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
Conn1[1]: ESTABLISHED 69 minutes ago, 192.168.2.118[private.domain.com]...195.14.XXX.XXX[office.domain.com]
Conn1[1]: IKEv2 SPIs: 0d005605c31ea051_i* d7c0992d94cbed9c_r, EAP reauthentication in 2 hours
Conn1[1]: IKE proposal: CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519
Conn1{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: d09eb5f1_i c3bca305_o
Conn1{2}: AES_CBC_256/HMAC_SHA2_256_128, 168 bytes_i (2 pkts, 1129s ago), 168 bytes_o (2 pkts, 1129s ago), rekeying in 17 minutes
Conn1{2}: 10.12.12.0/24 === 192.168.0.0/24
As said, I can ping from OpenWRT to office network.
But pings from the home network don't make it to the office router (checked with tcpdump -n -s0 -p -i eth1 esp or udp port 4500; eth1 is the outbound interface).
But I can still see them when I insert a LOG rule into OpenWRT's zone_lan_forward rule:
Mon Jan 18 23:29:07 2021 kern.warn kernel: [ 4161.802876] IN=br-lan OUT=ipsec0 MAC=0c:80:63:2e:dd:92:b8:8d:12:53:65:2d:08:00 SRC=10.12.12.218 DST=192.168.0.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=31590 PROTO=ICMP TYPE=8 CODE=0 ID=30722 SEQ=0
Mon Jan 18 23:29:08 2021 kern.warn kernel: [ 4162.807779] IN=br-lan OUT=ipsec0 MAC=0c:80:63:2e:dd:92:b8:8d:12:53:65:2d:08:00 SRC=10.12.12.218 DST=192.168.0.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1326 PROTO=ICMP TYPE=8 CODE=0 ID=30722 SEQ=1
Mon Jan 18 23:29:09 2021 kern.warn kernel: [ 4163.808699] IN=br-lan OUT=ipsec0 MAC=0c:80:63:2e:dd:92:b8:8d:12:53:65:2d:08:00 SRC=10.12.12.218 DST=192.168.0.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=38685 PROTO=ICMP TYPE=8 CODE=0 ID=30722 SEQ=2
Mon Jan 18 23:29:10 2021 kern.warn kernel: [ 4164.823740] IN=br-lan OUT=ipsec0 MAC=0c:80:63:2e:dd:92:b8:8d:12:53:65:2d:08:00 SRC=10.12.12.218 DST=192.168.0.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=60992 PROTO=ICMP TYPE=8 CODE=0 ID=30722 SEQ=3
Mon Jan 18 23:29:11 2021 kern.warn kernel: [ 4165.815792] IN=br-lan OUT=ipsec0 MAC=0c:80:63:2e:dd:92:b8:8d:12:53:65:2d:08:00 SRC=10.12.12.218 DST=192.168.0.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=33133 PROTO=ICMP TYPE=8 CODE=0 ID=30722 SEQ=4
Mon Jan 18 23:29:12 2021 kern.warn kernel: [ 4166.820890] IN=br-lan OUT=ipsec0 MAC=0c:80:63:2e:dd:92:b8:8d:12:53:65:2d:08:00 SRC=10.12.12.218 DST=192.168.0.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=29882 PROTO=ICMP TYPE=8 CODE=0 ID=30722 SEQ=5
10.12.12.218 = Computer on home LAN
192.168.0.254 = Local IP of office endpoint of VPN
Any help is greatly appreciated!
Tino
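As an added diagnostic that is not part of the original post: a small Python checker that parses iptables LOG lines of the kind shown above and compares each forwarded packet against the child SA traffic selectors reported by ipsec statusall, so you can confirm that the packets are inside the negotiated selectors and actually leave on the tunnel interface. The first sample line is taken from the post; the second is constructed to show what a packet that escaped via the WAN interface would look like (the interface name ipsec0 and the selector line are the post's own values).

```python
import ipaddress
import re

# Sample input. Line 1 is the first LOG line from the post; line 2 is a
# constructed variant where the packet left via eth0.2 instead of the tunnel.
LOG_LINES = [
    "Mon Jan 18 23:29:07 2021 kern.warn kernel: [ 4161.802876] IN=br-lan OUT=ipsec0 "
    "MAC=0c:80:63:2e:dd:92:b8:8d:12:53:65:2d:08:00 SRC=10.12.12.218 DST=192.168.0.254 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=31590 PROTO=ICMP TYPE=8 CODE=0 ID=30722 SEQ=0",
    "Mon Jan 18 23:29:08 2021 kern.warn kernel: [ 4162.807779] IN=br-lan OUT=eth0.2 "
    "MAC=0c:80:63:2e:dd:92:b8:8d:12:53:65:2d:08:00 SRC=10.12.12.218 DST=192.168.0.254 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1326 PROTO=ICMP TYPE=8 CODE=0 ID=30722 SEQ=1",
]
# Child SA selector line as printed by `ipsec statusall` in the post.
CHILD_SA_LINE = "Conn1{2}: 10.12.12.0/24 === 192.168.0.0/24"
TUNNEL_IFACE = "ipsec0"  # kernel-libipsec TUN device from the post

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_log_line(line):
    """Return KEY=value fields of a kernel/iptables LOG line.
    ID= appears twice (IP header ID, then ICMP ID); the first occurrence wins."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    return fields


def parse_child_sa(line):
    """Extract (local, remote) traffic selectors from a 'A === B' status line."""
    m = re.search(r"(\S+) === (\S+)", line)
    return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))


def classify(line, local_ts, remote_ts, tunnel_iface=TUNNEL_IFACE):
    """Say whether a forwarded packet should have been, and was, sent to the tunnel."""
    f = parse_log_line(line)
    src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
    if not (src in local_ts and dst in remote_ts):
        return "outside-selectors"  # IPsec policy does not cover this flow at all
    if f.get("OUT") != tunnel_iface:
        return "wrong-egress:" + f.get("OUT", "?")  # routed around the tunnel
    return "forwarded-to-tunnel"  # firewall/routing fine; look past this hop


def audit(lines, child_sa_line):
    local_ts, remote_ts = parse_child_sa(child_sa_line)
    return [classify(line, local_ts, remote_ts) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(LOG_LINES, audit(LOG_LINES, CHILD_SA_LINE)):
        print(parse_log_line(line)["SRC"], "->", parse_log_line(line)["DST"], verdict)
```

A "forwarded-to-tunnel" verdict for every line, as in the post, means the forward chain and the route to ipsec0 are not what drops the packets, so the next place to look is what happens after the TUN device (the libipsec path and the outbound NAT/masquerade on the WAN zone).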