Confusion Regarding Setting Up IKEv2 VPN Service with StrongSwan Using IPsec and Swanctl

I hope you're all doing well. I'm not very confident in my English skills, so I used GPT for translation. Please forgive me if there are any grammar mistakes.

I'm quite new to OpenWRT, and I'm trying to set up a simple IKEv2 VPN service by following the official documentation and some other resources I've found. My goal is to be able to access my home network from anywhere.
I'm having some problems. When I set up the VPN service using IPsec, everything seems to be working fine: I can access other computers on my home network through the VPN. However, when I attempt to set it up using swanctl, I can access the internet but I can't seem to reach the other computers on my home network.
Although I've achieved my goal by configuring it through IPsec, I still want to know what's missing in the configuration with swanctl.
Thank you, everyone.

The current version being used and the configuration information are as follows:
version: openwrt 22.03.5, strongswan 5.9.5-13
package: strongswan-full strongswan-mod-kernel-libipsec kmod-tun

shared configuration

/etc/strongswan.conf

charon {
        dns1 = 192.168.5.1
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '223.5.5.5'
        list dns '119.29.29.29'

config interface 'wan'
        option proto 'pppoe'
        option device 'iptv.1'
        option username 'xxx'
        option password 'xxx'
        option ipv6 'auto'
        option peerdns '0'
        list dns '223.5.5.5'
        list dns '119.29.29.29'

config device
        option type 'bridge'
        option name 'iptv'
        list ports 'eth2'
        list ports 'eth3'

config bridge-vlan
        option device 'iptv'
        option vlan '1'
        list ports 'eth3'

config bridge-vlan
        option device 'iptv'
        option vlan '45'
        option local '0'
        list ports 'eth2'
        list ports 'eth3:t'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-NAT-T'
        option src 'wan'
        option dest_port '4500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-Auth-Header'
        option src 'wan'
        option proto 'ah'
        option target 'ACCEPT'

ipsec

/etc/config/network

config interface 'ipsec'
        option device 'ipsec0'
        option proto 'none'
        option defaultroute '0'
        option peerdns '0'
        option ipv6 '0'

/etc/config/firewall

config zone
        option name 'vpn'
        list network 'ipsec'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'wan'

/etc/ipsec.conf

config setup

conn %default
        keyexchange=ikev2
        ike=aes256-aes128-sha1-sha256-modp2048-modp3072
        esp=aes128-aes256-sha256-modp3072-modp2048,aes128-aes256-sha256
        left=%any
        leftauth=pubkey
        leftid=ddns.adi291.com
        leftsubnet=0.0.0.0/0;::/0
        leftcert=serverCert_ddns.adi291.com.pem
        leftsendcert=always
        right=%any
        rightsourceip=192.168.5.160/29
        rightdns=192.168.5.1
        eap_identity=%identity
        auto=add

conn rwPUBKEY
        rightauth=pubkey
        rightcert=clientCert_Adi.pem

/etc/ipsec.secrets

: RSA serverKey_ddns.adi291.com.pem

swanctl

/etc/swanctl/common.conf

local_addrs  = 0.0.0.0/0,::/0
remote_addrs = 0.0.0.0/0,::/0
local {
        auth = pubkey
        certs = serverCert_ddns.adi291.com.pem
        id = ddns.adi291.com
}
children {
        ikev2clients {
                local_ts  = 0.0.0.0/0;::/0
                esp_proposals = default
        }
}
pools = strongswanippool
unique = never
version = 2
proposals = default

/etc/swanctl/swanctl.conf

connections {
        rw-pubkey {
                include ./common.conf
                remote-pubkey {
                        auth = pubkey
                        certs = clientCert_Adi.pem
                }
                send_certreq = no
        }
}

secrets {
        rsa- {
                filename="serverKey_ddns.adi291.com.pem"
        }
}

pools {
        strongswanippool {
                addrs = 192.168.5.160-192.168.5.166
                #dns = 192.168.5.1
        }
}

include conf.d/*.conf

include /var/swanctl/swanctl.conf

/etc/config/firewall

config rule
        option name 'AllowIPsec2WAN'
        list proto 'all'
        option src 'wan'
        option dest 'wan'
        option target 'ACCEPT'
        option enabled '0'
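An added example, not part of the post above and not strongSwan's own tooling: a small parser for the swanctl.conf section syntax (nested `name { }` blocks, `key = value` lines, `#` comments and `include` directives) plus a lint pass that reports the things worth checking first when a swanctl setup routes but does not reach the LAN. The two files from the post are embedded as constructed in-memory copies so the script runs offline; the LAN prefix `192.168.5.0/24` is taken from the poster's `/etc/config/network`. The lint only states documented facts: swanctl.conf(5) defines list options such as `local_ts` as comma separated, and a virtual-IP pool carved out of the LAN prefix means LAN hosts consider those addresses on-link, so the gateway has to NAT the clients (as the `masq '1'` vpn zone in the ipsec.conf setup does) or answer ARP for them.

```python
import fnmatch
import ipaddress
import posixpath

# Constructed in-memory copies of the poster's two files, keyed by absolute
# path so that `include` lines resolve against this dict instead of the disk.
FILES = {
    "/etc/swanctl/swanctl.conf": """
connections {
    rw-pubkey {
        include ./common.conf
        remote-pubkey {
            auth = pubkey
            certs = clientCert_Adi.pem
        }
        send_certreq = no
    }
}
secrets {
    rsa- {
        filename="serverKey_ddns.adi291.com.pem"
    }
}
pools {
    strongswanippool {
        addrs = 192.168.5.160-192.168.5.166
        #dns = 192.168.5.1
    }
}
include conf.d/*.conf
""",
    "/etc/swanctl/common.conf": """
local_addrs  = 0.0.0.0/0,::/0
remote_addrs = 0.0.0.0/0,::/0
local {
    auth = pubkey
    certs = serverCert_ddns.adi291.com.pem
    id = ddns.adi291.com
}
children {
    ikev2clients {
        local_ts  = 0.0.0.0/0;::/0
        esp_proposals = default
    }
}
pools = strongswanippool
unique = never
version = 2
proposals = default
""",
}


def load_config(path, files, into=None):
    """Parse one file into the nested dict `into`, resolving includes relative
    to the including file's directory (swanctl's rule) and merging the included
    content into the section that contains the include line."""
    into = {} if into is None else into
    stack = [into]
    base = posixpath.dirname(path)
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("include "):
            pat = line[len("include "):].strip()
            if not pat.startswith("/"):
                pat = posixpath.normpath(posixpath.join(base, pat))
            for inc in sorted(fnmatch.filter(files, pat)):  # glob, may match nothing
                load_config(inc, files, stack[-1])
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, val = line.split("=", 1)
            stack[-1][key.strip()] = val.strip().strip('"')
        else:
            raise ValueError(f"{path}: cannot parse {raw!r}")
    return into


def pool_inside(addrs, lan):
    """True if a pool given as an 'a-b' range or a CIDR lies within `lan`."""
    if "-" in addrs:
        lo, hi = (ipaddress.ip_address(a) for a in addrs.split("-"))
        return lo in lan and hi in lan
    net = ipaddress.ip_network(addrs, strict=False)
    return net.version == lan.version and net.subnet_of(lan)


def lint(cfg, lan_cidr):
    """Return findings about pools and traffic selectors for every connection."""
    findings, lan = [], ipaddress.ip_network(lan_cidr)
    pools = cfg.get("pools", {})
    for cname, conn in cfg.get("connections", {}).items():
        pool = conn.get("pools")
        if pool not in pools:
            findings.append(f"{cname}: pool {pool!r} is not defined in the pools section")
        elif pool_inside(pools[pool].get("addrs", ""), lan):
            findings.append(
                f"{cname}: pool {pool} ({pools[pool]['addrs']}) lies inside LAN {lan}; "
                "LAN hosts treat these addresses as on-link, so the gateway must NAT the "
                "VPN clients or answer ARP for them (strongSwan farp plugin)")
        for chname, child in conn.get("children", {}).items():
            for key in ("local_ts", "remote_ts"):
                if ";" in child.get(key, ""):
                    findings.append(
                        f"{cname}/{chname}: {key} = {child[key]!r} uses ';' as separator; "
                        "swanctl.conf(5) lists are comma separated")
    return findings


if __name__ == "__main__":
    for f in lint(load_config("/etc/swanctl/swanctl.conf", FILES), "192.168.5.0/24"):
        print(f)
```

Run against the poster's files it reports two items: the pool is inside the LAN prefix, and `local_ts` joins its two selectors with `;` rather than `,`. Both are cheap to verify against `swanctl --list-conns` and `swanctl --list-pools` on the router before looking at firewall zones.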

Do you have a particular reason to prefer IKEv2 over (e.g.) wireguard? While there's nothing wrong about strongswan and IKEv2, wireguard tends to be easier to set up and operate - so if you don't need to integrate into an existing VPN or have other reasons to use it, wireguard might be easier (if so, start fresh, reset and configure wireguard).

--
CA and certificate handling for IPsec or OpenVPN is not trivial, wireguard's public-/ private key handling is a lot easier for reasonably small deployments.

Because I'd prefer not to use extra client software. Maybe in the future I'll try using WireGuard; could you recommend some links with guides on how to use it? Thank you so much.

Drop it, use libreswan. It is much easier to set up. Use official documentation from https://libreswan.org/wiki/Configuration_examples

StrongSWAN documentation from OpenWRT is a bit confusing. It should be divided into two, StrongSWAN before 22.03 and StrongSWAN 22.03+, just for the sake of convenience.

Use PSK+XAUTH, it is the same level of complexity as Wireguard. The only thing which WG provides in extra is QR code... which doesn't work (in OpenWRT) as intended.

The official article mentions that libreswan is no longer supported and cannot be installed after 19.07.9.
libreswan vpn

Documentation is old...

opkg list | grep libreswan

Thanks! Well, I suppose I placed too much trust in the accuracy of the official documentation...

However, at the moment, I've successfully set up the VPN service using StrongSwan's IPsec, and everything is functioning well. The issue arises when I try to configure it using swanctl. I'm still eager to find out the underlying reasons for this inconsistency.
