I've recently upgraded to OpenWRT and I really like the extra features it brings. However, unfortunately I cannot get IKEv2 traffic to my IPsec server (Raspberry Pi) somehow, while it was working before on a Netgear router with stock firmware. I hope somebody here can help.
My setup is as follows:
(client @ WAN) ==> (OpenWRT @ 172.16.0.1) ==> (IPsec server @ 172.16.0.2)
I'm forwarding UDP traffic to ports 4500/500 to the server, as well as the ESP protocol, using these 'port forwarding' rules (although ESP is a protocol and hence not a port forward):

    config redirect
        option name 'VPN ESP'
        option dest_ip '172.16.0.2'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'

    config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '500'
        option dest_ip '172.16.0.2'
        option dest_port '500'
        option name 'isakmp'

    config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '4500'
        option dest_ip '172.16.0.2'
        option dest_port '4500'
        option name 'ipsec-nat-t'
For my IPsec server, I've used these DigitalOcean instructions, which worked on my previous router.
I can connect to the IPsec (on my iOS client), and even reach the webserver on the server (172.16.0.2). However, no other traffic gets through.
I've also tried adapting these instructions and others, but to no avail. I also tried following this strongSwan instruction:
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
but I'm not sure if this refers to the IPsec firewall or the router firewall. In any case it doesn't work ;(
I think it has to do with ESP traffic not being handled properly, but I don't know how to fix this. Does anyone know how this should work?
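As an added example (not part of the post above, and not OpenWrt's own tooling): a small parser for the UCI redirect sections quoted in the question, plus a check that the three rules an IKEv2 passthrough needs (UDP/500 for IKE, UDP/4500 for NAT-T, and raw ESP) all DNAT from wan to lan to the same server address. The embedded config is a copy of the poster's rules; the server address 172.16.0.2 is the one from the post.

```python
import re

# Copy of the redirect rules from the post above, kept in the one-line form the
# forum flattened them into; the tokenizer does not care about newlines.
UCI_REDIRECTS = (
    "config redirect option name 'VPN ESP' option dest_ip '172.16.0.2' "
    "option target 'DNAT' option src 'wan' option dest 'lan' option proto 'esp' "
    "config redirect option target 'DNAT' option src 'wan' option dest 'lan' "
    "option proto 'udp' option src_dport '500' option dest_ip '172.16.0.2' "
    "option dest_port '500' option name 'isakmp' "
    "config redirect option target 'DNAT' option src 'wan' option dest 'lan' "
    "option proto 'udp' option src_dport '4500' option dest_ip '172.16.0.2' "
    "option dest_port '4500' option name 'ipsec-nat-t'"
)

# 'config <type>' starts a section, "option <key> '<value>'" fills it.
TOKEN = re.compile(r"config\s+(\w+)|option\s+(\w+)\s+'([^']*)'")

def parse_redirects(text):
    """Return one dict per 'config redirect' section found in text."""
    sections = []
    for m in TOKEN.finditer(text):
        if m.group(1):                 # new section header
            sections.append({"_type": m.group(1)})
        elif sections:                 # option inside the current section
            sections[-1][m.group(2)] = m.group(3)
    return [s for s in sections if s["_type"] == "redirect"]

# IKEv2 passthrough to one LAN host needs IKE on UDP/500, NAT-T on UDP/4500
# and raw ESP (IP protocol 50, so no port), each DNATed from wan to lan.
REQUIRED = [("udp", "500"), ("udp", "4500"), ("esp", None)]

def missing_passthrough_rules(text, server_ip):
    """List the (proto, port) pairs with no matching DNAT rule to server_ip."""
    rules = parse_redirects(text)
    missing = []
    for proto, port in REQUIRED:
        matched = any(
            r.get("target") == "DNAT" and r.get("src") == "wan"
            and r.get("dest") == "lan" and r.get("proto") == proto
            and r.get("dest_ip") == server_ip
            and (port is None or r.get("src_dport") == port)
            for r in rules
        )
        if not matched:
            missing.append((proto, port))
    return missing

if __name__ == "__main__":
    print(missing_passthrough_rules(UCI_REDIRECTS, "172.16.0.2"))  # []
```

An empty list means the router-side DNAT rules are complete as written; if the posted config passes this check, the remaining suspects are the firewall on the IPsec server itself and the forwarding/NAT rules there, which this parser does not see.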