Help needed - Strongswan IKEv1 PSK Xauth

Hi all, I am trying to get strongSwan IKEv1 with PSK + XAuth working as described here:

Yes, I know, a few of these modules are deprecated and insecure. I have WireGuard running, but some people find it "too complicated" and want to use IPsec.

The topology is:
Client over internet --> Router with NAT (LAN = 10.10.9.x) + forwarding UDP 500 & UDP 4500 --> OpenWrt (WAN = 10.10.9.110, LAN = 10.10.10.0/24) with strongSwan IKEv1 configured with PSK + XAuth

ipsec.conf:

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.
conn %default
        ikelifetime=12h
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn roadwarrior-base
        left=%any
        leftid=87.200.x.x
        leftfirewall=yes
        right=%any
        rightsourceip=10.10.20.0/24
        auto=add

# need keyexchange=ikev1 as Android doesn't support ikev2
# leftsubnet is inside LAN only for split tunnelling
#        could change to 0.0.0.0/0 for full tunnel
#        could save on data usage and just use local subnet, less secure though
# rightsourceip is the VPN address pool
# 2-step security:
# 1. pre-shared key
# 2. xauth
# use virtual IP address pool to control VPN clients 'rightsourceip'
conn rw-ikev1-psk-xauth-splittun
        also=roadwarrior-base
        keyexchange=ikev1
        leftsubnet=10.10.10.0/24
        leftauth=psk
        rightauth=psk
        rightauth2=xauth
        # IKE proposal only; modp1024 is a 1024-bit DH group and is considered weak.
        # No esp= line, so the ESP proposal (the algorithms the kernel has to support)
        # is left at charon's default.
        ike=aes256-sha256-modp1024
# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

strongswan.conf:

charon {
        threads = 16
        dns1 = 10.10.9.1
        nbns1 = 10.10.9.1
}

# pluto was the IKEv1 daemon of strongSwan 4.x and no longer exists in 5.x;
# this section is ignored.
pluto {

}

# The section is named libstrongswan (it was spelt "librestrongswan" above,
# which the parser silently ignores, so crypto_test never applied).
libstrongswan {
        crypto_test {
                on_add = yes
        }
}

My client (Android) connects but can no longer communicate with the internet or the remote LAN (split tunnel enabled).

I get the following system logs:

daemon.info : 14[NET] sending packet: from 10.10.9.110[4500] to 87.200.(188 bytes)
Sun Oct 11 15:19:50 2020 daemon.info : 11[NET] received packet: from 87.200 to 10.10.9.110[4500] (92 bytes)
Sun Oct 11 15:19:50 2020 daemon.info : 11[ENC] parsed QUICK_MODE request 2951298853 [ HASH ]
Sun Oct 11 15:19:50 2020 daemon.info : 11[KNL] received netlink error: Function not implemented (89)
Sun Oct 11 15:19:50 2020 daemon.info : 11[KNL] unable to add SAD entry with SPI cea24de7 (FAILED)
Sun Oct 11 15:19:50 2020 daemon.info : 11[KNL] received netlink error: Function not implemented (89)
Sun Oct 11 15:19:50 2020 daemon.info : 11[KNL] unable to add SAD entry with SPI 0bafb830 (FAILED)
Sun Oct 11 15:19:50 2020 daemon.info : 11[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Sun Oct 11 15:19:50 2020 daemon.info : 11[KNL] deleting policy 10.10.10.129/32 === 10.10.9.0/24 in failed, not found
Sun Oct 11 15:19:50 2020 daemon.info : 11[KNL] deleting policy 10.10.10.129/32 === 10.10.9.0/24 fwd failed, not found
Sun Oct 11 15:19:50 2020 daemon.info : 11[IKE] sending DELETE for ESP CHILD_SA with SPI 0bafb830
Sun Oct 11 15:19:50 2020 daemon.info : 11[ENC] generating INFORMATIONAL_V1 request 2123073077 [ HASH D ]
Sun Oct 11 15:19:50 2020 daemon.info : 11[NET] sending packet: from 10.10.9.110[4500] to 87.200 (92 bytes)
Sun Oct 11 15:20:01 2020 daemon.info : 11[NET] received packet: from 87.200 to 10.10.9.110[4500] (108 bytes)
Sun Oct 11 15:20:01 2020 daemon.info : 11[ENC] parsed INFORMATIONAL_V1 request 2857860082 [ HASH D ]
Sun Oct 11 15:20:01 2020 daemon.info : 11[IKE] received DELETE for ESP CHILD_SA with SPI 0bafb830
Sun Oct 11 15:20:01 2020 daemon.info : 11[IKE] CHILD_SA not found, ignored
Sun Oct 11 15:20:01 2020 daemon.info : 07[NET] received packet: from 87.200 to 10.10.9.110[4500] (124 bytes)

Doing a tcpdump, I can see the traffic reaches my OpenWrt router:

15:28:30.434492 IP 87.200 > 10.10.9.110.4500: UDP-encap: ESP(spi=0xc762b8f5,seq=0x4c), length 136
15:28:30.479345 IP 87.200 > 10.10.9.110.4500: UDP-encap: ESP(spi=0xc762b8f5,seq=0x4e), length 136
15:28:30.479840 IP 87.200 > 10.10.9.110.4500: UDP-encap: ESP(spi=0xc762b8f5,seq=0x4d), length 136
15:28:30.480332 IP 87.200 > 10.10.9.110.4500: UDP-encap: ESP(spi=0xc762b8f5,seq=0x4f), length 136
15:28:30.480333 IP 87.200 > 10.10.9.110.4500: UDP-encap: ESP(spi=0xc762b8f5,seq=0x50), length 136
15:28:30.480334 IP 87.200 > 10.10.9.110.4500: UDP-encap: ESP(spi=0xc762b8f5,seq=0x51), length 136

The connection stays alive, but my Android client is simply offline while connected:

Sun Oct 11 15:28:45 2020 daemon.info : 08[IKE] sending keep alive to 87.200
Sun Oct 11 15:29:05 2020 daemon.info : 07[IKE] sending keep alive to 87.200
Sun Oct 11 15:29:25 2020 daemon.info : 12[IKE] sending keep alive to 87.200
Sun Oct 11 15:29:45 2020 daemon.info : 10[IKE] sending keep alive to 87.200
Sun Oct 11 15:30:05 2020 daemon.info : 14[IKE] sending keep alive to 87.200
Sun Oct 11 15:30:25 2020 daemon.info : 06[IKE] sending keep alive to 87.200
Sun Oct 11 15:30:45 2020 daemon.info : 14[IKE] sending keep alive to 87.200
Sun Oct 11 15:31:05 2020 daemon.info : 10[IKE] sending keep alive to 87.200

Firewall:

config rule
        option src 'wan'
        option name 'IPSec ESP'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option name 'IPSec IKE'
        option proto 'udp'
        option dest_port '500'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option name 'IPSec NAT-T'
        option proto 'udp'
        option dest_port '4500'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option name 'Auth Header'
        option proto 'ah'
        option target 'ACCEPT'

I know this must be something simple I am overlooking, but can anyone help?

Finally, I tried to install strongswan-mod-kernel-libipsec, as I found a few similar issues that listed this as a dependency, but I get some errors which I have been unable to fix:

daemon.info : 00[DMN] Starting IKE charon daemon (strongSwan 5.9.0, Linux 5.4.70, mips)
Sun Oct 11 15:43:43 2020 daemon.info : 00[LIB] curl SSL backend 'wolfSSL/4.5.0' not supported, https:// disabled
Sun Oct 11 15:43:43 2020 daemon.info : 00[CFG] disabling load-tester plugin, not configured
Sun Oct 11 15:43:43 2020 daemon.info : 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Sun Oct 11 15:43:43 2020 daemon.info : 00[LIB] failed to open /dev/net/tun: No such file or directory
Sun Oct 11 15:43:43 2020 daemon.info : 00[KNL] failed to create TUN device
Sun Oct 11 15:43:43 2020 daemon.info : 00[LIB] plugin 'kernel-libipsec': failed to load - kernel_libipsec_plugin_create returned NULL
Sun Oct 11 15:43:43 2020 daemon.info : 00[LIB] plugin 'uci' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: symbol not found
Sun Oct 11 15:43:43 2020 daemon.info : 00[KNL] unable to create IPv4 routing table rule
Sun Oct 11 15:43:43 2020 daemon.info : 00[KNL] unable to create IPv6 routing table rule
Sun Oct 11 15:43:43 2020 daemon.info : 00[CFG] attr-sql plugin: database URI not set
Sun Oct 11 15:43:43 2020 daemon.info : 00[NET] using forecast interface wan
Sun Oct 11 15:43:43 2020 daemon.info : 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Sun Oct 11 15:43:43 2020 daemon.info : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sun Oct 11 15:43:43 2020 daemon.info : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sun Oct 11 15:43:43 2020 daemon.info : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sun Oct 11 15:43:43 2020 daemon.info : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sun Oct 11 15:43:43 2020 daemon.info : 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sun Oct 11 15:43:43 2020 daemon.info : 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sun Oct 11 15:43:43 2020 daemon.info : 00[CFG]   loaded IKE secret for 87.200.238.220 %any
Sun Oct 11 15:43:43 2020 daemon.info : 00[CFG]   loaded EAP secret for steve@turgeons.com
Sun Oct 11 15:43:43 2020 daemon.info : 00[CFG] sql plugin: database URI not set
Sun Oct 11 15:43:43 2020 daemon.info : 00[CFG] loaded 0 RADIUS server configurations
Sun Oct 11 15:43:43 2020 daemon.info : 00[CFG] HA config misses local/remote address
Sun Oct 11 15:43:43 2020 daemon.info : 00[CFG] coupling file path unspecified
Sun Oct 11 15:43:43 2020 daemon.info : 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Sun Oct 11 15:43:43 2020 daemon.info : 00[JOB] spawning 16 worker threads
Sun Oct 11 15:43:43 2020 daemon.info : 06[DMN] thread 6 received 11
Sun Oct 11 15:43:43 2020 daemon.info : 07[DMN] thread 7 received 11
Sun Oct 11 15:43:43 2020 daemon.info : 06[LIB] no support for capturing backtraces
Sun Oct 11 15:43:43 2020 daemon.info : 05[DMN] thread 5 received 11
Sun Oct 11 15:43:43 2020 daemon.info : 05[LIB] no support for capturing backtraces
Sun Oct 11 15:43:43 2020 daemon.info : 06[DMN] killing ourself, received critical signal
Sun Oct 11 15:43:43 2020 authpriv.info ipsec_starter[4075]: charon (4483) started after 2520 ms
Sun Oct 11 15:43:43 2020 authpriv.info ipsec_starter[4075]: reading stroke response failed
Sun Oct 11 15:43:43 2020 authpriv.info ipsec_starter[4075]: connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
Sun Oct 11 15:43:43 2020 authpriv.info ipsec_starter[4075]: failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Sun Oct 11 15:43:43 2020 authpriv.info ipsec_starter[4075]: charon stopped after 200 ms

Also, I should add that I am running a DIR-882 with a snapshot build from a few days ago.
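An added example for this thread (not code from the original post or from the strongSwan project): a small Python triage of the charon lines quoted above. It separates the IKE layer from the `[KNL]` layer, because the log already shows where things break: Quick Mode is parsed, so PSK and XAuth succeeded, and the failure is the kernel answering the SAD add with `Function not implemented`. In the kernel's xfrm netlink code that errno (ENOSYS, which is 89 on MIPS) is returned when an algorithm named in the ESP SA is not available to the kernel crypto API, which on OpenWrt usually means a missing kmod-ipsec4 / kmod-crypto-* package. With no inbound SA installed, the ESP packets seen in the tcpdump are dropped even though the IKE SA and its keepalives stay up. The second function maps strongSwan ESP proposal tokens to the kernel algorithm names the kernel-netlink plugin requests and checks them against a `/proc/crypto` listing. The sample log lines are copied from the post; the `/proc/crypto` excerpt, the hint text and the token table are constructed for this example. One further caveat for anyone comparing the log with the config: the policy in the log (`10.10.10.129/32 === 10.10.9.0/24`) does not match the posted `leftsubnet`/`rightsourceip`, so the log appears to come from a different revision of the config than the one shown.

```python
"""Triage a strongSwan (charon) syslog excerpt for kernel-side CHILD_SA install failures.

Added example for the thread above, not code from the post or from strongSwan.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the lines quoted in the post, peer address redacted as there.
SAMPLE_LOG = """\
daemon.info : 14[NET] sending packet: from 10.10.9.110[4500] to 87.200.(188 bytes)
Sun Oct 11 15:19:50 2020 daemon.info : 11[NET] received packet: from 87.200 to 10.10.9.110[4500] (92 bytes)
Sun Oct 11 15:19:50 2020 daemon.info : 11[ENC] parsed QUICK_MODE request 2951298853 [ HASH ]
Sun Oct 11 15:19:50 2020 daemon.info : 11[KNL] received netlink error: Function not implemented (89)
Sun Oct 11 15:19:50 2020 daemon.info : 11[KNL] unable to add SAD entry with SPI cea24de7 (FAILED)
Sun Oct 11 15:19:50 2020 daemon.info : 11[KNL] received netlink error: Function not implemented (89)
Sun Oct 11 15:19:50 2020 daemon.info : 11[KNL] unable to add SAD entry with SPI 0bafb830 (FAILED)
Sun Oct 11 15:19:50 2020 daemon.info : 11[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Sun Oct 11 15:19:50 2020 daemon.info : 11[IKE] sending DELETE for ESP CHILD_SA with SPI 0bafb830
"""

# Optional syslog timestamp, then "daemon.info : <thread>[<subsystem>] <message>".
LINE_RE = re.compile(
    r"^(?:\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} )?daemon\.info : "
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$"
)
NETLINK_RE = re.compile(r"received netlink error: (?P<text>.+?) \((?P<errno>\d+)\)$")
SAD_FAIL_RE = re.compile(r"unable to add SAD entry with SPI (?P<spi>[0-9a-f]+)")

# Key on the strerror text, not the number: errno values are per-architecture
# (ENOSYS is 89 on MIPS, as in the post, but 38 on x86-64). Hint text is ours.
NETLINK_HINTS = {
    "Function not implemented":
        "xfrm rejected an algorithm of the ESP SA (the kernel returns ENOSYS when a "
        "requested cipher/integrity algorithm is unavailable); compare the ESP "
        "proposal with /proc/crypto and the installed kmod-ipsec4 / kmod-crypto-* packages",
}


def parse_charon_log(text: str) -> List[Dict[str, str]]:
    """Return one dict (thread, sub, msg) per recognised charon line; other lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]


def triage(text: str) -> Dict[str, object]:
    """Say whether setup failed in IKE, in the kernel, or not at all, and why."""
    events = parse_charon_log(text)
    quick_mode_seen = any(e["sub"] == "ENC" and "QUICK_MODE" in e["msg"] for e in events)
    last_netlink = None
    refused: List[Tuple[str, str]] = []   # (SPI, netlink error text) per rejected SAD add
    for e in events:
        if e["sub"] != "KNL":
            continue
        m = NETLINK_RE.search(e["msg"])
        if m:
            last_netlink = m.group("text")   # charon logs the error before the failed SPI
            continue
        m = SAD_FAIL_RE.search(e["msg"])
        if m:
            refused.append((m.group("spi"), last_netlink or "unknown"))
    if refused:
        layer = "kernel"
        hint = NETLINK_HINTS.get(refused[0][1], "see the kernel/xfrm error text")
    elif quick_mode_seen:
        layer, hint = "none", "CHILD_SA installed; look at routing, firewall and NAT instead"
    else:
        layer, hint = "ike", "Quick Mode never completed; check PSK, XAuth and proposals"
    return {"quick_mode_seen": quick_mode_seen, "refused_spis": refused,
            "failed_layer": layer, "hint": hint}


# strongSwan ESP proposal tokens -> names the kernel-netlink plugin hands to xfrm,
# which the kernel crypto API must be able to resolve (listed in /proc/crypto).
ESP_TOKENS = {
    "3des": "cbc(des3_ede)", "aes128": "cbc(aes)", "aes192": "cbc(aes)",
    "aes256": "cbc(aes)", "aes128gcm16": "rfc4106(gcm(aes))",
    "aes256gcm16": "rfc4106(gcm(aes))", "md5": "hmac(md5)", "sha1": "hmac(sha1)",
    "sha256": "hmac(sha256)", "sha384": "hmac(sha384)", "sha512": "hmac(sha512)",
}


def missing_kernel_algos(esp_proposal: str, proc_crypto_text: str) -> List[str]:
    """Kernel algorithm names an esp= proposal needs that the /proc/crypto text lacks."""
    present = set(re.findall(r"^name\s*:\s*(\S+)", proc_crypto_text, re.M))
    needed: List[str] = []
    for token in esp_proposal.split("-"):
        name = ESP_TOKENS.get(token)       # DH/PFS tokens such as modp1024 are not kernel algos
        if name and name not in needed:
            needed.append(name)
    return [n for n in needed if n not in present]


# Constructed /proc/crypto excerpt: AES-CBC and HMAC-SHA1 present, HMAC-SHA256 absent.
SAMPLE_PROC_CRYPTO = """\
name         : cbc(aes)
driver       : cbc(aes-generic)
module       : cbc
name         : hmac(sha1)
driver       : hmac(sha1-generic)
module       : kernel
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(missing_kernel_algos("aes256-sha256", SAMPLE_PROC_CRYPTO))
```

On the router itself the same check is `cat /proc/crypto | grep ^name` against whatever `ipsec statusall` reports as the negotiated ESP proposal, and `ip xfrm state` should list the inbound SPI that tcpdump shows arriving; if it is absent, the kernel cannot decrypt those packets no matter how healthy the IKE SA looks.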

What version of Android are you running that does not support IKEv2? I have been running a strongSwan server with IKEv2 for at least the past 4 years with my Android devices.

One thing I observed is that the newer versions of Android do not support the strongSwan app. If I recall, it has something to do with security restrictions built into the OS. You have to use the native VPN app with your devices. I think this started with Android 9.

Android 10 on a Nokia 7.2 doesn't support it natively. I am trying to get an IPsec config that will work with most clients (OS X, Win10, iOS, Android) natively; end users are complaining about having to install another app.