I have already read this document https://openwrt.org/docs/guide-user/services/vpn/pseudowire but it seems like this document is incomplete.
Overview: I have successfully established an IPsec site-to-site VPN between two OpenWRT routers and am also able to ping the remote LAN.
IPsec output:
ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.14.171, x86_64):
uptime: 5 minutes, since Jun 20 13:43:46 2020
worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Listening IP addresses:
192.168.111.10
192.168.0.144
Connections:
to-secondary: 192.168.0.144...192.168.0.145 IKEv1
to-secondary: local: [192.168.0.144] uses pre-shared key authentication
to-secondary: remote: [192.168.0.145] uses pre-shared key authentication
to-secondary: child: 192.168.111.0/24 === 192.168.107.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
to-secondary[2]: ESTABLISHED 5 minutes ago, 192.168.0.144[192.168.0.144]...192.168.0.145[192.168.0.145]
to-secondary[2]: IKEv1 SPIs: 5afe72578b4a5098_i 36255c29c6547e64_r*, pre-shared key reauthentication in 2 hours
to-secondary[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
to-secondary{1}: REKEYED, TUNNEL, reqid 1, expires in 54 minutes
to-secondary{1}: 192.168.111.0/24 === 192.168.107.0/24
to-secondary{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2fe688e_i c76663ee_o
to-secondary{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 39 minutes
to-secondary{2}: 192.168.111.0/24 === 192.168.107.0/24
IPsec File of R1:
cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.
conn to-secondary
    type=tunnel
    left=192.168.0.144
    leftnexthop=192.168.0.1
    # leftsourceip=10.10.10.1
    leftsubnet=192.168.111.0/24
    right=192.168.0.145
    rightnexthop=192.168.0.1
    # rightsourceip=10.10.10.2
    rightsubnet=192.168.107.0/24
    authby=psk
    auto=start
    ike=aes128-sha-modp1024
    esp=aes128-sha1
    route=auto
    keyexchange=ikev1
IPsec File of R2:
cat /etc/ipsec.conf
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.
conn to-primary
    type=tunnel
    left=192.168.0.145
    leftnexthop=192.168.0.1
    # leftsourceip=10.10.10.2
    leftsubnet=192.168.107.0/24
    right=192.168.0.144
    rightnexthop=192.168.0.1
    # rightsourceip=10.10.10.1
    rightsubnet=192.168.111.0/24
    authby=psk
    auto=start
    ike=aes128-sha-modp1024
    esp=aes128-sha1
    route=auto
    keyexchange=ikev2
Problem: Now, how do I establish a pseudowire between the two routers using the IPsec tunnel?