IPsec Client Not Working

Hi,
I am trying to set up an IPsec client on my OpenWRT router using strongSwan. Currently I have it set up, but the VPN is working only on the router itself, so my devices that are connected to the router are not connected to the VPN.

When I run ipsec status I get this:

root@OpenWrt:/etc/config# ipsec status
Shunted Connections:
lan-passthrough:  10.10.10.0/24 === 10.10.10.0/24 PASS
Security Associations (1 up, 0 connecting):
        test[1]: ESTABLISHED 38 minutes ago, 192.168.42.68[192.168.42.68]...xx.xx.xx.xx[xx.xx.xx.xx]
        test{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c40af730_i c4ebedf6_o
        test{1}:   10.6.yy.yy/32 === 0.0.0.0/0

My ipsec.conf contains this:

conn lan-passthrough
    leftsubnet=10.10.10.1/24 # Replace with your LAN subnet
    rightsubnet=10.10.10.1/24 # Replace with your LAN subnet
    authby=never # No authentication necessary
    type=pass # passthrough
    auto=route # no need to ipsec up lan-passthrough

conn test
    left=%defaultroute
    leftsourceip=%config
    leftauth=eap-mschapv2
    eap_identity=username_here
    right=xx.xx.xx.xx
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    #rightid=%xx.xx.xx.xx
    rightca=/etc/ipsec.d/cacerts/protonvpn.der
    keyexchange=ikev2
    rightfirewall=yes
    type=tunnel
    auto=start

My router is successfully connected to the VPN server but is unable to route the traffic from my devices through it.

My firewall config contains this:

config rule 'ike'
	option name 'ike'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '500'

config rule 'ipsec'
	option name 'ipsec'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '4500'

config rule 'ah'
	option name 'ah'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'ah'

config rule 'esp'
	option name 'esp'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'esp'

config forwarding
	option dest 'wan'
	option src 'lan'

I have been trying to get this working for a month but without success. Please help me out with it.

Which OpenWRT packages did you install?
Maybe I can also try strongSwan with ProtonVPN.


@Bernd I have installed the following packages:

strongswan - 5.6.3-3
strongswan-charon - 5.6.3-3
strongswan-charon-cmd - 5.6.3-3
strongswan-full - 5.6.3-3
strongswan-ipsec - 5.6.3-3
strongswan-libtls - 5.6.3-3
strongswan-mod-addrblock - 5.6.3-3
strongswan-mod-aes - 5.6.3-3
strongswan-mod-af-alg - 5.6.3-3
strongswan-mod-agent - 5.6.3-3
strongswan-mod-attr - 5.6.3-3
strongswan-mod-attr-sql - 5.6.3-3
strongswan-mod-blowfish - 5.6.3-3
strongswan-mod-ccm - 5.6.3-3
strongswan-mod-cmac - 5.6.3-3
strongswan-mod-connmark - 5.6.3-3
strongswan-mod-constraints - 5.6.3-3
strongswan-mod-coupling - 5.6.3-3
strongswan-mod-ctr - 5.6.3-3
strongswan-mod-curl - 5.6.3-3
strongswan-mod-curve25519 - 5.6.3-3
strongswan-mod-des - 5.6.3-3
strongswan-mod-dhcp - 5.6.3-3
strongswan-mod-dnskey - 5.6.3-3
strongswan-mod-duplicheck - 5.6.3-3
strongswan-mod-eap-identity - 5.6.3-3
strongswan-mod-eap-md5 - 5.6.3-3
strongswan-mod-eap-mschapv2 - 5.6.3-3
strongswan-mod-eap-radius - 5.6.3-3
strongswan-mod-eap-tls - 5.6.3-3
strongswan-mod-farp - 5.6.3-3
strongswan-mod-fips-prf - 5.6.3-3
strongswan-mod-forecast - 5.6.3-3
strongswan-mod-gcm - 5.6.3-3
strongswan-mod-gcrypt - 5.6.3-3
strongswan-mod-gmp - 5.6.3-3
strongswan-mod-ha - 5.6.3-3
strongswan-mod-hmac - 5.6.3-3
strongswan-mod-kernel-netlink - 5.6.3-3
strongswan-mod-ldap - 5.6.3-3
strongswan-mod-led - 5.6.3-3
strongswan-mod-load-tester - 5.6.3-3
strongswan-mod-md4 - 5.6.3-3
strongswan-mod-md5 - 5.6.3-3
strongswan-mod-mysql - 5.6.3-3
strongswan-mod-nonce - 5.6.3-3
strongswan-mod-openssl - 5.6.3-3
strongswan-mod-pem - 5.6.3-3
strongswan-mod-pgp - 5.6.3-3
strongswan-mod-pkcs1 - 5.6.3-3
strongswan-mod-pkcs11 - 5.6.3-3
strongswan-mod-pkcs12 - 5.6.3-3
strongswan-mod-pkcs7 - 5.6.3-3
strongswan-mod-pkcs8 - 5.6.3-3
strongswan-mod-pubkey - 5.6.3-3
strongswan-mod-random - 5.6.3-3
strongswan-mod-rc2 - 5.6.3-3
strongswan-mod-resolve - 5.6.3-3
strongswan-mod-revocation - 5.6.3-3
strongswan-mod-sha1 - 5.6.3-3
strongswan-mod-sha2 - 5.6.3-3
strongswan-mod-smp - 5.6.3-3
strongswan-mod-socket-default - 5.6.3-3
strongswan-mod-sql - 5.6.3-3
strongswan-mod-sqlite - 5.6.3-3
strongswan-mod-sshkey - 5.6.3-3
strongswan-mod-stroke - 5.6.3-3
strongswan-mod-test-vectors - 5.6.3-3
strongswan-mod-uci - 5.6.3-3
strongswan-mod-unity - 5.6.3-3
strongswan-mod-updown - 5.6.3-3
strongswan-mod-vici - 5.6.3-3
strongswan-mod-whitelist - 5.6.3-3
strongswan-mod-x509 - 5.6.3-3
strongswan-mod-xauth-eap - 5.6.3-3
strongswan-mod-xauth-generic - 5.6.3-3
strongswan-mod-xcbc - 5.6.3-3
strongswan-pki - 5.6.3-3
strongswan-scepclient - 5.6.3-3
strongswan-swanctl - 5.6.3-3
kmod-ip6tables - 4.9.184-1
kmod-ipsec - 4.9.184-1
kmod-ipsec4 - 4.9.184-1
kmod-ipsec6 - 4.9.184-1
kmod-ipt-conntrack - 4.9.184-1
kmod-ipt-conntrack-extra - 4.9.184-1
kmod-ipt-core - 4.9.184-1
kmod-ipt-ipsec - 4.9.184-1
kmod-ipt-nat - 4.9.184-1
kmod-iptunnel4 - 4.9.184-1
kmod-iptunnel6 - 4.9.184-1

ip-full - 4.16.0-8
ip-tiny - 4.16.0-8
ip6tables - 1.6.2-1
iptables - 1.6.2-1
iptables-mod-ipsec - 1.6.2-1

Do let me know if you find anything; I have been trying for a month but with no success so far. Thanks

This is a roadwarrior-style configuration with a virtual IP address. Only packets with the 10.6.yy.yy/32 address will be able to pass through the tunnel in either direction. I can see these possible solutions:

  1. Change to a subnet-to-subnet config, if offered by your VPN provider, or if you are operating both VPN gateways yourself.
  2. Make all clients appear under a single IP address to the tunnel (SNAT, maybe also DNAT). Be sure to apply NAT to the plaintext traffic, not ESP, and map to the virtual IP address, not an arbitrary address from one of the router's interfaces. I have not tried this.
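One way to implement option 2 from the answer above on OpenWrt, as an added example that is not from this thread, from strongSwan or from ProtonVPN: a custom updown script that SNATs LAN plaintext to the virtual IP the VPN server hands out, so that forwarded packets from the LAN fit the 10.6.yy.yy/32 === 0.0.0.0/0 selector instead of missing the policy. The LAN subnet 10.10.10.0/24 is taken from the poster's config; PLUTO_VERB, PLUTO_INTERFACE and PLUTO_MY_SOURCEIP are strongSwan's standard updown environment variables; the "-m policy" match comes from iptables-mod-ipsec, which the poster already has installed. The script path /etc/ipsec.d/snat-updown.sh used in the usage note is an assumption.

```shell
#!/bin/sh
# Added example (not from this thread or strongSwan): a strongSwan updown
# script that SNATs LAN plaintext to the tunnel's virtual IP, so that packets
# from 10.10.10.0/24 match the 10.6.yy.yy/32 === 0.0.0.0/0 policy.
# Assumptions: LAN subnet taken from the poster's config; PLUTO_VERB,
# PLUTO_INTERFACE and PLUTO_MY_SOURCEIP are strongSwan's standard updown
# environment; iptables-mod-ipsec supplies the "-m policy" match.

LAN_SUBNET="${LAN_SUBNET:-10.10.10.0/24}"

# Accept only a dotted-quad IPv4 literal: the value is spliced into an
# iptables command line, so anything else is rejected rather than executed.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# iptables arguments for the SNAT rule.
#   $1 = -I (insert on up-client) or -D (delete on down-client)
#   $2 = outgoing interface, $3 = virtual IP assigned by the VPN server
# "-m policy --dir out --pol ipsec" matches the plaintext packets that are
# about to be encrypted, never the ESP packets leaving afterwards and not the
# LAN-to-LAN traffic covered by the pass policy, so only tunnel-bound traffic
# is rewritten. "-I" places the rule ahead of OpenWrt's WAN masquerade rule,
# which would otherwise rewrite the source to the WAN address.
snat_rule_args() {
    printf '%s' "-t nat $1 POSTROUTING -s $LAN_SUBNET -o $2 -m policy --dir out --pol ipsec -j SNAT --to-source $3"
}

apply_snat() {
    if ! is_ipv4 "${PLUTO_MY_SOURCEIP:-}"; then
        echo "snat-updown: no virtual IP in PLUTO_MY_SOURCEIP, leaving NAT untouched" >&2
        return 1
    fi
    # Word splitting of the argument string is intentional here.
    iptables $(snat_rule_args "$1" "$PLUTO_INTERFACE" "$PLUTO_MY_SOURCEIP")
}

# strongSwan runs this script with PLUTO_VERB set; run by hand with no verb
# the dispatch does nothing, which keeps the functions testable offline.
case "${PLUTO_VERB:-}" in
    up-client)   apply_snat -I ;;
    down-client) apply_snat -D ;;
esac
```

Wire it in with leftupdown=/etc/ipsec.d/snat-updown.sh under conn test (and chmod +x the file). Two caveats: setting leftupdown replaces strongSwan's stock _updown script, so if the rightfirewall=yes forwarding rules are still wanted, have this script call the stock one first (on OpenWrt it is normally installed as /usr/lib/ipsec/_updown; verify the path on your build); and a full firewall restart can flush the nat table, after which the rule is only re-added when the tunnel goes down and up again, so check iptables -t nat -L POSTROUTING after a reload.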

Sir, we are really new to this and are not able to achieve it. We have been trying for months but are unable to get the perfect solution. Sir, do you have any documentation or a list of config files that can help us out? We will give you access to one month of Premium ProtonVPN membership. Thanks