IPsec Client Not Working

Hi,
I am trying to set up an IPsec client on my OpenWRT router using strongSwan. Currently I have tried to set it up, but the VPN is working only on the router, so my devices which are connected to the router are not connected to the VPN.

When I do ipsec status I get this:

root@OpenWrt:/etc/config# ipsec status
Shunted Connections:
lan-passthrough:  10.10.10.0/24 === 10.10.10.0/24 PASS
Security Associations (1 up, 0 connecting):
        test[1]: ESTABLISHED 38 minutes ago, 192.168.42.68[192.168.42.68]...xx.xx.xx.xx[xx.xx.xx.xx]
        test{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c40af730_i c4ebedf6_o
        test{1}:   10.6.yy.yy/32 === 0.0.0.0/0

My ipsec.conf contains this:

conn lan-passthrough
    leftsubnet=10.10.10.1/24 # Replace with your LAN subnet
    rightsubnet=10.10.10.1/24 # Replace with your LAN subnet
    authby=never # No authentication necessary
    type=pass # passthrough
    auto=route # no need to ipsec up lan-passthrough

conn test
    left=%defaultroute
    leftsourceip=%config
    leftauth=eap-mschapv2
    eap_identity=username_here
    right=xx.xx.xx.xx
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    #rightid=%xx.xx.xx.xx
    rightca=/etc/ipsec.d/cacerts/protonvpn.der
    keyexchange=ikev2
    rightfirewall=yes
    type=tunnel
    auto=start

My router is successfully connected to the VPN server but is unable to route the traffic to my devices.

My firewall contains this:

config rule 'ike'
	option name 'ike'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '500'

config rule 'ipsec'
	option name 'ipsec'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '4500'

config rule 'ah'
	option name 'ah'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'ah'

config rule 'esp'
	option name 'esp'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'esp'

config forwarding
	option dest 'wan'
	option src 'lan'

I have been trying to get this working for a month but have not managed it. Please help me out with it.

Which OpenWRT packages did you install?
Maybe I can also try strongSwan with ProtonVPN.


@Bernd I have installed the following packages:

strongswan - 5.6.3-3
strongswan-charon - 5.6.3-3
strongswan-charon-cmd - 5.6.3-3
strongswan-full - 5.6.3-3
strongswan-ipsec - 5.6.3-3
strongswan-libtls - 5.6.3-3
strongswan-mod-addrblock - 5.6.3-3
strongswan-mod-aes - 5.6.3-3
strongswan-mod-af-alg - 5.6.3-3
strongswan-mod-agent - 5.6.3-3
strongswan-mod-attr - 5.6.3-3
strongswan-mod-attr-sql - 5.6.3-3
strongswan-mod-blowfish - 5.6.3-3
strongswan-mod-ccm - 5.6.3-3
strongswan-mod-cmac - 5.6.3-3
strongswan-mod-connmark - 5.6.3-3
strongswan-mod-constraints - 5.6.3-3
strongswan-mod-coupling - 5.6.3-3
strongswan-mod-ctr - 5.6.3-3
strongswan-mod-curl - 5.6.3-3
strongswan-mod-curve25519 - 5.6.3-3
strongswan-mod-des - 5.6.3-3
strongswan-mod-dhcp - 5.6.3-3
strongswan-mod-dnskey - 5.6.3-3
strongswan-mod-duplicheck - 5.6.3-3
strongswan-mod-eap-identity - 5.6.3-3
strongswan-mod-eap-md5 - 5.6.3-3
strongswan-mod-eap-mschapv2 - 5.6.3-3
strongswan-mod-eap-radius - 5.6.3-3
strongswan-mod-eap-tls - 5.6.3-3
strongswan-mod-farp - 5.6.3-3
strongswan-mod-fips-prf - 5.6.3-3
strongswan-mod-forecast - 5.6.3-3
strongswan-mod-gcm - 5.6.3-3
strongswan-mod-gcrypt - 5.6.3-3
strongswan-mod-gmp - 5.6.3-3
strongswan-mod-ha - 5.6.3-3
strongswan-mod-hmac - 5.6.3-3
strongswan-mod-kernel-netlink - 5.6.3-3
strongswan-mod-ldap - 5.6.3-3
strongswan-mod-led - 5.6.3-3
strongswan-mod-load-tester - 5.6.3-3
strongswan-mod-md4 - 5.6.3-3
strongswan-mod-md5 - 5.6.3-3
strongswan-mod-mysql - 5.6.3-3
strongswan-mod-nonce - 5.6.3-3
strongswan-mod-openssl - 5.6.3-3
strongswan-mod-pem - 5.6.3-3
strongswan-mod-pgp - 5.6.3-3
strongswan-mod-pkcs1 - 5.6.3-3
strongswan-mod-pkcs11 - 5.6.3-3
strongswan-mod-pkcs12 - 5.6.3-3
strongswan-mod-pkcs7 - 5.6.3-3
strongswan-mod-pkcs8 - 5.6.3-3
strongswan-mod-pubkey - 5.6.3-3
strongswan-mod-random - 5.6.3-3
strongswan-mod-rc2 - 5.6.3-3
strongswan-mod-resolve - 5.6.3-3
strongswan-mod-revocation - 5.6.3-3
strongswan-mod-sha1 - 5.6.3-3
strongswan-mod-sha2 - 5.6.3-3
strongswan-mod-smp - 5.6.3-3
strongswan-mod-socket-default - 5.6.3-3
strongswan-mod-sql - 5.6.3-3
strongswan-mod-sqlite - 5.6.3-3
strongswan-mod-sshkey - 5.6.3-3
strongswan-mod-stroke - 5.6.3-3
strongswan-mod-test-vectors - 5.6.3-3
strongswan-mod-uci - 5.6.3-3
strongswan-mod-unity - 5.6.3-3
strongswan-mod-updown - 5.6.3-3
strongswan-mod-vici - 5.6.3-3
strongswan-mod-whitelist - 5.6.3-3
strongswan-mod-x509 - 5.6.3-3
strongswan-mod-xauth-eap - 5.6.3-3
strongswan-mod-xauth-generic - 5.6.3-3
strongswan-mod-xcbc - 5.6.3-3
strongswan-pki - 5.6.3-3
strongswan-scepclient - 5.6.3-3
strongswan-swanctl - 5.6.3-3
 
kmod-ip6tables - 4.9.184-1
kmod-ipsec - 4.9.184-1
kmod-ipsec4 - 4.9.184-1
kmod-ipsec6 - 4.9.184-1
kmod-ipt-conntrack - 4.9.184-1
kmod-ipt-conntrack-extra - 4.9.184-1
kmod-ipt-core - 4.9.184-1
kmod-ipt-ipsec - 4.9.184-1
kmod-ipt-nat - 4.9.184-1
kmod-iptunnel4 - 4.9.184-1
kmod-iptunnel6 - 4.9.184-1

ip-full - 4.16.0-8
ip-tiny - 4.16.0-8
ip6tables - 1.6.2-1
iptables - 1.6.2-1
iptables-mod-ipsec - 1.6.2-1

Do let me know if you find something; I have been trying for a month with no success so far. Thanks

This is a roadwarrior-style configuration with a virtual IP address. Only packets with the 10.6.yy.yy/32 address will be able to pass through the tunnel in either direction. I can see these possible solutions:

  1. Change to a subnet-to-subnet config, if offered by your VPN provider, or if you are operating both VPN gateways yourself.
  2. Make all clients appear under a single IP address to the tunnel (SNAT, maybe also DNAT). Be sure to apply NAT to the plaintext traffic, not ESP, and map to the virtual IP address, not an arbitrary address from one of the router's interfaces. I have not tried this.
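The point above can be checked mechanically from the `ipsec status` output. The following Python script is an added example, not code from the thread or from strongSwan: it parses the selector lines that `ipsec status` prints for shunts and CHILD_SAs and reports whether a given LAN prefix is covered by any installed tunnel policy. The sample status text is constructed from the output posted earlier, with 10.6.0.2 standing in for the masked virtual IP 10.6.yy.yy and 203.0.113.10 for the masked server address xx.xx.xx.xx; a second constructed sample shows what the subnet-to-subnet alternative (option 1) would look like in the same output.

```python
"""Check whether a strongSwan tunnel policy actually covers a LAN subnet.

Added example, not part of the forum thread. Parses the "local === remote"
selector lines of `ipsec status` and answers: which installed policy, if any,
would carry traffic from a given LAN prefix?
"""
import ipaddress
import re

# Constructed sample modelled on the `ipsec status` output in the thread.
# 10.6.0.2 stands in for the masked virtual IP 10.6.yy.yy, and the
# documentation address 203.0.113.10 for the masked server xx.xx.xx.xx.
SAMPLE_STATUS = """\
Shunted Connections:
lan-passthrough:  10.10.10.0/24 === 10.10.10.0/24 PASS
Security Associations (1 up, 0 connecting):
        test[1]: ESTABLISHED 38 minutes ago, 192.168.42.68[192.168.42.68]...203.0.113.10[203.0.113.10]
        test{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c40af730_i c4ebedf6_o
        test{1}:   10.6.0.2/32 === 0.0.0.0/0
"""

# Constructed sample of a subnet-to-subnet policy (option 1 above): the LAN
# prefix itself is the local traffic selector, so no virtual IP is involved.
SITE_TO_SITE_STATUS = """\
Security Associations (1 up, 0 connecting):
        s2s[1]: ESTABLISHED 2 minutes ago, 192.168.42.68[192.168.42.68]...203.0.113.10[203.0.113.10]
        s2s{1}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: 01020304_i 05060708_o
        s2s{1}:   10.10.10.0/24 === 0.0.0.0/0
"""

# CHILD_SA selector lines look like "name{N}:   LOCAL === REMOTE";
# shunt lines look like            "name:  LOCAL === REMOTE PASS|DROP".
SELECTOR_RE = re.compile(
    r"^\s*(?P<name>[^\s:{]+)(?:\{\d+\})?:\s+"
    r"(?P<local>\S+)\s+===\s+(?P<remote>\S+)"
    r"(?:\s+(?P<shunt>PASS|DROP))?\s*$"
)


def _to_network(selector):
    """Turn a traffic selector such as 10.0.0.0/24[tcp/80] into an ip_network."""
    return ipaddress.ip_network(selector.split("[", 1)[0], strict=False)


def parse_selectors(status_text):
    """Return one dict per policy line: name, local, remote and kind."""
    entries = []
    for line in status_text.splitlines():
        m = SELECTOR_RE.match(line)
        if not m:
            continue  # headers, IKE_SA and INSTALLED lines carry no selectors
        local, remote = _to_network(m.group("local")), _to_network(m.group("remote"))
        if m.group("shunt"):
            kind = "shunt-" + m.group("shunt").lower()
        elif local.prefixlen == local.max_prefixlen:
            kind = "tunnel-virtual-ip"  # single-host selector: roadwarrior style
        else:
            kind = "tunnel-subnet"      # subnet selector: site-to-site style
        entries.append({"name": m.group("name"), "local": local, "remote": remote, "kind": kind})
    return entries


def tunnels_carrying(entries, lan, destination=None):
    """Names of tunnel policies whose selectors cover lan (and destination, if given)."""
    lan = ipaddress.ip_network(lan, strict=False)
    dest = ipaddress.ip_network(destination, strict=False) if destination else None
    names = []
    for e in entries:
        if not e["kind"].startswith("tunnel") or e["local"].version != lan.version:
            continue
        if not lan.subnet_of(e["local"]):
            continue
        if dest is not None and not dest.subnet_of(e["remote"]):
            continue
        names.append(e["name"])
    return names


def diagnose(status_text, lan):
    """Classify why LAN traffic does or does not enter the tunnel."""
    entries = parse_selectors(status_text)
    carried = tunnels_carrying(entries, lan)
    if carried:
        return "ok", carried
    tunnels = [e for e in entries if e["kind"].startswith("tunnel")]
    if not tunnels:
        return "no-tunnel", []
    vips = [str(e["local"]) for e in tunnels if e["kind"] == "tunnel-virtual-ip"]
    if vips:
        return "virtual-ip-only", vips   # only the virtual IP can use the tunnel
    return "not-covered", [e["name"] for e in tunnels]


if __name__ == "__main__":
    for label, status in (("roadwarrior", SAMPLE_STATUS), ("site-to-site", SITE_TO_SITE_STATUS)):
        verdict, detail = diagnose(status, "10.10.10.0/24")
        print(f"{label}: {verdict} {detail}")
```

For the thread's output the verdict is `virtual-ip-only` with `10.6.0.2/32`: the LAN prefix 10.10.10.0/24 is not a subnet of the local selector, so LAN hosts either need to appear as that address (option 2) or the policy itself must name the LAN (option 1, for which the second sample returns `ok`).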

Sir, we are really new to this and are not able to achieve it. We have been trying for months but are unable to get the perfect solution. Sir, do you have any documentation or a list of config files that can help us out? We will give you access to 1 month of Premium ProtonVPN membership. Thanks

I'm facing exactly the same issue. I have administrator permissions on both server and client. The strongSwan gateway (configured with the virtual IP pool feature) is behind NAT, the same as the strongSwan client (also NATed) running on OpenWRT. The problem is that I can route all the traffic on OpenWRT only, and in addition only when the firewall is disabled entirely. If the firewall is enabled on OpenWRT the traffic goes through the default gateway (from my ISP) rather than the IPsec tunnel. The main issue is that it doesn't work for LAN clients connected to OpenWRT. I tried to set up SNAT on OpenWRT where the source address is my LAN network and the IP address for SNAT is the one I got from the IPsec pool, but no luck. I would really appreciate it if someone could share their experience of how to set up strongSwan as a client on OpenWRT, especially the firewall part.

PS. I'm able to set up the tunnel without any issues.

This can work, but is complicated, see the backlink under my previous post above.

Since you are the administrator of both IPsec gateways, I would recommend a site-to-site configuration instead (both left- and rightsubnet, but no virtual IP address). In this case, make sure NAT is not applied to tunneled traffic.

The thing is that the server is hosted on an Amazon AWS EC2 instance, where you get a private IP address by default and it is NATed to a public IP by Amazon. So this piece of the setup is out of my control. I use the VPN as a gateway to the Internet, so in this case I guess I can't use the site-to-site scenario.