IPSec Config for iOS devices

Hi folks,

I'm trying to get a strongswan IPSec config set up so that I can VPN to it from my iPhone. I've been following a few guides, but I'm a little stuck. Basically, I can successfully connect to the VPN and access the Internet, but only if I set 'Forward' to 'Accept' in the Firewall General settings. That's not exactly the most secure configuration, but I can't work out what the right one is.

Would love some help understanding how to configure inter-zone forwarding a bit better, so that I can:

  • Access the Internet from a VPN client
  • Access the LAN from a VPN client

I don't particularly care about accessing a VPN client from the LAN.

Cheers,

Jonathan

/etc/config/firewall:

root@LEDE:~# cat /etc/config/firewall

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'

config include
option path '/etc/firewall.user'

config rule
option src 'wan'
option proto 'esp'
option target 'ACCEPT'
option name 'IPSec-Allow ESP'

config rule
option src 'wan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option name 'IPSec-Allow-UDP-500'

config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'

config rule
option src 'wan'
option proto 'udp'
option dest_port '4500'
option target 'ACCEPT'
option name 'IPSec-Allow-UDP-4500'

config rule
option src 'wan'
option proto 'ah'
option target 'ACCEPT'
option name 'IPSec-Allow-AH'

config zone
option input 'ACCEPT'
option output 'ACCEPT'
option network 'VPN'
option name 'VPN'
option forward 'ACCEPT'

config forwarding
option dest 'wan'
option src 'VPN'

config rule
option target 'ACCEPT'
option src 'lan'
option dest 'VPN'
option name 'LAN->VPN'

config rule
option target 'ACCEPT'
option src 'VPN'
option dest 'lan'
option name 'VPN->LAN'

config rule
option enabled '1'
option target 'ACCEPT'
option src 'VPN'
option dest 'wan'
option name 'VPN->WAN'

/etc/firewall.user

root@LEDE:~# cat /etc/firewall.user
iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT

Hi Jonathan,

I setup Cisco IPSec IKEv1 servers on OpenWRT/LEDE regularly for a "Roadwarrior" style use case such as you. Can I see your ipsec.conf setup?
Are you trying to setup IKEv1 or IKEv2 with certificates?
My setups are designed to be simple XAUTH with username/password/secret, no messing around with certificates. As such, no need for VPN Zone configs as this functionality can be set in strongswan's config.

Cheers,

  • Adam

Hey Adam,

I'm trying to set up IKEv2 with certs, but only because that's what I found. Certs would be ideal.

root@LEDE:~# cat /etc/ipsec.conf 
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# strictcrlpolicy=yes
	# uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

conn ios  
         keyexchange=ikev1
         authby=xauthrsasig
         xauth=server
         left=%any
         leftsubnet=0.0.0.0/0
         leftfirewall=yes
         leftcert=serverCert.pem
         right=%any
         rightsubnet=192.168.1.0/24
         rightsourceip=%dhcp
         rightcert=clientCert.pem
         forceencaps=yes
         auto=add

Hi Jonathan,

I used the guide here as a start:

https://zhmail.com/2015/09/15/configuring-ikev1-xauth-psk-in-openwrt1505/

And then here is my ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file                                     
                                                                                       
# basic configuration                                                                  
                                                                                       
config setup                                                                           
        # strictcrlpolicy=yes                                                          
        # uniqueids = no                                                               
                                                                                       
# Add connections here.                                                                
conn %default                                                                          
        ikelifetime=60m                                                                
        keylife=20m                                                                    
        rekeymargin=3m                                                                 
        keyingtries=1                                                                  
                                                                                       
conn roadwarrior                                                                       
        keyexchange=ikev1                                                              
        left=%any                                                                      
        leftid=@LEDE.lan                                                            
        leftdns=8.8.8.8,8.8.4.4                                                        
        leftsubnet=0.0.0.0/0                                                           
        leftauth=psk                                                                   
        leftfirewall=yes                                                               
        lefthostaccess=yes                                                             
        right=%any                                                                     
        rightauth=psk                                                                  
        rightauth2=xauth                                                               
        rightsourceip=192.168.11.0/24                                            
        rightdns=8.8.8.8,8.8.4.4                                                       
        auto=add

My lan is the standard 192.168.1.1/24, so my rightsourceip is another subnet. When an iOS/Android connects it is given an ip within the rightsourceip range, but still has full access to all hosts within the lan and the rightdns gives it internet through Google's DNSs.

@kop, @SineWave I moved this topic to the Network and Wireless Configuration category so more people will see it. Thanks for using LEDE!