I'm trying to replace an ipfire based router by an openwrt based.
Since my friend is running a small business the router has to be changed with 1:1 functionality plus addons. OpenVPN is installed to connect a roadwarrior to his local network. To do his real work they are connected via IPSEC to another company.
It is required, that a roadwarrior connected via OpenVPN can use this IPSEC connection too.
Until now I got OpenVPN and WireGuard running on OpenWrt as VPN solutions for the roadwarriors.
Next step is to get the IPSEC connection running. One problem is, that I did not get any information from the company who runs the IPSEC server. They only want to sell a closed source appliance. And I'm a IPSEC noob
Actually the connection from ipfire based router to the ipsec server is running fine. I hope that I can transfer the connection settings to OpenWrt.
Here is the config fire of ipfire:
found a ipsec.secrets file too 188.8.131.52 184.108.40.206 : PSK '0........L='
Of course I have replaced the real values with this ones ... local network: 192.168.4.0/24 openvpn network: 10.168.4.0/24 remote server side network: 220.127.116.11/29 public ip ipsec server side: 18.104.22.168 public ip my side: 22.214.171.124
When looking in the OpenWrt wiki I found a Site-to-Site sample. But the configuration looks complete different. And I did not know how to convert parms
Found another HowTo for IKEV1
This seems to be much closer to the ipfire configuration. But questions over questions ...
Can I use this one with a actual snapshot?
Where to find info about different parms? i.e. "left=%defaultroute"
Are really all packages reqired? I.E. strongswan-mod-blowfish because my config shows AES
IPFire 2.7 and later indeed use strongSwan.
Search for the cisco_unity option in /etc/strongswan.conf or under /etc/strongswan.d/. If it is set to yes, you need to replicate this, and also any other options which were changed from their default.
I suggest to look at the output of ipsec statusall now and after the upgrade, and check for differences, especially in the tunneled subnets.
In the ipsec.conf manpage or the strongSwan wiki (same link as above).
I changed my configuration to use %any (the default).
did not find any time the last days, to do more investigation.
I did a ipsec statusall on the ipfire machine but hrere is no hint to Cicso Extensions.
I remember it was nesserary to add the second "left subnet value" to allow users connected via openvpn to ipfire to use the ipsec connection too.
Before that it, only users from local lan are allowed.
Found that there is a additional ip in statusall.
192.168.14.10 is the routers wan interface
In difference to the strongSwan sample, all my roadwarriors are connected via openvpn.
And on ipfire it was necessary to add an iptables entry to allow these roadwarriors to access the ipsec network. Nothing more ...