IPSec IKEv2 Client to VPN service

My VPN provider uses these encryption algorithms:

ike=aes256gcm16-prfsha512-prfsha384-prfsha256-curve25519
esp=aes256gcm16-curve25519

But OpenWRT says: received netlink error: Function not implemented (38)

How can I enable these encryption algorithms on OpenWRT?

I can't see any Curve25519 kernel module in the openwrt package table (required for ESP). Curve25519 also doesn't seem to be merged into the vanilla Linux kernel (https://github.com/torvalds/linux).

https://openwrt.org/packages/table/start?dataflt[Name_pkg-dependencies*~]=kmod-crypto

See /proc/crypto for the crypto algorithms currently available to the kernel.
To get a list of packages with further algorithms:

opkg update
opkg list kmod-crypto-*

On OpenWrt, kernel modules are not included with the kernel; they must be installed as separate packages named kmod-*. The question is which module/package is needed.

Since the Asus AC56U has fairly large flash and RAM, you could install kernel module packages liberally until the dependencies are satisfied, then try to find and remove the unneeded module packages again.

Another option would be to set up strongswan on a PC, where modules usually come with the Linux kernel package. Once the tunnel is up, check the reference counters in lsmod output and in /proc/crypto to find the module names, then return to OpenWrt and install the required kernel module packages there.
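To turn the /proc/crypto and lsmod advice above into a repeatable check, here is an added shell example (not from this thread): it parses /proc/crypto text, lists the algorithms whose reference count shows they are in use together with the module that provides them, and tells you whether a given algorithm name is registered at all. The /proc/crypto content in the block is constructed; on the router feed the functions the real file.

```shell
#!/bin/sh
# Added example, not from the thread: inspect /proc/crypto to see which
# kernel crypto algorithms exist and which are currently in use.
# Each /proc/crypto entry is a block of "key : value" lines; "name" comes
# before "module" and "refcnt", so a line-by-line scan is enough.

# Print "name<TAB>module<TAB>refcnt" for every algorithm whose refcnt is
# above the baseline of 1, i.e. something (such as an active ESP SA) holds it.
# A module of "kernel" means the algorithm is built in, not a loadable module.
crypto_in_use() {
    awk -F '[ \t]*:[ \t]*' '
        $1 == "name"   { name = $2 }
        $1 == "module" { module = $2 }
        $1 == "refcnt" && $2 + 0 > 1 { printf "%s\t%s\t%d\n", name, module, $2 }
    '
}

# Exit 0 if an algorithm with exactly this name (e.g. "gcm(aes)") is registered.
crypto_has() {
    awk -F '[ \t]*:[ \t]*' -v want="$1" '
        $1 == "name" && $2 == want { found = 1 }
        END { exit !found }
    '
}

# Constructed sample in the /proc/crypto format, standing in for the real file.
sample_proc_crypto() {
    cat <<'EOF'
name         : gcm(aes)
driver       : gcm_base(ctr(aes-generic),ghash-generic)
module       : kernel
priority     : 100
refcnt       : 3
selftest     : passed
type         : aead

name         : ghash
driver       : ghash-generic
module       : ghash_generic
priority     : 100
refcnt       : 2
selftest     : passed
type         : shash

name         : sha256
driver       : sha256-generic
module       : sha256_generic
priority     : 100
refcnt       : 1
selftest     : passed
type         : shash
EOF
}

# Demo on the constructed sample; on the router use: crypto_in_use < /proc/crypto
sample_proc_crypto | crypto_in_use
```

The module column is what you then look up in `opkg list kmod-crypto-*`: a module name that does not appear there with refcnt above 1 on the PC is a package the router still needs, while "kernel" entries are already built in.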

There is no such kernel module because Diffie-Hellman is handled in userspace.

Does esp=aes256gcm16-curve25519 mentioned above make any sense in that case?

esp=...-curve25519 requests Elliptic Curve Diffie-Hellman to be used during the rekeying of the child SA (ESP). Rekeying is performed by the charon daemon using the IKE protocol, then the resulting key is installed into the kernel to take effect for ESP traffic.

Hello.

I now have a connection on Linux Mint with this configuration:

conn PP
        keyexchange=ikev2
        dpdaction=none
        dpddelay=300s
        inactivity=36000s
        rekey=no
        leftsourceip=%config4,%config6
        leftsendcert=never
        leftauth=eap-mschapv2
        rightauth=pubkey
        right=amsterdam.perfect-privacy.com
        rightid=%any
        rightca=/etc/ipsec.d/cacerts/perfect-privacy_ipsec_ca.crt
        rightsubnet=0.0.0.0/0,::/0
        rightsendcert=always
        eap_identity="PPUsername"
        type=tunnel
        auto=add

Unfortunately, the configuration does not run on OpenWRT, so I copied some settings from this thread:

Now I have this configuration and I don't know if I can still optimize it.

/etc/ipsec.conf:

conn lan-passthrough
        leftsubnet=192.168.1.0/24 # Replace with your LAN subnet
        rightsubnet=192.168.1.0/24 # Replace with your LAN subnet
        authby=never # No authentication necessary
        type=pass # passthrough
        auto=route # no need to ipsec up lan-passthrough

conn PP
        keyexchange=ikev2
        dpdaction=none
        dpddelay=300s
        inactivity=36000s
        rekey=no
        forceencaps=yes
        authby=secret
        ike=aes256-sha256-modp2048
        esp=aes256-sha256
        leftfirewall=yes
        left=192.168.1.1
        leftid=192.168.1.1
        leftsourceip=%config4,%config6
        leftsendcert=never
        leftauth=eap-mschapv2
        rightfirewall=yes
        rightauth=pubkey
        right=amsterdam.perfect-privacy.com
        rightid=%any
        rightsubnet=0.0.0.0/0,::/0
        rightsendcert=always
        eap_identity="PPUsername"
        type=tunnel
        auto=add

/etc/ipsec.user:

case "$PLUTO_VERB" in
up-client)
        # Tunnel is up: SNAT LAN traffic that no IPsec policy matches yet to the
        # virtual IP assigned by the VPN, so that it is sent through the tunnel.
        iptables -t nat -A postrouting_wan_rule -s 192.168.1.0/24 -m policy --dir out --pol none -j SNAT --to-source "$PLUTO_MY_SOURCEIP4_1"
        ;;
down-client)
        # Tunnel is down: remove the SNAT rule again.
        iptables -t nat -F postrouting_wan_rule
        ;;
esac

Why does the configuration work without a certificate? However, this configuration does not work with all websites. Maybe a DNS problem? The VPN provider's DNS servers are not shown; the ISP's DNS servers are shown instead.

How to use DNS servers from VPN provider with IKEv2 configuration?

Best regards

Bernd

Edit: The option leftdns=%config4,%config4 has no effect. DNS servers are still from ISP.

Is it possible to add these scripts?

When IKEv2 is activated, then this script will be executed:

#!/bin/sh
env | sed -n -e "
/^foreign_option_.*=dhcp-option.*DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.*DOMAIN/s//domain/p
" | sort -u > /tmp/resolv.conf.vpn
uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.vpn"
/etc/init.d/dnsmasq restart

And when IKEv2 is disabled, then this script will be executed:

#!/bin/sh
uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.auto"
/etc/init.d/dnsmasq restart

Would that work?

Another question:

When I type ifconfig in PuTTY, I don't see an ipsec0 interface.

  1. How do I add an ipsec0 interface?

Then I want to add a KillSwitch with GUI.

  1. How do I do that?
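On the DNS question, here is an added shell example (not from the thread) that takes the DNS servers from the IKEv2 configuration payload rather than from OpenVPN's foreign_option_ variables. It assumes strongSwan's updown plugin exports the pushed servers as PLUTO_DNS4_1, PLUTO_DNS4_2, ... and PLUTO_DNS6_N, which is how strongSwan 5.x documents them; confirm it on your version with `env` from inside the script. The /tmp/resolv.conf.vpn and /tmp/resolv.conf.auto paths and the dnsmasq handling are the ones from the post above, and the script is meant to run from /etc/ipsec.user with the updown environment.

```shell
#!/bin/sh
# Added example, not from the thread: hand the DNS servers received over IKEv2
# to dnsmasq. Meant to be run from /etc/ipsec.user with the updown environment.
# Assumption: strongSwan's updown plugin exports the pushed servers as
# PLUTO_DNS4_1, PLUTO_DNS4_2, ... and PLUTO_DNS6_N.

VPN_RESOLV="/tmp/resolv.conf.vpn"   # written while the tunnel is up
ISP_RESOLV="/tmp/resolv.conf.auto"  # OpenWrt's WAN-provided resolv file

# Print one "nameserver" line per PLUTO_DNS4_N / PLUTO_DNS6_N variable,
# numbering from 1 and stopping at the first missing one.
vpn_nameservers() {
    for fam in 4 6; do
        n=1
        while :; do
            eval "srv=\${PLUTO_DNS${fam}_${n}:-}"
            [ -n "$srv" ] || break
            printf 'nameserver %s\n' "$srv"
            n=$((n + 1))
        done
    done
}

# Point dnsmasq at a resolv file and restart it. Like the thread's script this
# does not "uci commit", so the ISP setting is back after a reboot.
use_resolvfile() {
    uci set dhcp.@dnsmasq[0].resolvfile="$1"
    /etc/init.d/dnsmasq restart
}

case "${PLUTO_VERB:-}" in
up-client)
    # Only switch when the server actually pushed at least one DNS address;
    # otherwise dnsmasq would be left with an empty resolv file.
    if vpn_nameservers > "$VPN_RESOLV" && [ -s "$VPN_RESOLV" ]; then
        use_resolvfile "$VPN_RESOLV"
    else
        rm -f "$VPN_RESOLV"
    fi
    ;;
down-client)
    rm -f "$VPN_RESOLV"
    use_resolvfile "$ISP_RESOLV"
    ;;
esac
```

If `vpn_nameservers` prints nothing on up-client, the server did not push any DNS attribute in the IKE_AUTH exchange, and no resolv-file trick on the router will change that.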

I am now able to create an ipsec0 interface.

First add these commands:

ipsec.conf:

        mark_in=42
        mark_out=42

strongswan.conf:

charon {
        install_routes=no
        install_virtual_ip=no

        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}


include strongswan.d/*.conf

puTTY:

ip tunnel add ipsec0 local 192.168.1.1 remote <VPN_Server_IP> mode vti key 42
sysctl -w net.ipv4.conf.ipsec0.disable_policy=1
ip link set ipsec0 up
ip route add 10.0.0.0/24 dev ipsec0
ifconfig ipsec0 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255

Unfortunately these commands cause an IPv6 leak:

        install_routes=no
        install_virtual_ip=no

Does anyone have any idea how to solve this IPv6 leak?

When I add a KillSwitch in the Web UI, like for OpenVPN, it has no effect.
/etc/config/firewall:

config zone
	option name 'PP_FW'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'IPSEC'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option dest 'PP_FW'
	option src 'lan'

/etc/config/network:

config interface 'IPSEC'
	option proto 'none'
	option ifname 'ipsec0'
	option auto '1'

Does anyone have any idea what I am doing wrong at KillSwitch?

I have a general question.

Is it possible to get an IPv6 IP with strongSwan IKEv2?

If not, I would like to know how to disable IPv6 in the configuration.

IPv6 can be disabled with the following commands in /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

I have migrated the configuration from ipsec.conf to swanctl.conf.

Does anyone know how to start swanctl.conf at the OpenWrt start?

I only know how to start it manually:

swanctl --load-all
swanctl --initiate --child <name>

Edit:
swanctl.conf can be loaded at startup from strongswan.conf:

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    start-scripts {
        load-all = /usr/sbin/swanctl --load-all
    }
}

include strongswan.d/*.conf

Hello.

I have added a dropall rule that blocks everything:

connections {
    dropall {
        children {
            dropall {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                priority = 2
                mode = drop
                start_action = trap
            }
        }
    }
    lan-passthrough {
        children {
            lan-passthrough {
                local_ts = 192.168.1.0/24 # Replace with your LAN subnet
                remote_ts = 192.168.1.0/24 # Replace with your LAN subnet
                priority = 1
                mode = pass
                start_action = trap
            }
        }
    }
    pp {
        unique = never
        version = 2
        keyingtries = 0
        dpd_delay = 300s
        rekey_time = 0
        encap = yes
        proposals = aes256-sha256-modp2048
        vips = 0.0.0.0
        send_cert = never
        send_certreq = yes
        local_addrs = 192.168.1.1 # Replace with your default Router IP address
        remote_addrs = <PP Server IP> # Replace with your PP Server IP

        local {
            id = 192.168.1.1 # Replace with your default Router IP address
            auth = eap-mschapv2
            eap_id = Username # Replace with your PP-Username
        }
        remote {
            id = %any
            auth = pubkey
        }
        children {
            pp {
                dpd_action = start
                close_action = start
                inactivity = 36000s
                life_time = 0
                esp_proposals = aes256-sha256
                updown = /etc/swanctl/updown.sh
                remote_ts = 0.0.0.0/0
                priority = 1
                mode = tunnel
                start_action = start # "none" is for manual start, or use "start" for autostart
            }
        }
    }
} # connections
secrets {
    eap-user {
        id = Username # Replace with your PP-Username
        secret = "Password" # Replace with your "PP-Password"
    }
} # secrets

Only local subnet 192.168.1.0/24 and remote subnet 192.168.1.0/24 are allowed.

But I need more subnets/IP ranges to let ipsec through.

How can I check on OpenWrt to see what needs to be opened?

Is there something like traffic capture on OpenWrt?

Best regards

Bernd
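To see what the dropall, lan-passthrough and pp policies above do once the kernel holds them, here is an added shell model (not from the thread, and not the kernel's implementation): each policy is a line of name, priority, local_ts, remote_ts and mode; the lowest priority number wins, and among equal priorities the first line wins. The real XFRM lookup also matches direction, protocol and ports, which the model omits. The two policy tables are constructed from the swanctl.conf above: one with the pp tunnel policy present, one without it, which is what the kernel sees while the CHILD_SA is down.

```shell
#!/bin/sh
# Added example, not from the thread: a small model of how the kernel picks
# among the swanctl policies above. Lower "priority" wins; among equal
# priorities the first listed policy wins. Real XFRM lookups also check
# direction, protocol and ports, which this model leaves out.

# Constructed policy tables: name, priority, local_ts, remote_ts, mode.
# The pp tunnel policy is only present while the CHILD_SA is up.
POLICIES_TUNNEL_UP='lan-passthrough 1 192.168.1.0/24 192.168.1.0/24 pass
pp 1 0.0.0.0/0 0.0.0.0/0 tunnel
dropall 2 0.0.0.0/0 0.0.0.0/0 drop'

POLICIES_TUNNEL_DOWN='lan-passthrough 1 192.168.1.0/24 192.168.1.0/24 pass
dropall 2 0.0.0.0/0 0.0.0.0/0 drop'

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 if address $1 lies inside CIDR $2 (a bare address means /32).
in_cidr() {
    case "$2" in
        */*) net="${2%/*}"; len="${2#*/}" ;;
        *)   net="$2";      len=32 ;;
    esac
    if [ "$len" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# policy_for SRC DST, policy table on stdin: print "name mode" of the policy
# that applies, or "none none" if no policy matches.
policy_for() {
    best_name=""; best_prio=""; best_mode=""
    while read -r name prio lts rts mode; do
        [ -n "$name" ] || continue
        in_cidr "$1" "$lts" && in_cidr "$2" "$rts" || continue
        if [ -z "$best_prio" ] || [ "$prio" -lt "$best_prio" ]; then
            best_name=$name; best_prio=$prio; best_mode=$mode
        fi
    done
    echo "${best_name:-none} ${best_mode:-none}"
}

# Demo: where does 192.168.1.10 -> 8.8.8.8 go with the tunnel up and down?
printf '%s\n' "$POLICIES_TUNNEL_UP"   | policy_for 192.168.1.10 8.8.8.8
printf '%s\n' "$POLICIES_TUNNEL_DOWN" | policy_for 192.168.1.10 8.8.8.8
```

With the tunnel up, Internet-bound LAN traffic lands on the pp tunnel policy and LAN-to-LAN traffic on lan-passthrough; with the tunnel down, anything not covered by a pass line falls through to dropall, which is the kill-switch behaviour. To let a further subnet through, add a pass line for it at priority 1 and the lookup returns that policy instead of dropall.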

Bernd,

I see you are working on IKEv2 with ProtonVPN (I saw this on the StrongSwan forum.) I see that there is not much help getting this working and unfortunately, I will be no help at all. In fact, the reason I am replying to this thread is I am in the same boat. I am hoping that you will share your settings with me.

I tried to "pick up" your firewall and interface(?) setup from this post and the other on strongswan, but I have failed.

Will you share with me how to install an interface for the ipsec vpn and then also give me the firewall setup? I think that is my problem (partly at least) as I lose my LAN when I send the "ipsec up server.ip" command.

You also had created an ipsec.user file and some other scripts. Are those needed and if so, will you kindly share those?

Thanks a lot,

8bits

I found this: https://community.ui.com/questions/TUTORIAL-ProtonVPN-IKEv2-client-configuration-for-EdgeRouter/c2b64fa4-9eac-4aa4-b854-9ec9949a7e11

I believe this contains all the relevant setup steps, but they are for an Edge router. Would someone, kindly, reformat the instructions for openwrt?

I don't think it matters, but for future searchers I am using a TP-Link Archer C7 v5 with OpenWrt 19.07.1 r10911-c155900f66.

You still have to adapt ProtonVPN to this configuration, but you can try it. This configuration is without IPv6 and Kill-Switch.

Disable IPv6 in LuCI:

LAN > Advanced > UNCHECK: Use IPv6-management
LAN > DHCP > IPv6 > Disable everything
WAN > Advanced > UNCHECK: Use IPv6-management
WAN6 > Delete

Replace in /etc/config/firewall:

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

with:

config rule
	option name 'IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'IPSec-IKE'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'IPSec-NAT-T'
	option src 'wan'
	option dest_port '4500'
	option proto 'udp'
	option target 'ACCEPT'

Install packages:

opkg update
opkg install strongswan-full ip-full

Copy your certificate to "/etc/ipsec.d/cacerts" with WinSCP or the scp command.

/etc/ipsec.conf:

config setup
	charondebug="all"
	uniqueids=never

conn lan-passthrough
        leftsubnet=192.168.1.0/24 # Replace with your LAN subnet
        rightsubnet=192.168.1.0/24 # Replace with your LAN subnet
        authby=never # No authentication necessary
        type=pass # passthrough
        auto=route # no need to ipsec up lan-passthrough

conn ProtonVPN
        keyexchange=ikev2
        keyingtries=%forever
        dpdaction=none
        dpddelay=300s
        inactivity=36000s
        rekey=no
        forceencaps=yes
        authby=secret
        ike=aes256-sha256-modp2048
        esp=aes256-sha256
        leftfirewall=yes
        left=192.168.1.1
        leftid=192.168.1.1
        leftsourceip=%config4
        leftsendcert=never
        leftauth=eap-mschapv2
        rightfirewall=yes
        rightauth=pubkey
        right=ProtonVPNServerIP # Replace here ProtonVPNServerIP
        rightid=%any
        rightsubnet=0.0.0.0/0
        rightsendcert=always
        eap_identity="ProtonVPNUsername"
        type=tunnel
        auto=add

/etc/ipsec.user:

case "$PLUTO_VERB" in
up-client)
        # Tunnel is up: SNAT LAN traffic that no IPsec policy matches yet to the
        # virtual IP assigned by the VPN, so that it is sent through the tunnel.
        iptables -t nat -A postrouting_wan_rule -s 192.168.1.0/24 -m policy --dir out --pol none -j SNAT --to-source "$PLUTO_MY_SOURCEIP4_1"
        ;;
down-client)
        # Tunnel is down: remove the SNAT rule again.
        iptables -t nat -F postrouting_wan_rule
        ;;
esac

/etc/ipsec.secrets:
ProtonVPNUsername : EAP "ProtonVPNPassword"

Reboot your router.

Start IPsec with:

ipsec up ProtonVPN

If it works, then replace:

auto=add

in /etc/ipsec.conf with:

auto=start # start is for autostart

Reboot your router and enjoy.

Here is a Kill Switch instruction from @mikma and @mpa, but I had no luck with that.

Maybe you'll be luckier.

Edit:

I have not found a solution to install an IPsec interface. And with no interface, you cannot edit a firewall.

The updown.sh script from your link uses the VTI interface. It seems that the VTI interface works on EdgeRouter, but not on OpenWrt so far.
So this is a problem of the OpenWrt configuration. Maybe it needs a special routing configuration?

I tried to reformat the instructions for OpenWrt, but without success. I only got RX packets, but no TX packets. See picture:

You or someone else can try to get VTI interface working. Then I can try to create a new updown.sh script.

Here are my last settings:

add to /etc/ipsec.conf:

        mark_in=42
        mark_out=42

/etc/strongswan.conf:

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        install_routes=no
        install_virtual_ip=no

        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

Terminal:

ip tunnel add ipsec0 local 192.168.1.1 remote <your-server-ip> mode vti key 42
sysctl -w net.ipv4.conf.ipsec0.disable_policy=1
ip link set ipsec0 up
ip route add 10.0.0.0/24 dev ipsec0

/etc/config/network:

config interface 'ipsec'
	option proto 'none'
	option delegate '0'
	option ifname 'ipsec0'

Hello 8bitgigo.

I do not know how to reformat the updown.sh script for ipsec.user file. Therefore you should use swanctl.conf instead of ipsec.conf.

Here is the updown.sh:

#!/bin/sh
set -o nounset
set -o errexit

# Interface
VTI_IFACE="vti0"

case "$PLUTO_VERB" in
up-client)
	iptables -t nat -A postrouting_wan_rule -s 192.168.1.0/24 -m policy --dir out --pol none -j SNAT --to-source "$PLUTO_MY_SOURCEIP"
	
	echo "Creating tunnel interface $VTI_IFACE local $PLUTO_ME remote $PLUTO_PEER mode vti"
	ip tunnel add "$VTI_IFACE" local "$PLUTO_ME" remote "$PLUTO_PEER" mode vti
	echo "Activating tunnel interface $VTI_IFACE"
	ip link set "$VTI_IFACE" up

	echo "Adding $PLUTO_MY_SOURCEIP to $VTI_IFACE"
	ip addr add "$PLUTO_MY_SOURCEIP" dev "$VTI_IFACE"

	echo "Disabling IPsec policy (SPD) for $VTI_IFACE"
	sysctl -w "net.ipv4.conf.$VTI_IFACE.disable_policy=1"

	DEFAULT_ROUTE="$(ip route show default | grep default | awk '{print $3}')"
	echo "Identified default route as $DEFAULT_ROUTE"
	echo "Adding route: $PLUTO_PEER via $DEFAULT_ROUTE dev $PLUTO_INTERFACE"
	ip route add "$PLUTO_PEER" via "$DEFAULT_ROUTE" dev "$PLUTO_INTERFACE"
	;;
down-client)
	iptables -t nat -F postrouting_wan_rule

	echo "Deleting interface $VTI_IFACE"
	ip tunnel del "$VTI_IFACE"

	echo "Deleting route for $PLUTO_PEER"
	ip route del "$PLUTO_PEER"
	;;
esac

Here is swanctl.conf:

connections {
    lan-passthrough {
        children {
            lan-passthrough {
                local_ts = 192.168.1.0/24 # Replace with your LAN subnet
                remote_ts = 192.168.1.0/24 # Replace with your LAN subnet
                priority = 1
                mode = pass
                start_action = trap
            }
        }
    }
    ProtonVPN {
        unique = never
        version = 2
        keyingtries = 0
        dpd_delay = 300s
        rekey_time = 0
        encap = yes
        proposals = aes256-sha256-modp2048
        vips = 0.0.0.0
        send_cert = never
        send_certreq = yes
        local_addrs = 192.168.1.1 # Replace with your default Router IP address
        remote_addrs = <ProtonVPN Server IP> # Replace with your ProtonVPN Server IP

        local {
            id = 192.168.1.1 # Replace with your default Router IP address
            auth = eap-mschapv2
            eap_id = Username # Replace with your ProtonVPN-Username
        }
        remote {
            id = %any
            auth = pubkey
        }
        children {
            ProtonVPN {
                dpd_action = start
                close_action = start
                inactivity = 36000s
                life_time = 0
                esp_proposals = aes256-sha256
                updown = /etc/swanctl/updown.sh
                remote_ts = 0.0.0.0/0
                priority = 1
                mode = tunnel
                start_action = none # "none" is for manual start, or use "start" for autostart
            }
        }
    }
} # connections
secrets {
    eap-user {
        id = Username # Replace with your ProtonVPN-Username
        secret = "Password" # Replace with your "ProtonVPN-Password"
    }
} # secrets

/etc/strongswan.conf:

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        install_routes=no
        install_virtual_ip=no

        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

/etc/config/network:

config interface 'ipsec'
	option proto 'none'
	option delegate '0'
	option ifname 'vti0'

Start the configuration with:

swanctl --load-all
swanctl --initiate --child ProtonVPN

Important: ProtonVPN must also configure VTI on the server, otherwise it will not work.

I do not have an account for ProtonVPN. Therefore you have to ask ProtonVPN about VTI and try the configuration.


Hi, Bernd,

I'm Leo from China. Because of our government we can't visit the Internet as freely as you can, but we have other ways, so I can see you here :smile:

I saw your message and you are very professional, but I'm just a new guy here.
I would be very thankful if you could give me a hand with strongSwan on OpenWRT,
because I have tried for many, many days and worked hard but still can't connect successfully!

I want to set up an L2TP over IPsec client on OpenWrt using strongSwan. I installed everything on an old desktop and it works well as a router.

My environment is:
1. OpenWrt 19.07.1, r10911-c155900f66
2. strongSwan 5.8.2
3. xl2tpd 1.3.15-2

I set up the router as in this link: http://villasyslog.net/openwrt-pptp-l2tp-ikev2-setup-strongswan-vpn-client/
But it doesn't work, so I changed some parameters and tested again and again......
Still can't connect, so I came here to ask for help and show you the details.

**file1: /etc/ipsec.conf**
# basic configuration

config setup
        strictcrlpolicy=yes
        uniqueids = no
        charondebug=all

# Add connections here.

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1  # (I tried ikev2 first but it didn't work; then I googled and saw that a lot of people use ikev1 for this, but I still can't connect)

# Sample VPN connections

conn L2TP-PSK
        authby=secret
        leftauth=psk
        auto=add
        keyingtries=3
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        rekey=yes
        ikelifetime=8h
        keylife=1h
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        right=xx.xx.com  # (I can't use an IP here because the server IP changes every day)
        rightauth=psk
        rightid=xx.xx.com
        rightprotoport=17/1701
        auto=start
        dpddelay=40
        dpdtimeout=130
        dpdaction=clear

**file2:/etc/ipsec.secrets**

# /etc/ipsec.secrets - strongSwan IPsec secrets file

xx.xx.com : PSK "xxxxxx"


**file3:/etc/xl2tpd/xl2tpd.conf**

[global]
port = 1701
auth file = /etc/xl2tpd/xl2tp-secrets
access control = no


[lac strong-vpn]
lns = xx.xx.com
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
bps = 1000000


**file4:/etc/ppp/options.l2tpd.client**
ipcp-accept-local
ipcp-accept-remote
require-pap  # (I tried setting this up on my TP-Link router and the log showed PAP auth, but it didn't show more detail)
noccp
noauth
idle 1800
mtu 1400
mru 1400
defaultroute
replacedefaultroute
usepeerdns
debug
connect-delay 5000
name "user"
password "password"
lcp-echo-interval 20
lcp-echo-failure 5

Hello @Bernd, are you still on this?

Yes. I am waiting until my VPN provider enables VTI on a test server.