IPSec IKEv2 Client to VPN service

I have a general question.

Is it possible to get an IPv6 IP with strongSwan IKEv2?

If not, I would like to know how to disable IPv6 in the configuration.

IPv6 can be disabled with the following commands in /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

I have migrated the configuration from ipsec.conf to swanctl.conf.

Does anyone know how to start swanctl.conf at OpenWrt startup?

I only know how to start it manually:

swanctl --load-all
swanctl --initiate --child <name>

Edit:
swanctl.conf can be started with strongswan.conf:

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    start-scripts {
        load-all = /usr/sbin/swanctl --load-all
    } 
}

include strongswan.d/*.conf

Hello.

I have added a dropall rule that blocks everything:

connections {
    dropall {
        children {
            dropall {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                priority = 2
                mode = drop
                start_action = trap
            }
        }
    }
    lan-passthrough {
        children {
            lan-passthrough {
                local_ts = 192.168.1.0/24 # Replace with your LAN subnet
                remote_ts = 192.168.1.0/24 # Replace with your LAN subnet
                priority = 1
                mode = pass
                start_action = trap
            }
        }
    }
    pp {
        unique = never
        version = 2
        keyingtries=0
        dpd_delay = 300s
        rekey_time = 0
        encap = yes
        proposals = aes256-sha256-modp2048
        vips = 0.0.0.0
        send_cert = never
        send_certreq = yes
        local_addrs = 192.168.1.1 # Replace with your default Router IP address
        remote_addrs = <PP Server IP> # Replace with your PP Server IP

        local {
            id = 192.168.1.1 # Replace with your default Router IP address
            auth = eap-mschapv2
            eap_id = Username # Replace with your PP-Username
        }
        remote {
            id = %any
            auth = pubkey
        }
        children {
            pp {
                dpd_action = start
                close_action = start
                inactivity = 36000s
                life_time = 0
                esp_proposals = aes256-sha256
                updown = /etc/swanctl/updown.sh
                remote_ts = 0.0.0.0/0
                priority = 1
                mode = tunnel
                start_action = start # "none" is for manual start, or use "start" for autostart
            }
        }
    }
} # connections
secrets {
    eap-user {
        id = Username # Replace with your PP-Username
        secret = "Password" # Replace with your "PP-Password" 
    }
} # secrets

Only local subnet 192.168.1.0/24 and remote subnet 192.168.1.0/24 are allowed.

But I need more subnets/IP ranges to let ipsec through.

How can I check on OpenWrt to see what needs to be opened?

Is there something like traffic capture on OpenWrt?

Best regards

Bernd

Bernd,

I see you are working on IKEv2 with ProtonVPN (I saw this on the StrongSwan forum.) I see that there is not much help getting this working and unfortunately, I will be no help at all. In fact, the reason I am replying to this thread is I am in the same boat. I am hoping that you will share your settings with me.

I tried to "pickup" your firewall and interface(?) setup from this post and the other on strongswan, but I have failed.

Will you share with me how to install an interface for the ipsec vpn and then also give me the firewall setup? I think that is my problem (partly at least) as I lose my LAN when I send the "ipsec up server.ip" command.

You also had created an ipsec.user file and some other scripts. Are those needed and if so, will you kindly share those?

Thanks a lot,

8bits

I found this: https://community.ui.com/questions/TUTORIAL-ProtonVPN-IKEv2-client-configuration-for-EdgeRouter/c2b64fa4-9eac-4aa4-b854-9ec9949a7e11

I believe this contains all the relevant setup steps, but they are for an EdgeRouter. Would someone kindly reformat the instructions for OpenWrt?

I don't think it matters, but for future searchers I am using a TP-Link Archer C7 v5 with OpenWrt 19.07.1 r10911-c155900f66.

You still have to adapt ProtonVPN to this configuration, but you can try it. This configuration is without IPv6 and Kill-Switch.

Disable IPv6 in LuCI:

LAN > Advanced > UNCHECK: Use IPv6-management
LAN > DHCP > IPv6 > Disable everything
WAN > Advanced > UNCHECK: Use IPv6-management
WAN6 > Delete

Replace in /etc/config/firewall:

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

with:

config rule
	option name 'IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'IPSec-IKE'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'IPSec-NAT-T'
	option src 'wan'
	option dest_port '4500'
	option proto 'udp'
	option target 'ACCEPT'

Install packages:

opkg update
opkg install strongswan-full ip-full

Copy your certificate with WinSCP or the scp command to "/etc/ipsec.d/cacerts".

/etc/ipsec.conf:

config setup
        charondebug="all"
        uniqueids=never

conn lan-passthrough
        leftsubnet=192.168.1.0/24 # Replace with your LAN subnet
        rightsubnet=192.168.1.0/24 # Replace with your LAN subnet
        authby=never # No authentication necessary
        type=pass # passthrough
        auto=route # no need to ipsec up lan-passthrough

conn ProtonVPN
        keyexchange=ikev2
        keyingtries=%forever
        dpdaction=none
        dpddelay=300s
        inactivity=36000s
        rekey=no
        forceencaps=yes
        authby=secret
        ike=aes256-sha256-modp2048
        esp=aes256-sha256
        leftfirewall=yes
        left=192.168.1.1
        leftid=192.168.1.1
        leftsourceip=%config4
        leftsendcert=never
        leftauth=eap-mschapv2
        rightfirewall=yes
        rightauth=pubkey
        right=ProtonVPNServerIP # Replace here ProtonVPNServerIP
        rightid=%any
        rightsubnet=0.0.0.0/0
        rightsendcert=always
        eap_identity="ProtonVPNUsername"
        type=tunnel
        auto=add

/etc/ipsec.user:

case "$PLUTO_VERB" in
up-client)
        iptables -t nat -A postrouting_wan_rule -s 192.168.1.0/24 -m policy --dir out --pol none -j SNAT --to-source "$PLUTO_MY_SOURCEIP4_1"
        ;;
down-client)
        iptables -t nat -F postrouting_wan_rule
        ;;
esac

/etc/ipsec.secrets:
ProtonVPNUsername : EAP "ProtonVPNPassword"

Reboot your router.

Start IPsec with:

ipsec up ProtonVPN

If it works, then replace:

auto=add

in /etc/ipsec.conf with:

auto=start # start is for autostart

Reboot your router and enjoy.

Here is a Kill Switch instruction from @mikma and @mpa, but I had no luck with that.

Maybe you'll be luckier.

Edit:

I have not found a solution to install an IPsec interface. And with no interface, you cannot edit a firewall.

The updown.sh script from your link uses the VTI interface. It seems that the VTI interface works on EdgeRouter, but not on OpenWrt so far.
So this is a problem of the OpenWrt configuration. Maybe it needs a special routing configuration?

I tried to reformat the instructions for OpenWrt, but without success. I only got RX packets, but no TX packets. See picture:

You or someone else can try to get VTI interface working. Then I can try to create a new updown.sh script.

Here are my last settings:

add to /etc/ipsec.conf:

        mark_in=42
        mark_out=42

/etc/strongswan.conf:

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        install_routes=no
        install_virtual_ip=no

        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

Terminal:

ip tunnel add ipsec0 local 192.168.1.1 remote <your-server-ip> mode vti key 42
sysctl -w net.ipv4.conf.ipsec0.disable_policy=1
ip link set ipsec0 up
ip route add 10.0.0.0/24 dev ipsec0

/etc/config/network:

config interface 'ipsec'
	option proto 'none'
	option delegate '0'
	option ifname 'ipsec0'

Hello 8bitgigo.

I do not know how to reformat the updown.sh script for ipsec.user file. Therefore you should use swanctl.conf instead of ipsec.conf.

Here is the updown.sh:

#!/bin/sh
set -o nounset
set -o errexit

# Interface
VTI_IFACE="vti0"

case "$PLUTO_VERB" in
up-client)
	iptables -t nat -A postrouting_wan_rule -s 192.168.1.0/24 -m policy --dir out --pol none -j SNAT --to-source "$PLUTO_MY_SOURCEIP"
	
	echo "Creating tunnel interface $VTI_IFACE local $PLUTO_ME remote $PLUTO_PEER mode vti"
	ip tunnel add "$VTI_IFACE" local "$PLUTO_ME" remote "$PLUTO_PEER" mode vti
	echo "Activating tunnel interface $VTI_IFACE"
	ip link set "$VTI_IFACE" up

	echo "Adding $PLUTO_MY_SOURCEIP to $VTI_IFACE"
	ip addr add "$PLUTO_MY_SOURCEIP" dev "$VTI_IFACE"

	echo "Disabling IPsec policy (SPD) for $VTI_IFACE"
	sysctl -w "net.ipv4.conf.$VTI_IFACE.disable_policy=1"

	DEFAULT_ROUTE="$(ip route show default | grep default | awk '{print $3}')"
	echo "Identified default route as $DEFAULT_ROUTE"
	echo "Adding route: $PLUTO_PEER via $DEFAULT_ROUTE dev $PLUTO_INTERFACE"
	ip route add "$PLUTO_PEER" via "$DEFAULT_ROUTE" dev "$PLUTO_INTERFACE"
	;;
down-client)
	iptables -t nat -F postrouting_wan_rule

	echo "Deleting interface $VTI_IFACE"
	ip tunnel del "$VTI_IFACE"

	echo "Deleting route for $PLUTO_PEER"
	ip route del "$PLUTO_PEER"
	;;
esac

Here is swanctl.conf:

connections {
    lan-passthrough {
        children {
            lan-passthrough {
                local_ts = 192.168.1.0/24 # Replace with your LAN subnet
                remote_ts = 192.168.1.0/24 # Replace with your LAN subnet
                priority = 1
                mode = pass
                start_action = trap
            }
        }
    }
    ProtonVPN {
        unique = never
        version = 2
        keyingtries=0
        dpd_delay = 300s
        rekey_time = 0
        encap = yes
        proposals = aes256-sha256-modp2048
        vips = 0.0.0.0
        send_cert = never
        send_certreq = yes
        local_addrs = 192.168.1.1 # Replace with your default Router IP address
        remote_addrs = <ProtonVPN Server IP> # Replace with your ProtonVPN Server IP

        local {
            id = 192.168.1.1 # Replace with your default Router IP address
            auth = eap-mschapv2
            eap_id = Username # Replace with your ProtonVPN-Username
        }
        remote {
            id = %any
            auth = pubkey
        }
        children {
            ProtonVPN {
                dpd_action = start
                close_action = start
                inactivity = 36000s
                life_time = 0
                esp_proposals = aes256-sha256
                updown = /etc/swanctl/updown.sh
                remote_ts = 0.0.0.0/0
                priority = 1
                mode = tunnel
                start_action = none # "none" is for manual start, or use "start" for autostart
            }
        }
    }
} # connections
secrets {
    eap-user {
        id = Username # Replace with your ProtonVPN-Username
        secret = "Password" # Replace with your "ProtonVPN-Password" 
    }
} # secrets

/etc/strongswan.conf:

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        install_routes=no
        install_virtual_ip=no

        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

/etc/config/network:

config interface 'ipsec'
	option proto 'none'
	option delegate '0'
	option ifname 'vti0'

Start the configuration with:

swanctl --load-all
swanctl --initiate --child ProtonVPN

Important: ProtonVPN must also configure VTI on the server, otherwise it will not work.

I do not have an account for ProtonVPN. Therefore you have to ask ProtonVPN about VTI and try the configuration.


Hi, Bernd,

I'm Leo, from China. Because of our government we can't visit the Internet as we wish, like you, but we have other ways to do it, so I can see you here :smile:

I saw your message and you are very professional, but I'm just a new guy here.
I want to thank you very much if you can give me a hand with strongSwan on OpenWrt.
Because I have tried for many, many days and worked hard but still can't connect successfully!

I want to set up an L2TP over IPsec client on OpenWrt using strongSwan. I installed everything on an old desktop and it works well as a router.

My environment is:
1.OpenWrt 19.07.1, r10911-c155900f66
2.Starting strongSwan 5.8.2
3.xl2tpd 1.3.15-2

I set up the router as in this link: http://villasyslog.net/openwrt-pptp-l2tp-ikev2-setup-strongswan-vpn-client/
But it can't work, so I change some parameters and test again and again......
Still can't connect, so I come here to ask for help and show you the details.

**file1: /etc/ipsec.conf**
# basic configuration

config setup
        strictcrlpolicy=yes
        uniqueids = no
        charondebug=all

# Add connections here.

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1  (I tried ikev2 first but it couldn't work, then I googled that a lot of people use ikev1 for this, but still can't connect)


# Sample VPN connections

conn L2TP-PSK
        authby=secret
        leftauth=psk
        auto=add
        keyingtries=3
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        rekey=yes
        ikelifetime=8h
        keylife=1h
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        right=xx.xx.com (It can't use an IP to set up because the server IP changes every day)
        rightauth=psk
        rightid=xx.xx.com
        rightprotoport=17/1701
        auto=start
        dpddelay=40
        dpdtimeout=130
        dpdaction=clear

**file2:/etc/ipsec.secrets**

# /etc/ipsec.secrets - strongSwan IPsec secrets file

xx.xx.com : PSK "xxxxxx"


**file3:/etc/xl2tpd/xl2tpd.conf**

[global]
port = 1701
auth file = /etc/xl2tpd/xl2tp-secrets
access control = no


[lac strong-vpn]
lns = xx.xx.com
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
bps = 1000000


**file4:/etc/ppp/options.l2tpd.client**
ipcp-accept-local
ipcp-accept-remote
require-pap  (I tried to set it up in my TP-Link router and I see the log is PAP Auth, but it can't show me more detail)
noccp
noauth
idle 1800
mtu 1400
mru 1400
defaultroute
replacedefaultroute
usepeerdns
debug
connect-delay 5000
name "user"
password "password"
lcp-echo-interval 20
lcp-echo-failure 5

Hello @Bernd, are you still with this?

Yes. I wait until my VPN provider enables VTI on test server.

find a provider supporting wireguard instead, then you'll find everything is so easy, and so cute.

Anyone manage to get this working? I've managed to establish the connection, but can't seem to bring up the VTI iface. The state is unknown...

Did anyone successfully create VTI for IPsec? If yes, then please let me know...

Hi @Bernd,
How did you start swanctl on OpenWrt?
The error I get is as follows:
connecting to 'unix:///var/run/charon.vici' failed: Connection refused

In CentOS, I am able to enable it using systemctl, but in OpenWrt, how do I enable it?

thanks.

Did anyone get success on that? I'm with the same problem... IPsec tunnel established but cannot send the traffic through the tunnel.
thanks

Hi Bernd,

I got a problem when I followed your instructions for setting up DNS. I really hope that you will help me.
I followed these commands:

env | sed -n -e "
/^foreign_option_.*=dhcp-option.DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.DOMAIN/s//domain/p
" | sort -u > /tmp/resolv.conf.vpn
uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.vpn"
/etc/init.d/dnsmasq restart

But after restarting dnsmasq, my Internet is disconnected. After that, I also cannot connect to the VPN. But after executing this command:

uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.auto"
/etc/init.d/dnsmasq restart

the Internet starts working fine, but the DNS also remains from the ISP. I hope for your help. Thanks in advance (I am using ProtonVPN)
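As an added example (not from the thread, not strongSwan's or OpenWrt's own code), an updown hook that fills dnsmasq's upstream resolver file from the DNS servers the IKEv2 peer assigns: the foreign_option_* variables in the command above are exported by OpenVPN, while strongSwan's updown plugin exports PLUTO_DNS4_<n> (assumed here), so that sed pipeline produces an empty file under strongSwan. The resolvfile paths and the ISP fallback are assumptions taken from the post.

```shell
#!/bin/sh
# Added example: strongSwan updown hook fragment that switches dnsmasq's
# upstream resolvers to the VPN-assigned DNS servers and back again.
# Assumption: the updown plugin exports PLUTO_DNS4_1, PLUTO_DNS4_2, ...

RESOLV_VPN="/tmp/resolv.conf.vpn"    # path used in the post
RESOLV_ISP="/tmp/resolv.conf.auto"   # OpenWrt default resolvfile (from the post)

# Print one "nameserver <ip>" line per PLUTO_DNS4_<n> found in the environment.
render_resolv() {
    n=1
    while true; do
        eval "dns=\${PLUTO_DNS4_${n}:-}"
        [ -n "$dns" ] || break
        echo "nameserver $dns"
        n=$((n + 1))
    done
}

# Write the resolver file; succeed only if at least one server was written.
# An empty resolvfile leaves dnsmasq with no upstream, which is the symptom
# the post describes, so the caller must not point dnsmasq at an empty file.
write_resolv() {
    out="$1"
    render_resolv > "$out"
    [ -s "$out" ]
}

# Point dnsmasq at a resolvfile, persist the setting and restart the daemon.
apply_resolvfile() {
    uci set dhcp.@dnsmasq[0].resolvfile="$1"
    uci commit dhcp
    /etc/init.d/dnsmasq restart
}

case "${PLUTO_VERB:-}" in
up-client)
    if write_resolv "$RESOLV_VPN"; then
        apply_resolvfile "$RESOLV_VPN"
    else
        echo "no PLUTO_DNS4_* received, keeping ISP resolvers" >&2
    fi
    ;;
down-client)
    rm -f "$RESOLV_VPN"
    apply_resolvfile "$RESOLV_ISP"
    ;;
esac
```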

I hope this video will help you.

Hello everyone,
I followed this thread and this other one

but no success.
Upon ipsec up vpn, I have a successful tunnel but it is not shared via Wi-Fi nor LAN.
ip route
default is not via vti1
Can you help me ?