I have a general question.
Is it possible to get an IPv6 IP with strongSwan IKEv2?
If not, I would like to know how to disable IPv6 in the configuration.
IPv6 can be disabled with the following commands in /etc/sysctl.conf:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
I have migrated the configuration from ipsec.conf to swanctl.conf.
Does anyone know how to start swanctl.conf at OpenWrt startup?
I only know how to start it manually:
swanctl --load-all
swanctl --initiate --child <name>
Edit:
swanctl.conf can be started with strongswan.conf:
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    start-scripts {
        load-all = /usr/sbin/swanctl --load-all
    }
}

include strongswan.d/*.conf
Hello.
I have added a dropall rule that blocks everything:
connections {
    dropall {
        children {
            dropall {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                priority = 2
                mode = drop
                start_action = trap
            }
        }
    }
    lan-passthrough {
        children {
            lan-passthrough {
                local_ts = 192.168.1.0/24 # Replace with your LAN subnet
                remote_ts = 192.168.1.0/24 # Replace with your LAN subnet
                priority = 1
                mode = pass
                start_action = trap
            }
        }
    }
    pp {
        unique = never
        version = 2
        keyingtries = 0
        dpd_delay = 300s
        rekey_time = 0
        encap = yes
        proposals = aes256-sha256-modp2048
        vips = 0.0.0.0
        send_cert = never
        send_certreq = yes
        local_addrs = 192.168.1.1 # Replace with your default router IP address
        remote_addrs = <PP Server IP> # Replace with your PP server IP
        local {
            id = 192.168.1.1 # Replace with your default router IP address
            auth = eap-mschapv2
            eap_id = Username # Replace with your PP username
        }
        remote {
            id = %any
            auth = pubkey
        }
        children {
            pp {
                dpd_action = start
                close_action = start
                inactivity = 36000s
                life_time = 0
                esp_proposals = aes256-sha256
                updown = /etc/swanctl/updown.sh
                remote_ts = 0.0.0.0/0
                priority = 1
                mode = tunnel
                start_action = start # "none" is for manual start, or use "start" for autostart
            }
        }
    }
} # connections

secrets {
    eap-user {
        id = Username # Replace with your PP username
        secret = "Password" # Replace with your PP password
    }
} # secrets
Only the local subnet 192.168.1.0/24 and the remote subnet 192.168.1.0/24 are allowed.
But I need more subnets/IP ranges to let IPsec through.
How can I check on OpenWrt to see what needs to be opened?
Is there something like traffic capture on OpenWrt?
Best regards
Bernd
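As an added illustration of how the three policies above interact (this is not part of Bernd's post), here is a small POSIX sh simulation of the SPD lookup: Linux, and therefore the swanctl `priority` option, selects the matching entry with the lowest priority value, so a flow the pass and tunnel policies do not cover falls through to `dropall`. The policy table is constructed from the swanctl.conf above; the tunnel child's `local_ts` is the virtual IP the server assigns, assumed to be 10.2.0.2 here, and only address prefixes are modelled, not protocol or port selectors.

```shell
#!/bin/sh
# Added example (not from the thread): simulate the SPD lookup performed for a
# flow, given the three policies from the swanctl.conf above. Linux (and the
# swanctl "priority" option) selects the matching entry with the LOWEST
# priority value. Only address prefixes are modelled; port/protocol selectors
# are ignored.

# Constructed policy table: "name local_ts remote_ts priority mode".
# The tunnel child's local_ts is its virtual IP (assumed 10.2.0.2 here).
POLICIES='
lan-passthrough 192.168.1.0/24 192.168.1.0/24 1 pass
pp 10.2.0.2/32 0.0.0.0/0 1 tunnel
dropall 0.0.0.0/0 0.0.0.0/0 2 drop
'

# Dotted-quad IPv4 address -> 32-bit integer (subshell keeps the IFS change local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_match ADDR NET/PREFIX -> success when ADDR lies inside the prefix.
cidr_match() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# lookup SRC DST -> prints "name mode" of the winning policy, or "none".
lookup() {
    echo "$POLICIES" | {
        best_prio=999999; best=none
        while read -r name src dst prio mode; do
            [ -n "$name" ] || continue
            if cidr_match "$1" "$src" && cidr_match "$2" "$dst" \
               && [ "$prio" -lt "$best_prio" ]; then
                best_prio=$prio; best="$name $mode"
            fi
        done
        echo "$best"
    }
}

# Sample flows: LAN to LAN, VIP to the Internet, LAN to the Internet before SNAT.
for flow in "192.168.1.10 192.168.1.1" "10.2.0.2 1.1.1.1" "192.168.1.10 1.1.1.1"; do
    echo "$flow -> $(lookup $flow)"
done
```

Run it as-is to print the three sample flows, and add the source/destination pairs of anything else that stops working to see which entry catches it. The third flow shows why the updown SNAT to the virtual IP matters: LAN sources only match the tunnel policy once they carry the VIP. The IKE packets themselves need no pass entry, because charon marks its IKE sockets with bypass socket policies.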
Bernd,
I see you are working on IKEv2 with ProtonVPN (I saw this on the StrongSwan forum.) I see that there is not much help getting this working and unfortunately, I will be no help at all. In fact, the reason I am replying to this thread is I am in the same boat. I am hoping that you will share your settings with me.
I tried to "pickup" your firewall and interface(?) setup from this post and the other on strongswan, but I have failed.
Will you share with me how to install an interface for the IPsec VPN and then also give me the firewall setup? I think that is my problem (partly at least), as I lose my LAN when I send the "ipsec up server.ip" command.
You had also created an ipsec.user file and some other scripts. Are those needed, and if so, will you kindly share those?
Thanks a lot,
8bits
I believe this contains all the relevant setup steps, but they are for an EdgeRouter. Would someone kindly reformat the instructions for OpenWrt?
I don't think it matters, but for future searchers I am using a TP-Link Archer C7 v5 with OpenWrt 19.07.1 r10911-c155900f66.
You still have to adapt ProtonVPN to this configuration, but you can try it. This configuration is without IPv6 and Kill-Switch.
Disable IPv6 in LuCI:
LAN > Advanced > UNCHECK: Use IPv6-management
LAN > DHCP > IPv6 > Disable everything
WAN > Advanced > UNCHECK: Use IPv6-management
WAN6 > Delete
Replace in /etc/config/firewall:
config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'
with:
config rule
    option name 'IPSec-ESP'
    option src 'wan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'IPSec-IKE'
    option src 'wan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option name 'IPSec-NAT-T'
    option src 'wan'
    option dest_port '4500'
    option proto 'udp'
    option target 'ACCEPT'
Install packages:
opkg update
opkg install strongswan-full ip-full
Copy your certificate to "/etc/ipsec.d/cacerts" with WinSCP or the scp command.
/etc/ipsec.conf:
config setup
    charondebug="all"
    uniqueids=never

conn lan-passthrough
    leftsubnet=192.168.1.0/24 # Replace with your LAN subnet
    rightsubnet=192.168.1.0/24 # Replace with your LAN subnet
    authby=never # No authentication necessary
    type=pass # passthrough
    auto=route # no need to ipsec up lan-passthrough

conn ProtonVPN
    keyexchange=ikev2
    keyingtries=%forever
    dpdaction=none
    dpddelay=300s
    inactivity=36000s
    rekey=no
    forceencaps=yes
    authby=secret
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
    leftfirewall=yes
    left=192.168.1.1
    leftid=192.168.1.1
    leftsourceip=%config4
    leftsendcert=never
    leftauth=eap-mschapv2
    rightfirewall=yes
    rightauth=pubkey
    right=ProtonVPNServerIP # Replace here ProtonVPNServerIP
    rightid=%any
    rightsubnet=0.0.0.0/0
    rightsendcert=always
    eap_identity="ProtonVPNUsername"
    type=tunnel
    auto=add
/etc/ipsec.user:
case "$PLUTO_VERB" in
    up-client)
        iptables -t nat -A postrouting_wan_rule -s 192.168.1.0/24 -m policy --dir out --pol none -j SNAT --to-source "$PLUTO_MY_SOURCEIP4_1"
        ;;
    down-client)
        iptables -t nat -F postrouting_wan_rule
        ;;
esac
/etc/ipsec.secrets:
ProtonVPNUsername : EAP "ProtonVPNPassword"
Reboot your router.
Start IPsec with:
ipsec up ProtonVPN
If it works, then replace:
auto=add
in /etc/ipsec.conf with:
auto=start # start is for autostart
Reboot your router and enjoy.
Here is a Kill Switch instruction from @mikma and @mpa, but I had no luck with that.
Maybe you'll be luckier.
Edit:
I have not found a solution to install an IPsec interface. And with no interface, you cannot edit the firewall.
The updown.sh script from your link uses the VTI interface. It seems that the VTI interface works on EdgeRouter, but not on OpenWrt so far.
So this is a problem of the OpenWrt configuration. Maybe it needs a special routing configuration?
I tried to reformat the instructions for OpenWrt, but without success. I only got RX packets, but no TX packets. See picture:
You or someone else can try to get the VTI interface working. Then I can try to create a new updown.sh script.
Here are my last settings:
add to /etc/ipsec.conf:
mark_in=42
mark_out=42
/etc/strongswan.conf:
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    install_routes = no
    install_virtual_ip = no
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf
Terminal:
ip tunnel add ipsec0 local 192.168.1.1 remote <your-server-ip> mode vti key 42
sysctl -w net.ipv4.conf.ipsec0.disable_policy=1
ip link set ipsec0 up
ip route add 10.0.0.0/24 dev ipsec0
/etc/config/network:
config interface 'ipsec'
    option proto 'none'
    option delegate '0'
    option ifname 'ipsec0'
Hello 8bitgigo.
I do not know how to reformat the updown.sh script for the ipsec.user file. Therefore you should use swanctl.conf instead of ipsec.conf.
Here is the updown.sh:
#!/bin/sh
set -o nounset
set -o errexit

# Interface
VTI_IFACE="vti0"

case "$PLUTO_VERB" in
    up-client)
        iptables -t nat -A postrouting_wan_rule -s 192.168.1.0/24 -m policy --dir out --pol none -j SNAT --to-source "$PLUTO_MY_SOURCEIP"
        echo "Creating tunnel interface $VTI_IFACE local $PLUTO_ME remote $PLUTO_PEER mode vti"
        ip tunnel add "$VTI_IFACE" local "$PLUTO_ME" remote "$PLUTO_PEER" mode vti
        echo "Activating tunnel interface $VTI_IFACE"
        ip link set "$VTI_IFACE" up
        echo "Adding $PLUTO_MY_SOURCEIP to $VTI_IFACE"
        ip addr add "$PLUTO_MY_SOURCEIP" dev "$VTI_IFACE"
        echo "Disabling IPsec policy (SPD) for $VTI_IFACE"
        sysctl -w "net.ipv4.conf.$VTI_IFACE.disable_policy=1"
        DEFAULT_ROUTE="$(ip route show default | grep default | awk '{print $3}')"
        echo "Identified default route as $DEFAULT_ROUTE"
        echo "Adding route: $PLUTO_PEER via $DEFAULT_ROUTE dev $PLUTO_INTERFACE"
        ip route add "$PLUTO_PEER" via "$DEFAULT_ROUTE" dev "$PLUTO_INTERFACE"
        ;;
    down-client)
        iptables -t nat -F postrouting_wan_rule
        echo "Deleting interface $VTI_IFACE"
        ip tunnel del "$VTI_IFACE"
        echo "Deleting route for $PLUTO_PEER"
        ip route del "$PLUTO_PEER"
        ;;
esac
Here is swanctl.conf:
connections {
    lan-passthrough {
        children {
            lan-passthrough {
                local_ts = 192.168.1.0/24 # Replace with your LAN subnet
                remote_ts = 192.168.1.0/24 # Replace with your LAN subnet
                priority = 1
                mode = pass
                start_action = trap
            }
        }
    }
    ProtonVPN {
        unique = never
        version = 2
        keyingtries = 0
        dpd_delay = 300s
        rekey_time = 0
        encap = yes
        proposals = aes256-sha256-modp2048
        vips = 0.0.0.0
        send_cert = never
        send_certreq = yes
        local_addrs = 192.168.1.1 # Replace with your default router IP address
        remote_addrs = <ProtonVPN Server IP> # Replace with your ProtonVPN server IP
        local {
            id = 192.168.1.1 # Replace with your default router IP address
            auth = eap-mschapv2
            eap_id = Username # Replace with your ProtonVPN username
        }
        remote {
            id = %any
            auth = pubkey
        }
        children {
            ProtonVPN {
                dpd_action = start
                close_action = start
                inactivity = 36000s
                life_time = 0
                esp_proposals = aes256-sha256
                updown = /etc/swanctl/updown.sh
                remote_ts = 0.0.0.0/0
                priority = 1
                mode = tunnel
                start_action = none # "none" is for manual start, or use "start" for autostart
            }
        }
    }
} # connections

secrets {
    eap-user {
        id = Username # Replace with your ProtonVPN username
        secret = "Password" # Replace with your ProtonVPN password
    }
} # secrets
/etc/strongswan.conf:
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    install_routes = no
    install_virtual_ip = no
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf
/etc/config/network:
config interface 'ipsec'
    option proto 'none'
    option delegate '0'
    option ifname 'vti0'
Start the configuration with:
swanctl --load-all
swanctl --initiate --child ProtonVPN
Important: ProtonVPN must also configure VTI on the server, otherwise it will not work.
I do not have an account for ProtonVPN. Therefore you have to ask ProtonVPN about VTI and try the configuration.
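The VTI commands typed in the terminal in the earlier post (ip tunnel add, sysctl disable_policy, ip link up, ip route) and the updown.sh above are the same procedure in two forms. As an added example, which is not the thread's script and not something ProtonVPN ships, here is an updown handler that ties them together: the VTI key and the child's mark_in/mark_out (42 in the post) are kept in one variable, "ip tunnel add" is skipped when the interface already exists, and with DRY_RUN=1 it prints the iproute2 commands instead of executing them, so the logic can be exercised without root. The PLUTO_* variable names are the ones the thread's script already relies on; the gateway detection and the interface name are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's updown.sh: an updown handler for the VTI
# variant that keeps the interface name and the VTI key in one place (the key
# must equal mark_in/mark_out in the child section, 42 in the post above),
# skips "ip tunnel add" when the interface already exists, and with DRY_RUN=1
# prints the iproute2 commands instead of executing them.

VTI_IFACE=${VTI_IFACE:-vti0}
VTI_KEY=${VTI_KEY:-42}   # must match mark_in = 42 / mark_out = 42

# Execute a command, or echo it when DRY_RUN=1 (lets the logic run unprivileged).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# vti_up LOCAL PEER VIP GATEWAY WAN_IF: create and address the tunnel interface.
vti_up() {
    local_ip=$1; peer=$2; vip=$3; gw=$4; wan=$5
    # Only create the interface if it does not exist yet (repeated up-client events).
    [ -d "/sys/class/net/$VTI_IFACE" ] ||
        run ip tunnel add "$VTI_IFACE" local "$local_ip" remote "$peer" mode vti key "$VTI_KEY"
    # Packets on the VTI are already selected by mark; skip the SPD check on it.
    run sysctl -w "net.ipv4.conf.$VTI_IFACE.disable_policy=1"
    run ip link set "$VTI_IFACE" up
    run ip addr add "$vip" dev "$VTI_IFACE"
    # Pin the path to the peer on the WAN so the encrypted packets are never routed into the tunnel.
    run ip route add "$peer" via "$gw" dev "$wan"
}

# vti_down PEER: undo vti_up in reverse order.
vti_down() {
    peer=$1
    run ip route del "$peer"
    run ip link set "$VTI_IFACE" down
    run ip tunnel del "$VTI_IFACE"
}

# Entry point when invoked by charon; the variables are those the updown plugin exports.
case "${PLUTO_VERB:-}" in
    up-client)
        gw=$(ip route show default | awk '{ print $3; exit }')
        vti_up "$PLUTO_ME" "$PLUTO_PEER" "$PLUTO_MY_SOURCEIP" "$gw" "$PLUTO_INTERFACE"
        ;;
    down-client)
        vti_down "$PLUTO_PEER"
        ;;
esac
```

The script deliberately leaves the default route alone; to send LAN traffic through the tunnel, route the destinations you want (or the default route) via vti0 and masquerade on that interface, for example by putting the 'ipsec' interface from /etc/config/network into a firewall zone with masquerading, rather than SNAT rules inside the updown script. Try it first with `DRY_RUN=1 PLUTO_VERB=up-client PLUTO_ME=... PLUTO_PEER=... PLUTO_MY_SOURCEIP=... PLUTO_INTERFACE=eth0 sh updown.sh` to review the commands it would run.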
Hi, Bernd,
I'm Leo from China. Because of our government we can't visit the Internet as freely as you can, but we have other ways to do it, so I can see you here.
I saw your message and you are very professional, but I'm just a new guy who came here.
I would thank you very much if you can give me a hand with strongSwan on OpenWrt.
Because I have tried for many, many days and worked hard, but still can't connect successfully!
I want to set up an L2TP over IPsec client on OpenWrt using strongSwan. I installed everything on an old desktop and it can work well as a router.
My environment is:
1. OpenWrt 19.07.1, r10911-c155900f66
2. Starting strongSwan 5.8.2
3. xl2tpd 1.3.15-2
I set up the router as in this link: http://villasyslog.net/openwrt-pptp-l2tp-ikev2-setup-strongswan-vpn-client/
But it can't work, so I changed some parameters and tested again and again......
Still can't connect, so I came here to ask for help and show you the details.
**file1: /etc/ipsec.conf**
# basic configuration
config setup
    strictcrlpolicy=yes
    uniqueids = no
    charondebug=all

# Add connections here.
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1   # (I tried ikev2 first but it can't work; then I used Google and found that a lot of people use ikev1 for this, but it still can't connect)

# Sample VPN connections
conn L2TP-PSK
    authby=secret
    leftauth=psk
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=yes
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=xx.xx.com   # (It can't use an IP to set up because the server IP changes every day)
    rightauth=psk
    rightid=xx.xx.com
    rightprotoport=17/1701
    auto=start
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
**file2:/etc/ipsec.secrets**
# /etc/ipsec.secrets - strongSwan IPsec secrets file
xx.xx.com : PSK "xxxxxx"
**file3:/etc/xl2tpd/xl2tpd.conf**
[global]
port = 1701
auth file = /etc/xl2tpd/xl2tp-secrets
access control = no
[lac strong-vpn]
lns = xx.xx.com
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
bps = 1000000
**file4:/etc/ppp/options.l2tpd.client**
ipcp-accept-local
ipcp-accept-remote
require-pap   # (I tried to set it up in my TP-LINK router and I see the log is PAP Aut, but it can't show me more detail)
noccp
noauth
idle 1800
mtu 1400
mru 1400
defaultroute
replacedefaultroute
usepeerdns
debug
connect-delay 5000
name "user"
password "password"
lcp-echo-interval 20
lcp-echo-failure 5
Yes. I am waiting until my VPN provider enables VTI on a test server.
Find a provider supporting WireGuard instead; then you'll find everything is so easy, and so cute.
Has anyone managed to get this working? I've managed to establish the connection, but can't seem to bring up the VTI iface. The state is unknown...
Did anyone successfully create a VTI for IPsec? If yes, then please let me know...
Hi @Bernd,
How did you start swanctl on OpenWrt?
The error I get is as follows:
connecting to 'unix:///var/run/charon.vici' failed: Connection refused
In CentOS, I am able to enable it using systemctl, but in OpenWrt, how do I enable it?
Thanks.
Did anyone get success on that? I have the same problem... IPsec tunnel established but cannot send the traffic through the tunnel.
Thanks
Hi Bernd,
I got a problem when I followed your instructions for setting up DNS. I really hope that you will help me.
I followed these commands:
env | sed -n -e "
/^foreign_option_.*=dhcp-option.DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.DOMAIN/s//domain/p
" | sort -u > /tmp/resolv.conf.vpn
uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.vpn"
/etc/init.d/dnsmasq restart
But after restarting dnsmasq, my Internet is disconnected. After that, I also cannot connect to the VPN. But after executing this command:
uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.auto"
/etc/init.d/dnsmasq restart
the Internet starts working fine, but the DNS also remains from the ISP. I hope for your help. Thanks in advance (I am using ProtonVPN)
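An added example, not from the thread: the env | sed recipe above keys on foreign_option_* variables, which OpenVPN exports to its script hooks; strongSwan's updown plugin does not set them, so with IKEv2 the generated /tmp/resolv.conf.vpn comes out empty and dnsmasq is left without any upstream, which matches the "Internet is disconnected" symptom. The script below builds the file from the DNS servers the updown plugin exports as PLUTO_DNS4_<n> (assumed here; confirm with `env` from inside your updown script) and refuses to switch dnsmasq over when no server was received, falling back to the DHCP-provided list in /tmp/resolv.conf.auto (an assumption for OpenWrt 19.07).

```shell
#!/bin/sh
# Added example, not from the thread. Builds /tmp/resolv.conf.vpn from the DNS
# servers strongSwan hands to an updown script (PLUTO_DNS4_1, PLUTO_DNS4_2, ...;
# assumed names) and only repoints dnsmasq when at least one server was found.
# An empty resolvfile leaves dnsmasq with no upstream at all.

# Print "nameserver X" for every PLUTO_DNS4_<n> variable that is set, in order.
vpn_nameservers() {
    n=1
    while :; do
        eval "v=\${PLUTO_DNS4_$n:-}"
        [ -n "$v" ] || break
        echo "nameserver $v"
        n=$((n + 1))
    done
}

# write_resolv OUT: write the file; succeed only if it holds at least one
# nameserver, otherwise remove it and fail so callers never install an empty list.
write_resolv() {
    out=$1
    vpn_nameservers > "$out"
    if [ -s "$out" ]; then
        return 0
    fi
    rm -f "$out"
    return 1
}

# Switch dnsmasq to the VPN resolvers when usable; otherwise keep the DHCP list
# (/tmp/resolv.conf.auto, assumed for OpenWrt 19.07) so DNS keeps working.
apply_vpn_dns() {
    if write_resolv /tmp/resolv.conf.vpn; then
        uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.vpn'
    else
        echo "no VPN DNS servers received; keeping ISP resolvers" >&2
        uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
    fi
    uci commit dhcp
    /etc/init.d/dnsmasq restart
}

# Restore the DHCP resolvers when the tunnel goes down.
restore_dns() {
    rm -f /tmp/resolv.conf.vpn
    uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
    uci commit dhcp
    /etc/init.d/dnsmasq restart
}
```

Call apply_vpn_dns from the up-client branch of your updown script and restore_dns from down-client; because the switch only happens after a non-empty file has been written, a connection that hands out no DNS servers leaves the router resolving through the ISP instead of not at all.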
Hello everyone,
I followed this thread and this other one
but no success.
Upon ipsec up vpn, I have a successful tunnel but it is not shared via WiFi nor LAN.
ip route
default is not via vti1
Can you help me?