IPSec IKEv2 Client to VPN service

I am an absolute beginner in OpenWRT and Strongswan. I am trying to configure an IPsec IKEv2 client for the VPN service Perfect Privacy. Unfortunately so far without success.

My installed Strongswan packages on Asus AC56U with OpenWRT 18.06.2:

root@OpenWrt:~# opkg update
root@OpenWrt:~# opkg install strongswan-default strongswan-mod-md4 strongswan-mod-openssl strongswan-mod-uci strongswan-mod-eap-mschapv2 strongswan-mod-eap-identity

root@OpenWrt:~# cat /etc/ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

conn PP-VPN
        keyexchange=ikev2
        # DPD: tear the SA down when the peer stops answering; the client never
        # initiates rekeying itself (rekey=no), so rekeys are left to the server
        dpdaction=clear
        dpddelay=300s
        rekey=no
        # identity sent inside the EAP exchange; must match the
        # "username : EAP ..." entry in /etc/ipsec.secrets
        eap_identity=username
        compress=no
        # SHA-1 as integrity/PRF: the later working configs in this thread use
        # sha256, and the provider advertises aes256gcm16 with sha512/384/256
        # PRFs - prefer those
        esp=aes256-sha1
        ike=aes256-sha1-ecp521
        leftauth=eap-mschapv2
        # no leftid, so the IDi payload falls back to the local IP address
        # ("no IDi configured, fall back on IP address" in the log below)
        left=%defaultroute
        # request a virtual IP (and DNS) from the server via the config payload
        leftsourceip=%config
        right=85.17.28.145
        rightauth=pubkey
        rightsubnet=0.0.0.0/0
        # %any: the server identity is not pinned; charon derives it from the
        # certificate below (the log shows it defaulting to the CA's DN)
        rightid=%any
        # NOTE(review): this file is the provider *CA* certificate, but rightcert
        # expects the peer's own (end-entity) certificate. A CA belongs in
        # rightca= / /etc/ipsec.d/cacerts, as in the later working config
        rightcert=/etc/ipsec.d/certs/perfect-privacy_ipsec_ca.pem
        type=tunnel
        # loaded only; started by hand with "ipsec up PP-VPN"
        auto=add

root@OpenWrt:~# cat /etc/ipsec.secrets:

# /etc/ipsec.secrets - strongSwan IPsec secrets file
# clear-text EAP password: keep this file readable by root only (mode 0600);
# the id on the left must match eap_identity in ipsec.conf
username : EAP "password"

root@OpenWrt:~# cat /etc/config/firewall:

config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option src_ip           fc00::/6
        option dest_ip          fc00::/6
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# allow incoming IPsec connections
# NOTE(review): these accept IKE (udp/500, udp/4500) and ESP from any WAN
# peer. This router only initiates (ipsec up PP-VPN), and the replies to its
# own IKE/NAT-T packets should already be matched statefully by the wan zone,
# so the only effect is that unsolicited IKE from the whole internet reaches
# charon. If the rules are kept, limit them with `option src_ip` to the
# provider address (85.17.28.145 in this thread).
config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-IPSec-IKE
        option src              wan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

config rule
        option name             Allow-IPSec-NAT-T
        option src              wan
        option proto            udp
        option dest_port        4500
        option target           ACCEPT

# include a file with users custom iptables rules
config include
        option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

root@OpenWrt:~# ipsec up PP-VPN:

initiating IKE_SA PP-VPN[1] to 85.17.28.145
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 178.202.90.17[500] to 85.17.28.145[500] (802 bytes)
received packet: from 85.17.28.145[500] to 178.202.90.17[500] (357 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
received cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com"
sending cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com"
no IDi configured, fall back on IP address
establishing CHILD_SA PP-VPN{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 178.202.90.17[4500] to 85.17.28.145[4500] (577 bytes)
received packet: from 85.17.28.145[4500] to 178.202.90.17[4500] (65 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'PP-VPN' failed

I hope you can help me.

Thanks and Regards,
Bernd

Does nobody have an idea?

How can I register by wiki.strongswan.org? I am already waiting a week for the activation of the account.

I have now installed strongswan-full.

Configuration:

conn PP-VPN
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=300s
        rekey=no
        eap_identity="USERNAME"
        compress=no
        # still SHA-1; the provider's advertised proposals (aes256gcm16 with
        # sha512/384/256 PRF) and the later working config (sha256) are stronger
        esp=aes256-sha1
        # DH group changed from ecp521 to curve25519 (the curve25519 plugin is
        # in the "loaded plugins" line of the system log)
        ike=aes256-sha1-curve25519
        leftauth=eap-mschapv2
        left=%defaultroute
        leftsourceip=%config
        # hostname instead of the literal address; the log shows it resolving
        # to 85.17.28.145
        right=amsterdam1.perfect-privacy.com
        rightauth=pubkey
        rightsubnet=0.0.0.0/0
        # NOTE(review): pinned to the *CA's* subject DN. The server presumably
        # authenticates with its own end-entity certificate, whose subject is
        # not the CA, so this pin should name the server certificate's identity
        # (its DN or FQDN), with the CA as trust anchor
        rightid="C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com"
        # NOTE(review): the CA certificate is still in the peer-certificate slot;
        # use rightca= or /etc/ipsec.d/cacerts for it, as in the later config
        rightcert=/etc/ipsec.d/certs/perfect-privacy_ipsec_ca.pem
        type=tunnel
        auto=add

in "/etc/config/firewall" added:

# NOTE(review): zone 'vpn' binds network 'ipsec', but no interface of that name
# appears in the /etc/config/network shown in this thread, so the zone
# presumably has no interface yet (the later setup uses an ipsec0 VTI). The
# esp/500/4500 rules duplicate the Allow-IPSec-* rules already present in the
# stock firewall config above, and AH is not used by any proposal in this
# thread (all are ESP), so the ah rule opens nothing that is needed.
config zone
	option forward REJECT
	option name vpn
	option output ACCEPT
	option network ipsec
	option input ACCEPT

config rule
	option src wan
	option proto esp
	option target ACCEPT

config rule
	option src wan
	option dest_port 500
	option proto udp
	option target ACCEPT

config rule
	option target ACCEPT
	option src wan
	option proto udp
	option dest_port 4500

config rule
	option target ACCEPT
	option src wan
	option proto ah

config forwarding
	option dest lan
	option src vpn

config forwarding
	option dest wan
	option src vpn

config forwarding
	option dest vpn
	option src lan

Here the output:

root@OpenWrt:~# ipsec up PP-VPN
initiating IKE_SA PP-VPN[1] to 85.17.28.145
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 109.91.77.56[500] to 85.17.28.145[500] (1068 bytes)
received packet: from 85.17.28.145[500] to 109.91.77.56[500] (265 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
received cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com"
sending cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com"
no IDi configured, fall back on IP address
establishing CHILD_SA PP-VPN{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 109.91.77.56[4500] to 85.17.28.145[4500] (577 bytes)
received packet: from 85.17.28.145[4500] to 109.91.77.56[4500] (65 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'PP-VPN' failed

Systemlog:

authpriv.info ipsec_starter[3710]: Starting strongSwan 5.6.3 IPsec [starter]...
authpriv.info ipsec_starter[3710]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
daemon.err modprobe: ah4 is already loaded
daemon.err modprobe: esp4 is already loaded
daemon.err modprobe: ipcomp is already loaded
daemon.err modprobe: xfrm4_tunnel is already loaded
daemon.err modprobe: xfrm_user is already loaded
authpriv.info ipsec_starter[3710]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
authpriv.info ipsec_starter[3740]: Starting strongSwan 5.6.3 IPsec [starter]...
authpriv.info ipsec_starter[3740]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
daemon.err modprobe: ah4 is already loaded
daemon.err modprobe: esp4 is already loaded
daemon.err modprobe: ipcomp is already loaded
daemon.err modprobe: xfrm4_tunnel is already loaded
daemon.err modprobe: xfrm_user is already loaded
authpriv.info ipsec_starter[3740]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
authpriv.info ipsec_starter[3767]: Starting strongSwan 5.6.3 IPsec [starter]...
authpriv.info ipsec_starter[3767]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
daemon.err modprobe: ah4 is already loaded
daemon.err modprobe: esp4 is already loaded
daemon.err modprobe: ipcomp is already loaded
daemon.err modprobe: xfrm4_tunnel is already loaded
daemon.err modprobe: xfrm_user is already loaded
authpriv.info ipsec_starter[3767]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
daemon.info procd: Instance ipsec::instance1 s in a crash loop 6 crashes, 0 seconds since last crash
daemon.info : 00[DMN] signal of type SIGINT received. Shutting down
authpriv.info ipsec_starter[3450]: charon stopped after 200 ms
authpriv.info ipsec_starter[3450]: ipsec starter stopped
authpriv.info ipsec_starter[4653]: Starting strongSwan 5.6.3 IPsec [starter]...
daemon.err modprobe: ah4 is already loaded
daemon.err modprobe: esp4 is already loaded
daemon.err modprobe: ipcomp is already loaded
daemon.err modprobe: xfrm4_tunnel is already loaded
daemon.err modprobe: xfrm_user is already loaded
daemon.info : 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.14.95, armv7l)
daemon.info : 00[CFG] PKCS11 module '<name>' lacks library path
daemon.info : 00[LIB] curl SSL backend 'mbedTLS/2.16.1' not supported, https:// disabled
daemon.info : 00[CFG] disabling load-tester plugin, not configured
daemon.info : 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
daemon.info : 00[LIB] plugin 'uci' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: symbol not found
daemon.info : 00[CFG] attr-sql plugin: database URI not set
daemon.info : 00[NET] using forecast interface br-lan
daemon.info : 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
daemon.info : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
daemon.info : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
daemon.info : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
daemon.info : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
daemon.info : 00[CFG] loading crls from '/etc/ipsec.d/crls'
daemon.info : 00[CFG] loading secrets from '/etc/ipsec.secrets'
daemon.info : 00[CFG]   loaded EAP secret for USERNAME
daemon.info : 00[CFG] sql plugin: database URI not set
daemon.info : 00[CFG] loaded 0 RADIUS server configurations
daemon.info : 00[CFG] HA config misses local/remote address
daemon.info : 00[CFG] coupling file path unspecified
daemon.info : 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
daemon.info : 00[JOB] spawning 16 worker threads
authpriv.info ipsec_starter[4675]: charon (4676) started after 1140 ms
daemon.info : 06[CFG] received stroke: add connection 'PP-VPN'
daemon.info : 06[CFG]   loaded certificate "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com" from '/etc/ipsec.d/certs/perfect-privacy_ipsec_ca.pem'
daemon.info : 06[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com'
daemon.info : 06[CFG] added configuration 'PP-VPN'
daemon.info : 15[CFG] received stroke: initiate 'PP-VPN'
daemon.info : 07[IKE] initiating IKE_SA PP-VPN[1] to 85.17.28.145
authpriv.info : 07[IKE] initiating IKE_SA PP-VPN[1] to 85.17.28.145
daemon.info : 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
daemon.info : 07[NET] sending packet: from 109.91.77.56[500] to 85.17.28.145[500] (1068 bytes)
daemon.info : 09[NET] received packet: from 85.17.28.145[500] to 109.91.77.56[500] (265 bytes)
daemon.info : 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
daemon.info : 09[IKE] received cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com"
daemon.info : 09[IKE] sending cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com"
daemon.info : 09[CFG] no IDi configured, fall back on IP address
daemon.info : 09[IKE] establishing CHILD_SA PP-VPN{1}
authpriv.info : 09[IKE] establishing CHILD_SA PP-VPN{1}
daemon.info : 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
daemon.info : 09[NET] sending packet: from 109.91.77.56[4500] to 85.17.28.145[4500] (577 bytes)
daemon.info : 12[NET] received packet: from 85.17.28.145[4500] to 109.91.77.56[4500] (65 bytes)
daemon.info : 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
daemon.info : 12[IKE] received AUTHENTICATION_FAILED notify error
daemon.info : 00[DMN] signal of type SIGINT received. Shutting down
authpriv.info ipsec_starter[4675]: charon stopped after 200 ms
authpriv.info ipsec_starter[4675]: ipsec starter stopped
authpriv.info ipsec_starter[5503]: Starting strongSwan 5.6.3 IPsec [starter]...
daemon.err modprobe: ah4 is already loaded
daemon.err modprobe: esp4 is already loaded
daemon.err modprobe: ipcomp is already loaded
daemon.err modprobe: xfrm4_tunnel is already loaded
daemon.err modprobe: xfrm_user is already loaded
daemon.info : 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.14.95, armv7l)
daemon.info : 00[CFG] PKCS11 module '<name>' lacks library path
daemon.info : 00[LIB] curl SSL backend 'mbedTLS/2.16.1' not supported, https:// disabled
daemon.info : 00[CFG] disabling load-tester plugin, not configured
daemon.info : 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
daemon.info : 00[LIB] plugin 'uci' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: symbol not found
daemon.info : 00[CFG] attr-sql plugin: database URI not set
daemon.info : 00[NET] using forecast interface br-lan
daemon.info : 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
daemon.info : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
daemon.info : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
daemon.info : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
daemon.info : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
daemon.info : 00[CFG] loading crls from '/etc/ipsec.d/crls'
daemon.info : 00[CFG] loading secrets from '/etc/ipsec.secrets'
daemon.info : 00[CFG]   loaded EAP secret for USERNAME
daemon.info : 00[CFG] sql plugin: database URI not set
daemon.info : 00[CFG] loaded 0 RADIUS server configurations
daemon.info : 00[CFG] HA config misses local/remote address
daemon.info : 00[CFG] coupling file path unspecified
daemon.info : 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
daemon.info : 00[JOB] spawning 16 worker threads
authpriv.info ipsec_starter[5538]: charon (5539) started after 1080 ms
daemon.info : 07[CFG] received stroke: add connection 'PP-VPN'
daemon.info : 07[CFG]   loaded certificate "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com" from '/etc/ipsec.d/certs/perfect-privacy_ipsec_ca.pem'
daemon.info : 07[CFG] added configuration 'PP-VPN'
daemon.info : 09[CFG] received stroke: initiate 'PP-VPN'
daemon.info : 08[IKE] initiating IKE_SA PP-VPN[1] to 85.17.28.145
authpriv.info : 08[IKE] initiating IKE_SA PP-VPN[1] to 85.17.28.145
daemon.info : 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
daemon.info : 08[NET] sending packet: from 109.91.77.56[500] to 85.17.28.145[500] (1068 bytes)
daemon.info : 12[NET] received packet: from 85.17.28.145[500] to 109.91.77.56[500] (265 bytes)
daemon.info : 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
daemon.info : 12[IKE] received cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com"
daemon.info : 12[IKE] sending cert request for "C=CH, ST=Zug, L=Zug, O=Perfect Privacy, CN=Perfect Privacy IPSEC CA, E=admin@perfect-privacy.com"
daemon.info : 12[CFG] no IDi configured, fall back on IP address
daemon.info : 12[IKE] establishing CHILD_SA PP-VPN{1}
authpriv.info : 12[IKE] establishing CHILD_SA PP-VPN{1}
daemon.info : 12[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
daemon.info : 12[NET] sending packet: from 109.91.77.56[4500] to 85.17.28.145[4500] (577 bytes)
daemon.info : 04[NET] received packet: from 85.17.28.145[4500] to 109.91.77.56[4500] (65 bytes)
daemon.info : 04[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
daemon.info : 04[IKE] received AUTHENTICATION_FAILED notify error

Maybe Systemlog is helpful.

Edit: Are these messages critical?

daemon.info : 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
daemon.info : 00[LIB] plugin 'uci' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: symbol not found

Hello.

I have a similar problem to the one described here.

I get the following error messages after configuring IPsec IKEv2:

received netlink error: Function not implemented (38)
unable to add SAD entry with SPI cc348fee (FAILED)
received netlink error: Function not implemented (38)
unable to add SAD entry with SPI c4dd9c29 (FAILED)
unable to install inbound and outbound IPsec SA (SAD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
peer supports MOBIKE
sending DELETE for ESP CHILD_SA with SPI cc348fee

How can I check if GCM or Required Kernel Modules are enabled in OpenWRT Kernel?

My VPN provider uses these encryption algorithms:

ike=aes256gcm16-prfsha512-prfsha384-prfsha256-curve25519
esp=aes256gcm16-curve25519

But OpenWRT says: received netlink error: Function not implemented (38)

How can I enable these encryption algorithms on OpenWRT?

I can't see any Curve25519 kernel module in the openwrt package table (required for ESP). Curve25519 also doesn't seem to be merged into the vanilla Linux kernel (https://github.com/torvalds/linux).

https://openwrt.org/packages/table/start?dataflt[Name_pkg-dependencies*~]=kmod-crypto

See /proc/crypto for the crypto algorithms currently available to the kernel.
To get a list of packages with further algorithms:

opkg update
opkg list kmod-crypto-*

On OpenWrt, the kernel modules are not included with the kernel, they must be installed as separate packages which are named kmod-*. The question is which module/package is needed.

Since the Asus AC56U has fairly large flash and RAM, you could install kernel module packages liberally until the dependencies are satisfied, then try to find and remove again unneeded module packages.

Another option would be to set up strongswan on a PC, where modules usually come with the Linux kernel package. Once the tunnel is up, check the reference counters in lsmod output and in /proc/crypto to find the module names, then return to OpenWrt and install the required kernel module packages there.

There is no such kernel module because Diffie-Hellman is handled in userspace.

Does esp=aes256gcm16-curve25519 mentioned above make any sense in that case?

esp=...-curve25519 requests Elliptic Curve Diffie-Hellman to be used during the rekeying of the child SA (ESP). Rekeying is performed by the charon daemon using the IKE protocol, then the resulting key is installed into the kernel to take effect for ESP traffic.

Hello.

I got now a connection on Linux Mint with this configuration:

conn PP
        keyexchange=ikev2
        dpdaction=none
        dpddelay=300s
        inactivity=36000s
        rekey=no
        # ask the server for both an IPv4 and an IPv6 virtual address
        leftsourceip=%config4,%config6
        # the client authenticates with EAP only, so it never sends a certificate
        leftsendcert=never
        leftauth=eap-mschapv2
        rightauth=pubkey
        right=amsterdam.perfect-privacy.com
        # %any: any server certificate chaining to the CA below is accepted; the
        # peer identity itself is not pinned (tighten to the server's DN/FQDN
        # once known if stricter verification is wanted)
        rightid=%any
        # the trust anchor goes in rightca - this differs from the earlier
        # OpenWrt configs, which put the CA file into rightcert
        rightca=/etc/ipsec.d/cacerts/perfect-privacy_ipsec_ca.crt
        # route everything, IPv4 and IPv6, through the tunnel
        rightsubnet=0.0.0.0/0,::/0
        # make the server send its certificate so it can be validated
        rightsendcert=always
        eap_identity="PPUsername"
        type=tunnel
        auto=add

Unfortunately, this configuration does not work on OpenWRT, so I copied parts of it from this thread:

Now I have this configuration and I don't know if I can still optimize it.

/etc/ipsec.conf:

# Bypass policy: LAN-to-LAN traffic is passed in the clear instead of being
# caught by the 0.0.0.0/0 tunnel policy of conn PP below.
conn lan-passthrough
        leftsubnet=192.168.1.0/24 # Replace with your LAN subnet
        rightsubnet=192.168.1.0/24 # Replace with your LAN subnet
        authby=never # No authentication necessary
        type=pass # passthrough
        auto=route # no need to ipsec up lan-passthrough

conn PP
        keyexchange=ikev2
        dpdaction=none
        dpddelay=300s
        inactivity=36000s
        rekey=no
	# always UDP-encapsulate ESP (port 4500), even without a detected NAT
	forceencaps=yes
	# NOTE(review): leftauth/rightauth below take precedence over authby, so
	# this line is presumably ignored - confirm against ipsec.conf(5)
	authby=secret
	# SHA-256 and MODP-2048 instead of the sha1 proposals tried earlier
	ike=aes256-sha256-modp2048
	esp=aes256-sha256
	# leftfirewall/rightfirewall ask the updown script to manage firewall
	# rules; /etc/ipsec.user below already does that - confirm both are wanted
	leftfirewall=yes
	# local endpoint and IDi are the LAN address, not the WAN address
	left=192.168.1.1
	leftid=192.168.1.1 
	leftsourceip=%config4,%config6
      	leftsendcert=never
        leftauth=eap-mschapv2
	rightfirewall=yes
        rightauth=pubkey
	right=amsterdam.perfect-privacy.com
	# NOTE(review): no rightca/rightcert and rightid=%any - the server
	# certificate is only checked against the CAs under /etc/ipsec.d/cacerts
	# (presumably where the provider CA ended up; confirm) and the server
	# identity is not pinned. That is why it "works without a certificate".
	rightid=%any
        rightsubnet=0.0.0.0/0,::/0
    	rightsendcert=always
	eap_identity="PPUsername"
	type=tunnel
        auto=add

/etc/ipsec.user:

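# strongSwan updown hook, run by charon with the PLUTO_* environment set.
# LAN traffic that has not yet matched an IPsec policy (--pol none) is SNATed
# to the tunnel's virtual IP (PLUTO_MY_SOURCEIP4_1) so that it then matches
# the tunnel's traffic selector and is encrypted.

# Apply $1 (-A append, -C check, -D delete) to the SNAT rule for the tunnel.
snat_rule() {
        iptables -t nat "$1" postrouting_wan_rule -s 192.168.1.0/24 \
                -m policy --dir out --pol none \
                -j SNAT --to-source "$PLUTO_MY_SOURCEIP4_1"
}

case "$PLUTO_VERB" in
up-client)
        # check first so a re-established tunnel does not stack duplicate rules
        snat_rule -C 2>/dev/null || snat_rule -A
        ;;
down-client)
        # remove only this hook's rule; fall back to flushing the whole chain
        # (the previous behaviour) if it cannot be matched, e.g. when the
        # source IP is not set on the way down
        snat_rule -D 2>/dev/null || iptables -t nat -F postrouting_wan_rule
        ;;
esac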

Why does the configuration work without a certificate? However, this configuration does not work with all websites. Maybe a DNS problem? The DNS servers of the VPN provider are not displayed, but they are displayed by the ISP.

How to use DNS servers from VPN provider with IKEv2 configuration?

Best regards

Bernd

Edit: The option leftdns=%config4,%config4 has no effect. DNS servers are still from ISP.

Is it possible to add these scripts?

When IKEv2 is activated, then this script will be executed:

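#!/bin/sh
# Point dnsmasq at the DNS servers the VPN server pushed.
# NOTE(review): the foreign_option_*=dhcp-option variables are set by OpenVPN,
# not by the strongSwan updown hook, so under IKEv2 the original patterns
# match nothing. charon's updown plugin exports the servers from the config
# payload as PLUTO_DNS4_<n>/PLUTO_DNS6_<n> - confirm with an `env` dump from
# inside the hook for the installed 5.6.3 build. If nothing matches, the file
# is empty and dnsmasq presumably has no upstream at all (DNS fails rather
# than falling back to the ISP resolvers).
resolv=/tmp/resolv.conf.vpn
env | sed -n -e '
/^PLUTO_DNS[46]_[0-9]*=/s//nameserver /p
/^foreign_option_.*=dhcp-option.*DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.*DOMAIN/s//domain/p
' | sort -u > "$resolv.tmp" && mv -f "$resolv.tmp" "$resolv"
uci set dhcp.@dnsmasq[0].resolvfile="$resolv"
# uci set only stages a delta under /tmp/.uci; commit it so the dhcp config
# file actually records the change before dnsmasq is restarted
uci commit dhcp
/etc/init.d/dnsmasq restart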

And when IKEv2 is disabled, then this script will be executed:

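#!/bin/sh
# Revert dnsmasq to the ISP/WAN resolver list once the tunnel is down.
uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.auto"
# uci set only stages a delta under /tmp/.uci; commit it so the dhcp config
# file actually records the change before dnsmasq is restarted
uci commit dhcp
/etc/init.d/dnsmasq restart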

Would that work?

Another question:

When I run ifconfig in PuTTY, there is no ipsec0 interface.

  1. How do I add an ipsec0 interface?

Then I want to add a KillSwitch with GUI.

  1. How do I do that?

I am now able to create an ipsec0 interface.

First add these options:

ipsec.conf:

        # xfrm mark on inbound/outbound SAs; must equal the `key 42` of the VTI
        mark_in=42
        mark_out=42

strongswan.conf:

charon {
        # NOTE(review): with these two off, charon installs neither routes nor
        # the virtual IP for the tunnel; the ipsec0 VTI (mark 42) has to carry
        # the traffic instead. Only one IPv4 prefix is routed onto ipsec0 below,
        # so any IPv6 traffic keeps its normal default route - presumably the
        # IPv6 leak reported further down.
        install_routes=no
        install_virtual_ip=no

        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}


include strongswan.d/*.conf

puTTY:

# VTI keyed on the xfrm mark (42) configured as mark_in/mark_out in ipsec.conf
ip tunnel add ipsec0 local 192.168.1.1 remote <VPN_Server_IP> mode vti key 42
# disable SPD policy checks on the VTI itself (usual for VTI setups; traffic
# is already selected by the mark)
sysctl -w net.ipv4.conf.ipsec0.disable_policy=1
ip link set ipsec0 up
# NOTE(review): only this single IPv4 prefix is routed onto the VTI; anything
# else, including all IPv6, still leaves via the normal default route
ip route add 10.0.0.0/24 dev ipsec0
# reuses the LAN address on the VTI - confirm this is intended rather than the
# virtual IP assigned by the server
ifconfig ipsec0 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255

Unfortunately these commands cause an IPv6 leak:

        install_routes=no
        install_virtual_ip=no

Does anyone have any idea how to solve this IPv6 leak?

When I add a KillSwitch to Web UI, like OpenVPN, then it has no effect.
/etc/config/firewall:

# NOTE(review): this only adds a lan -> PP_FW forwarding; the stock
# lan -> wan forwarding (config forwarding src lan / dest wan) is still in
# place, so while the tunnel is down LAN traffic is simply forwarded to wan.
# A kill switch needs that lan -> wan forwarding removed (or rejected) so that
# PP_FW is the only exit zone - and with install_routes=no, only what is
# routed onto ipsec0 reaches this zone at all.
config zone
	option name 'PP_FW'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'IPSEC'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option dest 'PP_FW'
	option src 'lan'

/etc/config/network:

# proto none: the VTI is created and addressed by hand (the ip tunnel / ip link
# commands above); netifd only wraps ipsec0 so the firewall can put it in a zone
config interface 'IPSEC'
	option proto 'none'
	option ifname 'ipsec0'
	option auto '1'

Does anyone have any idea what I am doing wrong at KillSwitch?

I have a general question.

Is it possible to get an IPv6 IP with strongSwan IKEv2?

If not, I would like to know how to disable IPv6 in the configuration.

IPv6 can be disabled with the following commands in /etc/sysctl.conf:

# NOTE(review): turns IPv6 off on every interface, LAN included - a blunt fix
# for the IPv6 leak. Dropping IPv6 forwarding in the firewall (or a ::/0 drop
# policy) would close the leak while keeping IPv6 usable locally.
# /etc/sysctl.conf is presumably only read at boot; apply with `sysctl -p`.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

I have migrated the configuration from ipsec.conf to swanctl.conf.

Does anyone know how to load swanctl.conf at OpenWrt startup?

I only know how to start it manually:

swanctl --load-all
swanctl --initiate --child <name>

Edit:
swanctl.conf can be loaded at startup via strongswan.conf:

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    # run once charon is up: loads /etc/swanctl/swanctl.conf so the
    # connections (and the trap/drop policies) are installed at boot
    start-scripts {
        load-all = /usr/sbin/swanctl --load-all
    } 
}

include strongswan.d/*.conf

Hello.

I have added a dropall rule that blocks everything:

connections {
    # Kill switch: a catch-all drop policy installed as a trap. The kernel
    # consults lower priority values first, so the LAN pass policy (1) and the
    # tunnel child (1) win; everything else — presumably including the router's
    # own outbound traffic — is dropped, which is why any additional subnet or
    # range has to be whitelisted with a further "mode = pass" child.
    dropall {
        children {
            dropall {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                priority = 2
                mode = drop
                start_action = trap
            }
        }
    }
    lan-passthrough {
        children {
            lan-passthrough {
                local_ts = 192.168.1.0/24 # Replace with your LAN subnet
                remote_ts = 192.168.1.0/24 # Replace with your LAN subnet
                priority = 1
                mode = pass
                start_action = trap
            }
        }
    }
    pp {
        unique = never
        version = 2
        keyingtries=0
        dpd_delay = 300s
        # 0 disables IKE_SA rekeying; together with life_time = 0 below the
        # negotiated keys stay in use for the whole connection — a deliberate
        # trade-off for a long-lived consumer VPN, not the default.
        rekey_time = 0
        encap = yes
        proposals = aes256-sha256-modp2048
        vips = 0.0.0.0
        send_cert = never
        send_certreq = yes
        local_addrs = 192.168.1.1 # Replace with your default Router IP address
        remote_addrs = <PP Server IP> # Replace with your PP Server IP

        local {
            id = 192.168.1.1 # Replace with your default Router IP address
            auth = eap-mschapv2
            eap_id = Username # Replace with your PP-Username
        }
        remote {
            # %any accepts whatever identity the server presents, as long as its
            # certificate chains to an installed CA. Pinning id to the server's
            # certificate identity (hostname/SAN) narrows what another
            # certificate from the same CA could impersonate.
            id = %any
            auth = pubkey
        }
        children {
            pp {
                dpd_action = start
                close_action = start
                inactivity = 36000s
                life_time = 0
                esp_proposals = aes256-sha256
                updown = /etc/swanctl/updown.sh
                remote_ts = 0.0.0.0/0
                priority = 1
                mode = tunnel
                start_action = start # "none" is for manual start, or use "start" for autostart
            }
        }
    }
} # connections
secrets {
    # The EAP credential is stored in clear text: keep swanctl.conf readable by
    # root only, or move this section into a separate root-only file and pull it
    # in with an include directive.
    eap-user {
        id = Username # Replace with your PP-Username
        secret = "Password" # Replace with your "PP-Password" 
    }
} # secrets

Only local subnet 192.168.1.0/24 and remote subnet 192.168.1.0/24 are allowed.

But I need to let more subnets/IP ranges through IPsec.

How can I check on OpenWrt to see what needs to be opened?

Is there something like traffic capture on OpenWrt?

Best regards

Bernd

Bernd,

I see you are working on IKEv2 with ProtonVPN (I saw this on the StrongSwan forum.) I see that there is not much help getting this working and unfortunately, I will be no help at all. In fact, the reason I am replying to this thread is I am in the same boat. I am hoping that you will share your settings with me.

I tried to "pickup" your firewall and interface(?) setup from this post and the other on strongswan, but I have failed.

Will you share with me how to install an interface for the ipsec vpn and then also give me the firewall setup? I think that is my problem (partly at least) as I lose my LAN when I send the "ipsec up server.ip" command.

You also had created a ipsec.user file and some other scripts. Are those needed and if so, will you kindly share those?

Thanks a lot,

8bits

I found this: https://community.ui.com/questions/TUTORIAL-ProtonVPN-IKEv2-client-configuration-for-EdgeRouter/c2b64fa4-9eac-4aa4-b854-9ec9949a7e11

I believe this contains all the relevant setup steps, but they are for an Edge router. Would someone, kindly, reformat the instructions for openwrt?

I don't think it matters, but for future searchers I am using a TP-Link Archer C7 v5 with OpenWrt 19.07.1 r10911-c155900f66.

You still have to adapt this configuration to ProtonVPN, but you can try it. This configuration is without IPv6 and Kill-Switch.

Disable IPv6 in LuCI:

LAN > Advanced > UNCHECK: Use IPv6-management
LAN > DHCP > IPv6 > Disable everything
WAN > Advanced > UNCHECK: Use IPv6-management
WAN6 > Delete

Replace in /etc/config/firewall:

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

with:

# Inbound IKE (500/udp), NAT-T (4500/udp) and ESP from the WAN to the router
# itself (no 'dest' => INPUT chain). For a tunnel the router initiates, return
# traffic is normally accepted by connection tracking (certainly for NAT-T on
# UDP 4500; for raw ESP it depends on the kernel's conntrack support), so these
# rules expose charon's listening ports to every WAN host. If you keep them,
# narrow each rule to the VPN server, e.g. add: option src_ip '<VPN server IP>'
config rule
	option name 'IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'IPSec-IKE'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'IPSec-NAT-T'
	option src 'wan'
	option dest_port '4500'
	option proto 'udp'
	option target 'ACCEPT'

Install packages:

opkg update
opkg install strongswan-full ip-full

Copy your certificate to "/etc/ipsec.d/cacerts" with WinSCP or the scp command.

/etc/ipsec.conf:

config setup
	# NOTE(review): assumes "all" turns on verbose logging for every charon
	# subsystem — confirm the accepted syntax in ipsec.conf(5). High debug levels
	# write IKE payload details (and at the top level key material) to the
	# system log, so do not leave this on once the tunnel works.
	charondebug="all"
	uniqueids=never

conn lan-passthrough
        leftsubnet=192.168.1.0/24 # Replace with your LAN subnet
        rightsubnet=192.168.1.0/24 # Replace with your LAN subnet
        authby=never # No authentication necessary
        type=pass # passthrough
        auto=route # no need to ipsec up lan-passthrough

conn ProtonVPN
        keyexchange=ikev2
        keyingtries=%forever
        dpdaction=none
        dpddelay=300s
        inactivity=36000s
        rekey=no
	forceencaps=yes
	# authby is the legacy setting; leftauth/rightauth below take precedence,
	# so this line presumably has no effect here.
	authby=secret
	ike=aes256-sha256-modp2048
	esp=aes256-sha256
	leftfirewall=yes
	left=192.168.1.1
	leftid=192.168.1.1 
	leftsourceip=%config4
      	leftsendcert=never
        leftauth=eap-mschapv2
	rightfirewall=yes
        rightauth=pubkey
	right=ProtonVPNServerIP # Replace here ProtonVPNServerIP
	# %any accepts whatever identity the server presents, as long as its
	# certificate chains to a CA in /etc/ipsec.d/cacerts. Pinning rightid to
	# the server's certificate identity (hostname/SAN) narrows what another
	# certificate from the same CA could impersonate.
	rightid=%any
        rightsubnet=0.0.0.0/0
    	rightsendcert=always
	eap_identity="ProtonVPNUsername"
	type=tunnel
        auto=add

/etc/ipsec.user:

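# /etc/ipsec.user - hook sourced by OpenWrt's strongSwan updown script on every
# CHILD_SA event (assumed: the package's _updown sources this file — confirm on
# your build). The PLUTO_* variables are set by charon.
#
# LAN packets leaving via WAN carry no IPsec policy yet ("--pol none");
# rewriting their source to the tunnel's virtual IP presumably makes them
# match the 0.0.0.0/0 tunnel policy afterwards.
LAN_SUBNET="192.168.1.0/24" # Replace with your LAN subnet

case "$PLUTO_VERB" in
up-client)
        iptables -t nat -A postrouting_wan_rule -s "$LAN_SUBNET" -m policy --dir out --pol none -j SNAT --to-source "$PLUTO_MY_SOURCEIP4_1"
        ;;
down-client)
        # Delete only the rule added above; "-F postrouting_wan_rule" would also
        # wipe unrelated user rules from that chain. "|| true": a repeated
        # down-client (rule already gone) must not fail the hook. If the
        # virtual IP is unavailable at teardown the rule stays; check with
        # "iptables -t nat -S postrouting_wan_rule".
        iptables -t nat -D postrouting_wan_rule -s "$LAN_SUBNET" -m policy --dir out --pol none -j SNAT --to-source "$PLUTO_MY_SOURCEIP4_1" || true
        ;;
esac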

/etc/ipsec.secrets:
ProtonVPNUsername : EAP "ProtonVPNPassword"

Reboot your router.

Start IPsec with:

ipsec up ProtonVPN

If it works, then replace:

auto=add

in /etc/ipsec.conf with:

auto=start # start is for autostart

Reboot your router and enjoy.

Here is a Kill Switch instruction from @mikma and @mpa, but I had no luck with that.

Maybe you'll be luckier.

Edit:

I have not found a way to create an IPsec interface. And without an interface, you cannot configure the firewall for it.

The updown.sh script from your link uses a VTI interface. It seems that the VTI interface works on EdgeRouter, but not on OpenWrt so far.
So this is a problem of the OpenWrt configuration. Maybe it needs a special routing configuration?

I tried to reformat the instructions for OpenWrt, but without success. I only got RX packets, but no TX packets. See picture:

You or someone else can try to get VTI interface working. Then I can try to create a new updown.sh script.

Here are my last settings:

add to /etc/ipsec.conf:

        mark_in=42
        mark_out=42

/etc/strongswan.conf:

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        # Route-based setup: the VTI device (ipsec0, keyed to mark 42) is meant
        # to carry the tunnel traffic, so charon must presumably not install its
        # own routes or put the virtual IP on the uplink interface.
        install_routes=no
        install_virtual_ip=no

        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

Terminal:

# Route-based setup: a VTI device keyed to the policy mark. "key 42" has to
# match mark_in/mark_out=42 in ipsec.conf so that only traffic carrying that
# mark is associated with the tunnel; <your-server-ip> is the VPN server
# (placeholder).
ip tunnel add ipsec0 local 192.168.1.1 remote <your-server-ip> mode vti key 42
# Skip the SPD lookup on the VTI itself; the policy is presumably applied on
# the underlying WAN path.
sysctl -w net.ipv4.conf.ipsec0.disable_policy=1
ip link set ipsec0 up
# NOTE(review): 10.0.0.0/24 is assumed to be the VPN's internal range — confirm
# against the addresses your provider hands out.
ip route add 10.0.0.0/24 dev ipsec0

/etc/config/network:

config interface 'ipsec'
	# proto 'none': the ipsec0 device is created externally (ip tunnel add),
	# netifd only tracks it.
	option proto 'none'
	# no downstream IPv6 prefix delegation onto the tunnel interface
	option delegate '0'
	option ifname 'ipsec0'

Hello 8bitgigo.

I do not know how to reformat the updown.sh script for the ipsec.user file. Therefore you should use swanctl.conf instead of ipsec.conf.

Here is the updown.sh:

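#!/bin/sh
# updown.sh - strongSwan updown hook for the ProtonVPN child (swanctl.conf:
# children.<name>.updown). charon runs it with PLUTO_VERB, PLUTO_ME, PLUTO_PEER,
# PLUTO_INTERFACE and PLUTO_MY_SOURCEIP in the environment. On up-client it
# SNATs LAN traffic to the tunnel's virtual IP and brings up a VTI device
# carrying that IP; on down-client it undoes both.
set -o nounset
set -o errexit

# Interface
VTI_IFACE="vti0"
# LAN subnet that is sent through the tunnel. Replace with your LAN subnet.
LAN_SUBNET="192.168.1.0/24"

case "$PLUTO_VERB" in
up-client)
	# LAN packets leaving via WAN carry no IPsec policy yet ("--pol none");
	# rewriting their source to the virtual IP presumably makes them match the
	# 0.0.0.0/0 tunnel policy afterwards.
	iptables -t nat -A postrouting_wan_rule -s "$LAN_SUBNET" -m policy --dir out --pol none -j SNAT --to-source "$PLUTO_MY_SOURCEIP"

	echo "Creating tunnel interface $VTI_IFACE local $PLUTO_ME remote $PLUTO_PEER mode vti"
	ip tunnel add "$VTI_IFACE" local "$PLUTO_ME" remote "$PLUTO_PEER" mode vti
	echo "Activating tunnel interface $VTI_IFACE"
	ip link set "$VTI_IFACE" up

	echo "Adding $PLUTO_MY_SOURCEIP to $VTI_IFACE"
	ip addr add "$PLUTO_MY_SOURCEIP" dev "$VTI_IFACE"

	echo "Disabling IPsec policy (SPD) for $VTI_IFACE"
	sysctl -w "net.ipv4.conf.$VTI_IFACE.disable_policy=1"

	# Gateway of the FIRST default route that has one. The previous
	# "grep default | awk '{print $3}'" printed one line per default route
	# (multi-WAN / metrics) and, on a point-to-point uplink such as PPPoE
	# ("default dev pppoe-wan ..."), an interface name instead of an address;
	# either value breaks the "ip route add" below.
	DEFAULT_GW="$(ip route show default | awk '$1 == "default" && $2 == "via" { print $3; exit }')"

	# Host route to the VPN server on the physical uplink — presumably so that
	# IKE/ESP is not itself pulled into the VTI once LAN traffic is routed
	# through it.
	if [ -n "$DEFAULT_GW" ]; then
		echo "Identified default gateway as $DEFAULT_GW"
		echo "Adding route: $PLUTO_PEER via $DEFAULT_GW dev $PLUTO_INTERFACE"
		ip route add "$PLUTO_PEER" via "$DEFAULT_GW" dev "$PLUTO_INTERFACE"
	else
		# point-to-point uplink without a gateway address: the device alone suffices
		echo "No default gateway address found; adding route: $PLUTO_PEER dev $PLUTO_INTERFACE"
		ip route add "$PLUTO_PEER" dev "$PLUTO_INTERFACE"
	fi
	;;
down-client)
	# Teardown is best effort: every step runs even if an earlier one fails,
	# otherwise errexit would leave the VTI or the host route behind.

	# Delete only the rule added on up-client; "-F postrouting_wan_rule" would
	# also wipe unrelated user rules from that chain.
	if [ -n "${PLUTO_MY_SOURCEIP:-}" ]; then
		iptables -t nat -D postrouting_wan_rule -s "$LAN_SUBNET" -m policy --dir out --pol none -j SNAT --to-source "$PLUTO_MY_SOURCEIP" || true
	else
		echo "PLUTO_MY_SOURCEIP not set; SNAT rule for $LAN_SUBNET left in place" >&2
	fi

	echo "Deleting interface $VTI_IFACE"
	ip tunnel del "$VTI_IFACE" || true

	echo "Deleting route for $PLUTO_PEER"
	ip route del "$PLUTO_PEER" || true
	;;
esac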

Here is swanctl.conf:

connections {
    lan-passthrough {
        children {
            lan-passthrough {
                local_ts = 192.168.1.0/24 # Replace with your LAN subnet
                remote_ts = 192.168.1.0/24 # Replace with your LAN subnet
                priority = 1
                mode = pass
                start_action = trap
            }
        }
    }
    ProtonVPN {
        unique = never
        version = 2
        keyingtries=0
        dpd_delay = 300s
        # 0 disables IKE_SA rekeying; together with life_time = 0 below the
        # negotiated keys stay in use for the whole connection — a deliberate
        # trade-off for a long-lived consumer VPN, not the default.
        rekey_time = 0
        encap = yes
        proposals = aes256-sha256-modp2048
        vips = 0.0.0.0
        send_cert = never
        send_certreq = yes
        local_addrs = 192.168.1.1 # Replace with your default Router IP address
        remote_addrs = <ProtonVPN Server IP> # Replace with your ProtonVPN Server IP

        local {
            id = 192.168.1.1 # Replace with your default Router IP address
            auth = eap-mschapv2
            eap_id = Username # Replace with your ProtonVPN-Username
        }
        remote {
            # %any accepts whatever identity the server presents, as long as its
            # certificate chains to an installed CA. Pinning id to the server's
            # certificate identity (hostname/SAN) narrows what another
            # certificate from the same CA could impersonate.
            id = %any
            auth = pubkey
        }
        children {
            ProtonVPN {
                dpd_action = start
                close_action = start
                inactivity = 36000s
                life_time = 0
                esp_proposals = aes256-sha256
                # hook that SNATs the LAN to the virtual IP and sets up the VTI
                updown = /etc/swanctl/updown.sh
                remote_ts = 0.0.0.0/0
                priority = 1
                mode = tunnel
                start_action = none # "none" is for manual start, or use "start" for autostart
            }
        }
    }
} # connections
secrets {
    # The EAP credential is stored in clear text: keep swanctl.conf readable by
    # root only, or move this section into a separate root-only file and pull it
    # in with an include directive.
    eap-user {
        id = Username # Replace with your ProtonVPN-Username
        secret = "Password" # Replace with your "ProtonVPN-Password" 
    }
} # secrets

/etc/strongswan.conf:

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        # Route-based setup: updown.sh assigns the virtual IP to the VTI and
        # installs the host route to the peer itself, so charon must not install
        # its own routes or put the virtual IP on the uplink interface.
        install_routes=no
        install_virtual_ip=no

        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

/etc/config/network:

config interface 'ipsec'
	# proto 'none': the vti0 device is created externally (by updown.sh),
	# netifd only tracks it.
	option proto 'none'
	# no downstream IPv6 prefix delegation onto the tunnel interface
	option delegate '0'
	option ifname 'vti0'

Start the configuration with:

swanctl --load-all
swanctl --initiate --child ProtonVPN

Important: ProtonVPN must also configure VTI on the server side, otherwise it will not work.

I do not have an account for ProtonVPN. Therefore you have to ask ProtonVPN about VTI and try the configuration.
