IPSec IKEv2 Client to VPN service

Hi, Bernd,

I'm Leo, from China. Because of our government we can't visit the Internet as freely as you can, but we have other ways to do it, so I can see you here :smile:

I saw your message and you are very professional, but I'm just a new guy here.
I would thank you very much if you could give me a hand with strongSwan on OpenWrt.
I have tried for many, many days and worked hard, but still can't connect successfully!

I want to set up an L2TP over IPsec client on OpenWrt using strongSwan. I installed everything on an old desktop and it works well as a router.

My environment is:
1. OpenWrt 19.07.1, r10911-c155900f66
2. strongSwan 5.8.2
3. xl2tpd 1.3.15-2

I set up the router as in this link: http://villasyslog.net/openwrt-pptp-l2tp-ikev2-setup-strongswan-vpn-client/
But it doesn't work, so I changed some parameters and tested again and again......
Still can't connect, so I come here to ask for help and show you the details.

**file1: /etc/ipsec.conf**

```
# basic configuration

config setup
        strictcrlpolicy=yes
        uniqueids = no
        charondebug=all

# Add connections here.

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        # I tried ikev2 first but it didn't work; then I googled and a lot of
        # people use ikev1 for this, but it still can't connect
        keyexchange=ikev1

# Sample VPN connections

conn L2TP-PSK
        authby=secret
        leftauth=psk
        auto=add
        keyingtries=3
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        rekey=yes
        ikelifetime=8h
        keylife=1h
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        # I can't use an IP here because the server IP changes every day
        right=xx.xx.com
        rightauth=psk
        rightid=xx.xx.com
        rightprotoport=17/1701
        auto=start
        dpddelay=40
        dpdtimeout=130
        dpdaction=clear
```

**file2: /etc/ipsec.secrets**

```
# /etc/ipsec.secrets - strongSwan IPsec secrets file

xx.xx.com : PSK "xxxxxx"
```


**file3: /etc/xl2tpd/xl2tpd.conf**

```
[global]
port = 1701
auth file = /etc/xl2tpd/xl2tp-secrets
access control = no

[lac strong-vpn]
lns = xx.xx.com
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
bps = 1000000
```


**file4: /etc/ppp/options.l2tpd.client**

```
ipcp-accept-local
ipcp-accept-remote
# I tried the setup in my TP-Link router and its log shows "PAP Auth",
# but it doesn't show me more detail
require-pap
noccp
noauth
idle 1800
mtu 1400
mru 1400
defaultroute
replacedefaultroute
usepeerdns
debug
connect-delay 5000
name "user"
password "password"
lcp-echo-interval 20
lcp-echo-failure 5
```

Hello @Bernd, are you still working on this?

Yes. I'm waiting until my VPN provider enables VTI on the test server.

Find a provider supporting WireGuard instead; then you'll find everything is so easy, and so cute.

Has anyone managed to get this working? I've managed to establish the connection, but can't seem to bring up the VTI iface. The state is unknown...

Did anyone successfully create a VTI for IPsec? If yes, then please let me know...

Hi @Bernd,
How did you start swanctl on OpenWrt?
The error I get is as follows:

```
connecting to 'unix:///var/run/charon.vici' failed: Connection refused
```

In CentOS I am able to enable it with systemctl, but in OpenWrt, how do I enable it?

thanks.

Did anyone get success on that? I'm having the same problem... IPsec tunnel established, but cannot send traffic through the tunnel.
thanks

Hi Bernd,

I got a problem when I followed your instructions for setting up DNS. I really hope that you will help me.
I followed these commands:

```
env | sed -n -e "
/^foreign_option_.*=dhcp-option.DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.DOMAIN/s//domain/p
" | sort -u > /tmp/resolv.conf.vpn
uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.vpn"
/etc/init.d/dnsmasq restart
```

But after restarting dnsmasq, my Internet is disconnected. After that, I also cannot connect to the VPN. But after executing this command:

```
uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.auto"
/etc/init.d/dnsmasq restart
```

the Internet starts working fine, but the DNS also remains from the ISP. I hope for your help. Thanks in advance (I am using ProtonVPN).
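As an added example (not code from the thread or from any of its posters): the same env-to-resolv.conf transformation as the sed pipeline in the post above, plus a guard that keeps dnsmasq on the ISP resolv file whenever the VPN file ends up without any `nameserver` line, since a resolvfile with no nameserver leaves dnsmasq with no upstream and all resolution fails. The `foreign_option_N` values, file paths and the fallback file name are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenVPN exports
# foreign_option_N variables and dnsmasq reads the file named by
# dhcp.@dnsmasq[0].resolvfile; the values below are constructed.

# Read "NAME=VALUE" lines (as printed by `env`) on stdin and emit
# resolv.conf lines "nameserver <ip>" / "domain <name>", sorted, unique.
vpn_resolv_from_env() {
    sed -n -e '/^foreign_option_[0-9]*=dhcp-option DNS /s//nameserver /p' \
           -e '/^foreign_option_[0-9]*=dhcp-option DOMAIN /s//domain /p' |
    sort -u
}

# Print the resolvfile dnsmasq should use: the VPN file when it carries at
# least one nameserver, otherwise the fallback, so a VPN that pushed no DNS
# (or a pipeline that produced an empty file) never leaves dnsmasq blind.
choose_resolvfile() {
    vpn_file=$1
    fallback=$2
    if [ -s "$vpn_file" ] && grep -q '^nameserver ' "$vpn_file"; then
        printf '%s\n' "$vpn_file"
    else
        printf '%s\n' "$fallback"
    fi
}

# Demo on a constructed environment; the uci/dnsmasq commands from the
# post are only echoed here, not executed.
demo() {
    tmp=$(mktemp)
    printf '%s\n' \
        'foreign_option_1=dhcp-option DNS 10.8.0.1' \
        'foreign_option_2=dhcp-option DOMAIN example.lan' \
        'foreign_option_3=dhcp-option DNS 10.8.0.1' \
        'PATH=/usr/sbin:/usr/bin' | vpn_resolv_from_env > "$tmp"
    chosen=$(choose_resolvfile "$tmp" /tmp/resolv.conf.auto)
    echo "uci set dhcp.@dnsmasq[0].resolvfile=\"$chosen\""
    echo "/etc/init.d/dnsmasq restart"
    rm -f "$tmp"
}

demo
```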

I hope this video will help you.

Hello everyone,
I followed this thread and this other one,

but no success.
Upon `ipsec up vpn` I have a successful tunnel, but it is not shared via wifi nor LAN.
In `ip route`
the default route is not via vti1.
Can you help me?