IPsec Modern IKEv2 Road-Warrior Configuration

Hello.

I'm trying to configure IPsec Modern IKEv2 Road-Warrior Configuration (swanctl), but I can't get it to work.

I'm following the instructions at https://openwrt.org/docs/guide-user/services/vpn/strongswan/roadwarrior, but getting nothing. They seem to try to talk to each other, but the connection cannot be terminated.

I have also tried "Traffic is dropped for IPsec with firewall4", but nothing.

The OpenWrt version I'm using is 22.03.3 on x86. Everything works fine except this.

Could someone point me to a tutorial to be able to configure it using just swanctl?

Any help is appreciated.
Thanks.

Hi Diego,

could you please share your configs and your log file? Without specifics, it will not be possible to help.

Can you start by listing the contents of your /etc/swanctl/swanctl.conf and then paste what logread -f gives you upon connection attempt?

-A

Yes, need logs here.

The two somewhat obscure problems I've had are:

  • Not having the necessary kernel crypto kmods installed. The IKE phase uses userspace crypto, however actually using the SA keys is done in the kernel. The log will show successful IKE but then errors trying to start up SA.
  • The SA crypto algorithms must be set to force one particular method that is the same on both sides. The symptom here is a completely successful initial connection, but it breaks on the first rekeying attempt. Rekeying may fail if the two sides aren't already constrained to the method.
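The first of these two problems is easy to check for rather than discover after IKE has succeeded. The shell script below is an added example (mine, not code from the thread or from strongSwan): it maps the ESP keywords of a strongSwan proposal string (the same string you would pin in esp_proposals on both sides to avoid the rekeying surprise from the second bullet) to the kernel algorithm names that appear in /proc/crypto and reports any that are absent, together with the OpenWrt kmod-crypto package that would provide it. The package mapping is my assumption except for kmod-crypto-gcm, which is the package named later in this thread; the /proc/crypto excerpt is constructed. Note that /proc/crypto lists only algorithms the kernel has already instantiated, so run the check after a connection attempt: an entry still missing at that point is what charon tripped over when it tried to install the SA.

```shell
#!/bin/sh
# Added example, not from the thread: check whether the Linux kernel has the
# crypto implementations a strongSwan ESP proposal needs. charon negotiates
# IKE in userspace, but the ESP SAs are installed in the kernel, so a missing
# kmod-crypto-* package only shows up after IKE has already succeeded.

# Map a strongSwan ESP keyword to "<kernel algorithm name> <OpenWrt package>".
# Package names are an assumption of this example (kmod-crypto-gcm is the one
# named in the thread). DH group keywords (modp2048, ecp256, ...) are handled
# in userspace only, so they return 1 and the caller skips them.
esp_alg_to_kernel() {
    case "$1" in
        aes128gcm8|aes128gcm12|aes128gcm16|aes256gcm8|aes256gcm12|aes256gcm16)
                              echo "rfc4106(gcm(aes)) kmod-crypto-gcm" ;;
        aes128|aes192|aes256) echo "cbc(aes) kmod-crypto-cbc" ;;
        chacha20poly1305)     echo "rfc7539esp(chacha20,poly1305) kmod-crypto-chacha20poly1305" ;;
        sha1)                 echo "hmac(sha1) kmod-crypto-hmac" ;;
        sha256)               echo "hmac(sha256) kmod-crypto-sha256" ;;
        sha384)               echo "hmac(sha384) kmod-crypto-sha512" ;;
        sha512)               echo "hmac(sha512) kmod-crypto-sha512" ;;
        *) return 1 ;;
    esac
}

# Print the "name :" entries of a /proc/crypto style file, one per line.
kernel_alg_names() {
    awk '$1 == "name" { print $3 }' "$1"
}

# esp_kernel_support PROPOSAL CRYPTO_FILE
# Reports every algorithm of PROPOSAL (e.g. aes128gcm16-modp2048) that has no
# entry in CRYPTO_FILE; returns 1 if anything is missing, 0 otherwise.
esp_kernel_support() {
    names=$(kernel_alg_names "$2")
    missing=0
    for alg in $(printf '%s' "$1" | tr '-' ' '); do
        entry=$(esp_alg_to_kernel "$alg") || continue
        kname=${entry% *}
        pkg=${entry#* }
        if ! printf '%s\n' "$names" | grep -Fxq "$kname"; then
            echo "$alg: no kernel implementation of $kname (OpenWrt package: $pkg)"
            missing=1
        fi
    done
    return $missing
}

# Constructed /proc/crypto excerpt: CBC-AES and HMAC-SHA256 present, no GCM.
SAMPLE_PROC_CRYPTO=$(mktemp)
cat > "$SAMPLE_PROC_CRYPTO" <<'EOF'
name         : hmac(sha256)
driver       : hmac(sha256-generic)
module       : kernel
type         : shash

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
type         : skcipher
EOF

# On a router:  esp_kernel_support aes128gcm16-modp2048 /proc/crypto
for p in aes256-sha256-modp2048 aes128gcm16-modp2048; do
    if esp_kernel_support "$p" "$SAMPLE_PROC_CRYPTO"; then
        echo "$p: all ESP algorithms are available in the kernel"
    fi
done
```

Against the constructed excerpt the CBC/SHA-256 proposal passes and the GCM proposal reports rfc4106(gcm(aes)) as missing, which is the symptom the "Not having the necessary kernel crypto kmods" bullet describes.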

Hi. Thanks

logread -f

Sun Jan 29 00:17:35 2023 daemon.info : 15[NET] received packet: from 192.168.10.75[500] to 192.168.10.235[500] (604 bytes)
Sun Jan 29 00:17:35 2023 daemon.info : 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sun Jan 29 00:17:36 2023 daemon.info : 15[IKE] 192.168.10.75 is initiating an IKE_SA
Sun Jan 29 00:17:36 2023 authpriv.info : 15[IKE] 192.168.10.75 is initiating an IKE_SA
Sun Jan 29 00:17:36 2023 daemon.info : 15[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sun Jan 29 00:17:36 2023 daemon.info : 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Sun Jan 29 00:17:36 2023 daemon.info : 15[NET] sending packet: from 192.168.10.235[500] to 192.168.10.75[500] (456 bytes)
Sun Jan 29 00:17:36 2023 daemon.info : 12[NET] received packet: from 192.168.10.75[4500] to 192.168.10.235[4500] (512 bytes)
Sun Jan 29 00:17:36 2023 daemon.info : 12[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
Sun Jan 29 00:17:36 2023 daemon.info : 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Sun Jan 29 00:17:36 2023 daemon.info : 12[CFG] looking for peer configs matching 192.168.10.235[www.molvizar.net]...192.168.10.75[SolaresVPN]
Sun Jan 29 00:17:36 2023 daemon.info : 12[CFG] selected peer config 'rw-eapmschapv2'
Sun Jan 29 00:17:36 2023 daemon.info : 12[IKE] initiating EAP_IDENTITY method (id 0x00)
Sun Jan 29 00:17:36 2023 daemon.info : 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sun Jan 29 00:17:36 2023 daemon.info : 12[IKE] peer supports MOBIKE
Sun Jan 29 00:17:36 2023 daemon.info : 12[IKE] authentication of 'www.molvizar.net' (myself) with RSA signature successful
Sun Jan 29 00:17:36 2023 daemon.info : 12[IKE] sending end entity cert "C=ES, O=Molvizar, CN=www.molvizar.net"
Sun Jan 29 00:17:36 2023 daemon.info : 12[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sun Jan 29 00:17:36 2023 daemon.info : 12[NET] sending packet: from 192.168.10.235[4500] to 192.168.10.75[4500] (1232 bytes)
Sun Jan 29 00:17:36 2023 daemon.info : 13[NET] received packet: from 192.168.10.75[4500] to 192.168.10.235[4500] (96 bytes)
Sun Jan 29 00:17:36 2023 daemon.info : 13[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Sun Jan 29 00:17:36 2023 daemon.info : 13[IKE] received EAP identity 'SolaresVPN'
Sun Jan 29 00:17:36 2023 daemon.info : 13[IKE] initiating EAP_MSCHAPV2 method (id 0x1F)
Sun Jan 29 00:17:36 2023 daemon.info : 13[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Sun Jan 29 00:17:36 2023 daemon.info : 13[NET] sending packet: from 192.168.10.235[4500] to 192.168.10.75[4500] (112 bytes)
Sun Jan 29 00:17:36 2023 daemon.info : 11[NET] received packet: from 192.168.10.75[4500] to 192.168.10.235[4500] (80 bytes)
Sun Jan 29 00:17:36 2023 daemon.info : 11[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
Sun Jan 29 00:17:36 2023 daemon.info : 11[IKE] received EAP_NAK, sending EAP_FAILURE
Sun Jan 29 00:17:36 2023 daemon.info : 11[ENC] generating IKE_AUTH response 3 [ EAP/FAIL ]
Sun Jan 29 00:17:36 2023 daemon.info : 11[NET] sending packet: from 192.168.10.235[4500] to 192.168.10.75[4500] (80 bytes)
Sun Jan 29 00:17:36 2023 daemon.info : 06[NET] received packet: from 192.168.10.75[500] to 192.168.10.235[500] (604 bytes)
Sun Jan 29 00:17:36 2023 daemon.info : 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sun Jan 29 00:17:36 2023 daemon.info : 06[IKE] 192.168.10.75 is initiating an IKE_SA
Sun Jan 29 00:17:36 2023 authpriv.info : 06[IKE] 192.168.10.75 is initiating an IKE_SA
Sun Jan 29 00:17:36 2023 daemon.info : 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sun Jan 29 00:17:36 2023 daemon.info : 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Sun Jan 29 00:17:36 2023 daemon.info : 06[NET] sending packet: from 192.168.10.235[500] to 192.168.10.75[500] (456 bytes)
Sun Jan 29 00:17:36 2023 daemon.info : 10[NET] received packet: from 192.168.10.75[4500] to 192.168.10.235[4500] (512 bytes)
Sun Jan 29 00:17:36 2023 daemon.info : 10[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
Sun Jan 29 00:17:36 2023 daemon.info : 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Sun Jan 29 00:17:36 2023 daemon.info : 10[CFG] looking for peer configs matching 192.168.10.235[www.molvizar.net]...192.168.10.75[SolaresVPN]
Sun Jan 29 00:17:36 2023 daemon.info : 10[CFG] selected peer config 'rw-eapmschapv2'
Sun Jan 29 00:17:36 2023 daemon.info : 10[IKE] initiating EAP_IDENTITY method (id 0x00)
Sun Jan 29 00:17:36 2023 daemon.info : 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sun Jan 29 00:17:36 2023 daemon.info : 10[IKE] peer supports MOBIKE
Sun Jan 29 00:17:36 2023 daemon.info : 10[IKE] authentication of 'www.molvizar.net' (myself) with RSA signature successful
Sun Jan 29 00:17:36 2023 daemon.info : 10[IKE] sending end entity cert "C=ES, O=Molvizar, CN=www.molvizar.net"
Sun Jan 29 00:17:36 2023 daemon.info : 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sun Jan 29 00:17:36 2023 daemon.info : 10[NET] sending packet: from 192.168.10.235[4500] to 192.168.10.75[4500] (1232 bytes)
Sun Jan 29 00:17:36 2023 daemon.info : 15[NET] received packet: from 192.168.10.75[4500] to 192.168.10.235[4500] (96 bytes)
Sun Jan 29 00:17:36 2023 daemon.info : 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Sun Jan 29 00:17:36 2023 daemon.info : 15[IKE] received EAP identity 'SolaresVPN'
Sun Jan 29 00:17:36 2023 daemon.info : 15[IKE] initiating EAP_MSCHAPV2 method (id 0x35)
Sun Jan 29 00:17:36 2023 daemon.info : 15[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Sun Jan 29 00:17:36 2023 daemon.info : 15[NET] sending packet: from 192.168.10.235[4500] to 192.168.10.75[4500] (112 bytes)
Sun Jan 29 00:17:36 2023 daemon.info : 14[NET] received packet: from 192.168.10.75[4500] to 192.168.10.235[4500] (80 bytes)
Sun Jan 29 00:17:36 2023 daemon.info : 14[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
Sun Jan 29 00:17:36 2023 daemon.info : 14[IKE] received EAP_NAK, sending EAP_FAILURE
Sun Jan 29 00:17:36 2023 daemon.info : 14[ENC] generating IKE_AUTH response 3 [ EAP/FAIL ]
Sun Jan 29 00:17:36 2023 daemon.info : 14[NET] sending packet: from 192.168.10.235[4500] to 192.168.10.75[4500] (80 bytes)

swanctl.conf

connections {
   rw-eapmschapv2 {
      include ./common.conf
      remote-eapmschapv2 {
         auth = eap-mschapv2
         eap_id = %any
      }
      send_certreq = no
      send_cert = always
   }
   rw-eapmschapv2ios {
      include ./common.conf
      remote-eapmschapv2ios {
         auth = eap-mschapv2
         eap_id = %any
      }
      send_certreq = no
      send_cert = always
   }
   rw-eaptls {
      include ./common.conf
      remote-eaptls {
         auth = eap-tls
         certs = clientCert_SolaresVPN.pem
      }
      send_certreq = no
   }
   rw-eaptlsios {
      include ./common.conf
      remote-eaptlsios {
         auth = eap-tls
         certs = clientCert_SolaresVPN.pem
         id = myVpnClients
      }
      send_certreq = no
      send_cert = always
   }
   rw-pubkey {
      include ./common.conf
      remote-pubkey {
         auth = pubkey
         certs = clientCert_SolaresVPN.pem
      }
      send_certreq = no
   }
   rw-pubkeyios {
      include ./common.conf
      remote-pubkeyios {
         auth = pubkey
         certs = clientCert_SolaresVPN.pem
         id = myVpnClients
      }
      send_certreq = no
      send_cert = always
   }
}

secrets {
   rsa- {
      filename="serverCert_www.molvizar.net.pem"
   }
   eap-remoteuser {
      id = diego 
      secret = 031219671
   }
}

pools {
    strongswanippool {
        addrs = 192.168.1.0/24
        dns = 192.168.1.1
    }
}

# Include config snippets
include conf.d/*.conf

# include /var/swanctl/swanctl.conf

common.conf

      local_addrs  = 0.0.0.0/0,::/0
      remote_addrs = 0.0.0.0/0,::/0
      local {
         auth = pubkey
         certs = serverCert_www.molvizar.net.pem
         id = www.molvizar.net
      }
      children {
         ikev2clients {
            local_ts  = 0.0.0.0/0;::/0
            esp_proposals = default
         }
      }
      pools = strongswanippool 
      unique = never
      version = 2
      proposals = default

I am testing the setup on an internal network.

I am trying to use iOS as an IKEv2 client

Thanks.

Is this method a requirement for you? WireGuard is really easy to set up and very performant and is supported on essentially every major platform in use today. OpenVPN is quite a bit more work to set up (and far less efficient), but can also work well on OpenWrt and most other OSs.

I haven't actually used EAP, but a quick review of https://docs.strongswan.org/docs/5.9/interop/windowsEapServerConf.html suggests that numerous things are wrong here.

  • Configure a single connection instance. Alternative forms of EAP to meet client compatibility can be supported inside a single instance.
  • The server is identified with a certificate. The client must have a copy of the public part of the CA that was used to sign that certificate. The server's identity must be in a SAN of the certificate.
  • MSCHAPV2 is a user:password paradigm, which requires the server to refer to a database of users and passwords; in the simple case that is a secrets block of configuration.
  • EAP-TLS requires installing a certificate and private key on the client. Typically it is signed to the same CA as the server certificate.

This suggests the client killed the process, possibly because it received something that was incomplete or incompatible with its configuration.

I have managed to connect an iOS phone to the VPN with StrongSwan with IKEv2. The problem was that you need to install the kmod-crypto-gcm module.

The article https://openwrt.org/docs/guide-user/services/vpn/strongswan/roadwarrior is not at all clear on mixing various protocols and OpenWrt versions.

The problem now is to define the interface and device in order to assign it a firewall zone.

I have followed all the instructions in the article "Traffic is dropped for IPsec with firewall4" and the variables and adaptations that I have been seeing in the documentation, but I cannot get the client to access the LAN or exit through the WAN.

There is no problem in pinging the connected device from the router and vice versa, but the interface does not appear in ifconfig and I cannot access, for example, the LuCI interface.

Any advice?

Thanks

Hi Diego,

I think, ideally, you would provide the following file contents:

/etc/config/firewall
/etc/config/network
/etc/nftables.d/20-ipsec.nft
/etc/strongswan.d/charon/attr.conf
/etc/swanctl/common.conf
/etc/swanctl/swanctl.conf

We are looking for a number of things...

First, let's make sure you don't have conflicting settings in your config. In your /etc/config/dhcp there should be no entry for serving dhcp on your VPN interface. You do have your strongswanippool in your swanctl.conf that takes care of issuing ip addresses to clients.

Second, let's make sure you do have a VPN interface in your /etc/config/network configuration that has a static IP address not in conflict with anything else. I think in your case it should be 192.168.1.1.

Third, let's make sure you have a vpn zone in your /etc/config/firewall config that lists the VPN interface from your /etc/config/network config as member. That zone must allow forwarding to your other zones.


Let's start analysis now!

Prepare yourself to connect to your VPN from your phone, by running a swanctl --log command on your router. Please provide the output from that command as you establish your connection.

After the connection is established, please provide the output you get from a ip route show table 220 command on your router.

Next, please set up a monitor trace on your router by issuing the following 3 commands.

> nft add chain inet fw4 trace_chain { type filter hook prerouting priority -301\; }
> nft add rule inet fw4 trace_chain udp dport 53 meta nftrace set 1
> nft monitor trace

Now you need to issue a DNS query from your phone (i.e., try getting to a website in your browser). Please provide the output from the monitor.


Also, some closing thoughts...

A) I don't know how much strongswan cares, but your local_ts = 0.0.0.0/0;::/0 in your /etc/swanctl/common.conf should have a comma and not a semicolon between the settings. It should be local_ts = 0.0.0.0/0, ::/0

B) In my setup I do a split tunnel and have my clients only route traffic for my network through VPN. Everything else goes directly to the internet from my clients. In my /etc/swanctl/common.conf I have local_ts = 10.10.20.0/29, 10.10.10.0/24 declared. The first network goes to my VPN interface and the second goes to LAN.

C) in my strongswanippool (in the /etc/swanctl/swanctl.conf file) I have addrs = 10.10.20.2-10.10.20.6 declared. The first address in that network (10.10.20.1) is the static IP of my VPN interface and clients cannot be assigned that.
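The three "let's make sure" checks above and closing thoughts A) and C) are all cross-file consistency checks, and they are exactly the kind of thing a typo defeats. The script below is an added example (mine, not from the thread; it does not use the uci binary so it runs anywhere): it flattens UCI files with awk, lists firewall zones whose `list network` entries name no interface section in the network config, verifies that the VPN interface's static address lies outside the strongSwan pool (both the `a-b` range form and the CIDR form), and flags a `local_ts`/`remote_ts` line that uses `;` instead of `,`. The sample files are constructed; on a router point the functions at /etc/config/firewall, /etc/config/network and /etc/swanctl/swanctl.conf or common.conf.

```shell
#!/bin/sh
# Added example, not from the thread: consistency checks across the OpenWrt
# firewall, network and swanctl files. Sample contents are constructed.

# Flatten a UCI file into tab-separated "type section key value" rows. Unnamed
# sections get a synthetic name "@type[N]"; each section header is also emitted
# with the key "@section" so that interfaces without options still show up.
uci_flatten() {
    awk '
    function unq(s) {
        if (substr(s, 1, 1) == "\047" || substr(s, 1, 1) == "\"") s = substr(s, 2, length(s) - 2)
        return s
    }
    $1 == "config" {
        type = $2; idx = n[type]++
        name = (NF >= 3) ? unq($3) : "@" type "[" idx "]"
        print type "\t" name "\t@section\t"
        next
    }
    $1 == "option" || $1 == "list" {
        v = $0
        sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", v)   # keep values with spaces intact
        sub(/[ \t]+$/, "", v)
        print type "\t" name "\t" $2 "\t" unq(v)
    }' "$1"
}

# zone_network_check FIREWALL NETWORK
# Prints each firewall zone whose "list network" entries name no interface
# section in NETWORK; returns 1 if any such zone exists.
zone_network_check() {
    ifaces=$(uci_flatten "$2" | awk -F'\t' '$1 == "interface" && $3 == "@section" { print $2 }')
    uci_flatten "$1" | awk -F'\t' -v ifaces="$ifaces" '
    BEGIN { m = split(ifaces, a, "\n"); for (i = 1; i <= m; i++) known[a[i]] = 1 }
    $1 == "zone" && $3 == "name" { zname[$2] = $4 }
    $1 == "zone" && $3 == "network" && !($4 in known) { bad[$2] = bad[$2] " " $4 }
    END {
        rc = 0
        for (z in bad) { print "zone " zname[z] ": unknown network(s):" bad[z]; rc = 1 }
        exit rc
    }'
}

# pool_check SWANCTL_CONF INTERFACE_IP
# Returns 1 if INTERFACE_IP lies inside the first "addrs" pool definition
# (a.b.c.d-e.f.g.h or a.b.c.d/N form): clients must never be handed the
# router's own VPN address.
pool_check() {
    addrs=$(awk -F'=' '$1 ~ /^[ \t]*addrs[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1")
    awk -v ip="$2" -v addrs="$addrs" '
    function toint(a,   p) { split(a, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
    BEGIN {
        if (index(addrs, "-")) {
            split(addrs, r, "-"); lo = toint(r[1]); hi = toint(r[2])
        } else {
            nf = split(addrs, r, "/"); bits = (nf == 2) ? r[2] + 0 : 32
            size = 2 ^ (32 - bits); lo = int(toint(r[1]) / size) * size; hi = lo + size - 1
        }
        v = toint(ip)
        if (v >= lo && v <= hi) { print "pool " addrs " contains the VPN interface address " ip; exit 1 }
        print "pool " addrs " does not overlap " ip
    }'
}

# ts_separator_check SWANCTL_FILE
# Returns 1 if a local_ts/remote_ts line separates selectors with ";" (point A above).
ts_separator_check() {
    ! grep -Eq '^[[:space:]]*(local|remote)_ts[[:space:]]*=.*;' "$1"
}

# Constructed sample files that reproduce the mistakes discussed in the thread.
SAMPLE_DIR=$(mktemp -d)
printf "config zone\n\toption name 'lan'\n\tlist network 'lan'\n\nconfig zone\n\toption name 'vpn'\n\toption input 'ACCEPT'\n\tlist network 'van'\n" > "$SAMPLE_DIR/firewall"
printf "config interface 'lan'\n\toption proto 'static'\n\toption ipaddr '192.168.1.1'\n\nconfig interface 'VPN'\n\toption proto 'static'\n\toption device 'veth0'\n\toption ipaddr '192.168.3.1'\n" > "$SAMPLE_DIR/network"
printf "pools {\n    strongswanippool {\n        addrs = 192.168.3.5-192.168.3.10\n    }\n}\n" > "$SAMPLE_DIR/swanctl.conf"
printf "      local_ts = 0.0.0.0/0;::/0\n" > "$SAMPLE_DIR/common.conf"

if zone_network_check "$SAMPLE_DIR/firewall" "$SAMPLE_DIR/network"; then
    echo "every zone member names a known interface"
fi
pool_check "$SAMPLE_DIR/swanctl.conf" 192.168.3.1
ts_separator_check "$SAMPLE_DIR/common.conf" || echo "common.conf: use ',' between local_ts selectors"
```

Run against the constructed files it reports the `van`/`VPN` mismatch, confirms that 192.168.3.1 is outside 192.168.3.5-192.168.3.10, and flags the semicolon; feeding it the first swanctl.conf from this thread (addrs = 192.168.1.0/24 with the LAN at 192.168.1.1) makes the pool check fail instead.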

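Reading raw `nft monitor trace` output is tedious because every chain the packet crosses produces several lines. The awk-based summariser below is an added example (mine, not from the thread or from nftables): it reduces a trace to one line per packet with its ingress interface, addresses, the chains it passed through and the last rule or chain policy that gave a verdict, so a drop in one chain stands out. The sample trace is constructed in the format nft prints; its drop in the forward chain mirrors the `ip saddr 192.168.3.0/24 counter drop` rule that appears later in this thread's /etc/nftables.d/20-ipsec.nft.

```shell
#!/bin/sh
# Added example, not from the thread: one summary line per packet traced by
# "nft monitor trace". Usage on a router:
#   nft monitor trace | tee trace.log    (then)    nft_trace_summary trace.log
nft_trace_summary() {
    awk '
    $1 == "trace" && $2 == "id" {
        id = $3; chain = $6
        if (!(id in seen)) { seen[id] = 1; order[++n] = id }
        if ($7 == "packet:") {
            # first hop: remember where the packet came in and its endpoints
            if (!(id in iif)) {
                for (i = 8; i <= NF; i++) {
                    if ($i == "iif")   { iif[id] = $(i + 1); gsub(/"/, "", iif[id]) }
                    if ($i == "saddr") src[id] = $(i + 1)
                    if ($i == "daddr") dst[id] = $(i + 1)
                }
            }
            path[id] = path[id] (path[id] == "" ? "" : ">") chain
        } else if ($7 == "rule" && match($0, /\(verdict [a-z]+\)$/)) {
            v = substr($0, RSTART + 9, RLENGTH - 10)      # text between "(verdict " and ")"
            if (v != "continue") last[id] = v " by rule in " chain
        } else if ($7 == "policy") {
            last[id] = $8 " by policy of " chain
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            id = order[k]
            printf "%s iif=%s %s->%s path=%s last=%s\n", id, iif[id], src[id], dst[id], path[id], ((id in last) ? last[id] : "none")
        }
    }' "$@"
}

# Constructed sample: a DNS query from a VPN client dropped in "forward", and a
# loopback DNS query accepted in "input" (abbreviated to the fields used above).
SAMPLE_TRACE=$(mktemp)
cat > "$SAMPLE_TRACE" <<'EOF'
trace id 1a2b3c4d inet fw4 trace_chain packet: iif "veth0" @ll,0,112 0x800 ip saddr 192.168.3.5 ip daddr 1.1.1.3 ip protocol udp udp sport 50000 udp dport 53
trace id 1a2b3c4d inet fw4 trace_chain rule udp dport 53 meta nftrace set 1 (verdict continue)
trace id 1a2b3c4d inet fw4 trace_chain policy accept
trace id 1a2b3c4d inet fw4 forward packet: iif "veth0" oif "eth1" @ll,0,112 0x800 ip saddr 192.168.3.5 ip daddr 1.1.1.3 ip protocol udp udp sport 50000 udp dport 53
trace id 1a2b3c4d inet fw4 forward rule ip saddr 192.168.3.0/24 counter packets 1 bytes 60 drop (verdict drop)
trace id 9e8f7a6b inet fw4 trace_chain packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip protocol udp udp sport 36846 udp dport 53
trace id 9e8f7a6b inet fw4 trace_chain policy accept
trace id 9e8f7a6b inet fw4 input packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip protocol udp udp sport 36846 udp dport 53
trace id 9e8f7a6b inet fw4 input rule iifname "lo" accept comment "!fw4: Accept traffic from loopback" (verdict accept)
EOF

nft_trace_summary "$SAMPLE_TRACE"
```

The `last=` field is the most recent decision seen, not a proof that the packet was delivered: a chain policy of accept only ends that chain, and the packet goes on to the next hook. For the question in this thread (which chain is eating the client's traffic) a `drop by rule in <chain>` line is the answer you are after. Remember to delete the trace chain afterwards, since the `meta nftrace set 1` rule stays in the live ruleset.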
Hello.

I have done a fresh installation, with everything clean. I am using the x86 version of OpenWrt 22.03.3 (https://downloads.openwrt.org/releases/22.03.3/targets/x86/64/openwrt-22.03.3-x86-64-generic-ext4-combined.img.gz)

opkg update

opkg install strongswan-full kmod-crypto-gcm openssl-util iptables-nft openssh-sftp-server

/etc/init.d/ipsec stop
/etc/init.d/ipsec disable

/etc/init.d/swanctl enable
/etc/init.d/swanctl start

swanctl --load-all

curl SSL backend 'mbedTLS/2.28.2' not supported, https:// disabled
no files found matching '/etc/swanctl/conf.d/*.conf'
loaded certificate from '/etc/swanctl/x509/serverCert_vpn.prueba.net.pem'
loaded certificate from '/etc/swanctl/x509/clientCert_SolaresVPN.pem'
loaded certificate from '/etc/swanctl/x509ca/caCert.pem'
loaded RSA key from '/etc/swanctl/private/serverKey_vpn.prueba.net.pem'
loaded eap secret 'eap-remoteuser'
no authorities found, 0 unloaded
loaded pool 'strongswanippool'
successfully loaded 1 pools, 0 unloaded
loaded connection 'rw-eapmschapv2'
loaded connection 'rw-eapmschapv2ios'
loaded connection 'rw-eaptls'
loaded connection 'rw-eaptlsios'
loaded connection 'rw-pubkey'
loaded connection 'rw-pubkeyios'
successfully loaded 6 connections, 0 unloaded

swanctl --log

curl SSL backend 'mbedTLS/2.28.2' not supported, https:// disabled
13[NET] received packet: from 192.168.10.75[500] to 192.168.10.224[500] (604 bytes)
13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
13[IKE] 192.168.10.75 is initiating an IKE_SA
13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
13[NET] sending packet: from 192.168.10.224[500] to 192.168.10.75[500] (456 bytes)
06[NET] received packet: from 192.168.10.75[4500] to 192.168.10.224[4500] (512 bytes)
06[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
06[CFG] looking for peer configs matching 192.168.10.224[www.prueba.net]...192.168.10.75[SolaresVPN]
06[CFG] no matching peer config found
06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
06[IKE] peer supports MOBIKE
06[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
06[NET] sending packet: from 192.168.10.224[4500] to 192.168.10.75[4500] (80 bytes)
15[NET] received packet: from 192.168.10.75[500] to 192.168.10.224[500] (604 bytes)
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
15[IKE] 192.168.10.75 is initiating an IKE_S
15[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
15[NET] sending packet: from 192.168.10.224[500] to 192.168.10.75[500] (456 bytes)
13[NET] received packet: from 192.168.10.75[4500] to 192.168.10.224[4500] (512 bytes)
13[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
13[CFG] looking for peer configs matching 192.168.10.224[www.prueba.net]...192.168.10.75[SolaresVPN]
13[CFG] no matching peer config found
13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
13[IKE] peer supports MOBIKE
13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
13[NET] sending packet: from 192.168.10.224[4500] to 192.168.10.75[4500] (80 bytes)

With the include of the nftables section:

/dev/stdin:105:3-6: Error: syntax error, unexpected meta, expecting newline or semicolon
		meta nfproto ipv4 udp dport 68 counter accept comment "!fw4: Allow-DHCP-Renew"
		^^^^
/dev/stdin:125:3-6: Error: syntax error, unexpected meta, expecting newline or semicolon
		meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Forward"
		^^^^
The rendered ruleset contains errors, not doing firewall restart.

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule 'ipsec_esp'
	option src 'wan'
	option name 'IPSec ESP'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'ipsec_ike'
	option src 'wan'
	option name 'IPSec IKE'
	option proto 'udp'
	option dest_port '500'
	option target 'ACCEPT'

config rule 'ipsec_nat_traversal'
	option src 'wan'
	option name 'IPSec NAT-T'
	option proto 'udp'
	option dest_port '4500'
	option target 'ACCEPT'

config rule 'ipsec_auth_header'
	option src 'wan'
	option name 'Auth Header'
	option proto 'ah'
	option target 'ACCEPT'

config rule
	option name 'AllowIPsec2WAN'
	list proto 'all'
	option src 'wan'
	option dest 'wan'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# must match the interface section name in /etc/config/network ('VPN', not 'van')
	list network 'VPN'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'vpn'
	option dest 'wan'


config include
	option type 'nftables'
	option path '/etc/fwuser.nft'
	option position 'chain-pre'
	option chain 'input_wan'

config include
	option type 'nftables'
	option path '/etc/fwuser.nft'
	option position 'chain-pre'
	option chain 'forward_wan'

/etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdef:e738:16ae::/48'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'eth0'
	list dns '1.1.1.3'
	list dns '1.0.0.3'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device
	option type 'veth'
	option name 'veth0'
	option txqueuelen '1000'
	option ipv6 '0'
	option mtu '1500'

config interface 'VPN'
	option proto 'static'
	option device 'veth0'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.3'
	list dns '1.0.0.3'

/etc/nftables.d/20-ipsec.nft

chain ipsec_chain {
     type nat hook postrouting priority -1;
     ip daddr 192.168.3.0/24 counter accept
}

chain forward {
     type filter hook forward priority 0;
     ip saddr 192.168.3.0/24 counter drop
}

/etc/strongswan.d/charon/attr.conf

# Section to specify arbitrary attributes that are assigned to a peer via
# configuration payload (CP).
attr {

    # <attr> is an attribute name or an integer, values can be an IP address,
    # subnet or arbitrary value.
    # <attr> =

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

}

/etc/swanctl/common.conf

      local_addrs  = 0.0.0.0/0,::/0
      remote_addrs = 0.0.0.0/0,::/0
      local {
         auth = pubkey
         certs = serverCert_vpn.prueba.net.pem
         id = vpn.prueba.net
      }
      children {
         ikev2clients {
            local_ts  = 0.0.0.0/0,::/0
            esp_proposals = default
         }
      }
      pools = strongswanippool 
      unique = never
      version = 2
      proposals = default

/etc/swanctl/swanctl.conf

connections {
   rw-eapmschapv2 {
      include ./common.conf
      remote-eapmschapv2 {
         auth = eap-mschapv2
         eap_id = %any
      }
      send_certreq = no
      send_cert = always
   }
   rw-eapmschapv2ios {
      include ./common.conf
      remote-eapmschapv2ios {
         auth = eap-mschapv2
         eap_id = %any
      }
      send_certreq = no
      send_cert = always
   }
   rw-eaptls {
      include ./common.conf
      remote-eaptls {
         auth = eap-tls
         certs = clientCert_SolaresVPN.pem
      }
      send_certreq = no
   }
   rw-eaptlsios {
      include ./common.conf
      remote-eaptlsios {
         auth = eap-tls
         certs = clientCert_SolaresVPN.pem
         id = SolaresVPN
      }
      send_certreq = no
      send_cert = always
   }
   rw-pubkey {
      include ./common.conf
      remote-pubkey {
         auth = pubkey
         certs = clientCert_SolaresVPN.pem
      }
      send_certreq = no
   }
   rw-pubkeyios {
      include ./common.conf
      remote-pubkeyios {
         auth = pubkey
         certs = clientCert_SolaresVPN.pem
         id = SolaresVPN
      }
      send_certreq = no
      send_cert = always
   }
}

secrets {
   rsa- {
      filename="serverKey_vpn.prueba.net.pem"
   }
   eap-remoteuser {
      id = remoteusername 
      secret = secretpassword
   }
}

pools {
    strongswanippool {
        addrs = 192.168.3.5-192.168.3.10
        dns = 192.168.1.1
        subnet = 0.0.0.0/0
    }
}

# Include config snippets
include conf.d/*.conf

# No migration
# include /var/swanctl/swanctl.conf

logread -f

Sun Feb  5 04:08:24 2023 daemon.info : 16[NET] received packet: from 192.168.10.75[500] to 192.168.10.224[500] (604 bytes)
Sun Feb  5 04:08:24 2023 daemon.info : 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sun Feb  5 04:08:24 2023 daemon.info : 16[IKE] 192.168.10.75 is initiating an IKE_SA
Sun Feb  5 04:08:24 2023 authpriv.info : 16[IKE] 192.168.10.75 is initiating an IKE_SA
Sun Feb  5 04:08:24 2023 daemon.info : 16[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sun Feb  5 04:08:24 2023 daemon.info : 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Sun Feb  5 04:08:24 2023 daemon.info : 16[NET] sending packet: from 192.168.10.224[500] to 192.168.10.75[500] (456 bytes)
Sun Feb  5 04:08:24 2023 daemon.info : 12[NET] received packet: from 192.168.10.75[4500] to 192.168.10.224[4500] (512 bytes)
Sun Feb  5 04:08:24 2023 daemon.info : 12[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
Sun Feb  5 04:08:24 2023 daemon.info : 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Sun Feb  5 04:08:24 2023 daemon.info : 12[CFG] looking for peer configs matching 192.168.10.224[www.prueba.net]...192.168.10.75[SolaresVPN]
Sun Feb  5 04:08:24 2023 daemon.info : 12[CFG] no matching peer config found
Sun Feb  5 04:08:24 2023 daemon.info : 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sun Feb  5 04:08:24 2023 daemon.info : 12[IKE] peer supports MOBIKE
Sun Feb  5 04:08:24 2023 daemon.info : 12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sun Feb  5 04:08:24 2023 daemon.info : 12[NET] sending packet: from 192.168.10.224[4500] to 192.168.10.75[4500] (80 bytes)
Sun Feb  5 04:08:24 2023 daemon.info : 06[NET] received packet: from 192.168.10.75[500] to 192.168.10.224[500] (604 bytes)
Sun Feb  5 04:08:24 2023 daemon.info : 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sun Feb  5 04:08:24 2023 daemon.info : 06[IKE] 192.168.10.75 is initiating an IKE_SA
Sun Feb  5 04:08:24 2023 authpriv.info : 06[IKE] 192.168.10.75 is initiating an IKE_SA
Sun Feb  5 04:08:24 2023 daemon.info : 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sun Feb  5 04:08:24 2023 daemon.info : 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Sun Feb  5 04:08:24 2023 daemon.info : 06[NET] sending packet: from 192.168.10.224[500] to 192.168.10.75[500] (456 bytes)
Sun Feb  5 04:08:24 2023 daemon.info : 07[NET] received packet: from 192.168.10.75[4500] to 192.168.10.224[4500] (512 bytes)
Sun Feb  5 04:08:24 2023 daemon.info : 07[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
Sun Feb  5 04:08:24 2023 daemon.info : 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Sun Feb  5 04:08:24 2023 daemon.info : 07[CFG] looking for peer configs matching 192.168.10.224[www.prueba.net]...192.168.10.75[SolaresVPN]
Sun Feb  5 04:08:24 2023 daemon.info : 07[CFG] no matching peer config found
Sun Feb  5 04:08:24 2023 daemon.info : 07[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sun Feb  5 04:08:24 2023 daemon.info : 07[IKE] peer supports MOBIKE
Sun Feb  5 04:08:24 2023 daemon.info : 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sun Feb  5 04:08:24 2023 daemon.info : 07[NET] sending packet: from 192.168.10.224[4500] to 192.168.10.75[4500] (80 bytes)

nft add chain inet fw4 trace_chain { type filter hook prerouting priority -301\; }
nft add rule inet fw4 trace_chain udp dport 53 meta nftrace set 1
nft monitor trace

trace id 9234b3e6 inet fw4 trace_chain packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 44117 ip protocol udp ip length 72 udp sport 36846 udp dport 53 udp length 52 @th,64,96 0xdd201200001000000000000 
trace id 9234b3e6 inet fw4 trace_chain rule udp dport 53 meta nftrace set 1 (verdict continue)
trace id 9234b3e6 inet fw4 trace_chain rule udp dport 53 meta nftrace set 1 (verdict continue)
trace id 9234b3e6 inet fw4 trace_chain rule udp dport 53 meta nftrace set 1 (verdict continue)
trace id 9234b3e6 inet fw4 trace_chain verdict continue 
trace id 9234b3e6 inet fw4 trace_chain policy accept 
trace id 9234b3e6 inet fw4 raw_prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 44117 ip protocol udp ip length 72 udp sport 36846 udp dport 53 udp length 52 @th,64,96 0xdd201200001000000000000 
trace id 9234b3e6 inet fw4 raw_prerouting verdict continue 
trace id 9234b3e6 inet fw4 raw_prerouting policy accept 
trace id 9234b3e6 inet fw4 mangle_prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 44117 ip protocol udp ip length 72 udp sport 36846 udp dport 53 udp length 52 @th,64,96 0xdd201200001000000000000 
trace id 9234b3e6 inet fw4 mangle_prerouting verdict continue 
trace id 9234b3e6 inet fw4 mangle_prerouting policy accept 
trace id 9234b3e6 inet fw4 prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 44117 ip protocol udp ip length 72 udp sport 36846 udp dport 53 udp length 52 @th,64,96 0xdd201200001000000000000 
trace id 9234b3e6 inet fw4 prerouting verdict continue 
trace id 9234b3e6 inet fw4 prerouting policy accept 
trace id 9234b3e6 inet fw4 mangle_input packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 44117 ip protocol udp ip length 72 udp sport 36846 udp dport 53 udp length 52 @th,64,96 0xdd201200001000000000000 
trace id 9234b3e6 inet fw4 mangle_input verdict continue 
trace id 9234b3e6 inet fw4 mangle_input policy accept 
trace id 9234b3e6 inet fw4 input packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 44117 ip protocol udp ip length 72 udp sport 36846 udp dport 53 udp length 52 @th,64,96 0xdd201200001000000000000 
trace id 9234b3e6 inet fw4 input rule iifname "lo" accept comment "!fw4: Accept traffic from loopback" (verdict accept)
trace id 39882bfb inet fw4 trace_chain packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 44118 ip protocol udp ip length 73 udp sport 36846 udp dport 53 udp length 53 @th,64,96 0xe73b01200001000000000000 
trace id 39882bfb inet fw4 trace_chain rule udp dport 53 meta nftrace set 1 (verdict continue)
trace id 39882bfb inet fw4 trace_chain rule udp dport 53 meta nftrace set 1 (verdict continue)
trace id 39882bfb inet fw4 trace_chain rule udp dport 53 meta nftrace set 1 (verdict continue)
trace id 39882bfb inet fw4 trace_chain verdict continue 
trace id 39882bfb inet fw4 trace_chain policy accept 
trace id 39882bfb inet fw4 raw_prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 44118 ip protocol udp ip length 73 udp sport 36846 udp dport 53 udp length 53 @th,64,96 0xe73b01200001000000000000 
trace id 39882bfb inet fw4 raw_prerouting verdict continue 
trace id 39882bfb inet fw4 raw_prerouting policy accept 
trace id 39882bfb inet fw4 mangle_prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 44118 ip protocol udp ip length 73 udp sport 36846 udp dport 53 udp length 53 @th,64,96 0xe73b01200001000000000000 
trace id 39882bfb inet fw4 mangle_prerouting verdict continue 
trace id 39882bfb inet fw4 mangle_prerouting policy accept 
trace id 39882bfb inet fw4 prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 44118 ip protocol udp ip length 73 udp sport 36846 udp dport 53 udp length 53 @th,64,96 0xe73b01200001000000000000 
trace id 39882bfb inet fw4 prerouting verdict continue 
trace id 39882bfb inet fw4 prerouting policy accept 
trace id 39882bfb inet fw4 mangle_input packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 44118 ip protocol udp ip length 73 udp sport 36846 udp dport 53 udp length 53 @th,64,96 0xe73b01200001000000000000 
trace id 39882bfb inet fw4 mangle_input verdict continue 
trace id 39882bfb inet fw4 mangle_input policy accept 
trace id 39882bfb inet fw4 input packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 44118 ip protocol udp ip length 73 udp sport 36846 udp dport 53 udp length 53 @th,64,96 0xe73b01200001000000000000 
trace id 39882bfb inet fw4 input rule iifname "lo" accept comment "!fw4: Accept traffic from loopback" (verdict accept)
trace id 39882bfb inet fw4 trace_chain packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 44119 ip protocol udp ip length 70 udp sport 36846 udp dport 53 udp length 50 @th,64,96 0xd42a01200001000000000000 
trace id 39882bfb inet fw4 trace_chain rule udp dport 53 meta nftrace set 1 (verdict continue)
trace id 39882bfb inet fw4 trace_chain rule udp dport 53 meta nftrace set 1 (verdict continue)
trace id 39882bfb inet fw4 trace_chain rule udp dport 53 meta nftrace set 1 (verdict continue)

I have reviewed everything comparing it with the previous one. Now I can't connect.

I have the following error in the interface:

I don't know what I'm doing wrong.

I have:

Lan - eth0 : 192.168.1.0/24
VPN - veth0 (virtual interface): 192.168.3.0/24
StrongSwanPool: 192.168.3.5-192.168.3.10
WAN (eth1): dhcp

Everything is very simple.

I can send you all configuration.

Thanks

Hi Diego,

I am not sure that a virtual ethernet (VETH) is the right call. Full disclosure, I say this because I don't have experience with VETH. Maybe check out this article from RedHat for more info on what VETH is good for.

Anyway, can you use LuCI and create two devices? First, create an 802.1q VLAN device that points to your eth0 device. You can pick any VLAN number greater than 1 and smaller than 4096 (e.g., 20). Next, create a device of type bridge and tie that to your VLAN. Then you can create your VPN interface against that bridge. Use LuCI to do it to avoid config mistakes. Below is an example of what the 3 sections could look like for you:

/etc/config/network
config device
	option type   '8021q'
	option ifname 'eth0'
	option vid    '20'
	option name   'eth0.20'

config device
	option type 'bridge'
	option name 'br-vpn'
	list ports    'eth0.20'

config interface 'VPN'
	option proto    'static'
	option device   'br-vpn'
	option ipaddr   '192.168.3.1'
	option netmask  '255.255.255.0'
	list dns        '1.1.1.3'
	list dns        '1.0.0.3'

Now, I don't know if you noticed, but your firewall config has a typo. Your config defines the zone against a non-existing interface:

/etc/config/firewall (your version with typo in network name)
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'van'

Correct the typo and add list masq_dest '!192.168.3.0/24' to your WAN zone:

/etc/config/firewall (only the two changed sections)
config zone
	option name 'vpn'
	list network 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list masq_dest	'!192.168.3.0/24'

Can you please make sure your /etc/fwuser.nft looks like this:

/etc/fwuser.nft
meta ipsec exists ip saddr 192.168.3.0/24 counter accept comment "custom: allow for vpn"

In your /etc/swanctl/swanctl.conf try changing the ip pool as follows:

/etc/swanctl/swanctl.conf
pools {
    strongswanippool {
        addrs = 192.168.3.5-192.168.3.10
        dns = 192.168.3.1
    }
}

In your /etc/strongswan.d/charon/attr.conf try defining your attr section as below. For attribute 25 you need to supply the same name as you have defined for option domain in the dnsmasq section of your /etc/config/dhcp configuration.

/etc/strongswan.d/charon/attr.conf
attr {
    3  = 192.168.3.1
    25 = lan
    load = yes
}

Last, but not least: you need to run your DNS query (to feed your nft trace) from a client that is connected via VPN. Your trace looks like you ran your DNS query from your OpenWrt router directly (maybe I am wrong - please let me know). You need to do the nft trace on your router, but issue the DNS query from a client.
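As an added example (not from this thread, and not OpenWrt's own tooling), here is a small POSIX shell check that cross-references every network a firewall zone lists in /etc/config/firewall against the interfaces defined in /etc/config/network, so a dangling reference like 'van' is reported instead of silently leaving the zone empty. The two config files it writes to a temp directory are constructed samples, not the poster's real files.

```shell
#!/bin/sh
# Added example: verify that every `list network` / `option network` value in
# a firewall zone names an interface that exists in /etc/config/network. A
# zone whose reference does not resolve matches no traffic at all, so its
# input/forward/masq settings never take effect.

# check_zone_networks NETWORK_FILE FIREWALL_FILE
# Prints "zone <z> references missing interface <n>" for each dangling
# reference. Returns 0 when all references resolve, 1 otherwise.
check_zone_networks() {
    awk -v q="'" '
        # Strip UCI quoting (single or double quotes) from a value.
        function unq(s) { gsub("[\"" q "]", "", s); return s }
        # Report dangling references of the zone stanza just finished.
        function flush(   i) {
            for (i = 0; i < n; i++)
                if (!(nets[i] in iface)) {
                    printf "zone %s references missing interface %s\n", zone, nets[i]
                    bad = 1
                }
            n = 0
        }
        # First file (/etc/config/network): collect interface names.
        FNR == NR {
            if ($1 == "config" && $2 == "interface") iface[unq($3)] = 1
            next
        }
        # Second file (/etc/config/firewall): walk the zone stanzas.
        $1 == "config" { flush(); in_zone = ($2 == "zone"); zone = ""; next }
        in_zone && $1 == "option" && $2 == "name"    { zone = unq($3) }
        in_zone && $1 == "list"   && $2 == "network" { nets[n++] = unq($3) }
        in_zone && $1 == "option" && $2 == "network" {
            # Legacy form: option network "lan guest" (space separated).
            for (k = 3; k <= NF; k++) nets[n++] = unq($k)
        }
        END { flush(); exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample configs (not the poster's real files). The firewall
# file carries the 'van' typo; everything else resolves.
write_sample_configs() {
    dir="$1"
    cat > "$dir/network" <<'EOF'
config interface 'lan'
	option proto 'static'
	option device 'eth0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config interface 'VPN'
	option proto 'static'
	option device 'br-vpn'
EOF
    cat > "$dir/firewall" <<'EOF'
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option masq '1'

config zone
	option name 'vpn'
	list network 'van'
	option input 'ACCEPT'
EOF
}

# Demonstration on the constructed files; on a router you would pass
# /etc/config/network and /etc/config/firewall instead.
tmp=$(mktemp -d)
write_sample_configs "$tmp"
if check_zone_networks "$tmp/network" "$tmp/firewall"; then
    echo "all zone network references resolve"
else
    echo "fix the references above, then run: /etc/init.d/firewall restart"
fi
rm -rf "$tmp"
```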

XFRM is the most recent way to link and route IPSec. It works great in a point to point / site to site use case though I'm not sure how it would look for a multiple client road warrior server.

Thanks andesu and everyone.

Now I can browse the internet!!!!!

This is my setup for years.

The main router is a quad core i5 with 8GB of RAM, 256GB of SSD and 6 network cards.

I only want the VPN to be able to connect from my phone or a laptop to perform basic management tasks on time.

I currently have a Raspberry Pi dedicated as an ipsec/l2tp server. It works fine, but I want to remove stuff and have all network services in one place.

But I can't access the LAN or any other zone. DNS seems to be the only thing that works.

I have followed all instructions and advice. I've tried playing with the VPN zone on the firewall, but I can't get it to work.

I have also tried it with the network settings.

  • bridge br-vpn
  • VLAN 30 - eth0.30 (eth0 is the LAN). My ISP uses VLAN 20 on the WAN.

I can ping any address: 8.8.8.8, www.google.com, 192.168.2.1 (LAN), 192.168.10.220 (WAN), 192.168.3.1 (br-vpn), but I can't ping a PC connected on the LAN (192.168.2.100).

I think I'm close, but I can't find the problem.

I am currently doing the tests with a computer connected to my lan to make the connection. It's a mini lab. The WAN of the lab is in the LAN of my actual network.

If we get it working, I promise to make a detailed step by step tutorial.

Thanks a lot.

Setup

opkg update
opkg install strongswan-full kmod-crypto-gcm openssl-util iptables-nft

/etc/init.d/ipsec stop
/etc/init.d/ipsec disable

mv /etc/ipsec.conf /etc/ipsec.conf.old
mv /etc/ipsec.secrets /etc/ipsec.secrets.old
mv /etc/ipsec.user /etc/ipsec.user.old

mv /etc/ipsec.d /etc/ipsec.d.old

/etc/init.d/swanctl enable
/etc/init.d/swanctl start

/etc/nftables.d/20-ipsec.nft
chain ipsec_chain {
     type nat hook postrouting priority -1;
     ip daddr 192.168.3.0/28 counter accept
}

chain forward {
     type filter hook forward priority 0;
     ip saddr 192.168.3.0/28 counter drop
}

By the way, it is very important to leave at least one blank line at the end of the file "/etc/nftables.d/20-ipsec.nft". If it is not left, it gives the meta error...

/dev/stdin:105:3-6: Error: syntax error, unexpected meta, expecting newline or semicolon
		meta nfproto ipv4 udp dport 68 counter accept comment "!fw4: Allow-DHCP-Renew"
		^^^^
/dev/stdin:125:3-6: Error: syntax error, unexpected meta, expecting newline or semicolon
		meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Forward"
		^^^^
The rendered ruleset contains errors, not doing firewall restart.
/etc/swanctl/common.conf
      local_addrs  = 0.0.0.0/0,::/0
      remote_addrs = 0.0.0.0/0,::/0
      local {
         auth = pubkey
         certs = serverCert_vpn.molvizar.net.pem
         id = vpn.molvizar.net
      }
      children {
         ikev2clients {
            local_ts  = 192.168.3.0/28, 192.168.2.0/24
            esp_proposals = default
         }
      }
      pools = strongswanippool
      unique = never
      version = 2
      proposals = default

/etc/strongswan.d/attr.conf
# Section to specify arbitrary attributes that are assigned to a peer via
# configuration payload (CP).
attr {

    # <attr> is an attribute name or an integer, values can be an IP address,
    # subnet or arbitrary value.
    # <attr> =

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    3  = 192.168.3.1
    25 = lan
    load = yes

}
/etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
	load_modular = yes
	plugins {
		include strongswan.d/charon/*.conf
	}
	start-scripts {
		load-all = /usr/sbin/swanctl --load-all
	}
}

include strongswan.d/*.conf

# include /var/ipsec/strongswan.conf
/etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list masq_dest '!192.168.3.0/28'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule 'ipsec_esp'
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

config rule 'ipsec_ike'
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'ipsec_nat_traversal'
	option src 'wan'
	option name 'Allow-IPSec-NAT-T'
	option proto 'udp'
	option dest_port '4500'
	option target 'ACCEPT'

config rule 'ipsec_auth_header'
	option src 'wan'
	option name 'Allow-Auth-Header'
	option proto 'ah'
	option target 'ACCEPT'

config zone
	option name 'apt231'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'apt231'

config zone
	option name 'apt232'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'apt232'

config zone
	option name 'garaje'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'garaje'

config forwarding
	option src 'lan'
	option dest 'apt231'

config forwarding
	option src 'lan'
	option dest 'apt232'

config forwarding
	option src 'lan'
	option dest 'garaje'

config forwarding
	option src 'apt231'
	option dest 'wan'

config forwarding
	option src 'apt232'
	option dest 'wan'

config forwarding
	option src 'garaje'
	option dest 'wan'


config rule
	option name 'AllowIPsec2WAN'
	list proto 'all'
	option src 'wan'
	option dest 'wan'
	option target 'ACCEPT'

config include
	option type 'nftables'
	option path '/etc/fwuser.nft'
	option position 'chain-pre'
	option chain 'input_wan'

config include
	option type 'nftables'
	option path '/etc/fwuser.nft'
	option position 'chain-pre'
	option chain 'forward_wan'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'vpn'
	option forward 'ACCEPT'
	option masq '1'

/etc/fwuser.nft
meta ipsec exists ip saddr 192.168.3.0/28 counter accept comment "custom: allow for vpn"

/etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fded:05b9:85cc::/48'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'eth0'
	option ipaddr '192.168.2.1'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device
	option name 'eth0'

config device
	option name 'eth1'
	option ipv6 '0'

config interface 'apt231'
	option proto 'static'
	option device 'eth2'
	option ipaddr '192.168.231.1'
	option netmask '255.255.255.240'
	list dns '1.1.1.3'
	list dns '1.0.0.3'

config interface 'apt232'
	option proto 'static'
	option ipaddr '192.168.232.1'
	option netmask '255.255.255.240'
	list dns '1.1.1.3'
	list dns '1.0.0.3'
	option device 'eth4'

config interface 'garaje'
	option proto 'static'
	option ipaddr '192.168.200.1'
	option netmask '255.255.255.240'
	list dns '1.1.1.3'
	list dns '1.0.0.3'
	option device 'eth3'

config device
	option name 'eth5'
	option ipv6 '0'

config device
	option name 'eth2'
	option ipv6 '0'

config device
	option name 'eth3'
	option ipv6 '0'

config device
	option name 'eth4'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '30'
	option name 'eth0.30'
	option ipv6 '0'

config interface 'vpn'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.240'
	list dns '1.1.1.3'
	list dns '1.0.0.3'
	option device 'eth0.30'

nft monitor trace
trace id c527376c inet fw4 trace_chain packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54991 ip protocol udp ip length 73 udp sport 38161 udp dport 53 udp length 53 @th,64,96 0x36eb01200001000000000000

trace id c527376c inet fw4 trace_chain rule udp dport 53 meta nftrace set 1 (verdict continue)

trace id c527376c inet fw4 trace_chain verdict continue

trace id c527376c inet fw4 trace_chain policy accept

trace id c527376c inet fw4 raw_prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54991 ip protocol udp ip length 73 udp sport 38161 udp dport 53 udp length 53 @th,64,96 0x36eb01200001000000000000

trace id c527376c inet fw4 raw_prerouting verdict continue

trace id c527376c inet fw4 raw_prerouting policy accept

trace id c527376c inet fw4 mangle_prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54991 ip protocol udp ip length 73 udp sport 38161 udp dport 53 udp length 53 @th,64,96 0x36eb01200001000000000000

trace id c527376c inet fw4 mangle_prerouting verdict continue

trace id c527376c inet fw4 mangle_prerouting policy accept

trace id c527376c inet fw4 prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54991 ip protocol udp ip length 73 udp sport 38161 udp dport 53 udp length 53 @th,64,96 0x36eb01200001000000000000

trace id c527376c inet fw4 prerouting verdict continue

trace id c527376c inet fw4 prerouting policy accept

trace id c527376c inet fw4 mangle_input packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54991 ip protocol udp ip length 73 udp sport 38161 udp dport 53 udp length 53 @th,64,96 0x36eb01200001000000000000

trace id c527376c inet fw4 mangle_input verdict continue

trace id c527376c inet fw4 mangle_input policy accept

trace id c527376c inet fw4 input packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54991 ip protocol udp ip length 73 udp sport 38161 udp dport 53 udp length 53 @th,64,96 0x36eb01200001000000000000

trace id c527376c inet fw4 input rule iifname "lo" accept comment "!fw4: Accept traffic from loopback" (verdict accept)

trace id c02cef77 inet fw4 trace_chain packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54992 ip protocol udp ip length 71 udp sport 38161 udp dport 53 udp length 51 @th,64,96 0xa1bb01200001000000000000

trace id c02cef77 inet fw4 trace_chain rule udp dport 53 meta nftrace set 1 (verdict continue)

trace id c02cef77 inet fw4 trace_chain verdict continue

trace id c02cef77 inet fw4 trace_chain policy accept

trace id c02cef77 inet fw4 raw_prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54992 ip protocol udp ip length 71 udp sport 38161 udp dport 53 udp length 51 @th,64,96 0xa1bb01200001000000000000

trace id c02cef77 inet fw4 raw_prerouting verdict continue

trace id c02cef77 inet fw4 raw_prerouting policy accept

trace id c02cef77 inet fw4 mangle_prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54992 ip protocol udp ip length 71 udp sport 38161 udp dport 53 udp length 51 @th,64,96 0xa1bb01200001000000000000

trace id c02cef77 inet fw4 mangle_prerouting verdict continue

trace id c02cef77 inet fw4 mangle_prerouting policy accept

trace id c02cef77 inet fw4 prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54992 ip protocol udp ip length 71 udp sport 38161 udp dport 53 udp length 51 @th,64,96 0xa1bb01200001000000000000

trace id c02cef77 inet fw4 prerouting verdict continue

trace id c02cef77 inet fw4 prerouting policy accept

trace id c02cef77 inet fw4 mangle_input packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54992 ip protocol udp ip length 71 udp sport 38161 udp dport 53 udp length 51 @th,64,96 0xa1bb01200001000000000000

trace id c02cef77 inet fw4 mangle_input verdict continue

trace id c02cef77 inet fw4 mangle_input policy accept

trace id c02cef77 inet fw4 input packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54992 ip protocol udp ip length 71 udp sport 38161 udp dport 53 udp length 51 @th,64,96 0xa1bb01200001000000000000

trace id c02cef77 inet fw4 input rule iifname "lo" accept comment "!fw4: Accept traffic from loopback" (verdict accept)

trace id c7a2e3aa inet fw4 trace_chain packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54993 ip protocol udp ip length 72 udp sport 38161 udp dport 53 udp length 52 @th,64,96 0x6ef01200001000000000000

trace id c7a2e3aa inet fw4 trace_chain rule udp dport 53 meta nftrace set 1 (verdict continue)

trace id c7a2e3aa inet fw4 trace_chain verdict continue

trace id c7a2e3aa inet fw4 trace_chain policy accept

trace id c7a2e3aa inet fw4 raw_prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54993 ip protocol udp ip length 72 udp sport 38161 udp dport 53 udp length 52 @th,64,96 0x6ef01200001000000000000

trace id c7a2e3aa inet fw4 raw_prerouting verdict continue

trace id c7a2e3aa inet fw4 raw_prerouting policy accept

trace id c7a2e3aa inet fw4 mangle_prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54993 ip protocol udp ip length 72 udp sport 38161 udp dport 53 udp length 52 @th,64,96 0x6ef01200001000000000000

trace id c7a2e3aa inet fw4 mangle_prerouting verdict continue

trace id c7a2e3aa inet fw4 mangle_prerouting policy accept

trace id c7a2e3aa inet fw4 prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54993 ip protocol udp ip length 72 udp sport 38161 udp dport 53 udp length 52 @th,64,96 0x6ef01200001000000000000

trace id c7a2e3aa inet fw4 prerouting verdict continue

trace id c7a2e3aa inet fw4 prerouting policy accept

trace id c7a2e3aa inet fw4 mangle_input packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54993 ip protocol udp ip length 72 udp sport 38161 udp dport 53 udp length 52 @th,64,96 0x6ef01200001000000000000

trace id c7a2e3aa inet fw4 mangle_input verdict continue

trace id c7a2e3aa inet fw4 mangle_input policy accept

trace id c7a2e3aa inet fw4 input packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54993 ip protocol udp ip length 72 udp sport 38161 udp dport 53 udp length 52 @th,64,96 0x6ef01200001000000000000

trace id c7a2e3aa inet fw4 input rule iifname "lo" accept comment "!fw4: Accept traffic from loopback" (verdict accept)

trace id 867d5365 inet fw4 trace_chain packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54994 ip protocol udp ip length 73 udp sport 38161 udp dport 53 udp length 53 @th,64,96 0x618b01200001000000000000

trace id 867d5365 inet fw4 trace_chain rule udp dport 53 meta nftrace set 1 (verdict continue)

trace id 867d5365 inet fw4 trace_chain verdict continue

trace id 867d5365 inet fw4 trace_chain policy accept

trace id 867d5365 inet fw4 raw_prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54994 ip protocol udp ip length 73 udp sport 38161 udp dport 53 udp length 53 @th,64,96 0x618b01200001000000000000

trace id 867d5365 inet fw4 raw_prerouting verdict continue

trace id 867d5365 inet fw4 raw_prerouting policy accept

trace id 867d5365 inet fw4 mangle_prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54994 ip protocol udp ip length 73 udp sport 38161 udp dport 53 udp length 53 @th,64,96 0x618b01200001000000000000

trace id 867d5365 inet fw4 mangle_prerouting verdict continue

trace id 867d5365 inet fw4 mangle_prerouting policy accept

trace id 867d5365 inet fw4 prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54994 ip protocol udp ip length 73 udp sport 38161 udp dport 53 udp length 53 @th,64,96 0x618b01200001000000000000

trace id 867d5365 inet fw4 prerouting verdict continue

trace id 867d5365 inet fw4 prerouting policy accept

trace id 867d5365 inet fw4 mangle_input packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54994 ip protocol udp ip length 73 udp sport 38161 udp dport 53 udp length 53 @th,64,96 0x618b01200001000000000000

trace id 867d5365 inet fw4 mangle_input verdict continue

trace id 867d5365 inet fw4 mangle_input policy accept

trace id 867d5365 inet fw4 input packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54994 ip protocol udp ip length 73 udp sport 38161 udp dport 53 udp length 53 @th,64,96 0x618b01200001000000000000

trace id 867d5365 inet fw4 input rule iifname "lo" accept comment "!fw4: Accept traffic from loopback" (verdict accept)

trace id d4238eac inet fw4 trace_chain packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54995 ip protocol udp ip length 71 udp sport 38161 udp dport 53 udp length 51 @th,64,96 0xba2501200001000000000000

trace id d4238eac inet fw4 trace_chain rule udp dport 53 meta nftrace set 1 (verdict continue)

trace id d4238eac inet fw4 trace_chain verdict continue

trace id d4238eac inet fw4 trace_chain policy accept

trace id d4238eac inet fw4 raw_prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54995 ip protocol udp ip length 71 udp sport 38161 udp dport 53 udp length 51 @th,64,96 0xba2501200001000000000000

trace id d4238eac inet fw4 raw_prerouting verdict continue

trace id d4238eac inet fw4 raw_prerouting policy accept

trace id d4238eac inet fw4 mangle_prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54995 ip protocol udp ip length 71 udp sport 38161 udp dport 53 udp length 51 @th,64,96 0xba2501200001000000000000

trace id d4238eac inet fw4 mangle_prerouting verdict continue

trace id d4238eac inet fw4 mangle_prerouting policy accept

trace id d4238eac inet fw4 prerouting packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54995 ip protocol udp ip length 71 udp sport 38161 udp dport 53 udp length 51 @th,64,96 0xba2501200001000000000000

trace id d4238eac inet fw4 prerouting verdict continue

trace id d4238eac inet fw4 prerouting policy accept

trace id d4238eac inet fw4 mangle_input packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54995 ip protocol udp ip length 71 udp sport 38161 udp dport 53 udp length 51 @th,64,96 0xba2501200001000000000000

trace id d4238eac inet fw4 mangle_input verdict continue

trace id d4238eac inet fw4 mangle_input policy accept

trace id d4238eac inet fw4 input packet: iif "lo" @ll,0,112 0x800 ip saddr 127.0.0.1 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 54995 ip protocol udp ip length 71 udp sport 38161 udp dport 53 udp length 51 @th,64,96 0xba2501200001000000000000

trace id d4238eac inet fw4 input rule iifname "lo" accept comment "!fw4: Accept traffic from loopback" (verdict accept)

swanctl --log
08[NET] received packet: from 192.168.10.75[500] to 192.168.10.220[500] (604 bytes)
08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
08[IKE] 192.168.10.75 is initiating an IKE_SA
08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
08[NET] sending packet: from 192.168.10.220[500] to 192.168.10.75[500] (456 bytes)
06[NET] received packet: from 192.168.10.75[4500] to 192.168.10.220[4500] (512 bytes)
06[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
06[CFG] looking for peer configs matching 192.168.10.220[vpn.molvizar.net]...192.168.10.75[SolaresVPN]
06[CFG] selected peer config 'rw-eaptlsios'
06[IKE] initiating EAP_TLS method (id 0x0B)
06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
06[IKE] peer supports MOBIKE
06[IKE] authentication of 'vpn.molvizar.net' (myself) with RSA signature successful
06[IKE] sending end entity cert "C=ES, O=Molvizar, CN=vpn.molvizar.net"
06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/TLS ]
06[NET] sending packet: from 192.168.10.220[4500] to 192.168.10.75[4500] (1232 bytes)
12[NET] received packet: from 192.168.10.75[4500] to 192.168.10.220[4500] (240 bytes)
12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TLS ]
12[TLS] using key of type RSA
12[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
12[TLS] sending TLS server certificate 'C=ES, O=Molvizar, CN=vpn.molvizar.net'
12[TLS] sending TLS cert request for 'C=ES, O=Molvizar, CN=Molvizar'
12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TLS ]
12[NET] sending packet: from 192.168.10.220[4500] to 192.168.10.75[4500] (1104 bytes)
10[NET] received packet: from 192.168.10.75[4500] to 192.168.10.220[4500] (80 bytes)
10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TLS ]
10[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TLS ]
10[NET] sending packet: from 192.168.10.220[4500] to 192.168.10.75[4500] (448 bytes)
16[NET] received packet: from 192.168.10.75[4500] to 192.168.10.220[4500] (532 bytes)
16[ENC] parsed IKE_AUTH request 4 [ EF(1/3) ]
16[ENC] received fragment #1 of 3, waiting for complete IKE message
05[NET] received packet: from 192.168.10.75[4500] to 192.168.10.220[4500] (532 bytes)
05[ENC] parsed IKE_AUTH request 4 [ EF(2/3) ]
05[ENC] received fragment #2 of 3, waiting for complete IKE message
12[NET] received packet: from 192.168.10.75[4500] to 192.168.10.220[4500] (180 bytes)
12[ENC] parsed IKE_AUTH request 4 [ EF(3/3) ]
12[ENC] received fragment #3 of 3, reassembled fragmented IKE message (1104 bytes)
12[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TLS ]
12[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TLS ]
12[NET] sending packet: from 192.168.10.220[4500] to 192.168.10.75[4500] (80 bytes)
15[NET] received packet: from 192.168.10.75[4500] to 192.168.10.220[4500] (532 bytes)
15[ENC] parsed IKE_AUTH request 5 [ EF(1/3) ]
15[ENC] received fragment #1 of 3, waiting for complete IKE message
05[NET] received packet: from 192.168.10.75[4500] to 192.168.10.220[4500] (532 bytes)
05[ENC] parsed IKE_AUTH request 5 [ EF(2/3) ]
05[ENC] received fragment #2 of 3, waiting for complete IKE message
04[NET] received packet: from 192.168.10.75[4500] to 192.168.10.220[4500] (180 bytes)
04[ENC] parsed IKE_AUTH request 5 [ EF(3/3) ]
04[ENC] received fragment #3 of 3, reassembled fragmented IKE message (1104 bytes)
04[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TLS ]
04[TLS] received TLS peer certificate 'C=ES, O=Molvizar, CN=SolaresVPN'
04[TLS] received TLS intermediate certificate 'C=ES, O=Molvizar, CN=Molvizar'
04[CFG]   using trusted ca certificate "C=ES, O=Molvizar, CN=Molvizar"
04[CFG] checking certificate status of "C=ES, O=Molvizar, CN=SolaresVPN"
04[CFG] certificate status is not available
04[CFG]   reached self-signed root ca with a path length of 0
04[CFG]   using trusted certificate "C=ES, O=Molvizar, CN=SolaresVPN"
04[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TLS ]
04[NET] sending packet: from 192.168.10.220[4500] to 192.168.10.75[4500] (80 bytes)
16[NET] received packet: from 192.168.10.75[4500] to 192.168.10.220[4500] (128 bytes)
16[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TLS ]
16[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TLS ]
16[NET] sending packet: from 192.168.10.220[4500] to 192.168.10.75[4500] (144 bytes)
09[NET] received packet: from 192.168.10.75[4500] to 192.168.10.220[4500] (80 bytes)
09[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TLS ]
09[IKE] EAP method EAP_TLS succeeded, MSK established
09[ENC] generating IKE_AUTH response 7 [ EAP/SUCC ]
09[NET] sending packet: from 192.168.10.220[4500] to 192.168.10.75[4500] (80 bytes)
05[NET] received packet: from 192.168.10.75[4500] to 192.168.10.220[4500] (112 bytes)
05[ENC] parsed IKE_AUTH request 8 [ AUTH ]
05[IKE] authentication of 'SolaresVPN' with EAP successful
05[IKE] authentication of 'vpn.molvizar.net' (myself) with EAP
05[IKE] IKE_SA rw-eaptlsios[29] established between 192.168.10.220[vpn.molvizar.net]...192.168.10.75[SolaresVPN]
05[IKE] scheduling rekeying in 13929s
05[IKE] maximum IKE_SA lifetime 15369s
05[IKE] peer requested virtual IP %any
05[CFG] reassigning offline lease to 'SolaresVPN'
05[IKE] assigning virtual IP 192.168.3.2 to peer 'SolaresVPN'
05[IKE] peer requested virtual IP %any6
05[IKE] no virtual IP found for %any6 requested by 'SolaresVPN'
05[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
05[IKE] CHILD_SA ikev2clients{8} established with SPIs ced3c30e_i 048ab218_o and TS 192.168.2.0/24 192.168.3.0/28 === 192.168.3.2/32
05[ENC] generating IKE_AUTH response 8 [ AUTH CPRP(ADDR DNS DOMAIN DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
05[NET] sending packet: from 192.168.10.220[4500] to 192.168.10.75[4500] (352 bytes)

I haven't looked at all the configurations but l can point out a few common pitfalls with the overall structure of what you're trying to do.

When the terminus of the VPN is a lan device instead of the network's main router, there is a need for routing of "foreign" packets back into the lan device.
For example, suppose a road warrior phone having a tunnel IP of 192.168.3.2 successfully launches a ping to 192.168.2.100 through the VPN tunnel. This packet, if you're not NATing in the VPN terminus, retains its source IP of 192.168.3.2, will leave the LAN port of the Pi and (usually) be answered by the PC. (Note that Windows firewall by default ignores pings, and it can also be configured to drop "foreign" private LAN ranges).
If the PC does reply to 192.168.3.2, it will send the packet via its default route (probably 192.168.2.1), as it doesn't know about the Pi or the 192.168.3.0 network, and considers 192.168.3.2 part of the Internet. So the 192.168.2.1 router needs to be configured to direct any packets that come in for 192.168.3.0/24 not to the Internet, but to whatever the Pi's IP is on the 192.168.2.0 LAN.

First I see a problem because there will be conflicting routes to 192.168.2.0 inside the test machine: by the WAN connection and also by the VPN tunnel.
Also in a typical default setup of a home network, the house's public IP can't be reached from inside the LAN.
For those two reasons it's important to test VPNs under real conditions of a separate Internet connection for the road warrior.
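The return-path problem described above, as an added illustration that is not part of the post: a longest-prefix-match lookup over a constructed route table for the 192.168.2.1 home router shows the reply to the tunnel client 192.168.3.2 going out the default route, and then reaching the VPN terminus once a static route for 192.168.3.0/24 is added. The terminus' LAN address (PI_LAN_IP) is a placeholder, since the thread does not give it.

```python
"""Simulate the home router's routing decision for replies to a VPN client."""
import ipaddress
from typing import List, Optional, Tuple

# (destination prefix, next hop or interface label)
Route = Tuple[str, str]


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Return the next hop for dst by longest-prefix match, as a router does."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nexthop)
    return best[1] if best else None


# Constructed table for the 192.168.2.1 router before any VPN-aware route:
# it only knows its own LAN and a default route towards the Internet.
HOME_ROUTER_BEFORE: List[Route] = [
    ("0.0.0.0/0", "wan"),
    ("192.168.2.0/24", "lan"),
]

# Placeholder (not from the thread) for the VPN terminus' address on the LAN.
PI_LAN_IP = "192.168.2.250"

# Same table with the static route mk24 describes for the tunnel pool.
HOME_ROUTER_AFTER: List[Route] = HOME_ROUTER_BEFORE + [
    ("192.168.3.0/24", f"via {PI_LAN_IP}"),
]


def reply_path(routes: List[Route], client_ip: str = "192.168.3.2") -> Optional[str]:
    """Where the PC's reply to the tunnel client ends up once it hits the router."""
    return lookup(routes, client_ip)


def uci_static_route(target: str, gateway: str, iface: str = "lan") -> List[str]:
    """OpenWrt UCI commands that add the static route (assumes the router runs OpenWrt)."""
    return [
        "uci add network route",
        f"uci set network.@route[-1].interface='{iface}'",
        f"uci set network.@route[-1].target='{target}'",
        f"uci set network.@route[-1].gateway='{gateway}'",
        "uci commit network",
    ]


if __name__ == "__main__":
    print("before:", reply_path(HOME_ROUTER_BEFORE))  # reply leaks to the WAN
    print("after: ", reply_path(HOME_ROUTER_AFTER))   # reply reaches the terminus
    print("\n".join(uci_static_route("192.168.3.0/24", PI_LAN_IP)))
```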

Hi mk24

My lab doesn't have a Raspberry. I only have the router connected to the LAN and an iMac on the router's LAN.

I currently don't have the other zones in the lab. Only WAN (DHCP), LAN and VPN in the Lab side.

The addresses are completely different between my HOME LAN, the one in the lab and the VPN.

HOME LAN: 192.168.10.0/24
Router LAN: 192.168.2.0/24
VPN: 192.168.3.0/28
Router LAN IP: 192.168.2.1
iMac IP: 192.169.2.100
bridge VPN: 192.168.3.1

My phone is connected to the home LAN by WIFI and it accesses the VPN perfectly. It is assigned an IP from the pool (192.168.3.2).

All traffic is redirected through the VPN. I can ping any IP from the above.

I don't know if this clears up the setup.

192.168.10.222 is the IP of the Router Lab WAN in my HOME LAN.

I can also surf the internet without any problems now.

On the other hand, with the configuration sent previously, after restarting the PC, I see two new devices that I don't know where they came from...

Thank you all.

Hi diego
Have you solved this problem? I have recently encountered the same problem. VPN clients can ping the LAN, but cannot ping other internal network devices. I have adjusted the configuration to match the one you provided earlier, but it still does not work.

When I change my /etc/nftables.d/20-ipsec.nft file to this, it works.

chain ipsec_chain {
     type nat hook postrouting priority -1;
     ip daddr 192.168.3.1/24 counter accept
}

chain forward {
     type filter hook forward priority 0;
     ip saddr 192.168.3.1 counter accept  # I changed drop to accept
}

Hi cnzhuri

No. I couldn't get it, but I'd like to get it to work.

Could you send me your configuration to try again?

Thank you

hey @diego - in case you still need/it helps anyone who finds these threads through a search, i detailed the setup i just got working here.