Hi, I'm using the new 18.06.0 and trying to get an IPsec site-to-site tunnel set up with an EdgeRouter Lite, but I seem to be having trouble getting the child SAs established.
The log on the OpenWRT side says:
Tue Jul 31 15:56:38 2018 authpriv.info ipsec: 08[IKE] initiating IKE_SA other-other_lan[3] to w.x.y.z
Tue Jul 31 15:56:38 2018 daemon.info ipsec: 08[IKE] initiating IKE_SA other-other_lan[3] to w.x.y.z
Tue Jul 31 15:56:40 2018 authpriv.info ipsec: 16[IKE] establishing CHILD_SA other-other_lan{4} reqid 1
Tue Jul 31 15:56:40 2018 daemon.info ipsec: 16[IKE] establishing CHILD_SA other-other_lan{4} reqid 1
And the log on the ER-Lite side says:
Jul 31 15:56:38 16[IKE] <3> a.b.c.d is initiating an IKE_SA
Not many details on what went wrong on either end, unfortunately. But I think the ER-Lite is rejecting the phase 2 proposal.
/etc/config/ipsec on OpenWRT (BTW, I think https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/basic is out of date; some of the config option names don't seem to be used by /etc/init.d/ipsec, such as pfs_group and authentication_algorithm):
config 'ipsec'
list listen ''
option 'debug' '2'
config 'remote' 'other'
option 'enabled' '1'
option 'gateway' 'w.x.y.z'
option 'authentication_method' 'psk'
option 'pre_shared_key' 'my PSK'
option 'exchange_mode' 'aggressive'
option 'local_identifier' 'me'
list 'crypto_proposal' 'pre_g14_aes_sha1'
list 'tunnel' 'other_lan'
config 'crypto_proposal' 'pre_g14_aes_sha1'
option 'encryption_algorithm' 'aes128'
option 'hash_algorithm' 'sha1'
option 'dh_group' 'modp2048'
config 'tunnel' 'other_lan'
option 'local_subnet' '10.1.1.0/24'
option 'remote_subnet' '10.2.1.0/24'
option 'crypto_proposal' 'g14_aes_sha1'
config 'crypto_proposal' 'g14_aes_sha1'
option 'dh_group' 'modp2048'
option 'encryption_algorithm' 'aes128'
option 'hash_algorithm' 'sha1'
Which generated this /var/ipsec/ipsec.conf:
conn other-other_lan
left=%any
right=w.x.y.z
leftsubnet=10.1.1.0/24
ikelifetime=3h
lifetime=1h
margintime=9m
keyingtries=3
dpdaction=none
dpddelay=30s
leftauth=psk
rightauth=psk
rightsubnet=10.2.1.0/24
auto=route
leftid=me
keyexchange=ikev2
esp=aes128-sha1-modp2048
ike=aes128-sha1-modp2048
type=tunnel
/etc/ipsec.conf on the ER-Lite:
conn peer-a.b.c.d-tunnel-1
left=w.x.y.z
right=a.b.c.d
leftsubnet=10.2.1.0/24
rightsubnet=10.1.1.0/24
ike=aes128-sha1-modp2048!
keyexchange=ikev2
reauth=no
ikelifetime=28800s
esp=aes128-sha1-modp2048!
keylife=3600s
rekeymargin=540s
type=tunnel
compress=no
authby=secret
auto=route
keyingtries=%forever
The esp entry in both ipsec.conf files matches, so it seems like the phase 2 proposal should be OK.
Any ideas? Or things I can do to enable more debug logging? I tried setting option 'debug' '2' already, but that didn't seem to change anything. (Despite the doc page saying "Logs are written to /var/log/charon.log", there's no file with that name).
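A quick way to rule out the proposal and traffic-selector mismatches discussed above before digging into debug logs: the script below (an added example, not part of the original post or of strongSwan) parses the relevant lines of both conn blocks, treats a trailing `!` as strongSwan's strict marker, and reports whether the ike/esp proposals intersect and the subnets mirror. The two conn samples are trimmed copies of the configs pasted above with the placeholder addresses kept.

```python
# Constructed sample: the proposal and selector lines of the two conn blocks above.
OPENWRT_CONN = """conn other-other_lan
leftsubnet=10.1.1.0/24
rightsubnet=10.2.1.0/24
keyexchange=ikev2
esp=aes128-sha1-modp2048
ike=aes128-sha1-modp2048
"""
ERLITE_CONN = """conn peer-a.b.c.d-tunnel-1
leftsubnet=10.2.1.0/24
rightsubnet=10.1.1.0/24
ike=aes128-sha1-modp2048!
keyexchange=ikev2
esp=aes128-sha1-modp2048!
"""

def parse_conn(text):
    """Return {key: value} for one ipsec.conf conn block; the conn name is stored under 'conn'."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            conf["conn"] = line.split(None, 1)[1]
        elif "=" in line and not line.startswith("#"):
            k, v = line.split("=", 1)
            conf[k.strip()] = v.strip()
    return conf

def proposals(value):
    """Split an ike=/esp= value into (set of proposals, strict). A trailing '!' means
    strongSwan accepts only the listed proposals and nothing else the peer offers."""
    strict = value.endswith("!")
    return {p for p in value.rstrip("!").split(",") if p}, strict

def check_peers(local, remote):
    """Return mismatch descriptions; an empty list means both ends agree on paper."""
    problems = []
    for key in ("ike", "esp"):
        mine, _ = proposals(local.get(key, ""))
        theirs, _ = proposals(remote.get(key, ""))
        if not mine & theirs:
            problems.append(f"{key}: no common proposal {sorted(mine)} vs {sorted(theirs)}")
    # Traffic selectors must mirror: my leftsubnet is the peer's rightsubnet and vice versa.
    if (local.get("leftsubnet"), local.get("rightsubnet")) != (remote.get("rightsubnet"), remote.get("leftsubnet")):
        problems.append("subnets do not mirror")
    if local.get("keyexchange", "ike") != remote.get("keyexchange", "ike"):
        problems.append("keyexchange differs")
    return problems
```

An empty result only says the two conn blocks are consistent with each other; it does not check PSKs, identities (leftid/rightid), or what the other end actually sends on the wire.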