The wan interface is set up with masquerading (source NAT) by default. This affects both plaintext traffic to the internet and VPN traffic towards the remote LAN. When IPsec decides whether to pass through or to tunnel a packet, it compares the packet's source IP, destination IP, and optionally other header fields with its own configured policy. Masquerading changes the source IP, which causes a mismatch in this comparison, and the packet is not sent through the VPN.
You have to make sure the masquerading is not applied to VPN traffic. There may be more than one solution; here is my setup.
- add to all non-VPN zones (wan and lan in your case):

    option extra_src '-m policy --dir in --pol none'
    option extra_dest '-m policy --dir out --pol none'

- create a vpn zone:

    config zone
        option name vpn
        option input ACCEPT
        option output ACCEPT
        option forward ACCEPT
        option subnet 10.2.1.0/24
        option extra_src '-m policy --dir in --pol ipsec --proto esp'
        option extra_dest '-m policy --dir out --pol ipsec --proto esp'
        option mtu_fix 1
Adjust input/output/forward policy, and add forwardings or custom rules as needed.
These pass-through rules have no effect here; they are used when a machine in your LAN wants to act as a VPN gateway and receive VPN connection requests.
However, you should allow VPN traffic for the OpenWrt gateway itself:
    config rule
        option name Allow-IKE-input
        option src wan
        option proto udp
        option dest_port '500 4500'
        option target ACCEPT

    config rule
        option name Allow-ESP-input
        option src wan
        option proto esp
        option target ACCEPT
These rules handle IKE and encrypted traffic, while the vpn zone above handles the traffic before encryption and after decryption. Both are necessary.
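As an added check (example code, not part of the post above or of OpenWrt), the script below parses a firewall config in /etc/config/firewall syntax and reports every zone that does not follow the scheme described here: the zone whose extra_src/extra_dest match --pol ipsec is treated as the VPN zone, and every other zone must carry the --pol none exclusions, otherwise masquerading can still rewrite the source of packets that IPsec was supposed to tunnel. The config text embedded in the script is a constructed sample in which the wan zone is missing the exclusions.

```python
import re

# Constructed /etc/config/firewall excerpt (sample input, not a real router's config):
SAMPLE_FIREWALL = """\
config zone
    option name wan
    option masq 1

config zone
    option name lan
    option extra_src '-m policy --dir in --pol none'
    option extra_dest '-m policy --dir out --pol none'

config zone
    option name vpn
    option subnet 10.2.1.0/24
    option extra_src '-m policy --dir in --pol ipsec --proto esp'
    option extra_dest '-m policy --dir out --pol ipsec --proto esp'
"""

OPTION_RE = re.compile(r"^\s*(?:option|list)\s+(\S+)\s+(.*)$")

def parse_zones(text):
    """Return one {option: value} dict per 'config zone' section; other sections are skipped."""
    zones, current = [], None
    for line in text.splitlines():
        words = line.split()
        if words and words[0] == "config":
            current = {} if words[1:2] == ["zone"] else None
            if current is not None:
                zones.append(current)
        elif current is not None:
            m = OPTION_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2).strip().strip("'\"")
    return zones

def check_zones(zones):
    """List zones where masquerading/NAT could still catch IPsec-bound packets."""
    findings = []
    for z in zones:
        name = z.get("name", "?")
        src, dest = z.get("extra_src", ""), z.get("extra_dest", "")
        if "--pol ipsec" in src and "--pol ipsec" in dest:
            continue  # the VPN zone: policy-matched traffic belongs here
        if "--dir in --pol none" not in src:
            findings.append(f"{name}: extra_src lacks '-m policy --dir in --pol none'")
        if "--dir out --pol none" not in dest:
            findings.append(f"{name}: extra_dest lacks '-m policy --dir out --pol none'")
    return findings
```

Run it as `python3 check.py < /etc/config/firewall` after replacing SAMPLE_FIREWALL with `sys.stdin.read()`; an empty result means every non-VPN zone excludes policy-matched traffic.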