Just upgraded from Lede to OpenWRT, ipsec interfaces gone

deadlock · September 13, 2020, 1:28pm

Hi

Just upgraded from Lede to OpenWRT, ipsec interfaces gone
I am using strongswan to connect to ipsec. In Lede I had an interface for each ipsec connection but now I no longer do.

The interfaces I have in Luci says Error: Network device is not present
Also if I run ifconfig -a they are not showing up.

VPN seem to work from the local network though, but I now do not know how to configure the firewall for example to give access to the vpn for different LAN machines since I have no interface to refer to in Luci.

Any ideas? I bet something updated so that I need to change some config?

Kind regards
Jens

eduperez · September 13, 2020, 2:22pm

Did you install all the relevant packages? The upgrade process only upgrades base.packages, not those installed afterwards.

deadlock · September 13, 2020, 2:38pm

Yes all required packages installed @eduperez and ipsec works, but the interface does not seem to match the ipsec interface that was there before. Since it sais Error; Network device not present.

I also think that this prevents the firewall zones to work. I noticed I cannot reach local addresses from servers in the VPN.

trendy · September 13, 2020, 2:58pm

Did you keep the settings when you upgraded from the 17 version to 19?

deadlock · September 13, 2020, 3:02pm

Yes I did @trendy

trendy · September 13, 2020, 3:04pm

This is not advised, as between major releases there are changes in the configuration files.
I would suggest to take a backup of the configuration, reset router to defaults, and then start configuring the device from scratch manually using the backup as a guide.

deadlock · September 13, 2020, 3:43pm

I understand @trendy but I have a lot of settings and most of it seem to work fine.

I would love to be able to fix my VPN interfaces instead if possible

Borromini · September 13, 2020, 3:57pm

Except this one which you are opening a topic for. So do the 'double blind' test please and try with a clean slate. You can back up your config and restore from there - copying your settings bit by bit, not by replacing your configuration files.

You'll spend way more time on finding out which bolt has gotten stuck screwed the wrong way than when you'd rebuild, configuration files next to your new setup for reference.

deadlock · September 13, 2020, 7:00pm

Actually none of the strongswan configs have changed. I have diffed every single file in /etc from a stock install and my install and everything looks correct to me. At least I do not see any difference from the stock install that I have not done myself. The exception is sysctl.conf where I have these lines and the stock install has it empty:

kernel.panic=3
kernel.core_pattern=/tmp/%e.%t.%p.%s.core

net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.igmp_max_memberships=100
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1

net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

net.netfilter.nf_conntrack_acct=1
net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_max=16384
net.netfilter.nf_conntrack_tcp_timeout_established=7440
net.netfilter.nf_conntrack_udp_timeout=60
net.netfilter.nf_conntrack_udp_timeout_stream=180

# disable bridge firewalling by default
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0

What I am thinking is that something changed regarding setting up interfaces from Lede to OpenWRT 19.07.4. If I could find a modern goide on how to set up routed ipsec on OpenWRT 19.07 I am sure it would be easy to set this up, but I do not think installing OpenWRT from scratch will help me here since I have already reviewed all changes in /etc comparing to stock install.

Any ideas on what might have changed setting up strongswan on OpenWRT?
Maybe something changed in the StrongSwan version so that the interfaces are not created any more?

deadlock · September 13, 2020, 7:56pm

I now realised I am missing some packages from the old install, for example vti.
I installed vti but still it will not create the interfaces.

I realise this is probably more of a strongswan configuration issue than an upgrade issue. I think however something has changed in either openwrt or the strongswan version in the new releae.

deadlock · September 13, 2020, 9:09pm

Turned out I was also missing bash, and I had an up-down script that was running via bash.

So after installing bash everything is up and running again

eduperez · September 13, 2020, 9:18pm

If your problem is solved, please consider marking this topic as [Solved].
See How to mark a topic as [Solved] for a short how-to.

system · September 23, 2020, 9:18pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.