OpenWrt dynamic vpn to juniper

I am replacing an mikrotik travelrouter with a raspberry pi 4 with openvpn.

the configuration with travelmate is fine. however i want to have a ipsec tunnel to home.
i found a manual here about strongswan to a juniper.
however this use main mode which require 2 static ip's
as you can understand. this isn't an option.

is there anybody who user aggressive mode?

information.
home network primary subnet 172.16.20.0/24
Travelrouter primary subnet 172.16.32.0/24

this is the minimal needed traffic.
however it would be nice to use ospf (however i know that there are a lot of brands who don's support this over ipsec) or an option to add secondary subnets to the tunnel.

as bonus question.
it would be nice to have a single device (or subnet.... we have plenty of subnets to choose from) that route all traffic over the tunnel. so i can watch local television when outside the country.

Look into the openconnect package. This software has a Juniper client emulation mode. I have not tried it in that mode, but it sounds like it should pull settings from your Juniper appliance and set up ipsec tunnels as directed.

the openconnect package is for client vpn. i am looking for an site2site vpn.

tried to follow https://openwrt.org/docs/guide-user/services/vpn/strongswan/basics and https://openwrt.org/docs/guide-user/services/vpn/strongswan/site2site
however didn't got any succses

opkg_install_cmd: Cannot install package djbdns-tools.

since i am not that intrested in advanced dns functionality i guess i can ignored that.

after that the init.d script failed on aes. but found that this is an bug in the script. (https://blog.artwolf.in/a?ID=7d7a776d-dfaa-427b-9ee8-af0eee1502aa)

so created the /etc/configuration/ipsec file. as requested
not sure if the ... need at the end of the file?
after starting i got
invalid config file '/etc/strongswan.conf'

i can't find anywhere what the file should look like since it should remaind default (as fas as i understand) so if anyone has a working example....

# generated by /etc/init.d/ipsec
charon {
  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
  filelog {
    /var/log/charon.log {
      time_format = %b %e %T
      ike_name = yes
      append = no
      default =  0
      flush_line = yes
    }
  }
}

So to prevent garbage. i re-installed the router.
found out that the config file from the second link doesn't match the default of strongswan at all. so not sure what is is. but it isn't usable at all.
but still not able to setup an dynamic ipsec tunnel.
is there nobody using openwrt with a dynamic vpn?

I ran into the same problem with my project involving a Palo Alto GlobalProtect. Either PAN-OS or openconnect limits the potential network on the client end to a single host, not a site to site.

So I went to IPSec, which as you noted is not simple. I'm using the swanctl program which is included in strongswan-default. The old "starter" program named ipsec is deprecated.

Install these packages: strongswan-default strongswan-mod-openssl kmod-crypto-sha256 kmod-crypto-gcm xfrm You may need additional crypto kmods if you set up a different crypto proposal than this example.

Configuration involves several files, the primary one being /etc/config/ipsec (that's right, not /etc/config/swanctl, as that would make too much sense). Unlike most packages, a skeleton config file is not included, so enter this /etc/config/ipsec from scratch:

config ipsec
	list listen 'wan'
	option debug '1'

config remote 'campus'
	option enabled '1'
# Other IP, use "any" to accept connections from dynamic.
	option gateway '192.0.0.5'
# Identifiers must match either the DN or a SAN(fqdn) of the certificate.  Not the CN.
	option local_identifier '<REDACTED>.edu'
	option remote_identifier '<REDACTED>.edu'
 	option fragmentation '1'
	option authentication_method 'pubkey'
	option rekeytime '4h'
	option keyingtries '0'
 	option mobike 0
	option dpddelay '60'
	list crypto_proposal 'suite_b_cbc_256'
	list tunnel 'tun_campus'

config tunnel 'tun_campus'
	option keyexchange 'ikev2'
	list local_subnet '0.0.0.0/0'
	list remote_subnet '0.0.0.0/0'
	option if_id '301'
	option updown '/etc/swanctl/setroutes.sh xfrm0'
	option rekeytime '1h'
	option startaction 'start'
	option closeaction 'none'
	option dpdaction 'start'
	list crypto_proposal 'suite_b_cbc_256'	
 
config crypto_proposal 'suite_b_cbc_256'
	option encryption_algorithm 'aes256'
	option hash_algorithm 'sha256'
# ecp384 aka group 20.
	option dh_group 'ecp384'

Here I'm using the same encryption suite for both IKE and traffic. The other side must be configured to use matching methods.
Certificate authentication is used here. For testing, you could start with preshared key. I think the configuration for that is authentication_method 'psk' and pre_shared_key 'secretkey'. If you use certificates, generate them externally (e.g. on your firewall appliance) and copy them to the following locations:
System CA: /etc/swanctl/x509ca
Client certificate: /etc/swanctl/x509
Client certificate private key (if EC): /etc/swanctl/ecdsa
Encrypted private keys are not supported. Decrypt the key and store it in a file with extension .key.

The latest and greatest way to do IPSec is apparently an xfrm interface, which is supported by UCI with the package xfrm.
In /etc/config/network, add:

config interface 'xfrm0'
        option ifid '301'
        option tunlink 'wan'
        option mtu '1438'
        option proto 'xfrm'

config interface 'xfrm0_s'
        option ifname '@xfrm0'
        option proto 'static'
        option ipaddr '10.0.0.10/32'

The second part which assigns an IP address to this end of the tunnel is optional, but highly advisable so you can test the link by pinging from the other side.

In this setup I'm routing all traffic (except DNS, not sure about that yet) through the tunnel. That requires a script which is not included, so I wrote this as setuproutes.sh:

# Simplified updown script for StrongSwan which installs routes to direct
# all IPv4 into the VPN tunnel.
# For xfrm interfaces, swanctl only knows the ID number, not the ifname.
#  Therefore the ifname is passed in on the command line.
#  (PLUTO_IF_ID_OUT is the number, there would be some way to look it up.)
OUT_INTERFACE=$1

VPN_LOGGING=1
TAG=vpn-$PLUTO_INTERFACE
FAC_PRIO=local0.notice

# Get the ISP default gateway from existing routing table
DEFAULT_GATEWAY=$(route -n | awk '$1=="0.0.0.0" && $3=="0.0.0.0" {print $2}')
if [ $VPN_LOGGING ]
	then
	logger -t $TAG -p $FAC_PRIO "default gateway is $DEFAULT_GATEWAY"
fi

case $PLUTO_VERB in 
	up-client)
		if [ $VPN_LOGGING ]
		then
			logger -t $TAG -p $FAC_PRIO "installing IP4 forward all to $OUT_INTERFACE IPSec to $PLUTO_PEER"
		fi
		ip route add $PLUTO_PEER via $DEFAULT_GATEWAY
		ip route add 0.0.0.0/1 dev $OUT_INTERFACE
		ip route add 128.0.0.0/1 dev $OUT_INTERFACE
		;;
	down-client)
		if [ $VPN_LOGGING ]
		then
			logger -t $TAG -p $FAC_PRIO "removing IP4 forward all to $OUT_INTERFACE IPSec to $PLUTO_PEER"
		fi
		ip route del $PLUTO_PEER via $DEFAULT_GATEWAY
		ip route del 0.0.0.0/1 dev $OUT_INTERFACE
		ip route del 128.0.0.0/1 dev $OUT_INTERFACE
		;;
esac

Of course the usual firewall considerations of any VPN apply. The xfrm interface is a standard layer 3 tunnel.