OpenWrt support for Quagga(OSPF), StrongSwan / IPSECv2/1, OpenVPN, Firewalld, SSH, DDNS, DNSMasquerade

Hi All,

I’m new to the latest OpenWRT firmware and trying to understand what it can and can't do.

Does OpenWRT firmware support the following functionality or feature set?

UI Interface
Quagga ( OSPF )
StrongSwan / IPSECv2/1
OpenVPN
Firewalld / Iptables
SSH
DDNS
DNSMasquerade

Is this something OpenWRT can currently support?


As an aside, is it possible to deploy OpenWRT on Raspberry PI 4 if not on standard wireless routers?

Thinking not but going to throw that out there.

Thx,

All of the above. Some, such as DNSMasq and SSH are essential parts of the base system. Others such as OpenVPN and Quagga are available as packages.

OpenWRT also works on all models of Raspberry PI.

3 Likes

Thank you.

Would you happen to have community forum links or wiki pages on configuring Quagga, StrongSwan, IPSEC and OpenVPN to reference?

I'm seeing mixed results on the community forums for OSPF and wondering if there is a success story I could begin with for the above four. Thinking the other items are built in so not a big issue.

Cheers,

OSPF and moreover Quagga doesn't have any OpenWrt specific configurations, so you can ask here or look in the Internet.
The rest are mentioned in the documentation.

2 Likes

Configured Quagga and OSPF successfully. All my VLAN's are visible from this RPi 2 unit now. I copied the config from DD-WRT routers I have.

However, as an OSPF router, it became the designated router due to path cost. Since the RPi 2 is now a DR, DNS queries in Windows are sent to the RPi 2. However, OpenWRT on this RPi2 isn't forwarding DNS requests as expected:

root@OWRT01:~#
root@OWRT01:~# ps |grep dns
15640 dnsmasq   1168 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01
15844 root      1072 S    grep dns
root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~# cat /var/etc/dnsmasq.conf.cfg01411c
# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
localise-queries
read-ethers
enable-ubus
expand-hosts
bind-dynamic
domain=lan
server=/lan/
server=192.168.0.224
server=192.168.0.46
server=192.168.0.51
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq


dhcp-ignore-names=tag:dhcp_bogus_hostname
conf-file=/usr/share/dnsmasq/dhcpbogushostname.conf


bogus-priv
conf-file=/usr/share/dnsmasq/rfc6761.conf
dhcp-range=set:lan,192.168.0.100,192.168.0.249,255.255.255.0,12h
dhcp-option=lan,6, 192.168.0.224, 192.168.0.46, 192.168.0.51



root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~# ping vcsa01
ping: bad address 'vcsa01'
root@OWRT01:~#

The /etc/resolv.conf still shows localhost. I expect dnsmasq to forward the requests over. This isn't happening:

/etc/resolv.conf has only the router's settings:

root@OWRT01:~#
root@OWRT01:~# cat /etc/resolv.conf
search lan
nameserver 127.0.0.1
root@OWRT01:~#

Where do I change this so my internal LAN DNS servers are forwarded too? I could change the RPi 2 from a DR ( Designated Router ) to a backup but that would be sort of like cheating. I want the RPi 2 to forward DNS requests instead, in the event it stays or becomes a DR in the future.

Windows / Linux clients pick up the DR for name resolution:

C:\Users\guy>nslookup vcsa01.mds.xyz
Server:  OWRT01.lan
Address:  fdc8:29db:a9ed::1

*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for vcsa01.mds.xyz

C:\Users\guy>

How could I do this? Resolving external addresses such as google.com works fine.

Cheers,
TK


OSPF Router Details

root@OWRT01:~# cat /etc/banner
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 19.07.3, r11063-85e04e9f46
 -----------------------------------------------------
root@OWRT01:~#
root@OWRT01:~# nc localhost 2604

Hello, this is Quagga (version 1.1.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.


User Access Verification

▒▒▒▒▒▒"▒▒Password: <PASS>

OWRT01> sh ip ospf neighbor
sh ip ospf neighbor

Neighbor ID     Pri State           Dead Time Address         Interface            RXmtL RqstL DBsmL
192.168.0.1       1 Full/DROther      36.674s 192.168.0.1     br-lan:192.168.0.12      1     0     0
192.168.0.3       1 Full/DROther      37.066s 192.168.0.3     br-lan:192.168.0.12      1     0     0
192.168.0.6       1 Full/DROther      39.139s 192.168.0.6     br-lan:192.168.0.12      0     0     0
192.168.0.7       1 Full/Backup       35.059s 192.168.0.7     br-lan:192.168.0.12      1     0     0
OWRT01> sh ip ospf route
sh ip ospf route
============ OSPF network routing table ============
N    10.0.0.0/24           [11] area: 0.0.0.0
                           via 192.168.0.1, br-lan
N    10.1.0.0/24           [11] area: 0.0.0.0
                           via 192.168.0.1, br-lan
N    10.2.0.0/24           [11] area: 0.0.0.0
                           via 192.168.0.1, br-lan
N    10.3.0.0/24           [11] area: 0.0.0.0
                           via 192.168.0.1, br-lan
N    192.168.0.0/24        [10] area: 0.0.0.0
                           directly attached to br-lan

============ OSPF router routing table =============
R    192.168.0.6           [10] area: 0.0.0.0, ASBR
                           via 192.168.0.6, br-lan

============ OSPF external routing table ===========
N E2 0.0.0.0/0             [10/10] tag: 0
                           via 192.168.0.6, br-lan
N E2 10.1.1.0/24           [10/20] tag: 0
                           via 192.168.0.6, br-lan
N E2 108.168.115.96/27     [10/20] tag: 0
                           via 192.168.0.6, br-lan
N E2 192.168.45.0/24       [10/20] tag: 0
                           via 192.168.0.6, br-lan
N E2 192.168.75.0/24       [10/20] tag: 0
                           via 192.168.0.6, br-lan

OWRT01>

Check from OpenWrt:

for HOST in 8.8.8.8 127.0.0.1 192.168.0.46 192.168.0.51 192.168.0.224; \
do echo ${HOST}; ping -w 3 ${HOST}; nslookup openwrt.org ${HOST}; done

Also, note that the option server is supposed to be used together with noresolv, otherwise it's typically better to configure upstream DNS provider.

1 Like

Managed to setup resolution on OpenWRT with your suggestions however the DNS Server (dnsmasq) still doesn't forward external resolution request back out on the network to my DNS servers.

Still doesn't want to forward, however. But admittedly, I'm not sure I fully understand your answer above.

My session so far:


root@OWRT01:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc8:29db:a9ed::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.0.12'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.0.6'
        list dns_search 'mws.mds.xyz nix.mds.xyz mds.xyz'
        list dns '192.168.0.224'
        list dns '192.168.0.46'
        list dns '192.168.0.51'

config route
        option target '192.168.0.1'
        option gateway '192.168.0.6'
        option netmask '255.255.255.0'
        option interface 'lan'

root@OWRT01:~#
root@OWRT01:~#

root@OWRT01:~# cat /etc/resolv.conf
# Interface lan
nameserver 192.168.0.224
nameserver 192.168.0.46
nameserver 192.168.0.51
search mws.mds.xyz nix.mds.xyz mds.xyz
root@OWRT01:~#

Still I'm a bit perplexed how it even manages to ping since nslookups fail:

root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~# ping nfs01
PING nfs01 (192.168.0.149): 56 data bytes
64 bytes from 192.168.0.149: seq=0 ttl=64 time=0.656 ms
^C
--- nfs01 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.656/0.656/0.656 ms
root@OWRT01:~# nslookup nfs01 192.168.0.46
Server:         192.168.0.46
Address:        192.168.0.46#53

** server can't find nfs01: NXDOMAIN
** server can't find nfs01: NXDOMAIN
root@OWRT01:~# nslookup nfs01 192.168.0.51
Server:         192.168.0.51
Address:        192.168.0.51#53

** server can't find nfs01: NXDOMAIN
** server can't find nfs01: NXDOMAIN
root@OWRT01:~# nslookup nfs01 192.168.0.224
;; connection timed out; no servers could be reached

root@OWRT01:~#

History:

root@OWRT01:~# uci add_list dhcp.@dnsmasq[0].server="8.8.8.8"
root@OWRT01:~# uci add_list dhcp.@dnsmasq[0].server="127.0.0.1"
root@OWRT01:~# uci add_list dhcp.@dnsmasq[0].server="192.168.0.51"
root@OWRT01:~# uci add_list dhcp.@dnsmasq[0].server="192.168.0.46"
root@OWRT01:~# uci add_list dhcp.@dnsmasq[0].server="192.168.0.224"
root@OWRT01:~# uci commit dhcp

root@OWRT01:~# uci set dhcp.@dnsmasq[0].noresolv="1"
root@OWRT01:~# uci commit dhcp
root@OWRT01:~#

root@OWRT01:~#
root@OWRT01:~# uci add_list dhcp.@dnsmasq[0].server="/mds.xyz/192.168.0.224"
root@OWRT01:~# uci add_list dhcp.@dnsmasq[0].server="/nix.mds.xyz/192.168.0.46"
root@OWRT01:~# uci add_list dhcp.@dnsmasq[0].server="/mws.mds.xyz/192.168.0.51"
root@OWRT01:~# uci commit dhcp
root@OWRT01:~# /etc/init.d/dnsmasq restart
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing
root@OWRT01:~#

root@OWRT01:~# uci -q delete network.wan.dns
root@OWRT01:~# uci commit network
root@OWRT01:~# /etc/init.d/network restart &
root@OWRT01:~#


dnsmasq conf:

root@OWRT01:~# cat /var/etc/dnsmasq.conf.cfg01411c
# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
no-resolv
localise-queries
read-ethers
enable-ubus
expand-hosts
bind-dynamic
domain=lan
server=/lan/
server=192.168.0.224
server=192.168.0.46
server=192.168.0.51
server=8.8.8.8
server=127.0.0.1
server=192.168.0.51
server=192.168.0.46
server=192.168.0.224
server=/mds.xyz/192.168.0.224
server=/nix.mds.xyz/192.168.0.46
server=/mws.mds.xyz/192.168.0.51
dhcp-leasefile=/tmp/dhcp.leases
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq


dhcp-ignore-names=tag:dhcp_bogus_hostname
conf-file=/usr/share/dnsmasq/dhcpbogushostname.conf


bogus-priv
conf-file=/usr/share/dnsmasq/rfc6761.conf
dhcp-range=set:lan,192.168.0.100,192.168.0.249,255.255.255.0,12h
dhcp-option=lan,6, 192.168.0.224, 192.168.0.46, 192.168.0.51



root@OWRT01:~#

/etc/config/dhcp

root@OWRT01:~# vi /etc/config/dhcp
root@OWRT01:~# cat /etc/config/dhcp

config dnsmasq
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        list server '192.168.0.224'
        list server '192.168.0.46'
        list server '192.168.0.51'
        list server '8.8.8.8'
        list server '127.0.0.1'
        list server '192.168.0.51'
        list server '192.168.0.46'
        list server '192.168.0.224'
        list server '/mds.xyz/192.168.0.224'
        list server '/nix.mds.xyz/192.168.0.46'
        list server '/mws.mds.xyz/192.168.0.51'
        option localservice '0'
        option domain 'lan'
        option noresolv '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        list dhcp_option '6, 192.168.0.224, 192.168.0.46, 192.168.0.51'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OWRT01:~#

nslookups pick out the right DNS servers but fail to resolve:

root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~# time nslookup nfs01
Server:         192.168.0.46
Address:        192.168.0.46#53

** server can't find nfs01: NXDOMAIN
** server can't find nfs01: NXDOMAIN
real    0m 5.00s
user    0m 0.00s
sys     0m 0.00s
root@OWRT01:~#

Testing short name resolution on OpenWrt is tricky:

  • nslookup does not autocomplete short names with search from /etc/resolv.conf, so it will not work if the questioned server does not resolve it.
  • ping takes only the first entry from the last search line, otherwise it is ignored.

These binaries are provided by BusyBox and their functionality is stripped for the sake of the binary size, in addition OpenWrt has no /etc/nsswitch.conf.

Also, your /etc/resolv.conf does not use Dnsmasq due to the option noresolv=1, and even if you use it, make sure to define the option domainneeded according to your needs.

Check short name resolution only when you make sure that full name resolution works fine.

1 Like

That's just it. When I ping a short name or an FQDN, it works. See above.

When I do an nslookup, it doesn't work, despite, apparently querying the correct DNS server. Can't recall I've seen a case where ping works for both but nslookup fails, despite finding the right DNS server.

Are you sure /etc/resolv.conf isn't getting used? I'm getting the impression that once I added all those settings, things worked since /etc/resolv.conf now looked more what I would expect. Things stop working resolving locally when any of those is missing from /etc/resolv.conf .

Short name resolution from above:

root@OWRT01:~# ping nfs01
PING nfs01 (192.168.0.149): 56 data bytes
64 bytes from 192.168.0.149: seq=0 ttl=64 time=0.656 ms

It's just when I try to use the OpenWRT RB Pi 2 as nslookup target that's when it fails to query the above DNS servers I listed:

root@OWRT01:~# time nslookup nfs01
Server:         192.168.0.46
Address:        192.168.0.46#53

** server can't find nfs01: NXDOMAIN
** server can't find nfs01: NXDOMAIN
real    0m 5.00s
user    0m 0.00s
sys     0m 0.00s
root@OWRT01:~#
/etc/resolv.conf
search mws.mds.xyz nix.mds.xyz mds.xyz
nameserver 192.168.0.224
nameserver 192.168.0.46
nameserver 192.168.0.51
.
.
.

If I understand your problem correctly, it should be something like this:

uci set dhcp.@dnsmasq[0].domainneeded="0"
uci set dhcp.@dnsmasq[0].expandhosts="1"
uci set dhcp.@dnsmasq[0].domain="mws.mds.xyz"
uci commit dhcp
/etc/init.d/dnsmasq restart

nslookup nfs01.mws.mds.xyz 127.0.0.1
nslookup nfs01 127.0.0.1

Wouldn't the above set the default domain of OpenWRT itself? Not quite what I'm after.

I need OpenWRT (127.0.0.1) to forward any DNS lookup requests it receives and can't resolve to forward to DNS servers responsible for mds.xyz (DNS1), mws.mds.xyz (DNS2) and nix.mds.xyz (DNS3).

Here's a visual representation of what I need. These DNS servers currently exists:


From within the OpenWRT RB Pi 2, present config allow resolution of both short and FQDN's of all three domains:

  1. Ping works for short and FQDN's
  2. nslookup works for FQDN's but not short.
root@OWRT01:~#
root@OWRT01:~# cat /etc/resolv.conf
# Interface lan
nameserver 192.168.0.224
nameserver 192.168.0.46
nameserver 192.168.0.51
search mws.mds.xyz nix.mds.xyz mds.xyz
root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~# ping nfs01
PING nfs01 (192.168.0.149): 56 data bytes
64 bytes from 192.168.0.149: seq=0 ttl=64 time=1.059 ms
^C
--- nfs01 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.059/1.059/1.059 ms
root@OWRT01:~# ping nfs01.nix.mds.xyz
PING nfs01.nix.mds.xyz (192.168.0.149): 56 data bytes
64 bytes from 192.168.0.149: seq=0 ttl=64 time=0.710 ms
64 bytes from 192.168.0.149: seq=1 ttl=64 time=0.843 ms
^C
--- nfs01.nix.mds.xyz ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.710/0.776/0.843 ms
root@OWRT01:~# ping cm-r01nn01
PING cm-r01nn01 (10.3.0.134): 56 data bytes
64 bytes from 10.3.0.134: seq=0 ttl=63 time=0.569 ms
^C
--- cm-r01nn01 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.569/0.569/0.569 ms
root@OWRT01:~# ping cm-r01nn01.mws.mds.xyz
PING cm-r01nn01.mws.mds.xyz (10.3.0.134): 56 data bytes
64 bytes from 10.3.0.134: seq=0 ttl=63 time=0.708 ms
64 bytes from 10.3.0.134: seq=1 ttl=63 time=0.637 ms
^C
--- cm-r01nn01.mws.mds.xyz ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.637/0.672/0.708 ms
root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~# nslookup nfs01
Server:         192.168.0.46
Address:        192.168.0.46#53

** server can't find nfs01: NXDOMAIN
** server can't find nfs01: NXDOMAIN
root@OWRT01:~# nslookup cm-r01nn01
Server:         192.168.0.46
Address:        192.168.0.46#53

** server can't find cm-r01nn01: NXDOMAIN
** server can't find cm-r01nn01: NXDOMAIN
root@OWRT01:~# nslookup nfs01.nix.mds.xyz
Server:         192.168.0.224
Address:        192.168.0.224#53

Name:      nfs01.nix.mds.xyz
Address 1: 192.168.0.149
*** Can't find nfs01.nix.mds.xyz: No answer
root@OWRT01:~# nslookup cm-r01nn01.mws.mds.xyz
Server:         192.168.0.224
Address:        192.168.0.224#53

Name:      cm-r01nn01.mws.mds.xyz
Address 1: 10.3.0.134
*** Can't find cm-r01nn01.mws.mds.xyz: No answer
root@OWRT01:~#

However, when trying to use the OpenWRT RB Pi 2 as a DNS forwarder, it doesn't work.

[root@host01 ~]# nslookup nfs01 192.168.0.12
Server:         192.168.0.12
Address:        192.168.0.12#53

*** Can't find nfs01: No answer

[root@host01 ~]# nslookup nfs01.nix.mds.xyz 192.168.0.12
Server:         192.168.0.12
Address:        192.168.0.12#53

*** Can't find nfs01.nix.mds.xyz: No answer

[root@host01 ~]# nslookup nfs01.nix.mds.xyz 192.168.0.46
Server:         192.168.0.46
Address:        192.168.0.46#53

Name:   nfs01.nix.mds.xyz
Address: 192.168.0.149

[root@host01 ~]#

[root@host01 ~]# nslookup nfs01 192.168.0.46
Server:         192.168.0.46
Address:        192.168.0.46#53

Name:   nfs01.nix.mds.xyz
Address: 192.168.0.149

[root@host01 ~]# nslookup nfs01 192.168.0.224
Server:         192.168.0.224
Address:        192.168.0.224#53

Non-authoritative answer:
Name:   nfs01.nix.mds.xyz
Address: 192.168.0.149

[root@host01 ~]#

Cheers,
TK

As far as I know, Dnsmasq requires FQDN to perform selective forwarding and it cannot expand plain names to multiple domains simultaneously.

Probably you should configure search domains on your clients.

Yeah, I had search domains defined. Didn't work initially. Left it overnight, then it started to work. (shrug)

Now I'm configuring IPSec and StrongSwan. No issue yet however did have a question in regards to copy-paste in vi on OpenWRT.

Anytime I paste, I get a sequence of dots or special characters where tabs were supposed to be:

Is there a way to deal with this besides removing them manually?

Cheers,

Copy-paste depends on:

  • The source encoding and special characters.
  • The source OS and DE behavior while copying and pasting.
  • The terminal emulator.
  • The destination program behavior.

E.g. it works fine for me with GNOME Terminal on Linux when pasting a UTF-8 text with tabs to vi/nano.

1 Like

DNS:

Changed the search order to:

mws.mds.xyz
nix.mds.xyz
mds.xyz
.

And now the resolution works ok from the client Win 10 laptop. Bit odd I had to change this to get it to work. Was fully functional with '.' placed at the top with the other routers. I may spend more time on this later to figure out why having a '.' at the top of the list fails to produce the same results.

I also changed the default GW from 192.168.0.6 to 192.168.0.1. .1 is my cisco router. .6 is the internet facing router. Thinking it might have been the GW more so then the search order that fixed it here. Again, can't say for sure. Will check later on.

Characters:

Checked I was set to UTF-8 earlier. I'll check the rest and get back.

Thanks again vgaetera. Appreciate the help on all these items.

Crawling along. The OpenWRT doesn't have the kmod-tun package. So ipsec fails to start:

root@OWRT01:~# opkg install kmod-sit kmod-iptunnel kmod-iptunnel4 kmod-iptunnel6 kmod-ipsec4
Package kmod-sit (4.14.180-1) installed in root is up to date.
Package kmod-iptunnel (4.14.180-1) installed in root is up to date.
Package kmod-iptunnel4 (4.14.180-1) installed in root is up to date.
Package kmod-iptunnel6 (4.14.180-1) installed in root is up to date.
Package kmod-ipsec4 (4.14.180-1) installed in root is up to date.
root@OWRT01:~#

Error logs from the remote log server:

Aug  8 17:00:58 OWRT01 : 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 4.14.180, armv7l)
Aug  8 17:00:58 OWRT01 : 00[CFG] PKCS11 module '<name>' lacks library path
Aug  8 17:00:59 OWRT01 : 00[LIB] curl SSL backend 'mbedTLS/2.16.6' not supported, https:// disabled
Aug  8 17:00:59 OWRT01 : 00[CFG] disabling load-tester plugin, not configured
Aug  8 17:00:59 OWRT01 : 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Aug  8 17:00:59 OWRT01 : 00[LIB] failed to open /dev/net/tun: No such file or directory
Aug  8 17:00:59 OWRT01 : 00[KNL] failed to create TUN device
Aug  8 17:00:59 OWRT01 : 00[LIB] plugin 'kernel-libipsec': failed to load - kernel_libipsec_plugin_create returned NULL
Aug  8 17:00:59 OWRT01 : 00[LIB] plugin 'uci' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: symbol not found
Aug  8 17:00:59 OWRT01 : 00[KNL] unable to create IPv4 routing table rule
Aug  8 17:00:59 OWRT01 : 00[KNL] unable to create IPv6 routing table rule
Aug  8 17:00:59 OWRT01 : 00[CFG] attr-sql plugin: database URI not set
Aug  8 17:00:59 OWRT01 : 00[NET] using forecast interface br-lan
Aug  8 17:00:59 OWRT01 : 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Aug  8 17:00:59 OWRT01 : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug  8 17:00:59 OWRT01 : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug  8 17:00:59 OWRT01 : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug  8 17:00:59 OWRT01 : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug  8 17:00:59 OWRT01 : 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug  8 17:00:59 OWRT01 : 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug  8 17:00:59 OWRT01 : 00[CFG]   loaded IKE secret for 100.100.100.100 123.123.123.123
Aug  8 17:00:59 OWRT01 : 00[CFG] sql plugin: database URI not set
Aug  8 17:00:59 OWRT01 : 00[CFG] loaded 0 RADIUS server configurations
Aug  8 17:00:59 OWRT01 : 00[CFG] HA config misses local/remote address
Aug  8 17:00:59 OWRT01 : 00[CFG] coupling file path unspecified
Aug  8 17:00:59 OWRT01 : 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp gmpdh curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default socket-dynamic connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Aug  8 17:00:59 OWRT01 : 00[JOB] spawning 16 worker threads
Aug  8 17:00:59 OWRT01 : 06[DMN] thread 6 received 11
Aug  8 17:00:59 OWRT01 : 06[LIB] no support for capturing backtraces
Aug  8 17:00:59 OWRT01 : 08[DMN] thread 8 received 11
Aug  8 17:00:59 OWRT01 : 08[LIB] no support for capturing backtraces
Aug  8 17:00:59 OWRT01 : 03[DMN] thread 3 received 11
Aug  8 17:00:59 OWRT01 : 08[DMN] killing ourself, received critical signal
root@OWRT01:~#
root@OWRT01:~# opkg install kmod-tun
Unknown package 'kmod-tun'.
Collected errors:
 * opkg_install_cmd: Cannot install package kmod-tun.
root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~# opkg files kmod-tun
Collected errors:
 * opkg_files_cmd: Package kmod-tun not installed.
root@OWRT01:~# 

How do I get kmod-tun repo installed on my OpenWPN?

Thx,
TK

Ok, so after a reboot I get this?

root@OWRT01:~#
root@OWRT01:~# opkg install kmod-tun
Installing kmod-tun (4.14.180-1) to root...
Downloading http://downloads.openwrt.org/releases/19.07.3/targets/brcm2708/bcm2709/kmods/4.14.180-1-2911c85b0fe34f5899879f41e832a894/kmod-tun_4.14.180-1_arm_cortex-a7_neon-vfpv4.ipk
Configuring kmod-tun.
root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~# opkg list | grep kmod-tun
kmod-tun - 4.14.180-1 - Kernel support for the TUN/TAP tunneling device
kmod-tun - 4.14.180-1 - Kernel support for the TUN/TAP tunneling device
root@OWRT01:~#

:man_facepalming:

The package repository data for OPKG is usually stored in /tmp/opkg-lists (in-memory). So opkg doesn't have any information about any new, available packages until you or some different process runs a "opkg update" to fetch the latest repo data. Until that happens, all it knows about is the current set of installed packages.

3 Likes

Where I am right now is trying to figure out why traffic isn't making it out of the IPSEC / StrongSwan server:

Referencing updated topology:

What I'm getting off the Raspberry PI 2:

Aug  9 17:03:57 OWRT01 : 13[IKE] giving up after 5 retransmits
Aug  9 17:03:57 OWRT01 : 13[IKE] peer not responding, trying again (2/3)
Aug  9 17:03:57 OWRT01 : 13[IKE] initiating IKE_SA AZURE[1] to 123.123.123.123
Aug  9 17:03:57 OWRT01 : 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug  9 17:03:57 OWRT01 : 13[NET] sending packet: from 100.100.100.100[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 17:03:57 OWRT01 : 04[NET] error writing to socket: Network unreachable
Aug  9 17:04:01 OWRT01 : 12[IKE] retransmit 1 of request with message ID 0
Aug  9 17:04:01 OWRT01 : 12[NET] sending packet: from 100.100.100.100[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 17:04:01 OWRT01 : 04[NET] error writing to socket: Network unreachable
Aug  9 17:04:04 OWRT01 : 00[DMN] signal of type SIGINT received. Shutting down
Aug  9 17:04:04 OWRT01 : 00[IKE] destroying IKE_SA in state CONNECTING without notification
Aug  9 17:04:04 OWRT01 : 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 4.14.180, armv7l)
Aug  9 17:04:06 OWRT01 : 00[LIB] curl SSL backend 'mbedTLS/2.16.6' not supported, https:// disabled
Aug  9 17:04:06 OWRT01 : 00[CFG] disabling load-tester plugin, not configured
Aug  9 17:04:06 OWRT01 : 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Aug  9 17:04:06 OWRT01 : 00[LIB] created TUN device: ipsec0
Aug  9 17:04:06 OWRT01 : 00[LIB] plugin 'uci' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: symbol not found
Aug  9 17:04:06 OWRT01 : 00[CFG] attr-sql plugin: database URI not set
Aug  9 17:04:06 OWRT01 : 00[NET] using forecast interface br-lan
Aug  9 17:04:06 OWRT01 : 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Aug  9 17:04:06 OWRT01 : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug  9 17:04:06 OWRT01 : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug  9 17:04:06 OWRT01 : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug  9 17:04:06 OWRT01 : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug  9 17:04:06 OWRT01 : 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug  9 17:04:06 OWRT01 : 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug  9 17:04:06 OWRT01 : 00[CFG]   loaded IKE secret for 100.100.100.100 123.123.123.123
Aug  9 17:04:06 OWRT01 : 00[CFG] sql plugin: database URI not set
Aug  9 17:04:06 OWRT01 : 00[CFG] loaded 0 RADIUS server configurations
Aug  9 17:04:06 OWRT01 : 00[CFG] HA config misses local/remote address
Aug  9 17:04:06 OWRT01 : 00[CFG] coupling file path unspecified
Aug  9 17:04:06 OWRT01 : 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp gmpdh curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default socket-dynamic connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Aug  9 17:04:06 OWRT01 : 00[JOB] spawning 16 worker threads
Aug  9 17:04:06 OWRT01 : 13[CFG] received stroke: add connection 'AZURE'
Aug  9 17:04:06 OWRT01 : 13[CFG] left nor right host is our side, assuming left=local
Aug  9 17:04:06 OWRT01 : 13[CFG] added configuration 'AZURE'
Aug  9 17:04:06 OWRT01 : 14[CFG] received stroke: initiate 'AZURE'
Aug  9 17:04:06 OWRT01 : 14[IKE] initiating IKE_SA AZURE[1] to 123.123.123.123
Aug  9 17:04:06 OWRT01 : 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug  9 17:04:06 OWRT01 : 14[NET] sending packet: from 100.100.100.100[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 17:04:06 OWRT01 : 04[NET] error writing to socket: Network unreachable
Aug  9 17:04:10 OWRT01 : 14[IKE] retransmit 1 of request with message ID 0
Aug  9 17:04:10 OWRT01 : 14[NET] sending packet: from 100.100.100.100[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 17:04:10 OWRT01 : 04[NET] error writing to socket: Network unreachable
Aug  9 17:04:17 OWRT01 : 09[IKE] retransmit 2 of request with message ID 0
Aug  9 17:04:17 OWRT01 : 09[NET] sending packet: from 100.100.100.100[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 17:04:17 OWRT01 : 04[NET] error writing to socket: Network unreachable

I don't have a WAN on this RB Pi 2. Just a single LAN. On the Asus AC68U, I don't see any packets leaving or coming to/from Azure VPN Gateway IP 123.123.123.123 when IPSEC on the OpenWRT is attempting a connection out to the AZ VPN GW:

root@DD-WRT-INTERNET-ASUS:~# tcpdump -n dst 123.123.123,123 or src 123,123,123,123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes






root@DD-WRT-INTERNET-ASUS:~#

However, when I ping from the OpenWRT Raspberry PI 2 out to 123.123.123.123, I see the following off the DD-WRT:

root@DD-WRT-INTERNET-ASUS:~# tcpdump -n dst 123.123.123.123 or src 123.123.123.123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:03:31.877610 IP 192.168.0.12 > 123.123.123.123: ICMP echo request, id 62475, seq 0, length 64
17:03:32.877899 IP 192.168.0.12 > 123.123.123.123: ICMP echo request, id 62475, seq 1, length 64
17:03:33.878122 IP 192.168.0.12 > 123.123.123.123: ICMP echo request, id 62475, seq 2, length 64
17:03:34.878280 IP 192.168.0.12 > 123.123.123.123: ICMP echo request, id 62475, seq 3, length 64
17:03:35.878528 IP 192.168.0.12 > 123.123.123.123: ICMP echo request, id 62475, seq 4, length 64

So that's telling me traffic isn't really making it out at all. The Raspberry PI 2 doesn't have a WAN, just one LAN port, of course. I have a few NAT rules on the DD-WRT below. But that's irrelevant at this point since traffic isn't even getting sent out let alone returning anything:

# ----------------------
# Azure - Microsoft Azure Cloud: VPN Gateway
# ----------------------
iptables -I FORWARD -s 10.10.0.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -I INPUT -p icmp -s 10.10.0.0/24 -d 192.168.0.1/32 -j ACCEPT

# TCP
iptables -t nat -I PREROUTING -s 123.123.123.123 -p tcp --dport 500 -j DNAT --to 192.168.0.12:500
iptables -I FORWARD -p tcp -d 192.168.0.12 --dport 500 -j ACCEPT

iptables -t nat -I PREROUTING -s 123.123.123.123 -p tcp --dport 4500 -j DNAT --to 192.168.0.12:4500
iptables -I FORWARD -p tcp -d 192.168.0.12 --dport 4500 -j ACCEPT

# UDP
iptables -t nat -I PREROUTING -s 123.123.123.123 -p udp --dport 500 -j DNAT --to 192.168.0.12:500
iptables -I FORWARD -p udp -d 192.168.0.12 --dport 500 -j ACCEPT

iptables -t nat -I PREROUTING -s 123.123.123.123 -p udp --dport 4500 -j DNAT --to 192.168.0.12:4500
iptables -I FORWARD -p udp -d 192.168.0.12 --dport 4500 -j ACCEPT

# SHH: NAT Test Only
iptables -t nat -I PREROUTING -p tcp --dport 4522 -j DNAT --to 192.168.0.12:22
iptables -I FORWARD -p tcp -d 192.168.0.12 --dport 22 -j ACCEPT

Relevant configuration:


root@OWRT01:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

conn AZURE
        authby=secret
        auto=start
        type=tunnel
        keyexchange=ikev2
        keylife=3600s
        ikelifetime=28800s
        left=100.100.100.100
        leftsubnets={ 192.168.0.0/24, 10.0.0.0/24, 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24, }  # Network subnet located on-premises
        # leftnexthop=%defaultroute
        right=123.123.123.123
        rightsubnets={ 10.10.0.0/24, 10.20.0.0/24, 10.30.0.0/24, 10.40.0.0/24, 10.50.0.0/24, }  #  Azure network subnet defined in cloud
        ike=aes256-sha1-modp1024
        esp=aes256-sha1

root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~# cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
# Verbosity levels
# -1: Absolutely silent
# 0: Very basic auditing logs, (e.g. SA up/SA down)
# 1: Generic control flow with errors, a good default to see whats going on
# 2: More detailed debugging control flow
# 3: Including RAW data dumps in Hex
# 4: Also include sensitive material in dumps, e.g. keys
charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        filelog {
                charon {
                        path = /var/log/charon.log
                        time_format = %b %e %T
                        append = no
                        default = 0 # in case troubleshoot is required switch this to 2
                }
                stderr {
                        ike = 0 # in case troubleshoot is required switch this to 2
                        knl = 0 # in case troubleshoot is required switch this to 3
                        ike_name = yes
                }
        }
        syslog {
                # enable logging to LOG_DAEMON, use defaults
                daemon {
                }
                # minimalistic IKE auditing logging to LOG_AUTHPRIV
                auth {
                        default = 0 # in case troubleshoot is required switch this to 2
                        ike = 0 # in case troubleshoot is required switch this to 2
                }
        }
}
include strongswan.d/*.conf
root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~# cat /etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
100.100.100.100 123.123.123.123 : PSK "PressEnter"
root@OWRT01:~#

Tcpdump on OpenWRT:

root@OWRT01:~#
root@OWRT01:~# tcpdump -i ipsec0 -n dst 123.123.123.123 or src 123.123.123.123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type RAW (Raw IP), capture size 262144 bytes
tcpdump: pcap_loop: The interface went down
0 packets captured
0 packets received by filter
0 packets dropped by kernel
root@OWRT01:~# tcpdump -i ipsec0 -n dst 123.123.123.123 or src 123.123.123.123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type RAW (Raw IP), capture size 262144 bytes




^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
root@OWRT01:~# tcpdump -i br-lan -n dst 123.123.123.123 or src 123.123.123.123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
4 packets received by filter
0 packets dropped by kernel
root@OWRT01:~#


root@OWRT01:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
    link/ether b8:27:eb:1c:55:8d brd ff:ff:ff:ff:ff:ff
3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether b8:27:eb:1c:55:8d brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.12/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fdc8:29db:a9ed::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::ba27:ebff:fe1c:558d/64 scope link
       valid_lft forever preferred_lft forever
7: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet6 fe80::d5de:6ac0:c375:534e/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
root@OWRT01:~#

On a side note IRT the opkg command, you're totally correct @ergamus . Needed to run opkg update first.

root@OWRT01:~# service ipsec restart
root@OWRT01:~# opkg install tcpdump
Unknown package 'tcpdump'.
Collected errors:
 * opkg_install_cmd: Cannot install package tcpdump.
root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~#
root@OWRT01:~# opkg update
Downloading http://downloads.openwrt.org/releases/19.07.3/targets/brcm2708/bcm2709/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading http://downloads.openwrt.org/releases/19.07.3/targets/brcm2708/bcm2709/packages/Packages.sig
Signature check passed.
.
.
.
.
root@OWRT01:~#
root@OWRT01:~# opkg install tcpdump
Installing tcpdump (4.9.3-1) to root...
Downloading http://downloads.openwrt.org/releases/19.07.3/packages/arm_cortex-a7_neon-vfpv4/base/tcpdump_4.9.3-1_arm_cortex-a7_neon-vfpv4.ipk
Configuring tcpdump.
root@OWRT01:~#

Thank you,

This is interesting. I've changed the ipsec.conf config as follows:

#       left=100.100.100.100
        left=192.168.0.12

This makes sense since 100.100.100.100 isn't reachable from the RB Pi 2 behind the Internet router. So the messages are now:


Aug  9 23:22:40 OWRT01 : 00[DMN] signal of type SIGINT received. Shutting down
Aug  9 23:22:40 OWRT01 : 00[IKE] destroying IKE_SA in state CONNECTING without notification
Aug  9 23:22:41 OWRT01 : 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 4.14.180, armv7l)
Aug  9 23:22:41 OWRT01 : 00[CFG] PKCS11 module '<name>' lacks library path
Aug  9 23:22:42 OWRT01 : 00[LIB] curl SSL backend 'mbedTLS/2.16.6' not supported, https:// disabled
Aug  9 23:22:42 OWRT01 : 00[CFG] disabling load-tester plugin, not configured
Aug  9 23:22:42 OWRT01 : 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Aug  9 23:22:42 OWRT01 : 00[LIB] created TUN device: ipsec0
Aug  9 23:22:42 OWRT01 : 00[LIB] plugin 'uci' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: symbol not found
Aug  9 23:22:42 OWRT01 : 00[CFG] attr-sql plugin: database URI not set
Aug  9 23:22:42 OWRT01 : 00[NET] using forecast interface br-lan
Aug  9 23:22:42 OWRT01 : 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Aug  9 23:22:42 OWRT01 : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug  9 23:22:42 OWRT01 : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug  9 23:22:42 OWRT01 : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug  9 23:22:42 OWRT01 : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug  9 23:22:42 OWRT01 : 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug  9 23:22:42 OWRT01 : 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug  9 23:22:42 OWRT01 : 00[CFG]   loaded IKE secret for 100.100.100.100 123.123.123.123
Aug  9 23:22:42 OWRT01 : 00[CFG] sql plugin: database URI not set
Aug  9 23:22:42 OWRT01 : 00[CFG] loaded 0 RADIUS server configurations
Aug  9 23:22:42 OWRT01 : 00[CFG] HA config misses local/remote address
Aug  9 23:22:42 OWRT01 : 00[CFG] coupling file path unspecified
Aug  9 23:22:42 OWRT01 : 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp gmpdh curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default socket-dynamic connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Aug  9 23:22:42 OWRT01 : 00[JOB] spawning 16 worker threads
Aug  9 23:22:42 OWRT01 : 10[CFG] received stroke: add connection 'AZURE'
Aug  9 23:22:42 OWRT01 : 10[CFG] added configuration 'AZURE'
Aug  9 23:22:42 OWRT01 : 13[CFG] received stroke: initiate 'AZURE'
Aug  9 23:22:42 OWRT01 : 13[IKE] initiating IKE_SA AZURE[1] to 123.123.123.123
Aug  9 23:22:42 OWRT01 : 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug  9 23:22:42 OWRT01 : 13[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 23:22:46 OWRT01 : 15[IKE] retransmit 1 of request with message ID 0
Aug  9 23:22:46 OWRT01 : 15[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 23:22:53 OWRT01 : 14[IKE] retransmit 2 of request with message ID 0
Aug  9 23:22:53 OWRT01 : 14[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 23:23:06 OWRT01 : 13[IKE] retransmit 3 of request with message ID 0
Aug  9 23:23:06 OWRT01 : 13[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 23:23:18 OWRT01 kernel: [18475.234728] device ipsec0 entered promiscuous mode
Aug  9 23:23:30 OWRT01 : 13[IKE] retransmit 4 of request with message ID 0
Aug  9 23:23:30 OWRT01 : 13[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 23:23:39 OWRT01 kernel: [18496.576740] device ipsec0 left promiscuous mode
Aug  9 23:23:53 OWRT01 kernel: [18510.514532] device ipsec0 entered promiscuous mode
Aug  9 23:24:12 OWRT01 : 11[IKE] retransmit 5 of request with message ID 0
Aug  9 23:24:12 OWRT01 : 11[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 23:25:27 OWRT01 : 15[IKE] giving up after 5 retransmits
Aug  9 23:25:27 OWRT01 : 15[IKE] peer not responding, trying again (2/3)
Aug  9 23:25:27 OWRT01 : 15[IKE] initiating IKE_SA AZURE[1] to 123.123.123.123
Aug  9 23:25:27 OWRT01 : 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug  9 23:25:27 OWRT01 : 15[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 23:25:31 OWRT01 : 12[IKE] retransmit 1 of request with message ID 0
Aug  9 23:25:31 OWRT01 : 12[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 23:25:39 OWRT01 : 15[IKE] retransmit 2 of request with message ID 0
Aug  9 23:25:39 OWRT01 : 15[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 23:25:52 OWRT01 : 11[IKE] retransmit 3 of request with message ID 0
Aug  9 23:25:52 OWRT01 : 11[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 23:26:15 OWRT01 : 15[IKE] retransmit 4 of request with message ID 0
Aug  9 23:26:15 OWRT01 : 15[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 23:26:39 OWRT01 kernel: [18676.217284] device ipsec0 left promiscuous mode
Aug  9 23:26:43 OWRT01 kernel: [18680.233669] device br-lan entered promiscuous mode
Aug  9 23:26:47 OWRT01 kernel: [18684.457175] device br-lan left promiscuous mode
Aug  9 23:26:57 OWRT01 : 12[IKE] retransmit 5 of request with message ID 0
Aug  9 23:26:57 OWRT01 : 12[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 23:27:06 OWRT01 kernel: [18703.953629] device br-lan entered promiscuous mode
Aug  9 23:28:12 OWRT01 : 11[IKE] giving up after 5 retransmits
Aug  9 23:28:12 OWRT01 : 11[IKE] peer not responding, trying again (3/3)
Aug  9 23:28:12 OWRT01 : 11[IKE] initiating IKE_SA AZURE[1] to 123.123.123.123
Aug  9 23:28:12 OWRT01 : 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug  9 23:28:12 OWRT01 : 11[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 23:28:16 OWRT01 : 12[IKE] retransmit 1 of request with message ID 0
Aug  9 23:28:16 OWRT01 : 12[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 23:28:24 OWRT01 : 12[IKE] retransmit 2 of request with message ID 0
Aug  9 23:28:24 OWRT01 : 12[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 23:28:37 OWRT01 : 15[IKE] retransmit 3 of request with message ID 0
Aug  9 23:28:37 OWRT01 : 15[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 23:29:00 OWRT01 : 15[IKE] retransmit 4 of request with message ID 0
Aug  9 23:29:00 OWRT01 : 15[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 23:29:12 OWRT01 kernel: [18829.975624] device br-lan left promiscuous mode

The internet facing router now sees traffic as well:

root@DD-WRT-INTERNET-ASUS:~# tcpdump -n src 123.123.123.123 or dst 123.123.123.123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:25:27.849574 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
23:25:31.850626 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
23:25:39.051294 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
23:25:52.011529 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
23:26:15.340250 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
23:26:57.330345 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
23:28:12.916861 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
23:28:16.917727 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
23:28:24.118482 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
23:28:37.078736 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
23:29:00.407189 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
23:29:42.397775 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
23:39:52.200284 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
23:39:56.200808 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
23:40:03.401357 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]