Hi Masters!
I created a VPN server; it is configured and works fine. I have successfully connected with mobile, PC, ... BUT if I connect with OpenWRT in client mode, the router becomes unreachable. Everything seems fine, but nothing works (can't access 192.168.1.1, and no internet).
I applied the firewall step, but nothing: LINK
I want to create this: |Users|<--->|OpenWRT router|<--->|VPN Server| (maybe a road-warrior configuration)
If it is connected, I can only disconnect it (kick it out) from the remote VPN server: systemctl restart ipsec
OpenWRT Router:
Internal IP address: 192.168.1.0/24
VPN Server:
VPN pool(s) address:10.10.10.0/30
I'm starting to give up. What am I doing wrong, what other parameter must be specified?
Thank you!
Regards: DrCyberg
Here are the logs and settings:
[VPN Server]
/etc/ipsec.conf
config setup
charondebug="ike 2, knl 1, cfg 0"
conn ikev2-vpn-rsa
auto=start
closeaction=restart
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=restart
dpddelay=300s
rekey=no
left=193.188.xxx.xxx
leftid=vpn.something.net
leftcert=server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.10.10.0/30
rightdns=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1,9.9.9.9,149.112.112.112
rightsendcert=never
eap_identity=%identity
ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024,3des-sha1-modp1024!
esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1-ecp256,aes256-sha1,3des-sha1
ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-67-generic, x86_64):
uptime: 21 hours, since Mar 08 18:48:07 2023
malloc: sbrk 2826240, mmap 0, used 1902400, free 923840
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl attr kernel-netlink resolve socket-default connmark forecast farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Virtual IP pools (size/online/offline):
0.0.0.0/0: 2147483646/0/0
10.10.10.0/30: 2/1/0
Listening IP addresses:
193.188.xxx.xxx
2a09:7ac0::1:1ae0:611
Connections:
ikev2-vpn-psk: 193.188.xxx.xxx...%any IKEv2, dpddelay=300s
ikev2-vpn-psk: local: [vpn.something.net] uses pre-shared key authentication
ikev2-vpn-psk: remote: uses pre-shared key authentication
ikev2-vpn-psk: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=restart
ikev2-vpn-rsa: 193.188.xxx.xxx...%any IKEv2, dpddelay=300s
ikev2-vpn-rsa: local: [vpn.something.net] uses public key authentication
ikev2-vpn-rsa: cert: "CN=193.188.xxx.xxx"
ikev2-vpn-rsa: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ikev2-vpn-rsa: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
ikev2-vpn-rsa[9]: ESTABLISHED 7 seconds ago, 193.188.xxx.xxx[vpn.something.net]...79.122.xxx.xxx[drcyberg]
ikev2-vpn-rsa[9]: IKEv2 SPIs: 2dc53bda05ef2d6a_i 0080cd3b2951a74b_r*, rekeying disabled
ikev2-vpn-rsa[9]: IKE proposal: CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519
ikev2-vpn-rsa{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce0b4e58_i 1081f083_o
ikev2-vpn-rsa{1}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying disabled
ikev2-vpn-rsa{1}: 0.0.0.0/0 === 10.10.10.1/32
[OpenWrt Router]
/etc/ipsec.conf
config setup
strictcrlpolicy=no
uniqueids = no
conn cp-vpn
rightid=vpn.something.net
right=193.188.xxx.xxx
rightsubnet=0.0.0.0/0
leftsubnet=10.10.10.0/30
rightauth=pubkey
leftfirewall=yes
leftsourceip=%config
left=%defaultroute
leftid=drcyberg
leftauth=eap-mschapv2
eap_identity=%identity
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
mobike=yes
dpdaction=clear
dpddelay=300s
rekey=no
ipsec up cp-vpn
initiating IKE_SA cp-vpn[3] to 193.188.xxx.xxx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.0.34[500] to 193.188.xxx.xxx[500] (1112 bytes)
received packet: from 193.188.xxx.xxx[500] to 192.168.0.34[500] (236 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal: IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519
local host is behind NAT, sending keep alives
remote host is behind NAT
sending cert request for "CN=SomeThing VPN root CA"
establishing CHILD_SA cp-vpn{3}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.0.34[4500] to 193.188.xxx.xxx[4500] (414 bytes)
received packet: from 193.188.xxx.xxx[4500] to 192.168.0.34[4500] (1248 bytes)
parsed IKE_AUTH response 1 [ EF(1/2) ]
received fragment #1 of 2, waiting for complete IKE message
received packet: from 193.188.xxx.xxx[4500] to 192.168.0.34[4500] (776 bytes)
parsed IKE_AUTH response 1 [ EF(2/2) ]
received fragment #2 of 2, reassembled fragmented IKE message (1959 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "CN=193.188.xxx.xxx"
using certificate "CN=193.188.xxx.xxx"
using trusted ca certificate "CN=SomeThing VPN root CA"
checking certificate status of "CN=193.188.xxx.xxx"
certificate status is not available
reached self-signed root ca with a path length of 0
authentication of 'vpn.something.net' with RSA_EMSA_PKCS1_SHA2_384 successful
server requested EAP_IDENTITY (id 0x00), sending 'drcyberg'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 192.168.0.34[4500] to 193.188.xxx.xxx[4500] (74 bytes)
received packet: from 193.188.xxx.xxx[4500] to 192.168.0.34[4500] (97 bytes)
parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
server requested EAP_MSCHAPV2 authentication (id 0x18)
generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
sending packet: from 192.168.0.34[4500] to 193.188.xxx.xxx[4500] (128 bytes)
received packet: from 193.188.xxx.xxx[4500] to 192.168.0.34[4500] (134 bytes)
parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
sending packet: from 192.168.0.34[4500] to 193.188.xxx.xxx[4500] (67 bytes)
received packet: from 193.188.xxx.xxx[4500] to 192.168.0.34[4500] (65 bytes)
parsed IKE_AUTH response 4 [ EAP/SUCC ]
EAP method EAP_MSCHAPV2 succeeded, MSK established
authentication of 'drcyberg' (myself) with EAP
generating IKE_AUTH request 5 [ AUTH ]
sending packet: from 192.168.0.34[4500] to 193.188.xxx.xxx[4500] (129 bytes)
received packet: from 193.188.xxx.xxx[4500] to 192.168.0.34[4500] (325 bytes)
parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS DNS DNS DNS DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]
authentication of 'vpn.something.net' with EAP successful
IKE_SA cp-vpn[3] established between 192.168.0.34[drcyberg]...193.188.xxx.xxx[vpn.something.net]
installing DNS server 8.8.8.8 to /etc/resolv.conf
installing DNS server 8.8.4.4 to /etc/resolv.conf
installing DNS server 1.1.1.1 to /etc/resolv.conf
installing DNS server 1.0.0.1 to /etc/resolv.conf
installing DNS server 9.9.9.9 to /etc/resolv.conf
installing DNS server 149.112.112.112 to /etc/resolv.conf
installing new virtual IP 10.10.10.1
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
It gets this far on OpenWRT; then on the VPN server side I must run systemctl restart ipsec,
and I take back control, and after that:
CHILD_SA cp-vpn{3} established with SPIs 1081f083_i ce0b4e58_o and TS 10.10.10.1/32 === 0.0.0.0/0
connection 'cp-vpn' established successfully
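Two checks a reviewer would run over the text posted above, as an added example (this is not code from the original post or from the strongSwan project). The first parses the `ike=`/`esp=` proposal strings in ipsec.conf syntax (proposals separated by commas, algorithms by dashes, several algorithms of one class in a proposal meaning any combination, a trailing `!` being the legacy strict marker), expands them into the concrete combinations the server offers, and flags the ones that still include 3DES, SHA-1 or a 1024-bit MODP group. The second parses the `TS local === remote` line charon logs when the CHILD_SA comes up and reports whether the router's local traffic selector covers the LAN, because only packets that match the traffic selector are ever put into the tunnel. The sample strings are copied from the server's ipsec.conf and the router's `ipsec up` output above; the algorithm classification, the weakness table and the LAN prefix 192.168.1.0/24 (taken from the post) are this example's own assumptions, not strongSwan's.

```python
"""Audit checks for a strongSwan road-warrior setup (added example, not the post's code)."""
import ipaddress
import itertools
import re

# Token classes as they appear in ipsec.conf proposal strings (this example's own tables).
PRF_RE = re.compile(r"^prf(sha1|sha256|sha384|sha512|md5|aesxcbc|aescmac)$")
DH_RE = re.compile(r"^(modp\d{3,4}|ecp\d{3}|curve25519|x25519|curve448|x448)$")
ENCR_RE = re.compile(r"^(aes\d{3}(gcm\d*|ccm\d*|ctr)?|chacha20poly1305|camellia\d{3}"
                     r"|blowfish\d*|cast128|3des|des|null)$")
INTEG_RE = re.compile(r"^(sha1|sha256|sha384|sha512|sha\d+_\d+|md5|aesxcbc|aescmac)$")

WEAK = {  # example's own classification of what should not be offered any more
    "3des": "64-bit block cipher",
    "des": "56-bit key",
    "null": "no confidentiality",
    "md5": "broken hash",
    "sha1": "deprecated integrity algorithm",
    "modp768": "DH group far too small",
    "modp1024": "1024-bit DH group",
    "modp1536": "DH group below 2048 bits",
}

# Sample inputs copied from the post: the server's ike=/esp= lines and the
# router's CHILD_SA line. The LAN prefix is the one the post gives for the router.
SERVER_IKE = ("chacha20poly1305-sha512-curve25519-prfsha512,"
              "aes256gcm16-sha384-prfsha384-ecp384,"
              "aes256-sha1-modp1024,aes128-sha1-modp1024,"
              "aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024,"
              "3des-sha1-modp1024!")
SERVER_ESP = ("chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,"
              "aes256-sha1-ecp256,aes256-sha1,3des-sha1")
ROUTER_TS_LINE = ("CHILD_SA cp-vpn{3} established with SPIs 1081f083_i ce0b4e58_o "
                  "and TS 10.10.10.1/32 === 0.0.0.0/0")
ROUTER_LAN = "192.168.1.0/24"


def classify(token):
    """Map one dash-separated token to its algorithm class (PRF before integrity,
    so 'prfsha512' is not mistaken for 'sha512')."""
    for cls, rx in (("prf", PRF_RE), ("dh", DH_RE), ("encr", ENCR_RE), ("integ", INTEG_RE)):
        if rx.match(token):
            return cls
    return "unknown"


def parse_proposals(spec):
    """Split an ike=/esp= value into proposals; returns (proposals, strict_flag)."""
    strict = spec.endswith("!")
    proposals = []
    for prop in spec.rstrip("!").split(","):
        if not prop.strip():
            continue
        classes = {"encr": [], "integ": [], "prf": [], "dh": [], "unknown": []}
        for token in prop.strip().split("-"):
            classes[classify(token)].append(token)
        proposals.append(classes)
    return proposals, strict


def expand(proposal):
    """Every concrete combination one proposal offers: the cartesian product over
    the classes that are present, so 'aes256-aes128-sha256-sha1-modp3072-modp2048'
    yields eight entries."""
    parts = [proposal[c] for c in ("encr", "integ", "prf", "dh") if proposal[c]]
    return ["-".join(combo) for combo in itertools.product(*parts)]


def audit_proposals(spec):
    """Return (all_combinations, findings); a finding is (combination, token, reason)."""
    proposals, _strict = parse_proposals(spec)
    combos, findings = [], []
    for prop in proposals:
        for combo in expand(prop):
            combos.append(combo)
            findings.extend((combo, t, WEAK[t]) for t in combo.split("-") if t in WEAK)
    return combos, findings


TS_RE = re.compile(r"TS\s+(\S+)\s+===\s+(\S+)")


def ts_to_networks(ts):
    """charon prints a traffic selector as CIDR or as an 'a..b' range, optionally
    followed by a [proto/port] suffix; normalise it to a list of networks."""
    ts = ts.split("[", 1)[0]
    if ".." in ts:
        lo, hi = (ipaddress.ip_address(x) for x in ts.split("..", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(ts, strict=False)]


def lan_covered_by_ts(log_line, lan_cidr):
    """True if the local traffic selector in a 'TS local === remote' line covers the
    whole LAN prefix; packets outside the selector never enter the tunnel."""
    m = TS_RE.search(log_line)
    if not m:
        raise ValueError("no traffic selector in line")
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return any(lan.subnet_of(net) for net in ts_to_networks(m.group(1)))


if __name__ == "__main__":
    for name, spec in (("ike", SERVER_IKE), ("esp", SERVER_ESP)):
        combos, findings = audit_proposals(spec)
        print(f"{name}: {len(set(combos))} distinct combinations, "
              f"{len({c for c, _, _ in findings})} contain a weak algorithm")
        for combo, token, reason in findings:
            print(f"  {combo}: {token} ({reason})")
    print("router LAN covered by local TS:", lan_covered_by_ts(ROUTER_TS_LINE, ROUTER_LAN))
```

On the posted log the local selector is 10.10.10.1/32, the virtual IP the server assigned, so nothing sourced from 192.168.1.0/24 matches the IPsec policy: hosts behind the router either need a selector that includes them or must be source-NATed to an address inside the local selector before the policy lookup. The proposal audit shows that the server still offers 3DES, SHA-1 and modp1024 in both `ike=` and `esp=` even though the selected proposals in the log are the modern ones; with only modern clients, trimming those entries removes the downgrade surface.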