OpenWrt uses the private IP address 192.168.43.25. Could you get a public IP address (IPv4 or IPv6) for the OpenWrt router? This is optional, but it allows a more stable configuration. Even a single dynamic address would be an improvement.
The tunnel is up, but no traffic has been flowing yet. The traffic selectors `192.168.221.33/32 === 192.168.222.0/24` and the gateway address do not match your network diagram. Please fix the diagram or the configuration. Below I will assume that the diagram is correct.
On OpenWrt:
- Change the traffic selectors and gateway address in ipsec.conf:

  ```
  leftsubnet=192.168.1.100/32
  right=70.1.23.45
  rightsubnet=10.10.10.0/24
  ```

  Adjust the subnet masks `/24` and `/32` as needed.
- Make sure that NAT is not applied to tunneled traffic. For a simple solution, add the following line to `/etc/firewall.user` (untested):

  ```
  iptables -t nat -A postrouting_wan_rule -m policy --dir out --pol ipsec --proto esp -j ACCEPT
  ```

  More featureful solutions could be imagined too, for example a separate VPN zone in the OpenWrt firewall.
- Update: Allow incoming IPsec-protected traffic to be forwarded:

  ```
  iptables -A forwarding_rule -m policy --dir in --pol ipsec --proto esp -j ACCEPT
  ```
On the VPN Server:
- Change the traffic selectors to match OpenWrt.
- Disable Diffie-Hellman group 1 (768 bit); it is insecure.
- Disable DES; it is insecure.
- Disable 3DES (optional).
In your diagram, User is labelled with 10.10.10.0. Is that an IP address or a subnet?
- In case of a subnet, it is missing the subnet mask.
- In case of an IP address: Don't assign the `.0` address to a host (assuming the subnet mask is `/24`).
Furthermore, there are IP addresses 192.168.222.0 and 192.168.100.100. What is their purpose?
The traffic selectors specify the IP addresses of the hosts that want to communicate across the tunnel. A VPN gateway does not need to have an IP address from the traffic selector range unless you want it to take part in the tunneled communication.
I don't use uci or LuCI to set up strongSwan, maybe someone else can answer this.
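As an added example (not part of this answer and not strongSwan's own tooling), a small Python check for the three mistakes discussed above: traffic selectors that do not mirror each other between the two peers, weak algorithms (DES, 3DES, DH group 1 / modp768) in the proposals, and a /32 host selector sitting on a `.0` network address. The ipsec.conf fragments are constructed samples, and one subnet per side is assumed.

```python
import re
import ipaddress

# Constructed ipsec.conf fragments for both peers (sample data, not the asker's real files).
OPENWRT_CONF = """conn site
    leftsubnet=192.168.1.100/32
    right=70.1.23.45
    rightsubnet=10.10.10.0/24
    ike=aes256-sha256-modp2048,3des-sha1-modp768!
    esp=aes256-sha256,des-sha1!
"""
SERVER_CONF = """conn site
    leftsubnet=10.10.10.0/24
    rightsubnet=192.168.222.0/24
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
"""
WEAK = {"des", "3des", "modp768"}  # DES and DH group 1 are broken; 3DES is merely deprecated

def parse_conn(text):
    """Map key=value lines of one conn section to a dict (single subnet per side assumed)."""
    return dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)\s*$", text, re.M))

def selectors_mirrored(a, b):
    """Each peer's leftsubnet must equal the other peer's rightsubnet, or no traffic matches."""
    net = ipaddress.ip_network
    return net(a["leftsubnet"]) == net(b["rightsubnet"]) and net(a["rightsubnet"]) == net(b["leftsubnet"])

def weak_algorithms(conf):
    """Weak algorithm names found in the ike= or esp= proposal lists."""
    found = set()
    for key in ("ike", "esp"):
        for proposal in conf.get(key, "").rstrip("!").split(","):
            found.update(alg for alg in proposal.split("-") if alg in WEAK)
    return sorted(found)

def hosts_at_network_address(conf):
    """/32 selectors ending in .0, i.e. the network address if the LAN is a /24 (usually a typo)."""
    hits = []
    for key in ("leftsubnet", "rightsubnet"):
        if key in conf:
            net = ipaddress.ip_network(conf[key], strict=False)
            if net.prefixlen == 32 and net.network_address.packed[-1] == 0:
                hits.append(str(net.network_address))
    return hits

def audit(conf_a, conf_b):
    """Run all three checks over the two peers' conn sections."""
    a, b = parse_conn(conf_a), parse_conn(conf_b)
    return {"mirrored": selectors_mirrored(a, b),
            "weak_a": weak_algorithms(a), "weak_b": weak_algorithms(b),
            "bad_hosts": hosts_at_network_address(a) + hosts_at_network_address(b)}
```

Running `audit(OPENWRT_CONF, SERVER_CONF)` on the samples reports the selector mismatch and the weak OpenWrt-side proposals, which is exactly the state the answer describes.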