Problem with IPsec strongSwan after upgrade from 19.07.8 to 21.02.1


I have two ACM32000 routers with an IPsec strongSwan tunnel between them. It worked well when I had version 19.07.8, but when I upgraded one router to 21.02.1 I did not get the tunnel up.

There were some small problems upgrading the router to 21.02.1, so I did a new installation, because it can always be good to clean the installation. I have done clean installations before and have previously managed to get the VPN tunnel up.

I get this message:

root@OpenWrt:/etc# ipsec status
Shunted Connections:
passthrough0: === PASS
Security Associations (1 up, 0 connecting):
     Test_71[1]: ESTABLISHED 2 hours ago,[][]

There were some changes in the configuration between version 19 and 21, and I had to change the following in /etc/config/networks:

OpenWrt version 19

config interface 'ipsec'
        option ifname 'ipsec0'
        option proto 'none'
        option defaultroute '0'
        option peerdns '0'
        option ipv6 '0'

OpenWrt version 21

config interface 'ipsec'
        option device 'ipsec0'
        option proto 'none'
        option defaultroute '0'
        option peerdns '0'
        option ipv6 '0'

Here is my config of the VPN zone in /etc/config/firewall, and I have the same config:

config zone
        option name             'vpn'
        list network            'ipsec'
        option input            'ACCEPT'
        option output           'ACCEPT'
        option forward          'ACCEPT'
        option masq             '1'
        option mtu_fix          '1'

config forwarding
        option src              'vpn'
        option dest             'lan'

config forwarding
        option src              'lan'
        option dest             'vpn'

I think I missed some small detail somewhere in the configuration but I can not find it.

Best Regards

I do also have problems with my ipsec tunnel. Connection is established, but no connection. Also went from 19.07 to 21.02.1.

One thing that might have changed is that "config forwarding" went to "config redirect".

Did you figure this out?
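
Added example, not part of either post above: the posted `ipsec status` output lists an IKE SA as ESTABLISHED with no CHILD_SA line under it, and the first post describes replacing `option ifname` with `option device`. The shell functions below check for both conditions. The function names, the second sample SA and its addresses are constructed for illustration, and the parser assumes `ipsec status` prints CHILD_SA lines under the IKE SA they belong to.

```shell
#!/bin/sh
# Added example (not from the thread): two post-upgrade checks.

# Reads `ipsec status` text on stdin. Prints every IKE SA that is ESTABLISHED
# but has no CHILD_SA line in state INSTALLED listed under it; returns 1 if any.
# Assumption: CHILD_SA lines follow the IKE SA they belong to.
ike_without_child() {
    awk '
        $1 ~ /\[[0-9]+\]:$/ && $2 == "ESTABLISHED" {
            cur = $1; sub(/:$/, "", cur)
            order[++n] = cur; has[cur] = 0
            next
        }
        $1 ~ /[{][0-9]+[}]:$/ && $2 ~ /^INSTALLED/ && cur != "" { has[cur] = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (!has[order[i]]) { print order[i]; bad = 1 }
            exit bad + 0
        }'
}

# Reads /etc/config/network text on stdin. Prints the name of each interface
# section that still uses "option ifname" instead of "option device".
ifname_sections() {
    awk '
        $1 == "config" { sec = ($2 == "interface") ? $3 : "" }
        sec != "" && $1 == "option" && $2 == "ifname" {
            gsub(/[^A-Za-z0-9_]/, "", sec); print sec
        }'
}

# Constructed sample: the first SA is the line posted in the thread, the second
# is a made-up healthy tunnel (documentation addresses) for contrast.
SAMPLE_STATUS='Security Associations (2 up, 0 connecting):
     Test_71[1]: ESTABLISHED 2 hours ago,[][]
     Test_72[2]: ESTABLISHED 5 minutes ago, 192.0.2.1[192.0.2.1]...198.51.100.1[198.51.100.1]
     Test_72{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000001_i c0000002_o
     Test_72{1}:   10.0.1.0/24 === 10.0.2.0/24'

printf '%s\n' "$SAMPLE_STATUS" | ike_without_child ||
    echo "^ IKE SA is up but no CHILD_SA is installed" >&2
```

On a router the same functions can be fed live data, for example `ipsec status | ike_without_child` and `ifname_sections < /etc/config/network`.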