I am building a custom OpenWrt image (v22.03.3) for MT7621. I want to establish a strongSwan tunnel between two such devices running the same image.
Everything was working fine (ipsec statusall showed packet increase) when using the strongswan-mod-kernel-libipsec package.
Now, I want to do the same but using strongswan-mod-kernel-netlink, i.e. I want the encryption/decryption to be performed by the kernel. In this case, ipsec statusall on both gateways shows an established Child SA as follows:
Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.10.161, mips):
uptime: 78 seconds, since Feb 02 21:25:43 2023
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem openssl af-alg fips-prf gmp xcbc hmac ctr curl attr kernel-netlink resolve socket-default socket-dynamic connmark stroke vici updown xauth-generic
Listening IP addresses:
10.10.10.3
192.168.2.1
fd4e:e10b:b65c::1
Connections:
abctun: 10.10.10.3...10.10.10.1 IKEv2
abctun: local: [10.10.10.3] uses pre-shared key authentication
abctun: remote: [10.10.10.1] uses pre-shared key authentication
abctun: child: 192.168.2.0/24 === 192.168.3.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
abctun[1]: ESTABLISHED 69 seconds ago, 10.10.10.3[10.10.10.3]...10.10.10.1[10.10.10.1]
abctun[1]: IKEv2 SPIs: 5a5e2353ec723319_i* a95d22351d78739a_r, pre-shared key reauthentication in 2 hours
abctun[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
abctun{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cfa27fe1_i c3f793c2_o
abctun{1}: AES_CTR_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
abctun{1}: 192.168.2.0/24 === 192.168.3.0/24
root@OpenWrt:~#
Here's my network interconnection:
In this setup, when I ping from either Ubuntu machine to the other one, I get responses back, but these are being sent as plain traffic, and the packet count in ipsec statusall remains 0 on both devices.
ipsec.conf file on the left 7621 device:
config setup
    charondebug=all
conn %default
conn abctun
    left = 10.10.10.1
    leftsubnet = 192.168.3.0/24
    rightsubnet = 192.168.2.0/24
    authby = secret
    type = tunnel
    keyexchange = ikev2
    right = 10.10.10.3
    ike = sha256-modp4096-aes128
    auto = start
    esp = sha256-modp4096-aes128ctr!
    installpolicy = yes
ipsec.conf file on the right 7621 device:
config setup
    charondebug=all
conn %default
conn abctun
    left = 10.10.10.3
    leftsubnet = 192.168.2.0/24
    right = 10.10.10.1
    rightsubnet = 192.168.3.0/24
    authby = secret
    type = tunnel
    keyexchange = ikev2
    ike = sha256-modp4096-aes128
    auto = start
    esp = sha256-modp4096-aes128ctr!
    installpolicy = yes
I have also tried sending files using scp, and speed testing using iperf3 on both end devices (the Ubuntu machines). Packets are getting transmitted as plain traffic in that case too!
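With kernel-netlink, charon only asks the kernel to install the SAs and policies, so "INSTALLED" in ipsec statusall should be checked against what the kernel's XFRM tables actually hold. The script below is an added diagnostic, not part of the original post; it assumes busybox sh/awk/grep as shipped on OpenWrt and an `ip` binary (ip-full or ip-tiny) that supports `ip xfrm state` and `ip xfrm policy`, and it uses the SPIs and subnets from the right-hand gateway's statusall output above.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Verifies that the ESP SAs and
# tunnel policies charon reports are really present in the kernel XFRM tables.
# Assumes busybox sh/awk/grep and `ip` with xfrm support, as on OpenWrt.

# has_sa STATE_TEXT SPI -> 0 if `ip xfrm state` lists an ESP SA with that SPI
has_sa() {
    printf '%s\n' "$1" | grep -qiE "proto esp spi 0x$2( |$)"
}

# has_policy POLICY_TEXT SRCNET DSTNET DIR -> 0 if `ip xfrm policy` shows the
# selector "src SRCNET dst DSTNET" followed by a "dir DIR" line (in/out)
has_policy() {
    printf '%s\n' "$1" | awk -v s="$2" -v d="$3" -v dir="$4" '
        $1 == "src" && $2 == s && $3 == "dst" && $4 == d { want = 1; next }
        want && $1 == "dir" && $2 == dir { found = 1 }
        { want = 0 }
        END { exit found ? 0 : 1 }'
}

# check_xfrm STATE POLICY SPI_IN SPI_OUT LOCALNET REMOTENET
# Prints each missing kernel object; returns 1 if anything is missing.
check_xfrm() {
    rc=0
    has_sa "$1" "$3" || { echo "no inbound ESP SA with SPI 0x$3"; rc=1; }
    has_sa "$1" "$4" || { echo "no outbound ESP SA with SPI 0x$4"; rc=1; }
    has_policy "$2" "$5" "$6" out || { echo "no 'out' policy $5 -> $6"; rc=1; }
    has_policy "$2" "$6" "$5" in  || { echo "no 'in' policy $6 -> $5"; rc=1; }
    return $rc
}

# Live run on the right-hand gateway with the values from its statusall output;
# skipped when `ip xfrm` is not available on this host.
if ip xfrm state >/dev/null 2>&1; then
    check_xfrm "$(ip xfrm state)" "$(ip xfrm policy)" cfa27fe1 c3f793c2 \
        192.168.2.0/24 192.168.3.0/24 && echo "kernel SAs and policies present"
fi
```

If an SA is missing while charon says INSTALLED, the charondebug=all log (the knl subsystem) will show the netlink error the kernel returned, typically an unsupported algorithm or a missing kernel module.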