Strongswan IPSEC tunnel UP , but can not ping from node to node

I'm trying to build ipsec tunnel with strongswan in openwrt 19.07.3 in lab.

here are the information
node A
wanIP: 192.168.11.40/24
WANGW: 192.168.11.253
LANIP: 192.168.14.254/24

node B
wanIP: 192.168.11.50/24
WANGW: 192.168.11.253
LANIP: 192.168.15.254/24

node A config files

/etc/ipsec.conf

config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    uniqueids=never

conn 14-15
        authby=secret
        left=192.168.11.40
        leftsubnet=192.168.14.0/255.255.255.0
#       leftnexthop=192.168.11.253  #deprecated keyword
        right=192.168.11.50
        rightsubnet=192.168.15.0/255.255.255.0
#       rightnexthop=192.168.11.253  #deprecated keyword
        auto=start

/etc/ipsec.secrets

192.168.11.40 192.168.11.50 : PSK "whateverpasswordyouwant"

/etc/firewall.user

### IPSec VPN
# allow IPSEC
iptables -A input_rule -p esp -j ACCEPT
iptables -I POSTROUTING 1 -s 192.168.14.0/24 -j MASQUERADE -t nat
# allow ISAKMP
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT

node B config files
/etc/ipsec.conf

config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    uniqueids=never

conn 14-15
        authby=secret
        left=192.168.11.50
        leftsubnet=192.168.15.0/255.255.255.0 
#        leftnexthop=192.168.11.253 #deprecated keyword
        right=192.168.11.40
        rightsubnet=192.168.15.0/255.255.255.0
#        rightnexthop=192.168.11.253  #deprecated keyword
        auto=start

/etc/ipsec.secrets

192.168.11.50 192.168.11.40 : PSK "whateverpasswordyouwant"

/etc/firewall.user

### IPSec VPN
# allow IPSEC
iptables -A input_rule -p esp -j ACCEPT
iptables -I POSTROUTING 1 -s 192.168.15.0/24 -j MASQUERADE -t nat
# allow ISAKMP
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT

now , the tunnel is up
node A ipsec status

Security Associations (1 up, 0 connecting):
       14-15[1]: ESTABLISHED 4 minutes ago, 192.168.11.40[192.168.11.40]...192.168.11.50[192.168.11.50]

ipsec statusall

Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.14.180, mips):
  uptime: 5 minutes, since Jul 09 16:22:34 2020
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default connmark stroke updown xauth-generic
Listening IP addresses:
  192.168.14.254
  192.168.11.40
Connections:
       14-15:  192.168.11.40...192.168.11.50  IKEv1/2
       14-15:   local:  [192.168.11.40] uses pre-shared key authentication
       14-15:   remote: [192.168.11.50] uses pre-shared key authentication
       14-15:   child:  192.168.14.0/32 === 192.168.15.0/32 TUNNEL
Security Associations (1 up, 0 connecting):
       14-15[1]: ESTABLISHED 5 minutes ago, 192.168.11.40[192.168.11.40]...192.168.11.50[192.168.11.50]
       14-15[1]: IKEv2 SPIs: a2909fe5c4e80a81_i* 4a87d965367a165a_r, pre-shared key reauthentication in 2 hours
       14-15[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/MODP_3072

node B ipsec status

Security Associations (1 up, 0 connecting):
       14-15[2]: ESTABLISHED 5 minutes ago, 192.168.11.50[192.168.11.50]...192.168.11.40[192.168.11.40]

ipsec statusall

Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.14.180, mips):
  uptime: 7 minutes, since Jul 09 16:20:58 2020
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default connmark stroke updown xauth-generic
Listening IP addresses:
  192.168.15.254
  192.168.11.50
Connections:
       14-15:  192.168.11.50...192.168.11.40  IKEv1/2
       14-15:   local:  [192.168.11.50] uses pre-shared key authentication
       14-15:   remote: [192.168.11.40] uses pre-shared key authentication
       14-15:   child:  192.168.15.0/32 === 192.168.15.0/32 TUNNEL
Security Associations (1 up, 0 connecting):
       14-15[2]: ESTABLISHED 5 minutes ago, 192.168.11.50[192.168.11.50]...192.168.11.40[192.168.11.40]
       14-15[2]: IKEv2 SPIs: a2909fe5c4e80a81_i 4a87d965367a165a_r*, pre-shared key reauthentication in 2 hours
       14-15[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/MODP_3072

now the problem is , I can not ping from router to router , or pc to pc

I think it might related to firewall policy , but I have no idea how to change rules.
any suggestions will be appreciated , thanks !!!!

rightsubnet should be 192.168.14.0/255.255.255.0 on node B.

Only the IKE SA is established, the CHILD SA failed.

ok , I update the rightsubnet to 192.168.14.0/255.255.255.0 on node B

now the ipsec status shows

Security Associations (1 up, 0 connecting):
       14-15[1]: ESTABLISHED 111 seconds ago, 192.168.11.50[192.168.11.50]...192.168.11.40[192.168.11.40]
       14-15{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c61388f4_i c4fd903a_o
       14-15{1}:   192.168.15.0/32 === 192.168.14.0/32

and ipsec statusall

Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.14.180, mips):
  uptime: 22 seconds, since Jul 09 22:05:37 2020
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default connmark stroke updown xauth-generic
Listening IP addresses:
  192.168.15.254
  192.168.11.50
Connections:
       14-15:  192.168.11.50...192.168.11.40  IKEv1/2
       14-15:   local:  [192.168.11.50] uses pre-shared key authentication
       14-15:   remote: [192.168.11.40] uses pre-shared key authentication
       14-15:   child:  192.168.15.0/32 === 192.168.14.0/32 TUNNEL
Security Associations (1 up, 0 connecting):
       14-15[1]: ESTABLISHED 17 seconds ago, 192.168.11.50[192.168.11.50]...192.168.11.40[192.168.11.40]
       14-15[1]: IKEv2 SPIs: f7051d038cf77337_i* 15f73c850b7fa059_r, pre-shared key reauthentication in 2 hours
       14-15[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/MODP_3072
       14-15{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c61388f4_i c4fd903a_o
       14-15{1}:  AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
       14-15{1}:   192.168.15.0/32 === 192.168.14.0/32

but I'm still not be able to ping to remote router or remote LAN .

The tunnel is now established, but the subnet masks are still wrong, they should both be /24.

Try replacing /255.255.255.0 with /24 in ipsec.conf on both peers.

node B
ipsec status

Security Associations (1 up, 0 connecting):
       14-15[1]: ESTABLISHED 25 seconds ago, 192.168.11.50[192.168.11.50]...192.168.11.40[192.168.11.40]
       14-15{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c129f9e7_i cc183ba4_o
       14-15{1}:   192.168.15.0/24 === 192.168.14.0/24

ipsec statusalll

Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.14.180, mips):
  uptime: 61 seconds, since Jul 10 07:06:40 2020
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default connmark stroke updown xauth-generic
Listening IP addresses:
  192.168.15.254
  192.168.11.50
Connections:
       14-15:  192.168.11.50...192.168.11.40  IKEv1/2
       14-15:   local:  [192.168.11.50] uses pre-shared key authentication
       14-15:   remote: [192.168.11.40] uses pre-shared key authentication
       14-15:   child:  192.168.15.0/24 === 192.168.14.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
       14-15[1]: ESTABLISHED 55 seconds ago, 192.168.11.50[192.168.11.50]...192.168.11.40[192.168.11.40]
       14-15[1]: IKEv2 SPIs: eab6b5d9cc80fc5a_i* 93a95520d883d56e_r, pre-shared key reauthentication in 2 hours
       14-15[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/MODP_3072
       14-15{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c129f9e7_i cc183ba4_o
       14-15{1}:  AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
       14-15{1}:   192.168.15.0/24 === 192.168.14.0/24

routing table

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.11.253  0.0.0.0         UG    0      0        0 eth0.2
192.168.11.0    *               255.255.255.0   U     0      0        0 eth0.2
192.168.15.0    *               255.255.255.0   U     0      0        0 br-lan

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether f0:9f:c2:08:5f:e2 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f29f:c2ff:fe08:5fe2/64 scope link 
       valid_lft forever preferred_lft forever
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f0:9f:c2:08:5f:e2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.15.254/24 brd 192.168.15.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fe80::f29f:c2ff:fe08:5fe2/64 scope link 
       valid_lft forever preferred_lft forever
7: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether f0:9f:c2:08:5f:e2 brd ff:ff:ff:ff:ff:ff
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f0:9f:c2:08:5f:e2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.11.50/24 brd 192.168.11.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 fe80::f29f:c2ff:fe08:5fe2/64 scope link 
       valid_lft forever preferred_lft forever
10: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1000
    link/tunnel6 :: brd ::
11: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
12: ip6_vti0@NONE: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/tunnel6 :: brd ::

subnet mask is ok now , but still the same problem .

is there shoulld be an interface named ipsec after tunnel up ?
or I misconfig something ?

mtr from node B to remote lan

                                                    My traceroute  [v0.93]
OpenWrt-15 (192.168.15.254)                                                                              2020-07-10T07:10:14+0800
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                                                                         Packets               Pings
 Host                                                                                  Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 192.168.11.40                                                                      83.3%    13    0.6   0.7   0.6   0.7   0.0
 2. 192.168.11.40                                                                      83.3%    13    0.6   0.6   0.6   0.6   0.0
 3. 192.168.11.40                                                                      83.3%    13    0.6   0.6   0.6   0.7   0.1
 4. 192.168.11.40                                                                      91.7%    13    0.7   0.7   0.7   0.7   0.0
 5. 192.168.11.40                                                                      91.7%    13    0.5   0.5   0.5   0.5   0.0
 6. 192.168.11.40                                                                      75.0%    13    0.6   0.6   0.6   0.6   0.0
 7. (waiting for reply)
 8. (waiting for reply)
 9. (waiting for reply)
10. (waiting for reply)
11. 192.168.11.40                                                                      76.9%    13    0.6   0.6   0.6   0.6   0.0
12. (waiting for reply)
13. (waiting for reply)
14. (waiting for reply)
15. 192.168.11.40                                                                      90.9%    12    0.6   0.6   0.6   0.6   0.0
16. 192.168.11.40                                                                      81.8%    12    0.5   0.6   0.5   0.6   0.1
17. (waiting for reply)
18. 192.168.11.40                                                                      91.7%    12    0.6   0.6   0.6   0.6   0.0
19. (waiting for reply)
20. 192.168.11.40                                                                      90.9%    12    0.6   0.6   0.6   0.6   0.0
21. 192.168.11.40                                                                      87.5%     9    0.6   0.6   0.6   0.6   0.0
22. (waiting for reply)
23. 192.168.11.40                                                                      85.7%     8    0.6   0.6   0.6   0.6   0.0
24. (waiting for reply)

and tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.1, link-type EN10MB (Ethernet), capture size 262144 bytes
10:49:06.919556 IP 192.168.15.70 > 192.168.14.70: ICMP echo request, id 8, seq 22043, length 64
10:49:06.920087 IP 192.168.11.40 > 192.168.15.70: ICMP 192.168.14.70 protocol 1 port 57297 unreachable, length 92
10:49:07.920865 IP 192.168.15.70 > 192.168.14.70: ICMP echo request, id 8, seq 22044, length 64
10:49:07.921384 IP 192.168.11.40 > 192.168.15.70: ICMP 192.168.14.70 protocol 1 port 52683 unreachable, length 92
10:49:08.922008 IP 192.168.15.70 > 192.168.14.70: ICMP echo request, id 8, seq 22045, length 64
10:49:08.922540 IP 192.168.11.40 > 192.168.15.70: ICMP 192.168.14.70 protocol 1 port 10438 unreachable, length 92
10:49:09.923228 IP 192.168.15.70 > 192.168.14.70: ICMP echo request, id 8, seq 22046, length 64
10:49:09.923740 IP 192.168.11.40 > 192.168.15.70: ICMP 192.168.14.70 protocol 1 port 38080 unreachable, length 92
10:49:10.924442 IP 192.168.15.70 > 192.168.14.70: ICMP echo request, id 8, seq 22047, length 64
10:49:10.924939 IP 192.168.11.40 > 192.168.15.70: ICMP 192.168.14.70 protocol 1 port 45754 unreachable, length 92
10:49:11.925554 IP 192.168.15.70 > 192.168.14.70: ICMP echo request, id 8, seq 22048, length 64
10:49:11.926061 IP 192.168.11.40 > 192.168.15.70: ICMP 192.168.14.70 protocol 1 port 19637 unreachable, length 92

update

when I disable firewall for temporary on both node , then I can ping from lan to lan .

so it should related to firewall settings . but the question is I have no idea how to check ?

those firewall rules were all come from openwrt offical document.,

with this latest firewall config , I can ping from router to router , but not LAN to LAN

root@OpenWrt-15:~# cat /etc/config/firewall 
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'


config rule                                    
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option dest_port '22'
        option src 'wan'
        option name 'port_forward from 2213 to 22 for ssh admin'
        option src_dport '2213'
        option target 'DNAT'
        option dest_ip '192.168.15.254' #192.168.15.254' #LAN_IP
        option dest 'lan'
        list proto 'tcp'

config redirect
        option dest_port '80'
        option src 'wan'
        option name 'port_forward from 25480 to 80 for web admin'
        option src_dport '25480'
        option target 'DNAT'
        option dest_ip '192.168.15.254'   #192.168.15.254' #LAN_IP
        option dest 'lan'
        list proto 'tcp'

config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '12000'
        option name 'Allow-Wireguard-Inbound'
        
config rule
        option src '*'
	    option target 'ACCEPT'
	    option dest_port '7946'
	    option name 'wesher'
	    list proto 'tcp'
        list proto 'udp'

config rule
        option src '*'
	    option target 'ACCEPT'
	    option dest_port '5201'
	    option name 'iperf3'
	    list proto 'tcp'
	    list proto 'udp'

/etc/firewall.user wre both empty

If you want to see the route for IPsec traffic:

ip route list table 220

However, since ping works now, I believe the routes are OK.

No, this IPsec configuration does not create a new network interface.

Try this:

1 Like

that post did not work for my scenario.

I find a rule like this will make lan to lan works
BUT I think it's an insecure rule .

any suggestions to make it safe?

config rule
       option dest 'lan'
       option target 'ACCEPT'
       list proto 'all'
       option name 'for_vpn_LAN_to_LAN'
       #option src '*'
       option src 'wan'

What happened when you tried it?

Please show us the configuration you tried (after redacting any secrets):

  • /etc/ipsec.conf
  • /etc/config/network
  • /etc/config/firewall

and any other changes which might be relevant.

/etc/ipsec.conf

config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    uniqueids=never

conn 14-15
        authby=secret
        left=192.168.11.50
        leftsubnet=192.168.15.0/24
        right=192.168.11.40
        rightsubnet=192.168.14.0/24
        auto=start

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.15.254'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'static'
	option broadcast '192.168.11.255'
	option gateway '192.168.11.253'
	option delegate '0'
	list dns '192.168.11.2'
	list dns '168.95.1.1'
	list dns '8.8.8.8'
	option netmask '255.255.255.0'
	option ipaddr '192.168.11.50'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0'
	option extra_src   '-m policy --dir in --pol none'
	option extra_dest  '-m policy --dir out --pol none'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'
	option extra_src   '-m policy --dir in --pol none'
	option extra_dest  '-m policy --dir out --pol none'

config zone
  option name        vpn
  option input       ACCEPT
  option output      ACCEPT
  option forward     ACCEPT
  option subnet      192.168.10.0/24
  option extra_src   '-m policy --dir in --pol ipsec --proto esp'
  option extra_dest  '-m policy --dir out --pol ipsec --proto esp'
  option mtu_fix     1

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config redirect
	option dest_port '22'
	option src 'wan'
	option name 'port_forward from 2213 to 22 for ssh admin'
	option src_dport '2213'
	option target 'DNAT'
	option dest_ip '192.168.15.254'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option dest_port '80'
	option src 'wan'
	option name 'port_forward from 25480 to 80 for web admin'
	option src_dport '25480'
	option target 'DNAT'
	option dest_ip '192.168.15.254'
	option dest 'lan'
	list proto 'tcp'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '12000'
	option name 'Allow-Wireguard-Inbound'

config rule
	option src '*'
	option target 'ACCEPT'
	option dest_port '7946'
	option name 'wesher'
	list proto 'tcp'
	list proto 'udp'

config rule
	option src '*'
	option target 'ACCEPT'
	option dest_port '5201'
	option name 'iperf3'
	list proto 'tcp'
	list proto 'udp'

####################
#### IPSEC VPN #####
####################

config rule
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option proto 'ah'
	option target 'ACCEPT'

config rule
	option name 'Allow-IKE-input'
	option src 'wan'
	option proto 'udp'
	option dest_port '500 4500'
	option target 'ACCEPT'

ping from LAN to LAN returns nothing , no success no failure messages

tcpdump
(192.168.14.70 is coming from node A , and these ping request comes from 192.168.14.70 to 192.168.15.70 )

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
18:02:54.120248 IP 192.168.15.70 > 192.168.14.70: ICMP echo request, id 23, seq 11561, length 64
18:02:55.144189 IP 192.168.15.70 > 192.168.14.70: ICMP echo request, id 23, seq 11562, length 64
18:02:56.168195 IP 192.168.15.70 > 192.168.14.70: ICMP echo request, id 23, seq 11563, length 64
18:02:57.192226 IP 192.168.15.70 > 192.168.14.70: ICMP echo request, id 23, seq 11564, length 64
18:02:58.216145 IP 192.168.15.70 > 192.168.14.70: ICMP echo request, id 23, seq 11565, length 64
18:02:59.240172 IP 192.168.15.70 > 192.168.14.70: ICMP echo request, id 23, seq 11566, length 64

Option subnet for the VPN firewall zone must be equal to rightsubnet from ipsec.conf.

  • node A: 192.168.15.0/24
  • node B : 192.168.14.0/24

UPDATE: You should also add forwarding rules for the VPN zone as required.

I update the subnet option to correct one
but 192.168.15.70 can not ping to 192.168.14.70
returns destination port unreachable.

would you please give me a example rules ?

On both node A and node B:

config forwarding
	option src		lan
	option dest		vpn

config forwarding
	option src		vpn
	option dest		lan

thanks ! it finally works !
but I'm wondering , is there any official latest document about these configurations ? (especially the firewall rule ? )

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.