I'm trying to build an IPsec tunnel with strongSwan on OpenWrt 19.07.3 in a lab.
Here is the information:
Node A
WAN IP: 192.168.11.40/24
WAN GW: 192.168.11.253
LAN IP: 192.168.14.254/24
Node B
WAN IP: 192.168.11.50/24
WAN GW: 192.168.11.253
LAN IP: 192.168.15.254/24
Node A config files
/etc/ipsec.conf
config setup
# strictcrlpolicy=yes
# uniqueids = no
uniqueids=never
conn 14-15
authby=secret
left=192.168.11.40
leftsubnet=192.168.14.0/255.255.255.0
# leftnexthop=192.168.11.253 #deprecated keyword
right=192.168.11.50
rightsubnet=192.168.15.0/255.255.255.0
# rightnexthop=192.168.11.253 #deprecated keyword
auto=start
/etc/ipsec.secrets
192.168.11.40 192.168.11.50 : PSK "whateverpasswordyouwant"
/etc/firewall.user
### IPSec VPN
# allow IPSEC
iptables -A input_rule -p esp -j ACCEPT
iptables -I POSTROUTING 1 -s 192.168.14.0/24 -j MASQUERADE -t nat
# allow ISAKMP
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT
Node B config files
/etc/ipsec.conf
config setup
# strictcrlpolicy=yes
# uniqueids = no
uniqueids=never
conn 14-15
authby=secret
left=192.168.11.50
leftsubnet=192.168.15.0/255.255.255.0
# leftnexthop=192.168.11.253 #deprecated keyword
right=192.168.11.40
rightsubnet=192.168.15.0/255.255.255.0
# rightnexthop=192.168.11.253 #deprecated keyword
auto=start
/etc/ipsec.secrets
192.168.11.50 192.168.11.40 : PSK "whateverpasswordyouwant"
/etc/firewall.user
### IPSec VPN
# allow IPSEC
iptables -A input_rule -p esp -j ACCEPT
iptables -I POSTROUTING 1 -s 192.168.15.0/24 -j MASQUERADE -t nat
# allow ISAKMP
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT
Now the tunnel is up.
Node A, ipsec status
Security Associations (1 up, 0 connecting):
14-15[1]: ESTABLISHED 4 minutes ago, 192.168.11.40[192.168.11.40]...192.168.11.50[192.168.11.50]
ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.14.180, mips):
uptime: 5 minutes, since Jul 09 16:22:34 2020
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default connmark stroke updown xauth-generic
Listening IP addresses:
192.168.14.254
192.168.11.40
Connections:
14-15: 192.168.11.40...192.168.11.50 IKEv1/2
14-15: local: [192.168.11.40] uses pre-shared key authentication
14-15: remote: [192.168.11.50] uses pre-shared key authentication
14-15: child: 192.168.14.0/32 === 192.168.15.0/32 TUNNEL
Security Associations (1 up, 0 connecting):
14-15[1]: ESTABLISHED 5 minutes ago, 192.168.11.40[192.168.11.40]...192.168.11.50[192.168.11.50]
14-15[1]: IKEv2 SPIs: a2909fe5c4e80a81_i* 4a87d965367a165a_r, pre-shared key reauthentication in 2 hours
14-15[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/MODP_3072
Node B, ipsec status
Security Associations (1 up, 0 connecting):
14-15[2]: ESTABLISHED 5 minutes ago, 192.168.11.50[192.168.11.50]...192.168.11.40[192.168.11.40]
ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.14.180, mips):
uptime: 7 minutes, since Jul 09 16:20:58 2020
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default connmark stroke updown xauth-generic
Listening IP addresses:
192.168.15.254
192.168.11.50
Connections:
14-15: 192.168.11.50...192.168.11.40 IKEv1/2
14-15: local: [192.168.11.50] uses pre-shared key authentication
14-15: remote: [192.168.11.40] uses pre-shared key authentication
14-15: child: 192.168.15.0/32 === 192.168.15.0/32 TUNNEL
Security Associations (1 up, 0 connecting):
14-15[2]: ESTABLISHED 5 minutes ago, 192.168.11.50[192.168.11.50]...192.168.11.40[192.168.11.40]
14-15[2]: IKEv2 SPIs: a2909fe5c4e80a81_i 4a87d965367a165a_r*, pre-shared key reauthentication in 2 hours
14-15[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/MODP_3072
Now the problem is, I cannot ping from router to router, or from PC to PC.
I think it might be related to the firewall policy, but I have no idea how to change the rules.
Any suggestions would be appreciated, thanks!
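Added example, not part of the original post. Two details in the posted status output point at the ipsec.conf files rather than the firewall. First, both nodes report the child selectors as /32 (`192.168.14.0/32 === 192.168.15.0/32`): strongSwan reads the text after the slash in leftsubnet/rightsubnet as an integer prefix length, so `/255.255.255.0` is taken as /255 and clamped to /32. Second, node B's rightsubnet is `192.168.15.0/...`, a copy of its own leftsubnet, so the two sides' traffic selectors cannot intersect; that is why neither `ipsec statusall` lists an `INSTALLED` CHILD_SA, only the IKE SA is `ESTABLISHED`. The script below renders a corrected /etc/ipsec.conf and /etc/firewall.user for either node, refuses those two mistakes, and adds the policy-match rules that keep tunnel traffic out of the wan-zone MASQUERADE and let decapsulated packets cross the wan-to-lan zone boundary. The script name `render.sh`, the A/B arguments and the `keyexchange=ikev2` pin are assumptions of this example, not from the post.

```shell
#!/bin/sh
# Added example (not from the original post): render a corrected ipsec.conf and
# firewall.user for one node of the 14-15 tunnel and refuse the two mistakes the
# posted configs contain.  Usage (file name is an assumption):  sh render.sh A|B

# strongSwan 5.x takes the text after '/' in left/rightsubnet as an integer prefix
# length: "192.168.14.0/255.255.255.0" becomes /255, which charon clamps to /32,
# the "192.168.14.0/32 === 192.168.15.0/32" selector shown in the post.
# Accept only a.b.c.d/N with 0 <= N <= 32.
check_cidr() {
    case "$1" in
        */*) cidr_prefix="${1##*/}" ;;
        *)   return 1 ;;
    esac
    case "$cidr_prefix" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric, e.g. "255.255.255.0"
    esac
    [ "$cidr_prefix" -le 32 ]
}

# $1 local WAN IP, $2 local LAN subnet, $3 remote WAN IP, $4 remote LAN subnet.
# Also refuses a remote subnet equal to the local one (node B's rightsubnet in the
# post is a copy of its leftsubnet, so no CHILD_SA can be negotiated).
render_ipsec_conf() {
    check_cidr "$2" || { echo "leftsubnet must be CIDR: $2" >&2; return 1; }
    check_cidr "$4" || { echo "rightsubnet must be CIDR: $4" >&2; return 1; }
    [ "$2" != "$4" ] || { echo "leftsubnet and rightsubnet are identical" >&2; return 1; }
    cat <<EOF
config setup
    uniqueids=never

conn 14-15
    # added in this example: pin IKEv2 instead of relying on the IKEv1/2 default
    keyexchange=ikev2
    authby=secret
    left=$1
    leftsubnet=$2
    right=$3
    rightsubnet=$4
    auto=start
EOF
}

# Firewall rules for OpenWrt's fw3 user chains.  Selection is done by the
# kernel's IPsec policy match, so the same block works on both nodes.
render_firewall_user() {
    cat <<'EOF'
### IPsec VPN
# IKE (UDP 500), NAT-T (UDP 4500) and ESP addressed to the router itself
iptables -A input_rule -p udp --dport 500  -j ACCEPT
iptables -A input_rule -p udp --dport 4500 -j ACCEPT
iptables -A input_rule -p esp -j ACCEPT
# Decapsulated tunnel traffic arrives on wan and is forwarded to lan; the
# wan->lan zone forward is rejected by default, so accept it by IPsec policy
iptables -I forwarding_rule -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
iptables -I forwarding_rule -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# Never NAT traffic that an IPsec policy is about to encapsulate: the wan-zone
# MASQUERADE (and the one added in the post) runs in nat POSTROUTING before ESP
# encapsulation and would rewrite the inner source address to the WAN IP
iptables -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT
EOF
}

# $1 local WAN, $2 local subnet, $3 remote WAN, $4 remote subnet
render_node() {
    echo "# ---- /etc/ipsec.conf ----"
    render_ipsec_conf "$@" || return 1
    echo
    echo "# ---- /etc/firewall.user ----"
    render_firewall_user
}

# Addresses from the post.  Without an argument nothing is printed, so the file
# can also be sourced for its functions.
case "${1:-}" in
    A) render_node 192.168.11.40 192.168.14.0/24 192.168.11.50 192.168.15.0/24 ;;
    B) render_node 192.168.11.50 192.168.15.0/24 192.168.11.40 192.168.14.0/24 ;;
esac
```

Apply the rendered files on each router, then `/etc/init.d/firewall restart` and `/etc/init.d/ipsec restart`; `ipsec statusall` should now list a CHILD_SA as `INSTALLED, TUNNEL` with `192.168.14.0/24 === 192.168.15.0/24`, and `ip xfrm policy` shows the same /24 selectors. Router-to-router pings need a source address inside the selectors, e.g. `ping -I 192.168.14.254 192.168.15.254` from node A, because a plain ping leaves from the WAN address and never matches the policy. The ipsec.secrets lines in the post are already correct.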