Unable to tunnel LAN traffic over an IPsec tunnel using strongSwan on an OpenWrt router running on a Raspberry Pi 3B+

I have configured OpenWrt on a Raspberry Pi 3B+ using a snapshot version of OpenWrt. I eliminated all the chains from iptables and flushed the iptables rules. There is only one rule in the POSTROUTING chain, to masquerade. I am able to use the Internet on LAN devices (LAN on the Wi-Fi network, WAN on Ethernet). Then I installed strongSwan (on OpenWrt and on CentOS 7) and was able to establish an IPsec tunnel (site-to-site VPN). While connected to the Raspberry Pi 3B+ over HDMI, all my traffic is tunneled to the VPN server, meaning the Internet is working fine (getting a response from curl and ping). Now once I connect a device to the Wi-Fi network there is no Internet.

Here is my OpenWrt router configuration: ipsec.conf

conn conn-p
	#strictcrlpolicy=no
	authby=secret
	keyexchange=ikev1
	left=%defaultroute
	leftsubnet=0.0.0.0/0
	leftfirewall=yes
	right=95.216.212.162
	rightsubnet=0.0.0.0/0
	rightid=
	#ike=aes256-sha2_256-modp1024!
	#esp=aes256-sha2_256!
	keyingtries=0
	ikelifetime=1h
	lifetime=8h
	dpddelay=30
	dpdtimeout=120
	dpdaction=restart
	auto=add
	rightdns=10.10.1.1
	#mark=42

strongswan.conf

charon {
        install_routes=yes
        install_virtual_ip=yes
}

ifconfig before tunnel

eth0      Link encap:Ethernet  HWaddr B8:27:EB:B0:52:8E  
          inet addr:192.168.0.26  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::ba27:ebff:feb0:528e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:293 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:37560 (36.6 KiB)  TX bytes:2612 (2.5 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:20 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4124 (4.0 KiB)  TX bytes:4124 (4.0 KiB)

wlan0     Link encap:Ethernet  HWaddr B8:27:EB:E5:07:DB  
          inet addr:10.10.4.1  Bcast:10.10.4.255  Mask:255.255.255.0
          inet6 addr: fe80::ba27:ebff:fee5:7db/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:1614 (1.5 KiB)

Creating a VTI tunnel

ip tunnel add ipsec0 local 10.10.0.14 remote 95.216.212.162 mode vti key 42
sysctl -w net.ipv4.conf.ipsec0.disable_policy=1
ip link set ipsec0 up
ip route add 10.0.0.0/8 dev ipsec0
ifconfig ipsec0 10.10.0.14 netmask 255.255.255.0 broadcast 10.10.0.255


Connecting the IPsec tunnel

ipsec statusall on OpenWrt

Status of IKE charon daemon (strongSwan 5.8.0, Linux 4.14.123, aarch64):
  uptime: 7 minutes, since Jun 18 09:32:17 2019
  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon addrblock af-alg agent attr blowfish ccm cmac connmark constraints ctr curl curve25519 des dhcp dnskey duplicheck eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls farp fips-prf forecast gcm gcrypt gmp ldap led md4 md5 mysql openssl pem pgp pkcs1 pkcs11 pkcs12 pkcs7 pkcs8 pubkey random rc2 resolve revocation smp sqlite sshkey test-vectors unity vici whitelist x509 xauth-eap xauth-generic xcbc nonce aes sha1 sha2 hmac stroke kernel-netlink socket-default updown
Listening IP addresses:
  192.168.0.26
  10.10.4.1
  10.10.0.14
Connections:
    net-net1:  %any...95.216.212.162  IKEv1, dpddelay=300s
    net-net1:   local:  uses pre-shared key authentication
    net-net1:   remote: [global.safelabs.net] uses pre-shared key authentication
    net-net1:   child:  192.168.1.0/24 === 10.10.1.0/24 TUNNEL, dpdaction=clear
  conn-ikev2:  %any...95.216.212.162  IKEv2, dpddelay=300s
  conn-ikev2:   local:  uses EAP authentication with EAP identity 'sqltest'
  conn-ikev2:   remote: [95.216.212.162] uses public key authentication
  conn-ikev2:   child:  192.168.0.0/16 === 10.10.1.0/24 TUNNEL, dpdaction=clear
      conn-p:  %any...95.216.212.162  IKEv1, dpddelay=30s
      conn-p:   local:  [192.168.0.26] uses pre-shared key authentication
      conn-p:   remote: [global.safelabs.net] uses pre-shared key authentication
      conn-p:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
         IK1:  %any...------  IKEv2, dpddelay=300s
         IK1:   local:  uses public key authentication
         IK1:   remote: [-----] uses public key authentication
         IK1:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
      conn-p[1]: ESTABLISHED 7 minutes ago, 192.168.0.26[192.168.0.26]...95.216.212.162[-----]
      conn-p[1]: IKEv1 SPIs: 817b867c2c5d77ee_i* 5efa2029856f7577_r, rekeying disabled
      conn-p[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      conn-p{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c298a5fc_i c7b7e976_o
      conn-p{1}:  AES_CBC_128/HMAC_SHA2_256_128/MODP_2048, 59308 bytes_i (1111 pkts, 29s ago), 23822 bytes_o (436 pkts, 29s ago), rekeying disabled
      conn-p{1}:   10.0.0.0/8 === 0.0.0.0/0


ping from OpenWrt (while connected over HDMI)

PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=39 time=193.995 ms
64 bytes from 8.8.8.8: seq=1 ttl=39 time=188.339 ms
64 bytes from 8.8.8.8: seq=2 ttl=39 time=185.797 ms

iptables
# Generated by iptables-save v1.8.2 on Tue Jun 18 11:15:25 2019
*nat
:PREROUTING ACCEPT [3961:589682]
:INPUT ACCEPT [2445:202214]
:OUTPUT ACCEPT [443:34025]
:POSTROUTING ACCEPT [637:44128]
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
COMMIT
# Completed on Tue Jun 18 11:15:25 2019
# Generated by iptables-save v1.8.2 on Tue Jun 18 11:15:25 2019
*mangle
:PREROUTING ACCEPT [9598:2016471]
:INPUT ACCEPT [8548:1717666]
:FORWARD ACCEPT [44:2288]
:OUTPUT ACCEPT [1535:182929]
:POSTROUTING ACCEPT [1583:185473]
COMMIT
# Completed on Tue Jun 18 11:15:25 2019
# Generated by iptables-save v1.8.2 on Tue Jun 18 11:15:25 2019
*filter
:INPUT ACCEPT [11:2254]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:108]
-A FORWARD -d 10.0.0.0/8 -i eth0 -m policy --dir in --pol ipsec --reqid 2 --proto esp -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -o eth0 -m policy --dir out --pol ipsec --reqid 2 --proto esp -j ACCEPT
COMMIT
# Completed on Tue Jun 18 11:15:25 2019

According to the documents and tutorials I found on the Internet, we can use either a route-based VPN or a policy-based VPN, but my configuration is a mix of both. In strongswan.conf install_routes=yes, and leftfirewall=yes. On the other hand, a VTI tunnel is created (if I do not create it then there is no traffic on the IPsec tunnel) and mark=42 is checked (if I uncheck it then there is no Internet on OpenWrt after the tunnel is connected). If I do not create a tunnel using the ip command then there is no traffic on the IPsec tunnel.

I need help.
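An added example, not part of the original post or of strongSwan: a small Python audit that reads the `ipsec statusall` and `iptables-save` excerpts quoted above and checks three things a practitioner would verify first in a mixed route/policy setup: that the `--reqid` in the FORWARD rules matches an INSTALLED CHILD_SA, that the MASQUERADE source covers the wlan0 LAN (10.10.4.0/24 from the ifconfig output), and that some traffic selector covers that LAN. The excerpts and the LAN prefix are taken from the post; the script and its function names are assumptions.

```python
import ipaddress
import re

# Constructed excerpts: the INSTALLED CHILD_SA lines from the post's `ipsec statusall`
# output and the relevant lines of its `iptables-save` output.
STATUSALL = """\
      conn-p{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c298a5fc_i c7b7e976_o
      conn-p{1}:   10.0.0.0/8 === 0.0.0.0/0
"""
IPTABLES_SAVE = """\
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
-A FORWARD -d 10.0.0.0/8 -i eth0 -m policy --dir in --pol ipsec --reqid 2 --proto esp -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -o eth0 -m policy --dir out --pol ipsec --reqid 2 --proto esp -j ACCEPT
"""
LAN = ipaddress.ip_network("10.10.4.0/24")  # wlan0 subnet from the ifconfig output


def installed_sas(statusall):
    """Map CHILD_SA name -> reqid and (local, remote) traffic selectors."""
    sas = {}
    for line in statusall.splitlines():
        m = re.match(r"\s*(\S+)\{\d+\}:\s+INSTALLED.*\breqid (\d+)", line)
        if m:
            sas[m.group(1)] = {"reqid": int(m.group(2)), "ts": []}
            continue
        m = re.match(r"\s*(\S+)\{\d+\}:\s+(\S+) === (\S+)", line)
        if m and m.group(1) in sas:
            local, remote = ipaddress.ip_network(m.group(2)), ipaddress.ip_network(m.group(3))
            sas[m.group(1)]["ts"].append((local, remote))
    return sas


def audit(statusall, iptables_save, lan):
    """Return a list of mismatches between the live SA state and the firewall/NAT rules."""
    findings = []
    sas = installed_sas(statusall)
    live = sorted({sa["reqid"] for sa in sas.values()})
    # The policy-match FORWARD rules only pass traffic whose SA has exactly this reqid.
    for reqid in sorted({int(r) for r in re.findall(r"--reqid (\d+)", iptables_save)}):
        if reqid not in live:
            findings.append(f"filter rule references reqid {reqid}, but installed SAs use {live}")
    # LAN clients need a MASQUERADE (or a selector the peer accepts) that actually covers them.
    for src in re.findall(r"-A POSTROUTING -s (\S+) -j MASQUERADE", iptables_save):
        if not ipaddress.ip_network(src).overlaps(lan):
            findings.append(f"MASQUERADE source {src} does not cover LAN {lan}")
    if not any(local.supernet_of(lan) for sa in sas.values() for local, _ in sa["ts"]):
        findings.append(f"no CHILD_SA traffic selector covers LAN {lan}")
    return findings


if __name__ == "__main__":
    for f in audit(STATUSALL, IPTABLES_SAVE, LAN):
        print("WARN:", f)
```

On the quoted output it reports two mismatches (the reqid and the MASQUERADE source); the same functions can be fed the live output of `ipsec statusall` and `iptables-save` after each change to see whether they disappear.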

I am getting the same problem. Did you find any solution?