VPN Ipsec Strongswan 21.02.2 Firewall problem

Hi.

I'm trying to establish an IPsec VPN connection between a Unifi EdgeOS router and a TP-Link Archer C7 running OpenWrt.

This is my setup.

Unifi EdgeOS
192.168.1.0/24

# EdgeOS side of the tunnel (local LAN 192.168.1.0/24, remote LAN 192.168.62.0/24).
conn peer-87.56.*.*-tunnel-1
        left=77.68.*.*
        # 87.56.*.* is the public address the OpenWrt router shows up as after the
        # DMZ forward; the OpenWrt conn sets it as leftid for that reason.
        right=87.56.*.*
        leftsubnet=192.168.1.0/24
        rightsubnet=192.168.62.0/24
        # Proposal strings are identical on both peers and must stay that way.
        # NOTE(review): IKEv1 with HMAC-SHA1 is a legacy combination; if it is ever
        # modernised, change both conns in one step or the tunnel stops negotiating.
        ike=aes256-sha1-modp3072!
        keyexchange=ikev1
        ikelifetime=28800s
        esp=aes256-sha1-modp3072!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        # auto=route: this end installs the policy and brings the tunnel up on demand;
        # the OpenWrt side uses auto=start and is the one that initiates at boot.
        auto=route
        keyingtries=%forever
#conn peer-85.202.*.*-tunnel-2

Tp-link Openwrt
This device is behind a router with a DMZ forward to 192.168.201.10
192.168.62.0/24

# OpenWrt side of the tunnel. The router sits behind a DMZ forward, so left= is the
# private 192.168.201.10 while the peer sees (and authenticates) 87.56.*.*.
# NOTE(review): the 'ipsec statusall' output further down shows the IKE SA as
# ESTABLISHED but no INSTALLED CHILD_SA line for 192.168.62.0/24 === 192.168.1.0/24.
# If that output is complete, no ESP SA exists yet and no firewall rule can make
# traffic flow; a kernel-side SA install failure (e.g. a missing kmod-crypto-*
# module, as a later reply suggests) is one cause worth ruling out first.
conn peer-77.68.*.*-tunnel-1
        # lefthostaccess/leftfirewall hand rule insertion to the updown script (as far
        # as I recall its default behaviour). Together with the 'vpn' firewall zone and
        # the /etc/firewall.user rules this is a third mechanism accepting the same
        # traffic; keeping only one of them makes the resulting chains predictable.
        lefthostaccess=yes
        # Always UDP-encapsulate ESP (port 4500) because of the NAT in front of this box.
        forceencaps=yes
        # Accept the connection on any local address as well — this is what produces the
        # "0.0.0.0/0,::/0" local endpoint in the status output.
        leftallowany=yes
        leftfirewall=yes
        left=192.168.201.10
        right=77.68.*.*
        # Public address as identity, matching right= on the EdgeOS conn.
        leftid=87.56.*.*
        leftsubnet=192.168.62.0/24
        rightsubnet=192.168.1.0/24
        # Must match the EdgeOS conn byte for byte (IKEv1 + HMAC-SHA1 is legacy; change
        # both sides together if modernising).
        ike=aes256-sha1-modp3072!
        keyexchange=ikev1
        ikelifetime=28800s
        esp=aes256-sha1-modp3072!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        # This end initiates at daemon start; the EdgeOS side is auto=route.
        auto=start
        keyingtries=%forever
#conn peer-77.68.*.*-tunnel-1
root@OpenWrt:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.179, mips):
  uptime: 3 seconds, since Mar 08 14:09:32 2022
  worker threads: 9 of 16 idle, 6/0/0/1 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp gmpdh curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Listening IP addresses:
  192.168.62.1
  fd3d:2b14:1277::1
  192.168.201.10
Connections:
peer-77.68.*.*-tunnel-1:  192.168.201.10,0.0.0.0/0,::/0...77.68.*.*  IKEv1
peer-77.68.*.*-tunnel-1:   local:  [87.56.*.*] uses pre-shared key authentication
peer-77.68.*.*-tunnel-1:   remote: [77.68.*.*] uses pre-shared key authentication
peer-77.68.*.*-tunnel-1:   child:  192.168.62.0/24 === 192.168.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
peer-77.68.*.*-tunnel-1[1]: ESTABLISHED 11 minutes ago, 192.168.201.10[87.56.*.*]...77.68.*.*[77.68.*.*]
peer-77.68.*.*-tunnel-1[1]: IKEv1 SPIs: eda2277f9bb1f5f5_i* 4092190c32040b14_r, pre-shared key reauthentication in 7 hours
peer-77.68.*.*-tunnel-1[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072

I know the firewall settings on the EdgeOS side are correct: I had this running on the 19.x version. But after upgrading to a newer router with the 21.x version, I can't access the other site.

This is my firewall setup on tp-link openwrt.

# Global policy: the router accepts its own input/output but refuses to forward
# anything that no zone policy or forwarding section explicitly allows.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# extra_src/extra_dest restrict this zone to packets with *no* IPsec policy, so
# decapsulated tunnel traffic does not count as 'lan' and is left to the 'vpn'
# zone at the bottom of this file.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option extra_src '-m policy --dir in --pol none'
        option extra_dest '-m policy --dir out --pol none'

# Same cleartext-only restriction for wan. masq '1' would also masquerade
# traffic headed into the tunnel; the nat POSTROUTING rule among the custom
# /etc/firewall.user rules (shown after this config) is what exempts it.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option extra_src '-m policy --dir in --pol none'
        option extra_dest '-m policy --dir out --pol none'
        option masq '1'

# The only declared forwarding is lan -> wan. There is no forwarding section in
# either direction between 'lan' and 'vpn'; tunnel forwarding depends on the
# 'vpn' zone's forward policy and on the custom FORWARD rules.
config forwarding
        option src 'lan'
        option dest 'wan'

# WAN input housekeeping (DHCP renew, ping, IGMP, IPv6 DHCP/MLD/ICMPv6): each rule
# opens only what it names and none of them is involved in the tunnel.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        list proto 'icmp'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Disabled ('enabled 0'): these two would have accepted ESP and IKE *toward the
# lan zone*. The two enabled rules after them accept the same protocols on the
# router itself (no dest), which is where charon listens.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option proto 'esp'
        option target 'ACCEPT'
        option dest 'lan'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option dest 'lan'
        option enabled '0'

# IKE (UDP/500) and NAT-T (UDP/4500) from any WAN source to the router. 4500 is
# the port that carries this tunnel, since the OpenWrt conn sets forceencaps=yes
# and the device sits behind a DMZ forward.
config rule
        option src 'wan'
        option name 'IPSec-NAT-T'
        option proto 'udp'
        option dest_port '500 4500'
        option target 'ACCEPT'

# Raw ESP to the router. With forceencaps=yes the peer should be sending
# UDP-encapsulated ESP on 4500 instead, so this rule is probably idle for this
# tunnel — harmless, but one more thing to rule out when debugging.
config rule
        option name 'Allow-ESP-input'
        option src 'wan'
        option proto 'esp'
        option target 'ACCEPT'

# Loads the custom iptables rules (the five lines shown further down the post).
config include
        option path '/etc/firewall.user'

# Management exposed on the WAN side, limited to two source addresses. Port 80 is
# plaintext HTTP; reaching the UI over HTTPS or through the tunnel itself would
# avoid sending the admin session in the clear. Both rules filter on the
# original source address, so they presumably rely on the upstream router's DMZ
# forward leaving it untouched.
config rule
        option name 'AllowWANWeb'
        option src 'wan'
        option dest_port '80'
        option target 'ACCEPT'
        list proto 'tcp'
        list src_ip '77.68.*.*'
        list src_ip '85.27.*.*'

config rule
        option name 'SSH'
        list proto 'tcp'
        option src 'wan'
        option dest_port '22'
        option target 'ACCEPT'
        list src_ip '77.68.*.*'
        list src_ip '85.27.*.*'

# Tunnel zone. It has no network/device binding: a packet belongs here when it
# matches the IPsec policy in extra_src/extra_dest AND the subnet listed below.
# Only 192.168.1.0/24 is listed, so any other subnet behind the EdgeOS peer would
# not fall into this zone. mtu_fix clamps TCP MSS to absorb the tunnel overhead.
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        option extra_src '-m policy --dir in --pol ipsec --proto esp'
        option extra_dest '-m policy --dir out --pol ipsec --proto esp'
        list subnet '192.168.1.0/24'

These are my custom rules

# Custom rules loaded through the 'config include' of /etc/firewall.user above.
# Every rule uses -I, which inserts at the TOP of its chain: within one chain the
# rule inserted last ends up first, so keep this order if the file is edited.
# NOTE(review): these accept every packet that has (or will have) an IPsec policy
# with no source/destination restriction — the "full passthrough" asked for
# below. Any per-host filtering therefore has to live on the peer or on the hosts.

# Decapsulated tunnel traffic addressed to the router itself.
iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
# Decapsulated tunnel traffic being forwarded on to the LAN ...
iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
# ... and LAN traffic about to be encapsulated into the tunnel.
iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# The router's own traffic into the tunnel.
iptables -I OUTPUT   -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# ACCEPT in nat/POSTROUTING ends NAT processing for packets headed into the
# tunnel, so the wan zone's masq '1' does not rewrite their source address.
# (Only rule without --proto esp — harmless, but inconsistent with the others.)
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT

Please help. I need full passthrough, but I can't connect from either site. I'm sure the firewall settings on the Ubiquiti EdgeOS are correct.

Best regards

Nicklas

Did you manage to figure this out? I'm having somewhat similar issues with IKEv1, the only difference being that I am not even reaching the established state. The exact same ipsec config works flawlessly on a VM behind the OpenWrt router, but not on the router itself.

Could it be that we are missing something firewall-wise — either a kernel module, or something that has to be configured differently for nftables (firewall4)?

Hi. Try this first
opkg install kmod-crypto-gcm

I managed to fix the tunnel itself (this is how), but the routing is still crap.