Hi.
I'm trying to establish an IPsec VPN connection between a Unifi EdgeOS router and a TP-Link Archer C7 running OpenWrt.
This is my setup.
Unifi EdgeOS
192.168.1.0/24
# EdgeOS side: strongSwan ipsec.conf 'conn' section for the site-to-site tunnel.
# The two conn sections on this page mirror each other: proposals, lifetimes,
# type, authby and keyingtries must stay identical on both peers.
conn peer-87.56.*.*-tunnel-1
# this router's public address and the public (NAT router) address of the OpenWrt site
left=77.68.*.*
right=87.56.*.*
# traffic selectors: local LAN <-> remote LAN
leftsubnet=192.168.1.0/24
rightsubnet=192.168.62.0/24
# IKE (phase 1) proposal; the trailing '!' makes it strict, no other proposal is accepted
ike=aes256-sha1-modp3072!
keyexchange=ikev1
ikelifetime=28800s
# ESP (phase 2) proposal; the DH group gives PFS on each rekey
esp=aes256-sha1-modp3072!
keylife=3600s
rekeymargin=540s
type=tunnel
compress=no
# pre-shared key authentication (key lives in ipsec.secrets)
authby=secret
# route: install trap policies and negotiate when traffic appears; the OpenWrt
# side is the active initiator (auto=start there)
auto=route
keyingtries=%forever
# NOTE(review): SHA-1 integrity/PRF and IKEv1 with a PSK are the weak points of
# this proposal; if both firmwares support it, prefer IKEv2 with a SHA-2 proposal
# (e.g. aes256-sha256-modp3072) - change both ends together.
#conn peer-85.202.*.*-tunnel-2
Tp-link Openwrt
This device sits behind another router whose DMZ forwards to 192.168.201.10.
192.168.62.0/24
# OpenWrt side. The device's own WAN address is private (192.168.201.10, DMZ-forwarded
# from the 87.56.*.* NAT router), so the IKE identity is set explicitly with leftid
# and UDP encapsulation of ESP is forced.
conn peer-77.68.*.*-tunnel-1
# leftfirewall/lefthostaccess: strongSwan's _updown script inserts its own iptables
# rules for the tunnel and the host; these presumably overlap with the manual rules
# in /etc/firewall.user shown at the end of this post
lefthostaccess=yes
# always UDP-encapsulate ESP (NAT-T), even if the peers detect no NAT
forceencaps=yes
# %any modifier for left - NOTE(review): confirm it is still needed with a fixed left address
leftallowany=yes
leftfirewall=yes
# local socket address vs. the identity sent to the peer (the site's public IP)
left=192.168.201.10
right=77.68.*.*
leftid=87.56.*.*
leftsubnet=192.168.62.0/24
rightsubnet=192.168.1.0/24
# proposals and lifetimes mirror the EdgeOS conn exactly
ike=aes256-sha1-modp3072!
keyexchange=ikev1
ikelifetime=28800s
esp=aes256-sha1-modp3072!
keylife=3600s
rekeymargin=540s
type=tunnel
compress=no
authby=secret
# this side initiates at startup (it is the one behind NAT); EdgeOS uses auto=route
auto=start
keyingtries=%forever
# NOTE(review): the 'ipsec statusall' excerpt above shows the IKE SA ESTABLISHED but
# no CHILD_SA/ESP line, so whether phase 2 (the actual tunnel) came up is not visible;
# check the full status output before attributing the problem to the firewall.
#conn peer-77.68.*.*-tunnel-1
root@OpenWrt:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.179, mips):
uptime: 3 seconds, since Mar 08 14:09:32 2022
worker threads: 9 of 16 idle, 6/0/0/1 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp gmpdh curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Listening IP addresses:
192.168.62.1
fd3d:2b14:1277::1
192.168.201.10
Connections:
peer-77.68.*.*-tunnel-1: 192.168.201.10,0.0.0.0/0,::/0...77.68.*.* IKEv1
peer-77.68.*.*-tunnel-1: local: [87.56.*.*] uses pre-shared key authentication
peer-77.68.*.*-tunnel-1: remote: [77.68.*.*] uses pre-shared key authentication
peer-77.68.*.*-tunnel-1: child: 192.168.62.0/24 === 192.168.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
peer-77.68.*.*-tunnel-1[1]: ESTABLISHED 11 minutes ago, 192.168.201.10[87.56.*.*]...77.68.*.*[77.68.*.*]
peer-77.68.*.*-tunnel-1[1]: IKEv1 SPIs: eda2277f9bb1f5f5_i* 4092190c32040b14_r, pre-shared key reauthentication in 7 hours
peer-77.68.*.*-tunnel-1[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
I know the firewall settings on the EdgeOS are correct: I had this running on the 19.x release, but after upgrading to a newer router running the 21.x release, I can't reach the other site.
This is my firewall setup on the TP-Link OpenWrt device.
# /etc/config/firewall (fw3). Global policies: the router itself accepts
# input/output; forwarding is rejected unless a zone or forwarding section allows it.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# lan zone. The extra_src/extra_dest matches restrict this zone to packets that
# are NOT covered by an IPsec policy, so decrypted tunnel traffic is not classified
# as lan but falls to the 'vpn' zone defined at the end of this file.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option extra_src '-m policy --dir in --pol none'
option extra_dest '-m policy --dir out --pol none'
# wan zone, same '--pol none' split as lan. The outer IKE/ESP packets are not
# themselves under an IPsec policy, so they still match this zone's input rules.
# masq '1' masquerades everything leaving wan; the POSTROUTING exemption in
# /etc/firewall.user is what keeps tunnel traffic un-NATed.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option extra_src '-m policy --dir in --pol none'
option extra_dest '-m policy --dir out --pol none'
option masq '1'
# The only inter-zone forwarding declared. NOTE(review): there is no forwarding
# between 'vpn' and 'lan' in either direction; as far as fw3's zone 'forward'
# policy covers only intra-zone traffic, forwarding through the tunnel relies
# entirely on the '-I FORWARD' rules in /etc/firewall.user being applied.
config forwarding
option src 'lan'
option dest 'wan'
# Stock OpenWrt default rules (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6);
# nothing here is specific to the tunnel.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option family 'ipv4'
option target 'ACCEPT'
list icmp_type 'echo-request'
list proto 'icmp'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# IPsec-related rules. The first two are wan->lan forward rules and are disabled
# (enabled '0'), so they contribute nothing; the two enabled rules below are
# input rules that let the router itself receive IKE/NAT-T (UDP 500/4500) and ESP.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option proto 'esp'
option target 'ACCEPT'
option dest 'lan'
option enabled '0'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option dest 'lan'
option enabled '0'
# NOTE(review): open to any WAN source. The peer address is static (77.68.*.*),
# so this could be tightened with a matching 'list src_ip' like the web/SSH rules below.
config rule
option src 'wan'
option name 'IPSec-NAT-T'
option proto 'udp'
option dest_port '500 4500'
option target 'ACCEPT'
# needed only when ESP is not UDP-encapsulated; with forceencaps=yes on this side
# NAT-T is used anyway, so this is mostly a fallback
config rule
option name 'Allow-ESP-input'
option src 'wan'
option proto 'esp'
option target 'ACCEPT'
# Runs /etc/firewall.user (the iptables commands at the end of this post) after
# fw3 has loaded its own rules. NOTE(review): this is an fw3/iptables mechanism;
# the nftables-based fw4 in later OpenWrt releases does not run firewall.user.
config include
option path '/etc/firewall.user'
# Management access from the WAN, limited to two source addresses (77.68.*.* is
# the EdgeOS peer). NOTE(review): port 80 is plaintext web administration; with
# the tunnel up the router is also reachable from 192.168.1.0/24 via the 'vpn'
# zone's input ACCEPT, so exposing HTTP on the WAN may be unnecessary - prefer
# HTTPS/SSH over the tunnel if the WAN exposure is not required.
config rule
option name 'AllowWANWeb'
option src 'wan'
option dest_port '80'
option target 'ACCEPT'
list proto 'tcp'
list src_ip '77.68.*.*'
list src_ip '85.27.*.*'
config rule
option name 'SSH'
list proto 'tcp'
option src 'wan'
option dest_port '22'
option target 'ACCEPT'
list src_ip '77.68.*.*'
list src_ip '85.27.*.*'
# vpn zone. No network/device is bound; packets are classified by the IPsec policy
# match (decrypted ESP in, to-be-encrypted out) plus the remote subnet.
# input 'ACCEPT' exposes every router service to the remote LAN - a trust decision
# worth making explicit. mtu_fix clamps TCP MSS to absorb the tunnel overhead.
# NOTE(review): no 'config forwarding' pairs this zone with 'lan'; see the
# forwarding section above and the FORWARD inserts in /etc/firewall.user.
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
option extra_src '-m policy --dir in --pol ipsec --proto esp'
option extra_dest '-m policy --dir out --pol ipsec --proto esp'
list subnet '192.168.1.0/24'
These are my custom rules:
# /etc/firewall.user - loaded through the 'config include' section of
# /etc/config/firewall. Accepts, independent of zone, every packet the kernel's
# IPsec policy has just decrypted or is about to protect, and keeps that
# traffic out of the wan zone's masquerading.
# fw3 is expected to run this include with /bin/sh, so keep it POSIX (no bash arrays).

# Insert an ACCEPT at the top of a filter chain for IPsec-policy traffic.
#   $1 - chain (INPUT, FORWARD or OUTPUT)
#   $2 - policy direction ('in' or 'out')
accept_ipsec() {
  iptables -I "$1" -m policy --dir "$2" --pol ipsec --proto esp -j ACCEPT
}

# Same chains and order as before: each -I goes to position 1, so within
# FORWARD the '--dir out' rule ends up above '--dir in'.
accept_ipsec INPUT in
accept_ipsec FORWARD in
accept_ipsec FORWARD out
accept_ipsec OUTPUT out

# Skip MASQUERADE for packets an IPsec policy will protect; otherwise the
# masqueraded source no longer matches the tunnel selectors
# (192.168.62.0/24 -> 192.168.1.0/24).
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
Please help. I need full passthrough between the two sites, but I can't connect from either site. I'm sure the firewall settings on the UBNT EdgeOS are correct.
Best regards
Nicklas