Topic: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

Dear all,

I am quite new to OpenWrt (I used DD-Wrt a lot during the last couple of years, but finally want to get rid of it) and am very impressed by the project.

At the moment I am trying to set up an IPsec Road Warrior configuration. Basically I would like to configure OpenWrt in a way that I can log in to my private network from outside my LAN via IPsec and my iPhone.

What I did was:
- Following Wiki IPsec Basics
- Following Wiki IPsec Firewall
- Following Wiki IPsec Road Warrior Configuration
- And trying Wiki IPsec With Certificates
- Gooooooooooogle * 1000000000
- OpenWrt Forum Search
- :-(

I have now been struggling with it for three days and am about to give up :-(   I really hope someone can help. Hardware is a TP-Link TL-WDR4300, build is openwrt-ar71xx-generic-tl-wdr4300-v1-squashfs-sysupgrade_attitude-adjustment_12-09-beta.

First of all the Wiki articles seem to be buggy (?) or not adapted for Attitude Adjustment:
- The "ps" command has no "-ef" switch on my busybox, so I simply removed "-ef" from /etc/init.d/racoon
- There was also a problem with "blowfish" encryption. This is stated somewhere (sorry, can't remember where), but my kernel was not able to run that. So I simply removed that option. Finally racoon started without any problems (just started, but no connection possible)
- Then I followed the Firewall article, but that broke my network connection. It says that you don't need to set up any zone forwardings, but without them you can't reach anything. Firewall does not seem to be an issue now, I can see that my iPhone is able to connect from outside. Possibly my firewall configuration is totally insecure atm, but since I'm just testing internally that is no real concern up to now (would like to get IPsec working first before thinking about that).

Then I tried to configure racoon (for almost 3 days) but didn't get my iPhone to connect to it, tried almost everything :-(
- When setting "exchange_mode" to "aggressive" I almost always get "ERROR: exchange Identity Protection not allowed in any applicable rmconf."
- When setting "exchange_mode" to "main" it seems to work better, but connection fails with "ERROR: mode config 6 from 192.168.1.109[500], but we have no ISAKMP-SA."
- Then I also played around with IPsec Certificates, this failed with "unknown certtype".
- Toggled almost every flag I found for racoon, no success

I could cry :-(

Please, I would be thankful for any advice!!

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

Hmm, no one with an idea? :-(

Struggled with it again today without success. Since I do not seem to be able to get racoon running properly, I tried strongswan today. Read a few things about it, and some articles mentioned that it is easier to configure and capable of serving the iPhone.

What I did (again on Attitude Adjustment Beta):
- opkg install strongswan
- /etc/init.d/strongswan ==> does not exist
- /etc/init.d/ipsec ==> does not exist

Anyway there is an article here in the forum, 2 users had the same problem of a non-existent init script. A brief reply of another user was to look at the strongswan readme (actually there is nothing about that in the readme as far as I have seen). Searched a lot and found that it seems that the strongswan team decided not to include init scripts anymore. Bump.
Well, what is even worse, there does not seem to be a binary file for strongswan when I install it with opkg, so even with an init script nothing would run. That is the output of "opkg files strongswan":
Package strongswan (5.0.0-1) is installed on root and has the following files:
/usr/lib/ipsec/libhydra.so.0
/usr/lib/ipsec/libstrongswan.so.0
/usr/lib/ipsec/libstrongswan.so.0.0.0
/etc/ipsec.secrets
/etc/strongswan.conf
/usr/lib/ipsec/libhydra.so.0.0.0
/lib/upgrade/keep.d/strongswan

So how can I run it!? Tried to search for the binary manually, did not find anything :-(

PLEASE, any advice (either on racoon = most preferred, or strongswan) would be GREAT!

Will google around for another few hours and then probably try openswan. Up to now IPsec + Road Warrior Setup + iPhone seems to be a no-go on OpenWrt ..... or I seem to be too stupid for OpenWrt smile

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

Regarding the strongswan installation: Yes, I have been too stupid :-)

Just in case anyone else ever struggles with it:
- You should not install "strongswan" but "strongswan-default", so "opkg update && opkg install strongswan-default"
- When installing, it complained about "check_data_file_clashes: Package strongswan-utils wants to install file /usr/lib/ipsec/_copyright"  "But that file is already provided by package  * strongswan-mod-stroke"
- I simply deleted /usr/lib/ipsec/_copyright and re-ran "opkg install strongswan-default"

There is still no init script in /etc/init.d, but the daemon seems to exist. That's huge progress.

Does any of you have a prepared init script for it!?

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

Managed to install and configure strongswan; the iPhone is also able to log in. Now I am struggling with firewall settings, but that should not be a killer issue ;-)

Will post some kind of how-to when I am done, hopefully this can help anyone else trying to set up such a service.

5 (edited by rossini 2012-09-24 03:24:41)

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

Yeah, it would help me, I was also struggling with the firewall. Tried this for a week.
I hope you have more luck.

Buffalo WBMR-HP-G300H Custom Build; Netgear WNDR3800 Custom Build;

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

I think I found the solution. Besides opening UDP ports 500 and 4500 you have to add the following iptables rule:
iptables -A input_wan -m policy --strict --dir in --pol ipsec --proto esp -j ACCEPT

It's now working in my case!!! Hurray!!! The only worrying thing is that I have no real clue what this rule means; I'll have to search a bit to sleep well with my firewall setting.

Would anyone be so nice and explain the rule?

@rossini: Also working for you?

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

Next update:
I think the mentioned iptables rule should work, and it indeed does sometimes, but it does not work stably. When I look at the firewall stats in LuCI, I see that the rule is only triggered sometimes :-(

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

wjwj wrote:

Next update:
I think the mentioned iptables rule should work, and it indeed does sometimes, but it does not work stably. When I look at the firewall stats in LuCI, I see that the rule is only triggered sometimes :-(

Seems that you have to set
forceencaps=yes
in ipsec.conf within the connection.

Still not able to verify that it runs stably ... but it looks not too bad.

9 (edited by rossini 2012-09-24 20:52:00)

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

Can't verify it now, but I was able to get a stable VPN connection; however, I was not able to connect to the LAN devices, only to the VPN gateway itself. Can you post your network config + strongswan config so we can figure this out together?
I was using this description: http://wiki.strongswan.org/issues/218

Buffalo WBMR-HP-G300H Custom Build; Netgear WNDR3800 Custom Build;

10 (edited by wjwj 2012-09-24 21:40:08)

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

Well, I now also wrote an init script and it seems to work .... well, I also thought that several times before wink

I followed this GREAT description, especially to generate valid certificates for iOS:
strongSwan iOS (Apple iPhone, iPad...) and Mac OS X

Here are all my config files. Basically the OpenWrt router's IP is 192.168.1.1, and it serves as DHCP server for 192.168.1.0/24. I also configured strongswan in a way that it requests IP addresses from the DHCP server, so you probably have to install the package strongswan-mod-dhcp (I think that was the name of it).

ipsec.conf  .... I assume that these plutostart and nat_traversal settings are useless, but who knows:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    plutostart=yes
    nat_traversal=yes

# Add connections here.

conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=serverCert.pem
        right=%any
        rightsubnet=192.168.1.0/24
        rightsourceip=%dhcp
        rightcert=clientCert.pem
        forceencaps=yes
        auto=add

ipsec.secrets   ... I don't care about this password, it is just for testing and not reachable via the internet at the moment:

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA serverKey.pem
otto : XAUTH "thisisotto"

strongswan.conf .... that is just for the DHCP plugin (see above):

# strongswan.conf - strongSwan configuration file

charon {
    dns1 = 192.168.1.1

    plugins {
        dhcp {
            server = 192.168.1.1
        }
    }
}

pluto {

}

libstrongswan {

    #  set to no, the DH exponent size is optimized
    #  dh_exponent_ansi_x9_42 = no
}

and finally /etc/init.d/ipsec   .... very basic at the moment, not yet sure about START and STOP, but it works:

#!/bin/sh /etc/rc.common
# ipsec init script

START=46
STOP=01

start() {
    ipsec start
}

stop() {
    ipsec stop
}

restart() {
    ipsec restart
}

And finally the Firewall settings:
- I simply opened the ports 500 and 4500 with LuCI
- In Custom Rules I added

iptables -A input_wan -m policy --strict --dir in --pol ipsec --proto esp -j ACCEPT

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

How did you get the DHCP plugin to work? It won't load. Did you make a custom build?

Buffalo WBMR-HP-G300H Custom Build; Netgear WNDR3800 Custom Build;

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

rossini wrote:

How did you get the DHCP plugin to work? It won't load. Did you make a custom build?

No, I am using the latest Attitude Adjustment Beta on a TP-Link TL-WDR4300 (openwrt-ar71xx-generic-tl-wdr4300-v1-squashfs-sysupgrade).
opkg update && opkg install strongswan-mod-dhcp
did the job.

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

Hi,

OK, I figured the DHCP out.
I was using a custom build where strongswan was included, but not strongswan-mod-dhcp.
I have now installed AA, generated all certs and used your configs.

I am able to connect, but I cannot reach the LAN clients. Don't know why.
In the ipsec log I get messages like this:

07[KNL] received netlink error: Function not implemented (89)
07[KNL] unable to add SAD entry with SPI ccc321fa
07[KNL] received netlink error: Function not implemented (89)
07[KNL] unable to add SAD entry with SPI 07d0af31
07[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel

Buffalo WBMR-HP-G300H Custom Build; Netgear WNDR3800 Custom Build;

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

Hmm, looks like something in your kernel is missing; unfortunately I am no kernel expert. Which strongswan package did you install? I installed strongswan-default ("opkg update && opkg install strongswan-default"). Maybe there are some strongswan kernel modules missing in your installation??

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

Yep ... strongswan-default + strongswan-mod-dhcp

Buffalo WBMR-HP-G300H Custom Build; Netgear WNDR3800 Custom Build;

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

... I had installed no wifi driver, so there was no crypto module.
I can establish the connection now and the errors are gone. But I'm just able to see my gateway router, nothing else in the LAN.

Buffalo WBMR-HP-G300H Custom Build; Netgear WNDR3800 Custom Build;

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

Well, for me this custom iptables rule did the job. Did you restart the firewall after inserting it (just to make sure)?

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

Yes, restarted the firewall. Can you please post your complete firewall config? Just to make sure I didn't make any other mistakes.

Buffalo WBMR-HP-G300H Custom Build; Netgear WNDR3800 Custom Build;

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

rossini wrote:

Yes, restarted the firewall. Can you please post your complete firewall config? Just to make sure I didn't make any other mistakes.

# Generated by iptables-save v1.4.10 on Tue Sep 25 20:31:35 2012
*nat
:PREROUTING ACCEPT [14468:1646026]
:INPUT ACCEPT [1411:115471]
:OUTPUT ACCEPT [1731:130678]
:POSTROUTING ACCEPT [156:19343]
:nat_reflection_in - [0:0]
:nat_reflection_out - [0:0]
:postrouting_rule - [0:0]
:prerouting_lan - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan - [0:0]
:zone_lan_nat - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_nat - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j prerouting_rule 
-A PREROUTING -i br-lan -j zone_lan_prerouting 
-A PREROUTING -i eth0.2 -j zone_wan_prerouting 
-A POSTROUTING -j postrouting_rule 
-A POSTROUTING -o br-lan -j zone_lan_nat 
-A POSTROUTING -o eth0.2 -j zone_wan_nat 
-A postrouting_rule -j nat_reflection_out 
-A prerouting_rule -j nat_reflection_in 
-A zone_lan_prerouting -j prerouting_lan 
-A zone_wan_nat -j MASQUERADE 
-A zone_wan_prerouting -j prerouting_wan 
COMMIT
# Completed on Tue Sep 25 20:31:35 2012
# Generated by iptables-save v1.4.10 on Tue Sep 25 20:31:35 2012
*raw
:PREROUTING ACCEPT [2438727:2512608691]
:OUTPUT ACCEPT [7537:1864992]
:zone_lan_notrack - [0:0]
:zone_wan_notrack - [0:0]
-A PREROUTING -i br-lan -j zone_lan_notrack 
-A PREROUTING -i eth0.2 -j zone_wan_notrack 
COMMIT
# Completed on Tue Sep 25 20:31:35 2012
# Generated by iptables-save v1.4.10 on Tue Sep 25 20:31:35 2012
*mangle
:PREROUTING ACCEPT [2438727:2512608691]
:INPUT ACCEPT [12318:1371598]
:FORWARD ACCEPT [2423829:2510417392]
:OUTPUT ACCEPT [7537:1864992]
:POSTROUTING ACCEPT [2431366:2512282384]
:zone_wan_MSSFIX - [0:0]
-A FORWARD -j zone_wan_MSSFIX 
-A zone_wan_MSSFIX -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
COMMIT
# Completed on Tue Sep 25 20:31:35 2012
# Generated by iptables-save v1.4.10 on Tue Sep 25 20:31:35 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward - [0:0]
:forwarding_lan - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan - [0:0]
:input - [0:0]
:input_lan - [0:0]
:input_rule - [0:0]
:input_wan - [0:0]
:nat_reflection_fwd - [0:0]
:output - [0:0]
:output_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan - [0:0]
:zone_lan_ACCEPT - [0:0]
:zone_lan_DROP - [0:0]
:zone_lan_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_wan - [0:0]
:zone_wan_ACCEPT - [0:0]
:zone_wan_DROP - [0:0]
:zone_wan_REJECT - [0:0]
:zone_wan_forward - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood 
-A INPUT -j input_rule 
-A INPUT -j input 
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -j forwarding_rule 
-A FORWARD -j forward 
-A FORWARD -j reject 
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -j output_rule 
-A OUTPUT -j output 
-A forward -i br-lan -j zone_lan_forward 
-A forward -i eth0.2 -j zone_wan_forward 
-A forwarding_rule -j nat_reflection_fwd 
-A input -i br-lan -j zone_lan 
-A input -i eth0.2 -j zone_wan 
-A input_wan -m policy --dir in --pol ipsec --strict --proto esp -j ACCEPT 
-A output -j zone_lan_ACCEPT 
-A output -j zone_wan_ACCEPT 
-A reject -p tcp -j REJECT --reject-with tcp-reset 
-A reject -j REJECT --reject-with icmp-port-unreachable 
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN 
-A syn_flood -j DROP 
-A zone_lan -j input_lan 
-A zone_lan -j zone_lan_ACCEPT 
-A zone_lan_ACCEPT -o br-lan -j ACCEPT 
-A zone_lan_ACCEPT -i br-lan -j ACCEPT 
-A zone_lan_DROP -o br-lan -j DROP 
-A zone_lan_DROP -i br-lan -j DROP 
-A zone_lan_REJECT -o br-lan -j reject 
-A zone_lan_REJECT -i br-lan -j reject 
-A zone_lan_forward -j zone_wan_ACCEPT 
-A zone_lan_forward -j forwarding_lan 
-A zone_lan_forward -j zone_lan_REJECT 
-A zone_wan -p udp -m udp --dport 68 -j ACCEPT 
-A zone_wan -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A zone_wan -p udp -m udp --dport 500 -j ACCEPT 
-A zone_wan -p udp -m udp --dport 4500 -j ACCEPT 
-A zone_wan -j input_wan 
-A zone_wan -j zone_wan_REJECT 
-A zone_wan_ACCEPT -o eth0.2 -j ACCEPT 
-A zone_wan_ACCEPT -i eth0.2 -j ACCEPT 
-A zone_wan_DROP -o eth0.2 -j DROP 
-A zone_wan_DROP -i eth0.2 -j DROP 
-A zone_wan_REJECT -o eth0.2 -j reject 
-A zone_wan_REJECT -i eth0.2 -j reject 
-A zone_wan_forward -j forwarding_wan 
-A zone_wan_forward -j zone_wan_REJECT 
COMMIT
# Completed on Tue Sep 25 20:31:35 2012
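The custom rule posted earlier in this thread (the `-m policy ... --proto esp` line) and the full dump above are easier to reason about when checked mechanically. The script below is an added example, not code from the thread or from OpenWrt: it audits an `iptables-save` dump for the three WAN-side rules an IPsec road-warrior gateway needs (UDP/500, UDP/4500 and the policy-match rule for decrypted ESP traffic) and separately reports whether a policy-match rule exists on the forward path, which is the path tunnel traffic to LAN hosts takes. The chain names `zone_wan`, `input_wan` and `forwarding_wan` are taken from the dump; the sample dump embedded in the script is a constructed excerpt modelled on it.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump for the
# WAN-side rules an IPsec road-warrior gateway needs. The sample dump below is
# a constructed excerpt modelled on the filter table posted in the thread.

# Print one line per missing requirement; print nothing when all are present.
# $1 = full text of an iptables-save dump.
missing_ipsec_rules() {
    # IKE (ISAKMP) negotiation arrives on UDP/500.
    printf '%s\n' "$1" | grep -Eq -- '^-A zone_wan .*-p udp .*--dport 500 -j ACCEPT' \
        || echo "ike-udp-500"
    # NAT-T: ESP wrapped in UDP/4500 when a side is behind NAT
    # (forceencaps=yes in ipsec.conf forces this even without NAT).
    printf '%s\n' "$1" | grep -Eq -- '^-A zone_wan .*-p udp .*--dport 4500 -j ACCEPT' \
        || echo "natt-udp-4500"
    # After decryption the inner packet re-enters the WAN input path without
    # an ESP header. "-m policy --dir in --pol ipsec --proto esp" matches only
    # packets that were just decapsulated from an inbound ESP SA, so this
    # accepts tunnel traffic for the router itself without opening anything
    # to the plain internet.
    printf '%s\n' "$1" | grep -Eq -- '^-A input_wan .*-m policy .*--pol ipsec .*--proto esp -j ACCEPT' \
        || echo "esp-policy-input"
}

# Traffic from the tunnel to LAN hosts goes through FORWARD, not INPUT.
# Returns 0 when a policy-match rule exists on the forward path, 1 otherwise.
# With leftfirewall=yes strongSwan's updown script inserts such rules itself
# when a SA comes up, so a dump taken with no client connected may
# legitimately lack them.
has_forward_policy_rule() {
    printf '%s\n' "$1" | grep -Eq -- '^-A (FORWARD|forwarding_rule|forwarding_wan) .*-m policy .*--pol ipsec'
}

# Constructed excerpt (modelled on the thread's dump; counters omitted).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:input_wan - [0:0]
:zone_wan - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A input -i eth0.2 -j zone_wan
-A input_wan -m policy --dir in --pol ipsec --strict --proto esp -j ACCEPT
-A zone_wan -p udp -m udp --dport 500 -j ACCEPT
-A zone_wan -p udp -m udp --dport 4500 -j ACCEPT
-A zone_wan -j input_wan
-A zone_wan -j zone_wan_REJECT
COMMIT'

# Same dump with the ESP policy rule removed, to show a failing audit.
SAMPLE_DUMP_NO_ESP=$(printf '%s\n' "$SAMPLE_DUMP" | grep -v '^-A input_wan')

# Human-readable report for one dump.
audit() {
    missing=$(missing_ipsec_rules "$1")
    if [ -z "$missing" ]; then
        echo "WAN input path: all required IPsec rules present"
    else
        echo "WAN input path: missing $(echo "$missing" | tr '\n' ' ')"
    fi
    if has_forward_policy_rule "$1"; then
        echo "forward path: static policy-match rule present"
    else
        echo "forward path: no static policy-match rule (LAN reachability relies on strongSwan's updown rules)"
    fi
}

audit "$SAMPLE_DUMP"
audit "$SAMPLE_DUMP_NO_ESP"
```

On the router itself, pass the live ruleset instead of the sample: `audit "$(iptables-save)"`. Run it once with a client connected and once without, so the forward-path line shows whether the rules that let tunnel traffic reach the LAN are there while a SA is up.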

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

Thanks, ... I don't know what to do. The iptables rules are the same, except that where you have eth0.2, mine has pppoa-wan.

Buffalo WBMR-HP-G300H Custom Build; Netgear WNDR3800 Custom Build;

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

Sorry, can't really help. Just tell me if you need anything else. Maybe there is something wrong in your routing table?? (just a guess)

As far as I struggled with it, I found that this rightsubnet setting in ipsec.conf is quite crucial. Then I also had to add forceencaps=yes in ipsec.conf, otherwise it seemed that iptables (the kernel??, the ipsec daemon??) did not mask/mark the IPsec packets correctly. Afterwards it just worked.

My project for the weekend is to reset the router again and to configure everything from scratch again ... not just test settings, but the stable settings ... i.e. no more "thisisotto" as password wink     Up to now I also did not activate WLAN. Hopefully it will also work after resetting everything. I'll definitely report.

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

smile Good luck and many thanks. I will research the routing tables.

Buffalo WBMR-HP-G300H Custom Build; Netgear WNDR3800 Custom Build;

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

One question:
Do you also have these messages in the logs:

06[KNL] NAT mappings of ESP CHILD_SA with SPI c4be149a and reqid {1} changed, queuing update job

Buffalo WBMR-HP-G300H Custom Build; Netgear WNDR3800 Custom Build;
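The charon log lines quoted in this post and in the earlier one ("received netlink error: Function not implemented (89)", "unable to add SAD entry", "unable to install inbound and outbound IPsec SA") are different in kind: the first group is a hard failure, the NAT-mapping message is informational. The following script is an added example, not code from the thread or from strongSwan; it classifies such lines into findings and counts them, using the lines quoted in this thread as the sample input. The finding labels are my own naming. The note that errno 89 is ENOSYS on MIPS (the ar71xx target used here) and that the thread's case came from missing kernel crypto modules are the only facts it relies on.

```shell
#!/bin/sh
# Added example (not from the thread): classify strongSwan (charon) log lines
# into findings, so the actionable kernel error is not lost among
# informational NAT-T messages.

# $1 = one log line with charon's "NN[SUBSYS] message" prefix.
# Prints a finding label (labels are this example's own naming).
triage_strongswan_line() {
    case $1 in
        *"[KNL] received netlink error: Function not implemented"*)
            # errno 89 is ENOSYS on MIPS targets such as ar71xx: the kernel
            # rejected an XFRM (IPsec SA/policy) request it has no support for.
            # In the thread the cause was missing kernel crypto modules.
            echo "kernel-ipsec-unsupported" ;;
        *"[KNL] unable to add SAD entry"*|*"[IKE] unable to install inbound and outbound IPsec SA"*)
            # Follow-on to the error above: IKE succeeded but no SA got
            # installed, so the tunnel carries no traffic.
            echo "sa-install-failed" ;;
        *"NAT mappings of ESP CHILD_SA"*"changed"*)
            # Informational: the client's NAT-mapped address/port changed and
            # charon re-points the SA. Expected for a phone using NAT-T.
            echo "natt-mapping-update" ;;
        *)
            echo "unclassified" ;;
    esac
}

# Count how many lines of a log ($1) produced finding $2.
count_finding() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        triage_strongswan_line "$line"
    done | grep -c -- "^$2\$" || true
}

# Log excerpt as quoted in the thread.
SAMPLE_LOG='07[KNL] received netlink error: Function not implemented (89)
07[KNL] unable to add SAD entry with SPI ccc321fa
07[KNL] received netlink error: Function not implemented (89)
07[KNL] unable to add SAD entry with SPI 07d0af31
07[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
06[KNL] NAT mappings of ESP CHILD_SA with SPI c4be149a and reqid {1} changed, queuing update job'

for f in kernel-ipsec-unsupported sa-install-failed natt-mapping-update unclassified; do
    echo "$f: $(count_finding "$SAMPLE_LOG" "$f")"
done
```

On OpenWrt charon logs to syslog, so on the router `count_finding "$(logread)" kernel-ipsec-unsupported` answers the question this post raises without reading the whole log: a non-zero count means the kernel side is missing, and a `natt-mapping-update` count on its own is nothing to act on.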

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

rossini wrote:

One question:
Do you also have these messages in the logs:

06[KNL] NAT mappings of ESP CHILD_SA with SPI c4be149a and reqid {1} changed, queuing update job

Will check and post asap, but I won't be at home for the next two days.

25 (edited by wjwj 2012-09-29 16:11:37)

Re: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

Back again. Regarding the [KNL] NAT mappings of ESP ...  in which logfile do you get that one?

Today I set up strongSwan in my productive environment. Despite everything working in my testing environment, I can only reach my gateway and nothing else in the LAN (same situation as rossini). Seems that the search starts from the beginning again.

@rossini: Did you have any luck in the meantime?

Edit:
Funny. I can reach my gateway on 172.16.0.1 AND my switch's web interface on 172.16.0.2, but nothing else. I'd say that is strange!