Topic: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone
I am quite new to OpenWrt (used DD-Wrt a lot during the last couple of years, but finally want to get rid of it) and am very impressed of the project.
At the moment I am trying to set up a IPsec Road Warrior Configuration. Basically I would like to configure OpenWrt in a way, that I can log in to my private network from outside my LAN via IPsec and my iPhone.
What I did was:
- Following Wiki IPsec Basics
- Following Wiki IPsec Firewall
- Following Wiki IPsec Road Warrior Configuration
- And trying Wiki IPsec With Certificates
- Gooooooooooogle * 1000000000
- OpenWrt Forum Search
I am now struggling with it for three days and am about to give up :-( I really hope someone can help. Hardware is TP-Link TL-WDR4300, Build is openwrt-ar71xx-generic-tl-wdr4300-v1-squashfs-sysupgrade_attitude-adjustment_12-09-beta.
First of all the Wiki articles seem to be buggy (?) or not adaptet for Attitute Adjustment:
- The "ps" command has no "-ef" switch on my busybox, so I simply removed "-ef" from /etc/init.d/racoon
- There was also a problem with "blowfish" encryption. This is statet anywhere (sorry, can't remember where), but my Kernel was not able to run that. So I simply removed that option. Finally racoon started without any problems (just startet, but no connection possible)
- Then I followed the Firewall article but that broke my network connection. It says that you don't need to set up any Zone forwardings, but without you can't reach anything. Firewall does not seem to be an issue now, I can see that my iPhone is able to connect from outside. Possible, that my Firewall configuration is totally insecure atm, but since I'm just testing internally that is no real concern up to now (would like to get IPsec working first before thinking about that).
Then I tried to configure racoon (for almost 3 days) but didn't get my iPhone connecting to it, tried almost everything :-(
- When setting "exchange_mode" to "aggressive" I almost always get "ERROR: exchange Identity Protection not allowed in any applicable rmconf."
- When setting "exchange_mode" to "main" it seems to work better, but connection fails with "ERROR: mode config 6 from 192.168.1.109, but we have no ISAKMP-SA."
- Then I also played around with IPsec Certificates, this failed with "unknown certtype".
- Toggled almost every flag I found for racoon, no success
I could cry :-(
Please, I would be thankfull for any advice!!