Hi,
I've successfully created a tunnel between my OpenWRT router and a pfSense virtual machine elsewhere on the internet. Phase 1 and 2 of the IPSEC tunnel are successfully negotiated and the tunnel is "up". However, I'm unable to ping across the tunnel and I suspect this may be due to firewall settings on the OpenWRT end; on the pfSense end all traffic is permitted to and from the tunnel. Indeed, if I initiate a ping from the pfSense side, I can see the ESP packets arriving on the OpenWRT's WAN interface.
Beyond permitting IPSEC traffic with the following rules in /etc/config/firewall, I've made no firewalling changes:
config rule
	option src 'wan'
	option name 'IPSec ESP'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option name 'IPSec IKE'
	option proto 'udp'
	option dest_port '500'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option name 'IPSec NAT-T'
	option proto 'udp'
	option dest_port '4500'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option name 'Auth Header'
	option proto 'ah'
	option target 'ACCEPT'
The firewall page on the OpenWRT wiki is a bit confusing. From what I can understand, it binds the IPSEC tunnel to a new VPN zone and policies are applied based on that - this matches my experience with commercial products. However, with a StrongSwan IPSEC connection, there is no interface I can bind to the VPN zone.
In short, I'm a little confused as to what firewall changes I need to make in order to permit the decrypted IPSEC traffic to be processed, rather than being dropped as seems to be the case now. The connection configuration on the OpenWRT side is below, and is near identical on the pfSense side aside from changing left/right etc. 10.0.0.0/24 is the subnet of my OpenWRT LAN.
conn pfsense
	left=1.1.1.1
	leftid=1.1.1.1
	leftsubnet=10.0.0.0/24
	right=2.2.2.2
	rightid=2.2.2.2
	rightsubnet=192.168.1.0/24
	authby=secret
	auto=start
	ike=3des-sha1-modp1024!
	esp=aes256-sha1!
If anyone could offer any insight, it would be appreciated. Thanks.
Edit: I should note that I'm running BarrierBreaker 14.07-rc3.
(Last edited by KingJ on 10 Sep 2014, 16:44)
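Added example (not part of KingJ's post, and not a reply from the thread) of the firewall3 configuration that fits the situation described. A strongSwan policy-based tunnel has no tunnel interface, so after decryption the packets from 192.168.1.0/24 are delivered on the WAN interface and evaluated by the wan zone's input/forward chains, where the default REJECT drops them; likewise the reply from the LAN is masqueraded to the WAN address before the IPsec policy sees it, so it no longer matches leftsubnet. The kernel marks packets that came out of an IPsec SA, and the iptables `policy` match (packages `iptables-mod-ipsec` and `kmod-ipt-ipsec` on OpenWrt) can test that flag; firewall3 passes `option extra` straight through to iptables. Zone names `wan`/`lan`, the rule names and the use of `masq_dest` to exclude the remote subnet from masquerading are assumptions taken from the post and from firewall3's documented zone options:

```text
# Added example fragment for /etc/config/firewall (assumed zone names: wan, lan).
# '-m policy --pol ipsec' matches only packets that were protected by IPsec
# (--dir in: just decrypted; --dir out: about to be encrypted).

# Remote LAN -> local LAN: traffic that arrived inside ESP from the pfSense peer
config rule
	option name 'IPsec-in-to-lan'
	option src 'wan'
	option dest 'lan'
	option extra '-m policy --dir in --pol ipsec --proto esp'
	option target 'ACCEPT'

# Local LAN -> remote LAN: traffic that will be encrypted on the way out
# (only needed if the lan->wan forwarding is not already allowed)
config rule
	option name 'IPsec-out-from-lan'
	option src 'lan'
	option dest 'wan'
	option extra '-m policy --dir out --pol ipsec --proto esp'
	option target 'ACCEPT'

# Peer -> this router itself, so the OpenWrt LAN address answers pings
config rule
	option name 'IPsec-in-to-router'
	option src 'wan'
	option extra '-m policy --dir in --pol ipsec --proto esp'
	option target 'ACCEPT'

# In the EXISTING 'config zone' stanza for wan (the one with option masq '1'),
# add this line so LAN->192.168.1.0/24 keeps its 10.0.0.x source address and
# still matches the leftsubnet/rightsubnet policy:
#	list masq_dest '!192.168.1.0/24'
```

After `/etc/init.d/firewall restart`, a ping from the pfSense side should increment the counters shown by `iptables -vnL zone_wan_forward` and `iptables -vnL zone_wan_input`, and `iptables -t nat -vnL zone_wan_postrouting` should show the masquerade rule carrying the `! 192.168.1.0/24` destination. `ip xfrm policy` and `ip xfrm state` (the `ip-full` package; BusyBox's ip lacks xfrm) confirm that the policies and SAs for 10.0.0.0/24 <-> 192.168.1.0/24 are installed. If you prefer to keep the masquerade exception out of UCI, the equivalent is a line in /etc/firewall.user such as `iptables -t nat -I postrouting_wan_rule -m policy --dir out --pol ipsec -j ACCEPT` (chain name assumed from firewall3's per-zone user chains). Unrelated to the firewall question, but worth changing while editing ipsec.conf: `ike=3des-sha1-modp1024!` pins IKE to 3DES and a 1024-bit DH group, both considered weak; pfSense and strongSwan both accept `aes256-sha256-modp2048!` on each side.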