Hello! I have read both articles and it did not explain anything to me. I have:
net.ipv4.ip_forward=1 in sysctl.conf
leftfirewall=yes, rightsubnet in ipsec.conf
On TP-Link I see in the route table: destination: 192.168.2.0/24, gateway: N/A, flags: S, logical interface: eth1, physical interface: wan1, metric: 0
On OpenWRT I have no routes for 192.168.1.0/24.
I can't ping 192.168.2.1 from A.A.A.A and I can't ping 192.168.1.1 from B.B.B.B.

2015-07-20 16:14 GMT+02:00 Noel Kuntze <[email protected]>:
>
> Hello Tomek,
>
> Read the introduction to strongswan and the article
> about forwarding and split tunneling on the wiki.
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 20.07.2015 at 16:13, [email protected] wrote:
>> Hello!
>>
>> I have made a lot of progress. The IPsec connection is set up properly.
>> Unfortunately ping does not work between the networks. In OpenVPN I had
>> tunnels in interfaces with their own addresses. I set up routing
>> between them. Now I don't see the ends of the IPsec tunnel in
>> interfaces and don't know how to set up routing.
>>
>> root@SomeWRT:~# ipsec statusall
>> no files found matching '/etc/strongswan.d/*.conf'
>> Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.10.49, mips):
>>   uptime: 11 seconds, since Jul 20 15:58:34 2015
>>   malloc: sbrk 122880, mmap 0, used 116464, free 6416
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
>>   loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
>> Listening IP addresses:
>>   192.168.2.1
>> Connections:
>>     somename:  B.B.B.B...A.A.A.A  IKEv1
>>     somename:   local:  [B.B.B.B] uses pre-shared key authentication
>>     somename:   remote: [A.A.A.A] uses pre-shared key authentication
>>     somename:   child:  192.168.2.0/24 === 192.168.1.0/24 TUNNEL
>> Security Associations (1 up, 0 connecting):
>>     somename[2]: ESTABLISHED 10 seconds ago, B.B.B.B[B.B.B.B]...A.A.A.A[A.A.A.A]
>>     somename[2]: IKEv1 SPIs: xxxxxxxxxxxxxxxx_i xxxxxxxxxxxxxxxx_r*, rekeying disabled
>>     somename[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>     somename{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: xxxxxxxx_i xxxxxxxx_o
>>     somename{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
>>     somename{1}:   192.168.2.0/24 === 192.168.1.0/24
>>
>> 2015-07-20 14:19 GMT+02:00 Noel Kuntze <[email protected]>:
>>> Hello Tomek,
>>>
>>> I can tell from "Exchange Mode: Main" that it uses IKEv1.
>>> Append an @ to the IDs on the strongSwan side
>>> to force charon to send the ID as type FQDN,
>>> which the other side expects (you set ID type to FQDN).
>>> Use AES-128 instead of 3DES. You should also
>>> use SHA1, not MD5. Furthermore, you enabled PFS in
>>> the configuration on the TP link, but not in strongSwan.
>>> Append the correct dh group to your ESP cipher settings.
>>>
>>> Look at the logs in the webinterface to find out what the TP link
>>> side doesn't like.
>>>
>>> Regards,
>>> Noel Kuntze
>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>
>>> On 20.07.2015 at 13:58, [email protected] wrote:
>>>> Hello!
>>>>
>>>> After the change from IKEv1 to IKEv2 I have errors as shown below. In
>>>> the TP-Link settings I don't see the possibility to change IKEv1/v2. I
>>>> don't know what is even set in the TP-Link. A sample panel is visible on
>>>> http://www.tp-link.com.pl/resources/simulator/TL-ER6120(UN)/userRpm/Index.htm.
>>>> What is best to change 3DES to?
>>>>
>>>> root@SomeWRT:~# ipsec up somename
>>>> no files found matching '/etc/strongswan.d/*.conf'
>>>> initiating Main Mode IKE_SA somename[1] to A.A.A.A
>>>> generating ID_PROT request 0 [ SA V V V V ]
>>>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (152 bytes)
>>>> received packet: from A.A.A.A[500] to B.B.B.B[500] (56 bytes)
>>>> parsed INFORMATIONAL_V1 request 1324794912 [ N(NO_PROP) ]
>>>> received NO_PROPOSAL_CHOSEN error notify
>>>> establishing connection 'somename' failed
>>>>
>>>> 2015-07-19 22:32 GMT+02:00 Noel Kuntze <[email protected]>:
>>>>> Hello Tomek,
>>>>>
>>>>> Try using IKEv1, not IKEv2. And use a different cipher than 3DES. It is
>>>>> very slow.
>>>>>
>>>>> Kind Regards,
>>>>> Noel Kuntze
>>>>>
>>>>> GPG Key ID: 0x63EC6658
>>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>>>
>>>>> On 19.07.2015 at 13:34, tomek_byd wrote:
>>>>>> I don't know how to write the correct config file for the connection.
>>>>>> My config is a conglomeration of many examples from the Internet. So
>>>>>> far I haven't had contact with IPsec. I'm in control of the
>>>>>> TL-ER6120 and OpenWRT, so I can make changes on both devices. I see
>>>>>> the error "IDr payload missing" but the parameter "leftid" is set in the
>>>>>> config file.
>>>>>>
>>>>>> LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET <->
>>>>>> OpenWRT with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)
>>>>>>
>>>>>> TL-ER6120 configuration:
>>>>>> IKE Proposal: MD5, 3DES, DH2
>>>>>> IKE Policy:
>>>>>>   Exchange Mode: main,
>>>>>>   Local ID Type: FQDN,
>>>>>>   Local ID: A.A.A.A
>>>>>>   Remote ID Type: FQDN
>>>>>>   Remote ID: B.B.B.B
>>>>>>   Pre-shared Key: XXXXXX
>>>>>>   SA Lifetime: 28800
>>>>>>   DPD: Disable
>>>>>> IPsec Proposal: ESP, MD5, 3DES
>>>>>> IPsec Policy:
>>>>>>   Mode: LAN-to-LAN
>>>>>>   Local Subnet: 192.168.1.0/24
>>>>>>   Remote Subnet: 192.168.2.0/24
>>>>>>   WAN: WAN1
>>>>>>   Remote Gateway: B.B.B.B
>>>>>>   Policy Mode: IKE
>>>>>>   PFS: DH2
>>>>>>   SA Lifetime: 28800
>>>>>>
>>>>>> OpenWRT configuration:
>>>>>> /etc/ipsec.conf:
>>>>>> config setup
>>>>>>     # strictcrlpolicy = no
>>>>>>     # uniqueids = no
>>>>>> conn somename
>>>>>>     ikelifetime=60m
>>>>>>     keylife=20m
>>>>>>     rekeymargin=3m
>>>>>>     keyingtries=1
>>>>>>     keyexchange=ikev2
>>>>>>     type=tunnel
>>>>>>     authby=secret
>>>>>>     ike=3des-md5-modp1024!
>>>>>>     esp=3des-md5!
>>>>>>     rekey=no
>>>>>>     left=B.B.B.B
>>>>>>     leftid=B.B.B.B
>>>>>>     leftsubnet=192.168.2.0/24
>>>>>>     leftauth=psk
>>>>>>     right=A.A.A.A
>>>>>>     rightid=A.A.A.A
>>>>>>     rightsubnet=192.168.1.0/24
>>>>>>     rightauth=psk
>>>>>>     dpdaction=none
>>>>>>     auto=add
>>>>>>     mobike=no
>>>>>> /etc/ipsec.secrets
>>>>>> A.A.A.A : PSK "XXXXXX"
>>>>>> B.B.B.B : PSK "XXXXXX"
>>>>>>
>>>>>> Output:
>>>>>> root@SomeWRT:~# ipsec up somename
>>>>>> no files found matching '/etc/strongswan.d/*.conf'
>>>>>> initiating IKE_SA somename[1] to A.A.A.A
>>>>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
>>>>>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (316 bytes)
>>>>>> received packet: from A.A.A.A[500] to B.B.B.B[500] (332 bytes)
>>>>>> parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
>>>>>> local host is behind NAT, sending keep alives
>>>>>> remote host is behind NAT
>>>>>> authentication of 'B.B.B.B' (myself) with pre-shared key
>>>>>> establishing CHILD_SA somename
>>>>>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
>>>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (212 bytes)
>>>>>> received packet: from A.A.A.A[4500] to B.B.B.B[4500] (68 bytes)
>>>>>> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
>>>>>> IDr payload missing
>>>>>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>>>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (68 bytes)
>>>>>> establishing connection 'somename' failed
>>>>>>
>>>>>> _______________________________________________
>>>>>> Users mailing list
>>>>>> [email protected]
>>>>>> https://lists.strongswan.org/mailman/listinfo/users
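As an added diagnostic (not part of this thread and not a strongSwan tool), the script below parses `ipsec statusall` output in the layout quoted above and flags the two things the thread turns on: an ESP proposal with no DH group while the TP-Link side has PFS enabled, and a CHILD_SA whose byte counters stay at zero, which means packets never reach the IPsec policy, so the fault is in forwarding or the firewall rather than in the tunnel. The sample output is constructed from the quoted one, with the same placeholder addresses and SPIs.

```python
import re

# Constructed sample mirroring the `ipsec statusall` output quoted in the thread.
SAMPLE_STATUS = """\
Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.10.49, mips):
Connections:
    somename:  B.B.B.B...A.A.A.A  IKEv1
    somename:   child:  192.168.2.0/24 === 192.168.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
    somename[2]: ESTABLISHED 10 seconds ago, B.B.B.B[B.B.B.B]...A.A.A.A[A.A.A.A]
    somename[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    somename{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: xxxxxxxx_i xxxxxxxx_o
    somename{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
    somename{1}:   192.168.2.0/24 === 192.168.1.0/24
"""

# CHILD_SA lines are the ones carrying "{id}" after the connection name.
CHILD_RE = re.compile(r"^\s*(\w+)\{(\d+)\}:\s+(.*)$")

def parse_child_sas(status):
    """Collect per-CHILD_SA state: installed flag, ESP proposal, PFS, bytes, selectors."""
    sas = {}
    for line in status.splitlines():
        m = CHILD_RE.match(line)
        if not m:
            continue
        name, cid, rest = m.groups()
        sa = sas.setdefault(cid, {"name": name})
        if rest.startswith("INSTALLED"):
            sa["installed"] = True
        elif "bytes_i" in rest:
            algs = rest.split(",")[0]          # e.g. AES_CBC_128/HMAC_SHA1_96[/MODP_1024]
            sa["esp"] = algs
            sa["pfs"] = bool(re.search(r"/(MODP|ECP|CURVE)_", algs))
            sa["bytes_i"] = int(re.search(r"(\d+) bytes_i", rest).group(1))
            sa["bytes_o"] = int(re.search(r"(\d+) bytes_o", rest).group(1))
        elif "===" in rest:
            sa["local_ts"], sa["remote_ts"] = [s.strip() for s in rest.split("===")]
    return sas

def diagnose(status, local_subnet, remote_subnet, peer_pfs=True):
    """Return findings for the symptoms discussed in the thread."""
    findings = []
    for cid, sa in parse_child_sas(status).items():
        if not sa.get("installed"):
            findings.append(f"{cid}: CHILD_SA not INSTALLED")
            continue
        if (sa.get("local_ts"), sa.get("remote_ts")) != (local_subnet, remote_subnet):
            findings.append(f"{cid}: traffic selectors differ from expected subnets")
        if peer_pfs and not sa.get("pfs"):
            findings.append(f"{cid}: no DH group in ESP proposal; peer expects PFS")
        if sa.get("bytes_i", 0) == 0 and sa.get("bytes_o", 0) == 0:
            findings.append(f"{cid}: 0 bytes both ways; check ip_forward and FORWARD policy")
    return findings
```

Run `diagnose(SAMPLE_STATUS, "192.168.2.0/24", "192.168.1.0/24")` on the router after reproducing the ping test; once counters move, the remaining question is routing on the far side, not the tunnel.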
