Hello! I added on OpenWRT:

iptables -I FORWARD --src 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD --dst 192.168.1.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING -p ipcomp -j ACCEPT
iptables -t nat -I POSTROUTING -p ah -j ACCEPT
iptables -t nat -I POSTROUTING -p esp -j ACCEPT

These commands are enough. Now everything works well. Thanks for pointing out the problem.

2015-07-21 11:47 GMT+02:00 Noel Kuntze <[email protected]>:
>
> Hello Tomek,
>
> There is more information in the articles.
>
> 1) IPsec on modern Linux is policy based, not route based. strongSwan takes
> care of all the needed policies and routes that are needed to make it work.
> 2) Packets that don't match the negotiated policies are not transported over
> the tunnel. Your OpenWRT box sends traffic to 192.168.1.0/24 from its address
> on the WAN interface, which does not work, because it's not covered by a
> policy. The same probably happens for the TP-Link device.
> 3) Local NAT breaks IPsec, because NAT happens before the policy lookup. You
> need to exempt it from NAT with a matching policy.
> 4) The OpenWRT firewall structure is inherently incompatible with the
> interfaceless nature of IPsec on Linux. You should redesign the firewall
> rules manually and stop using LuCI.
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 21.07.2015 at 10:30, [email protected] wrote:
>> Hello!
>>
>> I have read both articles and they did not explain anything to me.
>> I have:
>> net.ipv4.ip_forward=1 in sysctl.conf
>> leftfirewall=yes, rightsubnet in ipsec.conf
>>
>> On the TP-Link I see in the route table:
>> destination: 192.168.2.0/24, gateway: N/A, flags: S, logical
>> interface: eth1, physical interface: wan1, metric: 0
>>
>> On OpenWRT I don't have routes for 192.168.1.0/24
>>
>> I can't ping 192.168.2.1 from A.A.A.A and I can't ping 192.168.1.1 from
>> B.B.B.B
>>
>> 2015-07-20 16:14 GMT+02:00 Noel Kuntze <[email protected]>:
>>>
>>> Hello Tomek,
>>>
>>> Read the introduction to strongSwan and the article
>>> about forwarding and split tunneling on the wiki.
>>>
>>> Kind regards,
>>> Noel Kuntze
>>>
>>> GPG Key ID: 0x63EC6658
>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>
>>> On 20.07.2015 at 16:13, [email protected] wrote:
>>>> Hello!
>>>>
>>>> I have made a lot of progress. The IPsec connection is set up properly.
>>>> Unfortunately ping does not work between the networks. In OpenVPN I had
>>>> tunnels as interfaces with their own addresses. I set up routing
>>>> between them. Now I don't see the ends of the IPsec tunnel among the
>>>> interfaces and don't know how to set up routing.
>>>>
>>>> root@SomeWRT:~# ipsec statusall
>>>> no files found matching '/etc/strongswan.d/*.conf'
>>>> Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.10.49, mips):
>>>>   uptime: 11 seconds, since Jul 20 15:58:34 2015
>>>>   malloc: sbrk 122880, mmap 0, used 116464, free 6416
>>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
>>>>   loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
>>>> Listening IP addresses:
>>>>   192.168.2.1
>>>> Connections:
>>>>     somename:  B.B.B.B...A.A.A.A  IKEv1
>>>>     somename:   local:  [B.B.B.B] uses pre-shared key authentication
>>>>     somename:   remote: [A.A.A.A] uses pre-shared key authentication
>>>>     somename:   child:  192.168.2.0/24 === 192.168.1.0/24 TUNNEL
>>>> Security Associations (1 up, 0 connecting):
>>>>     somename[2]: ESTABLISHED 10 seconds ago, B.B.B.B[B.B.B.B]...A.A.A.A[A.A.A.A]
>>>>     somename[2]: IKEv1 SPIs: xxxxxxxxxxxxxxxx_i xxxxxxxxxxxxxxxx_r*, rekeying disabled
>>>>     somename[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>>>     somename{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: xxxxxxxx_i xxxxxxxx_o
>>>>     somename{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
>>>>     somename{1}:   192.168.2.0/24 === 192.168.1.0/24
>>>>
>>>> 2015-07-20 14:19 GMT+02:00 Noel Kuntze <[email protected]>:
>>>>> Hello Tomek,
>>>>>
>>>>> I can tell from "Exchange Mode: Main" that it uses IKEv1.
>>>>> Append an @ to the IDs on the strongSwan side
>>>>> to force charon to send the ID as type FQDN,
>>>>> which the other side expects (you set ID type to FQDN).
>>>>> Use AES-128 instead of 3DES. You should also
>>>>> use SHA1, not MD5.
>>>>> Furthermore, you enabled PFS in
>>>>> the configuration on the TP-Link, but not in strongSwan.
>>>>> Append the correct DH group to your ESP cipher settings.
>>>>>
>>>>> Look at the logs in the web interface to find out what the TP-Link
>>>>> side doesn't like.
>>>>>
>>>>> Regards,
>>>>> Noel Kuntze
>>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>>>
>>>>> On 20.07.2015 at 13:58, [email protected] wrote:
>>>>>> Hello!
>>>>>>
>>>>>> After the change from IKEv1 to IKEv2 I have errors as shown below. In
>>>>>> the TP-Link settings I don't see the possibility to change IKEv1/v2. I
>>>>>> don't know what is even set in the TP-Link. A sample panel is visible on
>>>>>> http://www.tp-link.com.pl/resources/simulator/TL-ER6120(UN)/userRpm/Index.htm.
>>>>>> What is best to change 3DES to?
>>>>>>
>>>>>> root@SomeWRT:~# ipsec up somename
>>>>>> no files found matching '/etc/strongswan.d/*.conf'
>>>>>> initiating Main Mode IKE_SA somename[1] to A.A.A.A
>>>>>> generating ID_PROT request 0 [ SA V V V V ]
>>>>>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (152 bytes)
>>>>>> received packet: from A.A.A.A[500] to B.B.B.B[500] (56 bytes)
>>>>>> parsed INFORMATIONAL_V1 request 1324794912 [ N(NO_PROP) ]
>>>>>> received NO_PROPOSAL_CHOSEN error notify
>>>>>> establishing connection 'somename' failed
>>>>>>
>>>>>> 2015-07-19 22:32 GMT+02:00 Noel Kuntze <[email protected]>:
>>>>>>>
>>>>>>> Hello Tomek,
>>>>>>>
>>>>>>> Try using IKEv1, not IKEv2. And use a different cipher than 3DES. It
>>>>>>> is very slow.
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Noel Kuntze
>>>>>>>
>>>>>>> GPG Key ID: 0x63EC6658
>>>>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>>>>>
>>>>>>> On 19.07.2015 at 13:34, tomek_byd wrote:
>>>>>>>> I don't know how to write the correct config file for the
>>>>>>>> connection.
>>>>>>>> My config is a conglomeration of many examples from
>>>>>>>> the Internet. So far I haven't had contact with IPsec. I'm in
>>>>>>>> control of the TL-ER6120 and OpenWRT so I can make changes on both
>>>>>>>> devices. I see the error "IDr payload missing" but the parameter
>>>>>>>> "leftid" is set in the config file.
>>>>>>>>
>>>>>>>> LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET
>>>>>>>> <-> OpenWRT with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)
>>>>>>>>
>>>>>>>> TL-ER6120 configuration:
>>>>>>>> IKE Proposal: MD5, 3DES, DH2
>>>>>>>> IKE Policy:
>>>>>>>>   Exchange Mode: main,
>>>>>>>>   Local ID Type: FQDN,
>>>>>>>>   Local ID: A.A.A.A
>>>>>>>>   Remote ID Type: FQDN
>>>>>>>>   Remote ID: B.B.B.B
>>>>>>>>   Pre-shared Key: XXXXXX
>>>>>>>>   SA Lifetime: 28800
>>>>>>>>   DPD: Disable
>>>>>>>> IPsec Proposal: ESP, MD5, 3DES
>>>>>>>> IPsec Policy:
>>>>>>>>   Mode: LAN-to-LAN
>>>>>>>>   Local Subnet: 192.168.1.0/24
>>>>>>>>   Remote Subnet: 192.168.2.0/24
>>>>>>>>   WAN: WAN1
>>>>>>>>   Remote Gateway: B.B.B.B
>>>>>>>>   Policy Mode: IKE
>>>>>>>>   PFS: DH2
>>>>>>>>   SA Lifetime: 28800
>>>>>>>>
>>>>>>>> OpenWRT configuration:
>>>>>>>> /etc/ipsec.conf:
>>>>>>>> config setup
>>>>>>>>     # strictcrlpolicy = no
>>>>>>>>     # uniqueids = no
>>>>>>>> conn somename
>>>>>>>>     ikelifetime=60m
>>>>>>>>     keylife=20m
>>>>>>>>     rekeymargin=3m
>>>>>>>>     keyingtries=1
>>>>>>>>     keyexchange=ikev2
>>>>>>>>     type=tunnel
>>>>>>>>     authby=secret
>>>>>>>>     ike=3des-md5-modp1024!
>>>>>>>>     esp=3des-md5!
>>>>>>>>     rekey=no
>>>>>>>>     left=B.B.B.B
>>>>>>>>     leftid=B.B.B.B
>>>>>>>>     leftsubnet=192.168.2.0/24
>>>>>>>>     leftauth=psk
>>>>>>>>     right=A.A.A.A
>>>>>>>>     rightid=A.A.A.A
>>>>>>>>     rightsubnet=192.168.1.0/24
>>>>>>>>     rightauth=psk
>>>>>>>>     dpdaction=none
>>>>>>>>     auto=add
>>>>>>>>     mobike=no
>>>>>>>> /etc/ipsec.secrets:
>>>>>>>> A.A.A.A : PSK "XXXXXX"
>>>>>>>> B.B.B.B : PSK "XXXXXX"
>>>>>>>>
>>>>>>>> Output:
>>>>>>>> root@SomeWRT:~# ipsec up somename
>>>>>>>> no files found matching '/etc/strongswan.d/*.conf'
>>>>>>>> initiating IKE_SA somename[1] to A.A.A.A
>>>>>>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
>>>>>>>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (316 bytes)
>>>>>>>> received packet: from A.A.A.A[500] to B.B.B.B[500] (332 bytes)
>>>>>>>> parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
>>>>>>>> local host is behind NAT, sending keep alives
>>>>>>>> remote host is behind NAT
>>>>>>>> authentication of 'B.B.B.B' (myself) with pre-shared key
>>>>>>>> establishing CHILD_SA somename
>>>>>>>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
>>>>>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (212 bytes)
>>>>>>>> received packet: from A.A.A.A[4500] to B.B.B.B[4500] (68 bytes)
>>>>>>>> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
>>>>>>>> IDr payload missing
>>>>>>>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>>>>>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (68 bytes)
>>>>>>>> establishing connection 'somename' failed
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Users mailing list
>>>>>>>> [email protected]
>>>>>>>> https://lists.strongswan.org/mailman/listinfo/users
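The two points Noel makes in his last reply (traffic is only tunnelled when it matches a negotiated policy, and NAT must be bypassed for such traffic because it runs before the policy lookup) can be checked mechanically against the `ipsec statusall` output quoted in the thread. The script below is an added example, not code from the thread, from strongSwan or from OpenWRT: it parses the installed CHILD_SA traffic selectors, reports whether a given flow is covered by a policy (a ping sourced from the LAN address 192.168.2.1 is, a ping sourced from the WAN address is not), and emits NAT-exemption and FORWARD rules written in terms of the kernel's IPsec policy (`-m policy`) rather than in terms of ESP/AH as protocols. The statusall lines are copied from the thread and trimmed; the address 203.0.113.5 is a documentation-range stand-in for the placeholder B.B.B.B and is an assumption of this example.

```python
"""Added example: check flows against strongSwan's installed policies and
derive NAT-exemption firewall rules from them. Not code from the thread."""
import ipaddress
import re

# Constructed input: the CHILD_SA-related lines of the thread's `ipsec statusall`.
STATUSALL = """\
Connections:
    somename:  B.B.B.B...A.A.A.A  IKEv1
    somename:   child:  192.168.2.0/24 === 192.168.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
    somename{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: xxxxxxxx_i xxxxxxxx_o
    somename{1}:   192.168.2.0/24 === 192.168.1.0/24
"""

# Assumed stand-in for the OpenWRT box's WAN address B.B.B.B (RFC 5737 range).
WAN_ADDR = "203.0.113.5"

# Matches an installed CHILD_SA traffic-selector line: "name{n}:   local === remote".
SA_TS_RE = re.compile(
    r"^\s*(?P<conn>[^\s{]+)\{(?P<id>\d+)\}:\s+"
    r"(?P<local>[\d./]+)\s+===\s+(?P<remote>[\d./]+)\s*$"
)


def parse_policies(statusall: str):
    """Return (conn, local_net, remote_net) for each installed CHILD_SA.
    These are the outbound SPD entries the kernel actually enforces."""
    policies = []
    for line in statusall.splitlines():
        m = SA_TS_RE.match(line)
        if m:
            policies.append((
                m.group("conn"),
                ipaddress.ip_network(m.group("local")),
                ipaddress.ip_network(m.group("remote")),
            ))
    return policies


def matching_policy(policies, src: str, dst: str):
    """Return the connection whose outbound policy covers src -> dst, else None.
    A packet with no matching policy is never put into the tunnel, which is why
    a ping sourced from the WAN address silently goes nowhere."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for conn, local, remote in policies:
        if s in local and d in remote:
            return conn
    return None


def classify_flows(policies, flows):
    """Annotate each (src, dst) pair with the policy that covers it (or None)."""
    return [(src, dst, matching_policy(policies, src, dst)) for src, dst in flows]


def firewall_rules(policies):
    """Emit iptables rules per policy. The nat POSTROUTING rule keeps policy
    traffic out of SNAT/MASQUERADE (NAT runs before the policy lookup, so a
    masqueraded packet would no longer match its selector). The FORWARD rules
    admit only traffic that really was, or will be, protected by IPsec."""
    rules = []
    for _conn, local, remote in policies:
        rules.append(
            f"iptables -t nat -I POSTROUTING -s {local} -d {remote} "
            f"-m policy --dir out --pol ipsec -j ACCEPT")
        rules.append(
            f"iptables -I FORWARD -s {remote} -d {local} "
            f"-m policy --dir in --pol ipsec --proto esp -j ACCEPT")
        rules.append(
            f"iptables -I FORWARD -s {local} -d {remote} "
            f"-m policy --dir out --pol ipsec --proto esp -j ACCEPT")
    return rules


if __name__ == "__main__":
    pols = parse_policies(STATUSALL)
    flows = [
        ("192.168.2.1", "192.168.1.1"),   # LAN address of the OpenWRT box: covered
        ("192.168.2.10", "192.168.1.1"),  # a LAN B host: covered
        (WAN_ADDR, "192.168.1.1"),        # sourced from the WAN address: not covered
    ]
    for src, dst, conn in classify_flows(pols, flows):
        print(f"{src} -> {dst}: {'policy ' + conn if conn else 'NO POLICY, not tunnelled'}")
    print("\n".join(firewall_rules(pols)))
```

To test the tunnel from the router itself, source the ping from the LAN address so it falls inside the selector (`ping -I 192.168.2.1 192.168.1.1`); pinging a remote LAN host with the WAN address as source is the case the script flags as uncovered. The `-m policy` form is preferred over protocol-based rules because it exempts exactly the packets the SPD will encapsulate, and nothing else.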
