Hi Everyone,

I have been scratching my head for weeks now trying to get a routed IPsec 
site-to-site VPN working between a pfSense firewall and OpenWRT.

The setup is currently in a LAB environment to avoid issues with my production 
networks. The config is as follows:

### pfSense  ###

WAN : 192.168.45.10
IPsec subnet : 10.10.10.1/30

###############

### Arch Linux  ###

WAN : 192.168.45.30
IPsec subnet : 10.10.10.2/30

#################

Pings from the pfSense reach the Linux system and are received without 
errors:

ip_vti1: ip/ip remote 192.168.45.10 local 192.168.45.30 ttl inherit nopmtudisc 
key 42
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
   47185      3963540      0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
   0          0            98923  0        98923    0


Pings from the Linux system are being counted as NoRoute errors on the tunnel interface's TX side.

I have deleted all the iptables rules that mark outgoing packets, in the hope 
that traffic would be routed into the VTI interface, marked there, and 
therefore tunneled to the pfSense.

Mangle Chain
-P PREROUTING ACCEPT -c 1002 86651
-P INPUT ACCEPT -c 920 82059
-P FORWARD ACCEPT -c 0 0
-P OUTPUT ACCEPT -c 847 101821
-P POSTROUTING ACCEPT -c 847 101821
-A PREROUTING -s 192.168.45.10/32 -d 192.168.45.30/32 -p esp -m esp --espspi 
3448029224 -c 2871 401940 -j MARK --set-xmark 0x2a/0xffffffff
-A PREROUTING -d 10.10.10.0/30 -c 143719 14738388 -j NFLOG --nflog-group 5
-A INPUT -c 337318 30692985 -j NFLOG --nflog-group 6
-A OUTPUT -c 368660 48238051 -j NFLOG --nflog-group 7
-A POSTROUTING -c 368923 48266946 -j NFLOG --nflog-group 8

As far as I understand, the routes are correct, as seen below:

[root@arch-linux ~]# ip route get 10.10.10.1
10.10.10.1 dev ip_vti1 src 10.10.10.2 uid 0
   cache

[root@arch-linux ~]# ip route
default via 192.168.45.1 dev ens18
10.10.10.0/30 dev ip_vti1 scope link
192.168.45.0/24 dev ens18 proto kernel scope link src 192.168.45.30

Table 220 has been added but is empty.

[root@arch-linux ~]# ip rule
0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default

My Linux IPSec /etc/swanctl/swanctl.conf 👇

[root@arch-linux ~]# cat /etc/swanctl/swanctl.conf
connections {
       ipseclab {
               fragmentation = yes
               unique = replace
               version = 2
               proposals = aes256-sha256-modp2048
               dpd_delay = 10s
               dpd_timeout = 60s
               rekey_time = 25920s
               reauth_time = 0s
               over_time = 2880s
               rand_time = 2880s
               encap = no
               mobike = no
               local_addrs = 192.168.45.30
               remote_addrs = 192.168.45.10
               local {
                       id = fqdn:ipsec-lab-openwrt
                       auth = psk
               }
               remote {
                       id = fqdn:ipsec-lab-pfsense
                       auth = psk
               }
               children {
                       con1 {
                               close_action = start
                               dpd_action = restart
                               policies = no
                               life_time = 3600s
                               rekey_time = 3240s
                               rand_time = 360s
                               start_action = start
                               remote_ts = 0.0.0.0/0
                               local_ts = 10.10.10.2/30
                               esp_proposals = aes256gcm128-modp2048
                               mark_in = 42
                               mark_out = 42
                               updown = /root/02.ipsec-log.sh
                       }
               }
       }
}
secrets {
       ike-0 {
               secret = e559c752478188f3fca07ab3e5fcd1ff02f5c55574b576920c67c443
               id-0 = %any
               id-1 = fqdn:ipsec-lab-pfsense
       }
}

[root@arch-linux ~]# cat /etc/strongswan.conf
starter {
       load_warning = no
}

charon {
       install_routes = no
       install_virtual_ip = no # not used on the pfSense side; added from internet tutorials.
       load_modular = yes

       # File Logging
       filelog {
               charon {
               # path to the log file; specify this as the section name in versions prior to 5.7.0
               path = /root/charon.log
               # add a timestamp prefix
               time_format = %b %e %T
               # prepend connection name, simplifies grepping
               ike_name = yes
               # overwrite existing files
               append = no
               # increase default loglevel for all daemon subsystems
               #default = -1

               app = 4
               asn = 4
               cfg = 4
               chd = 4
               dmn = 4
               enc = 4
               esp = 4
               ike = 4 # set to 2 to troubleshoot
               imc = 4
               imv = 4
               job = 4
               knl = 4 # set to 2 to troubleshoot
               lib = 4
               mgr = 4
               net = 4
               pts = 4
               tls = 4
               tnc = 4

               # flush each line to disk
               flush_line = yes
               }
       }
       syslog {
           identifier = charon
               # log everything under daemon, since it ends up in the same place regardless with our syslog.conf
               daemon {
                       ike_name = yes
                       app = -1
                       asn = -1
                       cfg = -1
                       chd = -1
                       dmn = -1
                       enc = 4
                       esp = 4
                       ike = -1 # set to 2 to troubleshoot
                       imc = -1
                       imv = -1
                       job = -1
                       knl = -1 # set to 2 to troubleshoot
                       lib = 4
                       mgr = -1
                       net = -1
                       pts = -1
                       tls = -1
                       tnc = -1
               }
               # disable logging under auth so logs aren't duplicated
               auth {
                       default = -1 # set to 2 for troubleshooting; -1 to suppress
                       ike = -1
               }
       }
       plugins {
               include strongswan.d/charon/*.conf
       }
}

And finally, the status of my IPSec daemon :

[root@arch-linux ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.3, Linux 5.13.12-arch1-1, x86_64):
 uptime: 66 minutes, since Aug 30 15:52:11 2021
 malloc: sbrk 2965504, mmap 0, used 1061360, free 1904144
 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 
3
 loaded plugins: charon ldap pkcs11 aes des rc2 sha2 sha3 sha1 md5 mgf1 random 
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ntru 
drbg newhope bliss curl sqlite attr kernel-netlink resolve socket-default bypass
-lan connmark forecast farp stroke vici updown eap-identity eap-sim eap-aka 
eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc 
eap-mschapv2
eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap 
xauth-pam xauth-noauth dhcp radattr unity counters
Listening IP addresses:
 192.168.45.30
 10.10.10.2
Connections:
   ipseclab:  192.168.45.30...192.168.45.10  IKEv2, dpddelay=10s
   ipseclab:   local:  [ipsec-lab-openwrt] uses pre-shared key authentication
   ipseclab:   remote: [ipsec-lab-pfsense] uses pre-shared key authentication
       con1:   child:  10.10.10.0/30 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Shunted Connections:
Bypass LAN 10.10.10.0/30:  10.10.10.0/30 === 10.10.10.0/30 PASS
Bypass LAN 192.168.45.0/24:  192.168.45.0/24 === 192.168.45.0/24 PASS
Bypass LAN ::1/128:  ::1/128 === ::1/128 PASS
Bypass LAN fe80::/64:  fe80::/64 === fe80::/64 PASS
Security Associations (1 up, 0 connecting):
   ipseclab[2]: ESTABLISHED 66 minutes ago, 
192.168.45.30[ipsec-lab-openwrt]...192.168.45.10[ipsec-lab-pfsense]
   ipseclab[2]: IKEv2 SPIs: e38541185347872a_i* 68249287d7529bd9_r, rekeying in 
5 hours
   ipseclab[2]: IKE proposal: 
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
       con1{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c3cf4b91_i c742e267_o
       con1{2}:  AES_GCM_16_256/MODP_2048, 86268 bytes_i, 0 bytes_o, rekeying 
in 30 minutes
       con1{2}:   10.10.10.0/30 === 0.0.0.0/0

I have run a tcpdump capture and I can see the encapsulated ping packet, but 
its destination, which apparently was generated by IPsec, seems incorrect.

5 0.000002 10.10.10.2 >> 10.10.10.2 ICMP 144 Destination unreachable (Host 
unreachable)
Frame 15: 144 bytes on wire (1152 bits), 144 bytes captured (1152 bits)
Linux Netfilter NFLOG
    Family: IPv4 (2)
    Version: 0
    Resource id: 7
    TLV Type: NFULA_PACKET_HDR (1), Length: 8
        Length: 8
        .000 0000 0000 0001 = Type: NFULA_PACKET_HDR (1)
        HW protocol: IPv4 (0x0800)
        Netfilter hook: Local out (3)
    TLV Type: NFULA_PREFIX (10), Length: 5
        Length: 5
        .000 0000 0000 1010 = Type: NFULA_PREFIX (10)
        Prefix:
    TLV Type: NFULA_IFINDEX_OUTDEV (5), Length: 8
        Length: 8
        .000 0000 0000 0101 = Type: NFULA_IFINDEX_OUTDEV (5)
        IFINDEX_OUTDEV: 1
    TLV Type: NFULA_PAYLOAD (9), Length: 116
        Length: 116
        .000 0000 0000 1001 = Type: NFULA_PAYLOAD (9)
Internet Protocol Version 4, Src: 10.10.10.2, Dst: 10.10.10.2
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 1 (Host unreachable)
    Checksum: 0xfcfe [correct]
    [Checksum Status: Good]
    Unused: 00000000
    Internet Protocol Version 4, Src: 10.10.10.2, Dst: 10.10.10.1
        0100 .... = Version: 4
        .... 0101 = Header Length: 20 bytes (5)
        Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        Total Length: 84
        Identification: 0x03e4 (996)
        Flags: 0x40, Don't fragment
        Fragment Offset: 0
        Time to Live: 64
        Protocol: ICMP (1)
        Header Checksum: 0x0eaf [validation disabled]
        [Header checksum status: Unverified]
        Source Address: 10.10.10.2
        Destination Address: 10.10.10.1
    Internet Control Message Protocol
        Type: 8 (Echo (ping) request)
        Code: 0
        Checksum: 0x90b7 [unverified] [in ICMP error packet]
        [Checksum Status: Unverified]
        Identifier (BE): 45 (0x002d)
        Identifier (LE): 11520 (0x2d00)
        Sequence Number (BE): 494 (0x01ee)
        Sequence Number (LE): 60929 (0xee01)
        Timestamp from icmp data: Aug 30, 2021 14:51:39.000000000 BST
        [Timestamp from icmp data (relative): 0.801353000 seconds]
        Data (48 bytes)
            Data: 
0a17040000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b…
            [Length: 48]


Any help would be extremely appreciated.

Many Thanks !!
