OpenWrt Forum Archive

Topic: IPSEC/Openswan for interop with UTM's/VPN appliances

The content of this topic has been archived on 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Well, I've been messing about for a while and found it hard going to get the right information to form an IPsec setup with Openswan. I use this config on other UTMs and have been looking for a while at being able to make VPN support on an 'open' style router; I can't find that anywhere else for current hardware. There are a lot of truly crappy VPN appliances out there in the $300-$1000 space, and it's pretty exciting to find something with such functionality for around the $50-100 mark with a decent router purchase. Now, one of the biggest issues I had was getting Openswan to work properly, and that pretty much relies on the right kernel modules being loaded. If they aren't, you'll get a hell of a lot of issues; it was picking up different kernel support sometimes each time it loaded and was not doing it right.

Of course, first I installed openswan. Then, for me, I found I had to install ipsec-tools to get the kernel modules that provide encryption support (kmod-crypto-xxx, crypto kernel module dependencies), but then remove it again, otherwise the kernel would try to use NETKEY and this was just pretty much broken; it would complain about missing files etc. KLIPS is the way I ended up getting it working (NOT mast!). This kind of thing happened with 3 different OpenWrt versions I tried. Right now, I am on bleeding edge from the trunk, which looks good; final should be great.

Here's a client roadwarrior setup;

version 2.0

config setup
        # pin the kernel stack; left unset, Openswan autodetects and may pick MAST/NETKEY
        protostack=klips

conn paneltest
        left=%defaultroute
        leftid=n@testnew
        # router's own LAN address (placeholder); makes traffic originating on the router use the tunnel
        leftsourceip=%LANIP/ROUTERLEFTIP%
        leftsubnet=172.16.6.0/24
        leftnexthop=%defaultroute
        # peer's public address (placeholder)
        right=$$YOURRIGHTIPADDRESS$$
        #rightid=n@testnew
        rightsubnet=172.16.13.0/24
        #rightsourceip=$$OPTIONALIPADDRESS$$
        # phase 1 (IKE) and phase 2 (ESP) proposals; must match the peer
        ike=AES128-SHA-MODP1024
        esp=AES128-SHA1
        aggrmode=yes
        auto=start
        authby=secret
        keyexchange=ike
        auth=esp
        #x-l2tpd=no
        # dead peer detection
        dpddelay=10
        dpdtimeout=22
        dpdaction=restart
        compress=yes
        ikelifetime=120m
        keylife=60m

With the key set in ipsec.secrets and the other side of the router set up right (I use compression), it works a treat, including dead peer detection. All I had to do for iptables was create a new 'VPN' network zone and allow traffic to/from the LAN zone. I have one link with dynamic IP on both sides, but using the right/leftids also works fine. I had three links to different UTMs overnight and all were stable. A 1.3mbit upstream (from DSL with annex-m) from the unit, compressed, was using about 10-20% of CPU time. Excellent.

Advice for a broken config is to watch the system and whack status for both ends of the link if possible, and ensure the phases have the correct settings. If you don't watch the errors, you won't see what you've done wrong!

I'm using a TP-LINK TL-WR1043ND; it's unfortunate more people aren't using OpenWrt for VPNs as a UTM replacement. The extra LEDs are simply reassigned for use as VPN status lights, and that is one of the things that has been at the top of my list as a requirement for a VPN appliance from the market. All we need now is an interface for ipsec.conf and/or even ipsec status in LuCI and (maybe as a bonus) PPTP config/support. I don't know about anyone else, but I'd certainly be willing to donate a modest amount towards the project or someone who could/would do this. I can see the new interface (from bleeding edge) is pretty functionally advanced compared to DD-WRT for wireless, but more usable IPsec VPN support means it can be readily moved into enterprise router space, and I think that means lifting the profile of the distribution significantly.

For those of you who are new to manual IPsec control (I certainly am/was), here are a few commands I found useful:

ipsec eroute
ipsec setup restart
/etc/init.d/ipsec enable (for boot start)

ipsec auto --up paneltest
ipsec auto --down paneltest

ipsec whack --status
ipsec whack --name paneltest --debug-raw


Anyhow, I'm not sure if all of these are required, but this is what I have running on my box:
base-files busybox crda ddns-scripts dnsmasq dropbear firewall glib1 hotplug2 ip iptables iptables-mod-conntrack iptables-mod-ipopt iptables-mod-ipsec iptables-mod-nat iw kernel kmod-ath kmod-ath9k kmod-button-hotplug kmod-cfg80211 kmod-crc-ccitt kmod-crypto-aes kmod-crypto-arc4 kmod-crypto-cbc kmod-crypto-core kmod-crypto-deflate kmod-crypto-des kmod-crypto-hmac kmod-crypto-md5 kmod-crypto-sha1 kmod-input-core kmod-input-gpio-buttons kmod-input-polldev kmod-ipt-conntrack kmod-ipt-core kmod-ipt-ipopt kmod-ipt-ipsec kmod-ipt-nat kmod-ipt-nathelper kmod-iptunnel4 kmod-ipv6 kmod-leds-gpio kmod-ledtrig-usbdev kmod-mac80211 kmod-nls-base kmod-openswan kmod-ppp kmod-pppoe kmod-usb-core kmod-usb-ohci kmod-usb2 libc libgcc libgmp libiptc libiwinfo liblua libncurses libnl-tiny libopenssl libpcap libpthread libuci libuci-lua libxtables lua luci luci-app-ddns luci-app-firewall luci-app-initmgr luci-i18n-english luci-lib-core luci-lib-ipkg luci-lib-lmo luci-lib-nixio luci-lib-sys luci-lib-web luci-mod-admin-core luci-mod-admin-full luci-sgi-cgi luci-theme-base luci-theme-openwrt mc mtd openswan opkg ppp ppp-mod-pppoe swconfig tcpdump uci udevtrigger uhttpd wireless-tools wpad-mini zlib

I still have over 1MB free so plenty to play with, and mc certainly isn't really necessary. I hope this helps someone who is looking to do something similar to what I am doing; very exciting.

edit: updated to add leftsourceip. Without this it would tunnel fine, but with IPsec on the WAN interface I was unable to get to the other side of the VPN when my traffic source was directly from the router, due to the src value on 'ip route' for that route not being set!

(Last edited by trimmings on 23 Mar 2011, 06:11)
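As an added example that is not part of the post above, nor a tool shipped with Openswan: a small Python checker that parses an ipsec.conf laid out like the one above and flags the settings this thread turned out to hinge on (an unpinned protostack, a leftsubnet without leftsourceip, a dpdtimeout that does not exceed dpddelay) together with two IKEv1 caveats a practitioner would want called out (modp1024 and aggressive mode with a pre-shared key). Both configs are constructed here; the peer address 10.0.0.1 and router LAN address 172.16.6.1 are placeholders, the modp2048 proposal in the fixed config is a suggested substitute the peer would also have to accept, and the check list is an assumption drawn from the thread plus general IKEv1 practice, not Openswan's own validation.

```python
"""Sanity-check an Openswan ipsec.conf for the pitfalls discussed in this thread.
Added example, not code from the thread or from Openswan; the two configs are constructed
and 10.0.0.1 (peer) / 172.16.6.1 (router LAN address) are placeholders."""
import re
from typing import Dict, List

# Constructed: the roadwarrior conn above with protostack left to autodetect,
# leftsourceip missing (the two things the thread fixed) and dpdtimeout < dpddelay.
SAMPLE_CONF = """\
version 2.0
config setup
        # protostack deliberately omitted
conn paneltest
        left=%defaultroute
        leftsubnet=172.16.6.0/24
        right=10.0.0.1
        rightsubnet=172.16.13.0/24
        ike=AES128-SHA-MODP1024
        aggrmode=yes
        authby=secret
        dpddelay=10
        dpdtimeout=8
        ikelifetime=120m
        keylife=60m
"""

# Constructed: the same conn with every finding below addressed.
FIXED_CONF = """\
version 2.0
config setup
        protostack=klips
conn paneltest
        left=%defaultroute
        leftsourceip=172.16.6.1
        leftsubnet=172.16.6.0/24
        right=10.0.0.1
        rightsubnet=172.16.13.0/24
        ike=aes128-sha1-modp2048
        authby=secret
        dpddelay=10
        dpdtimeout=22
        ikelifetime=120m
        keylife=60m
"""


def to_seconds(value: str) -> int:
    """Openswan durations: bare seconds or an s/m/h/d suffix."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2) or "s"]


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; 'config setup' is stored under 'setup'.
    Section headers start in column 0, settings are indented, '#' starts a comment."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():  # header: 'conn NAME', 'config setup' or 'version 2.0'
            parts = line.split()
            current = parts[1] if parts[0] in ("conn", "config") and len(parts) > 1 else None
            if current is not None:
                sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        sections[current][key.lower()] = value.strip('"')
    return sections


def check_conf(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings as strings; an empty list means none of the pitfalls matched."""
    findings: List[str] = []
    if sections.get("setup", {}).get("protostack") not in ("klips", "netkey", "mast"):
        findings.append("setup: protostack not pinned; Openswan will autodetect (KLIPS vs MAST)")
    for name, conn in sections.items():
        if name == "setup":
            continue
        if "leftsubnet" in conn and "leftsourceip" not in conn:
            findings.append(f"{name}: leftsubnet without leftsourceip; router-originated traffic misses the tunnel")
        if "dpddelay" in conn and "dpdtimeout" in conn and to_seconds(conn["dpdtimeout"]) <= to_seconds(conn["dpddelay"]):
            findings.append(f"{name}: dpdtimeout should exceed dpddelay")
        if "ikelifetime" in conn and "keylife" in conn and to_seconds(conn["ikelifetime"]) < to_seconds(conn["keylife"]):
            findings.append(f"{name}: ikelifetime shorter than keylife; the IKE SA rekeys more often than the ESP SA")
        if "modp1024" in conn.get("ike", "").lower():
            findings.append(f"{name}: ike uses modp1024 (DH group 2); prefer modp2048 or stronger")
        if conn.get("aggrmode", "no") == "yes" and conn.get("authby") == "secret":
            findings.append(f"{name}: aggressive mode with a PSK exposes the secret to offline guessing; prefer main mode")
    return findings
```

Run it with `python3 ipsec_check.py` after adding `print(check_conf(parse_ipsec_conf(open("/etc/ipsec.conf").read())))`, or point `parse_ipsec_conf` at the file directly; the posted config passes every check except the two IKEv1 caveats, which you can only change if the peer UTM accepts main mode and a larger DH group.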

Thank you! Thank you! Thank you!!!!

That bit about KLIPS, not MAST, was a godsend. (MAST also says KLIPSng sometimes in the logs.)

Just moved from my old White Russian based Linksys WRT54GL to Backfire (10.03.1 rc5) on a Buffalo G300NH.

And on the new router, traffic would get from the server to my OpenWrt and out to the LAN, but any traffic from the LAN would get to OpenWrt and then not onto the ipsec0 interface, and thus not through the tunnel.

Been banging my head for a while now (probably about 3-4 hours over the past two nights) trying to get it going. Nothing in the Openswan docs on it, and not much in the OpenWrt wiki. Finally found this post and bam, sure enough, in my logs it sees a KLIPS kernel module but then tries to do KLIPSng/MAST for the tie-ins, which didn't work too well.

Just changed protostack=klips and all working.
And nice pointer on 'ipsec eroute': had none before, now shows one. Yay!

I also found this post which seems to back your post saying to specify and not let it autodetect:
http://lists.openswan.org/pipermail/use … 20279.html

I could honestly kiss you....

I've been trying to get Openswan on the latest Backfire going to a Juniper box (and I thought I was well-versed in IPsec) for about 2 weeks... was at the screaming stage, but klips/leftsourceip solved my problems.

I think I've gone through literally gigs of debug=all output trying to sort that out; every time, the link comes up on both ends but no traffic gets through...

Such a useful little bit of information that config.

Thanks so very much for the post!

I've found StrongSwan to be extremely well documented. It seems that every time I need to get an IPsec VPN up, I install OpenSwan and dick around for a few days whilst banging my head against the wall. Then I install StrongSwan and it's working almost immediately... with native NETKEY and none of this KLIPS nonsense.

(Last edited by aport on 13 Sep 2011, 19:17)

I may have to try strongSwan at some point. Is strongSwan UCI and LuCI tied in?

Openswan has been pretty easy for me. Only the auto-detect in the 2.6 kernel caused an issue with my upgrade, and setting that solved things quite quickly.

FYI, Openswan does NETKEY as well. I personally like KLIPS: none of the marking IP transformation nonsense to get firewalls working. It's a bit of a pain to get iptables protections using NETKEY. My server end of the connection (from Backfire on a Buffalo router) is a CentOS 5 box running Openswan with NETKEY. From the release notes it looks like the latest Openswan and kernel packages support KLIPS now, so I will probably try going that way so I can fix up my iptables rules again.

aport wrote:

I've found StrongSwan to be extremely well documented. It seems that every time I need to get an IPsec VPN up, I install OpenSwan and dick around for a few days whilst banging my head against the wall. Then I install StrongSwan and it's working almost immediately... with native NETKEY and none of this KLIPS nonsense.

I'm reasonably familiar with strongSwan... in this particular case it's not an option for me, though I've not used either before with something like OpenWrt myself.
