OpenWrt Forum Archive

Topic: IPsec Road Warrior Configuration & Attitude Adjustment Beta & iPhone

The content of this topic has been archived on 13 Jul 2017. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Dear all,

I am quite new to OpenWrt (used DD-Wrt a lot during the last couple of years, but finally want to get rid of it) and am very impressed of the project.

At the moment I am trying to set up a IPsec Road Warrior Configuration. Basically I would like to configure OpenWrt in a way, that I can log in to my private network from outside my LAN via IPsec and my iPhone.

What I did was:
- Following Wiki IPsec Basics
- Following Wiki IPsec Firewall
- Following Wiki IPsec Road Warrior Configuration
- And trying Wiki IPsec With Certificates
- Gooooooooooogle * 1000000000
- OpenWrt Forum Search
- :-(

I am now struggling with it for three days and am about to give up :-(   I really hope someone can help. Hardware is TP-Link TL-WDR4300, Build is openwrt-ar71xx-generic-tl-wdr4300-v1-squashfs-sysupgrade_attitude-adjustment_12-09-beta.

First of all the Wiki articles seem to be buggy (?) or not adaptet for Attitute Adjustment:
- The "ps" command has no "-ef" switch on my busybox, so I simply removed "-ef" from /etc/init.d/racoon
- There was also a problem with "blowfish" encryption. This is statet anywhere (sorry, can't remember where), but my Kernel was not able to run that. So I simply removed that option. Finally racoon started without any problems (just startet, but no connection possible)
- Then I followed the Firewall article but that broke my network connection. It says that you don't need to set up any Zone forwardings, but without you can't reach anything. Firewall does not seem to be an issue now, I can see that my iPhone is able to connect from outside. Possible, that my Firewall configuration is totally insecure atm, but since I'm just testing internally that is no real concern up to now (would like to get IPsec working first before thinking about that).

Then I tried to configure racoon (for almost 3 days) but didn't get my iPhone connecting to it, tried almost everything :-(
- When setting "exchange_mode" to "aggressive" I almost always get "ERROR: exchange Identity Protection not allowed in any applicable rmconf."
- When setting "exchange_mode" to "main" it seems to work better, but connection fails with "ERROR: mode config 6 from 192.168.1.109[500], but we have no ISAKMP-SA."
- Then I also played around with IPsec Certificates, this failed with "unknown certtype".
- Toggled almost every flag I found for racoon, no success

I could cry :-(

Please, I would be thankfull for any advice!!

Hmm, noone with an idea? :-(

Struggled with it again today without success. Since I do not seem to be able to get racoon running properly I today tried strongswan. Read a few things about it and some articles mentioned that it is easier to configure and capable of serving for the iPhone.

What i did (again on Attitute Adjustment Beta):
- opkg install strongswan
- /etc/init.d/strongswan ==> does not exist
- /etc/inti.d/ipsec ==> does not exist

Anyway there is an article here in the forum, 2 users had the same problem of a non-existant init script. A brief reply of another user was to look at the strongswan readme (actually there is nothing about that in the readme as far as I have seen it). Searched a lot and found that it seems that the strongswan team decided not to include init scripts anymore. Bump.
Well, what is even worst, there does not seem to be a binary file for strongswan when i install it with opkg, so even with an init script nothing would run. That is the output of "opkg files strongswan":
Package strongswan (5.0.0-1) is installed on root and has the following files:
/usr/lib/ipsec/libhydra.so.0
/usr/lib/ipsec/libstrongswan.so.0
/usr/lib/ipsec/libstrongswan.so.0.0.0
/etc/ipsec.secrets
/etc/strongswan.conf
/usr/lib/ipsec/libhydra.so.0.0.0
/lib/upgrade/keep.d/strongswan

So how can I run it!? Tried to search the binary manually, did not find anything :-(

PLEASE, any advice (ether on racoon = most prefered, or strongswan) would be GREAT!

Will google around another few hours and then propably try openswan. Up to now IPsec + Road Warrior Setup + iPhone seems to be a no-go on OpenWrt ..... or I seem to be to stupid for OpenWrt smile

Regarding strongswan installation: Yes, I have been to stupid :-)

Just in case anyone else ever struggles with it:
- You should not install "strongswan" but "strongswan-default", so "opkg update && opkg install strongswan-default"
- When installing it complained about "check_data_file_clashes: Package strongswan-utils wants to install file /usr/lib/ipsec/_copyright"  "But that file is already provided by package  * strongswan-mod-stroke"
- I simply deleted /usr/lib/ipsec/_copyright and re-run "opkg install strongswan-default"

There is still no init script in /etc/init.d but the deamon seems to be existing. Thats a huge progress.

Does anyone of you have prepared init script for it!?

Managed to install and configure strongswan, the iPhone is also able to log-in. Now I am struggling with firewall settings, but that should not be a killer issue ;-)

Will post some kind of how-to when I am done, hopefully this can help anyone else trying to set up such a service.

Yeah, it would help me, i was also struggling with the firewall. Trade this for  a week.
I Hope you have more luck.

(Last edited by rossini on 24 Sep 2012, 05:24)

I think I found the solution. Besides opening UDP ports 500 and 4500 you have to add the following iptables rule:
iptables -A input_wan -m policy --strict --dir in --pol ipsec --proto esp -j ACCEPT

It's now working in my case!!! Hurray!!! The only worrying thing is that I have no real clue what this rule means, have to search a bit to sleep well with my firwall setting.

Would anyone be so nice and explain the rule?

@rossini: Also working for you?

Next update:
I think the mentioned iptables rule sould work, and it indeed does sometimes, but it does not work stable. When I look at LuCI in the firewall stats, I see that the rule is only triggered sometimes :-(

wjwj wrote:

Next update:
I think the mentioned iptables rule sould work, and it indeed does sometimes, but it does not work stable. When I look at LuCI in the firewall stats, I see that the rule is only triggered sometimes :-(

Seems that you have to set
forceencaps=yes
in ipsec.conf within the connection.

Still not able to verify that it runs stable ... but looks not too bad.

Can't verify it now, but i was able to get a stable vpn connnection, but i was Not able to connect to the LAN devices. Only to the VPN Gateway itself. Can you Post your Network config + strongswan config so we can figure this Out together?
I was Using this Description http://wiki.strongswan.org/issues/218

(Last edited by rossini on 24 Sep 2012, 22:52)

Well, I now also wrote an init-script and it seems to work .... well, also thought that several times before wink

I followed this GREAT description, especially to generate valid certificates for iOS:
strongSwan iOS (Apple iPhone, iPad...) and Mac OS X

Here are all my config files. Basically the OpenWrt router's IP is 192.168.1.1, it serves as DHCP server for 192.168.1.0/24. I also configured strongswan in a way that it requests IP adresses from the DHCP, so probably you have to install package strongswan-mod-dhcp (I think that was the name of it).

ipsec.conf  .... I assume that these plutostart and nat_traversal settings are useless, but who knows:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    plutostart=yes
    nat_traversal=yes

# Add connections here.

conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=serverCert.pem
        right=%any
        rightsubnet=192.168.1.0/24
        rightsourceip=%dhcp
        rightcert=clientCert.pem
        forceencaps=yes
        auto=add

ipsec.secrets   ... I don't care about this password, it is just for testing and not reachable via internet at the moment:

# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA serverKey.pem
otto : XAUTH "thisisotto"

strongswan.conf .... that is just for the DHCP plugin (see above):

# strongswan.conf - strongSwan configuration file

charon {
    dns1 = 192.168.1.1

    plugins {
        dhcp {
            server = 192.168.1.1
        }
    }
}

pluto {

}

libstrongswan {

    #  set to no, the DH exponent size is optimized
    #  dh_exponent_ansi_x9_42 = no
}

and finally /etc/init.d/ipsec   .... very basic at the moment, not yet sure about START and STOP, but it works:

#!/bin/sh /etc/rc.common
# ipsec init script

START=46
STOP=01
 
start() {        
    ipsec start
}                 
 
stop() {          
    ipsec stop
}

restart() {
    ipsec restart
}

And finally the Firewall settings:
- I simply opened the ports 500 and 4500 with LuCI
- In Custom Rules I added

iptables -A input_wan -m policy --strict --dir in --pol ipsec --proto esp -j ACCEPT

(Last edited by wjwj on 24 Sep 2012, 23:40)

how did you get the dhcp plugin to work. it won't load. did you make a custom build?

rossini wrote:

how did you get the dhcp plugin to work. it won't load. did you make a custom build?

No, I am using the latest Attitude Adjustment Beta on an TP-Link TL-WDR4300 (openwrt-ar71xx-generic-tl-wdr4300-v1-squashfs-sysupgrade).
opkg update && opkg install strongswan-mod-dhcp
did the job.

Hi,

ok i figured the dhcp out.
I was using a custom-build where strongswan was included, but not the strongswan-mod-dhcp.
I installed now AA and generated all Certs and used your configs.

I am able to connect but i cannot reach the LAN-Clients. Dont know why.
In the ipsec-log i got messages like this.

07[KNL] received netlink error: Function not implemented (89)
07[KNL] unable to add SAD entry with SPI ccc321fa
07[KNL] received netlink error: Function not implemented (89)
07[KNL] unable to add SAD entry with SPI 07d0af31
07[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel

Hmm, looks like something in your kernel is missing, unfortunately I am no kernel expert. What strongswan-package did you install? I installed strongswan-default ("opkg update && opkg install strongswan-default"). Maybe there are some strongswan kernel modules missing in your installation??

jep ... strongswan-default + strongswan-mod-dhcp

... installed no wifi-driver, so there was no crypto module.
i can establishe now the connection and the errors are gone. But, i just able to see my gateway router. nothing else in the LAN.

Well, for me this custom iptables rule did the job. Did you restart the firewall after inserting (just to make sure)?

Yes, restarted firewall. Can you please Post your complete Firewall config? Just to make sure i didn't make any other mistakes.

rossini wrote:

Yes, restarted firewall. Can you please Post your complete Firewall config? Just to make sure i didn't make any other mistakes.

# Generated by iptables-save v1.4.10 on Tue Sep 25 20:31:35 2012
*nat
:PREROUTING ACCEPT [14468:1646026]
:INPUT ACCEPT [1411:115471]
:OUTPUT ACCEPT [1731:130678]
:POSTROUTING ACCEPT [156:19343]
:nat_reflection_in - [0:0]
:nat_reflection_out - [0:0]
:postrouting_rule - [0:0]
:prerouting_lan - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan - [0:0]
:zone_lan_nat - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_nat - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j prerouting_rule 
-A PREROUTING -i br-lan -j zone_lan_prerouting 
-A PREROUTING -i eth0.2 -j zone_wan_prerouting 
-A POSTROUTING -j postrouting_rule 
-A POSTROUTING -o br-lan -j zone_lan_nat 
-A POSTROUTING -o eth0.2 -j zone_wan_nat 
-A postrouting_rule -j nat_reflection_out 
-A prerouting_rule -j nat_reflection_in 
-A zone_lan_prerouting -j prerouting_lan 
-A zone_wan_nat -j MASQUERADE 
-A zone_wan_prerouting -j prerouting_wan 
COMMIT
# Completed on Tue Sep 25 20:31:35 2012
# Generated by iptables-save v1.4.10 on Tue Sep 25 20:31:35 2012
*raw
:PREROUTING ACCEPT [2438727:2512608691]
:OUTPUT ACCEPT [7537:1864992]
:zone_lan_notrack - [0:0]
:zone_wan_notrack - [0:0]
-A PREROUTING -i br-lan -j zone_lan_notrack 
-A PREROUTING -i eth0.2 -j zone_wan_notrack 
COMMIT
# Completed on Tue Sep 25 20:31:35 2012
# Generated by iptables-save v1.4.10 on Tue Sep 25 20:31:35 2012
*mangle
:PREROUTING ACCEPT [2438727:2512608691]
:INPUT ACCEPT [12318:1371598]
:FORWARD ACCEPT [2423829:2510417392]
:OUTPUT ACCEPT [7537:1864992]
:POSTROUTING ACCEPT [2431366:2512282384]
:zone_wan_MSSFIX - [0:0]
-A FORWARD -j zone_wan_MSSFIX 
-A zone_wan_MSSFIX -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
COMMIT
# Completed on Tue Sep 25 20:31:35 2012
# Generated by iptables-save v1.4.10 on Tue Sep 25 20:31:35 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward - [0:0]
:forwarding_lan - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan - [0:0]
:input - [0:0]
:input_lan - [0:0]
:input_rule - [0:0]
:input_wan - [0:0]
:nat_reflection_fwd - [0:0]
:output - [0:0]
:output_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan - [0:0]
:zone_lan_ACCEPT - [0:0]
:zone_lan_DROP - [0:0]
:zone_lan_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_wan - [0:0]
:zone_wan_ACCEPT - [0:0]
:zone_wan_DROP - [0:0]
:zone_wan_REJECT - [0:0]
:zone_wan_forward - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood 
-A INPUT -j input_rule 
-A INPUT -j input 
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -j forwarding_rule 
-A FORWARD -j forward 
-A FORWARD -j reject 
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -j output_rule 
-A OUTPUT -j output 
-A forward -i br-lan -j zone_lan_forward 
-A forward -i eth0.2 -j zone_wan_forward 
-A forwarding_rule -j nat_reflection_fwd 
-A input -i br-lan -j zone_lan 
-A input -i eth0.2 -j zone_wan 
-A input_wan -m policy --dir in --pol ipsec --strict --proto esp -j ACCEPT 
-A output -j zone_lan_ACCEPT 
-A output -j zone_wan_ACCEPT 
-A reject -p tcp -j REJECT --reject-with tcp-reset 
-A reject -j REJECT --reject-with icmp-port-unreachable 
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN 
-A syn_flood -j DROP 
-A zone_lan -j input_lan 
-A zone_lan -j zone_lan_ACCEPT 
-A zone_lan_ACCEPT -o br-lan -j ACCEPT 
-A zone_lan_ACCEPT -i br-lan -j ACCEPT 
-A zone_lan_DROP -o br-lan -j DROP 
-A zone_lan_DROP -i br-lan -j DROP 
-A zone_lan_REJECT -o br-lan -j reject 
-A zone_lan_REJECT -i br-lan -j reject 
-A zone_lan_forward -j zone_wan_ACCEPT 
-A zone_lan_forward -j forwarding_lan 
-A zone_lan_forward -j zone_lan_REJECT 
-A zone_wan -p udp -m udp --dport 68 -j ACCEPT 
-A zone_wan -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A zone_wan -p udp -m udp --dport 500 -j ACCEPT 
-A zone_wan -p udp -m udp --dport 4500 -j ACCEPT 
-A zone_wan -j input_wan 
-A zone_wan -j zone_wan_REJECT 
-A zone_wan_ACCEPT -o eth0.2 -j ACCEPT 
-A zone_wan_ACCEPT -i eth0.2 -j ACCEPT 
-A zone_wan_DROP -o eth0.2 -j DROP 
-A zone_wan_DROP -i eth0.2 -j DROP 
-A zone_wan_REJECT -o eth0.2 -j reject 
-A zone_wan_REJECT -i eth0.2 -j reject 
-A zone_wan_forward -j forwarding_wan 
-A zone_wan_forward -j zone_wan_REJECT 
COMMIT
# Completed on Tue Sep 25 20:31:35 2012

Thanks, ... i don't know what to do. iprules are the same except your eth0.2 is in mine pppoa-wan.

Sorry, can't really help. Just tell me if you need anything else. Maybe there is something wrong in your routing table?? (just a guess)

As far as I struggled with it I found that this rightsubnet setting in ipsec.conf is quite crucial. Then I also had to add forceencaps=yes in ipsec.conf, otherwise it seemed that iptables (the kernel??, the ipsec daemon??) did not mask/mark the ipsec packages correctly. Afterwards it just worked.

My project for the weekend is to reset the router again and to config everything from scratch again ... not just test-settings, but the stable-seetings of it ... i.e. no more "thisisotto" as password wink     Up to now I also did not activate wlan. Hopefully it will also work after resetting everything. I'll definetly report.

smile good luck and many thanks. i will research about the routing-tables.

one question:
do you also have this messages in logs:

06[KNL] NAT mappings of ESP CHILD_SA with SPI c4be149a and reqid {1} changed, queuing update job

rossini wrote:

one question:
do you also have this messages in logs:

06[KNL] NAT mappings of ESP CHILD_SA with SPI c4be149a and reqid {1} changed, queuing update job

Will check and post asap, but I won't be at home for the next two days.

Back again. Regarding the [NNL] NAT mappings of ESP ...  in which logfile do you get that one?

Today I set up StrongSwan in my productive environment. Despite everything working in my testing environment I can only reach my Gateway and nothing else in LAN (same situation like rossini). Seems that the search starts from the beginning again.

@rossini: Did you have any luck in the meantime?

Edit:
Funny. Can reach my gateway on 172.16.0.1, AND my Switch web interface on 172.16.0.2 but nothing else. I'd say that is strange!

(Last edited by wjwj on 29 Sep 2012, 18:11)

The discussion might have continued from here.