Hi all,

after fiddling with racoon, where I couldn't get a stable connection between a remote Fritzbox and my OpenWRT, I decided to try strongSwan.
The configuration is more or less the same as with racoon when you follow the IPsec wiki.

To ease the configuration process with a Fritzbox, I'll post my Fritzbox vpn.cfg and my strongSwan config together with my ipsec start script (slightly edited so that it works with an FQDN as the gateway option). I used the firewall.sh from the wiki.

My fritzbox vpn.cfg

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "left.dyndns.net";
                always_renew = no;
                // NOTE(review): presumably lets plain traffic towards the peer net pass while the
                // tunnel is down — confirm against the AVM documentation before relying on it.
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                // The peer is addressed by its dyndns name; the same name is its IKE identity below.
                remotehostname = "left.dyndns.net";
                // Identities are mirrored on the strongSwan side: localid here is its
                // remote_identifier, remoteid here is its local_identifier.
                localid {
                        fqdn = "right.dyndns.net";
                }
                remoteid {
                        fqdn = "left.dyndns.net";
                }
                mode = phase1_mode_idp;
                // "all" appears to accept whatever phase 1 proposal the peer offers, so the
                // algorithms actually used are pinned by the strongSwan p1_proposal
                // (aes128 / sha1 / modp1024 in the matching /etc/config/ipsec).
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                // Must match pre_shared_key in /etc/config/ipsec exactly; it is stored in clear
                // text on both ends, so keep both files readable by the administrator only.
                key = "!this_one_is_totally_secret!";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                // Subnets are mirrored in the strongSwan tunnel section: phase2localid is its
                // remote_subnet, phase2remoteid its local_subnet.
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.15.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.101.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 192.168.101.0 255.255.255.0";
        }
        // IKE (UDP 500) and NAT-T (UDP 4500) are handled by the box itself, not forwarded to a LAN host.
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", 
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}


// EOF

My /etc/config/ipsec

config 'ipsec'
  option 'zone' 'vpn'
  list 'listen' ''

config 'remote' 'Herwie'
  option 'enabled' '1'
  option 'gateway' 'right.dyndns.net'
  option 'authentication_method' 'psk'
  option 'pre_shared_key' '!this_one_is_totally_secret!'
  option 'exchange_mode' 'main'
  option 'local_identifier' 'left.dyndns.net'
  option 'remote_identifier' 'right.dyndns.net'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  list   'tunnel' 'Herwie_lan'

config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes128'
  option 'hash_algorithm' 'sha1'
  option 'dh_group' 'modp1024'

config 'tunnel' 'Herwie_lan'
  option 'local_subnet' '192.168.101.0/24'
  option 'remote_subnet' '192.168.15.0/24'
  option 'p2_proposal' 'g2_aes_sha1'

config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' 'modp1024'
  option 'encryption_algorithm' 'aes256'
  option 'authentication_algorithm' 'sha1'

My /etc/init.d/ipsec

#!/bin/sh /etc/rc.common
#/etc/init.d/ipsec - version 4
 
NAME=ipsec
# Start/stop ordering used by /etc/rc.common (see the shebang).
START=60
STOP=60

# Provides the config_load / config_get / config_foreach helpers used below.
. /etc/functions.sh

# Everything this script generates lives under /var/ipsec; the /etc paths that
# strongSwan reads are turned into symlinks to these files by PrepareEnvironment.
# NOTE(review): on OpenWrt /var is normally a tmpfs, so the files only exist
# after the service has been started once on the current boot — confirm for your image.
FileSecrets=/var/ipsec/ipsec.secrets
FileConn=/var/ipsec/ipsec.conf
# NOTE(review): nothing in this script writes FileCommon; the /etc/strongswan.conf
# symlink dangles unless the file is created elsewhere — confirm.
FileCommon=/var/ipsec/strongswan.conf

FolderCerts=/var/ipsec/ipsec.d
 
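ConfigUser() {
  # Append one '<name> : XAUTH "<password>"' line to $FileSecrets for each
  # enabled "user" section of /etc/config/users that has xauth set.
  # Arguments: $1 - UCI section name (passed by config_foreach)
  # Globals:   FileSecrets (appended to)
  # Returns:   0; disabled or incomplete sections are skipped silently
  local enabled
  local xauth
  local name
  local password

  config_get_bool enabled "$1" enabled 0
  [ "$enabled" = "0" ] && return 0

  config_get_bool xauth    "$1" xauth    0
  config_get      name     "$1" name     ""
  config_get      password "$1" password ""

  # All three fields are needed for a usable XAUTH secret; skip otherwise.
  # Plain [ ... ] with && instead of [[ ... ]] / -a: this runs under /bin/sh.
  if [ "$xauth" -eq 1 ] && [ -n "$name" ] && [ -n "$password" ]; then
    # printf rather than echo so a password starting with '-' or containing
    # backslashes is written verbatim.
    # NOTE(review): a password containing a double quote would still break the
    # secrets line; strongSwan's quoting rules are not handled here.
    printf '%s : XAUTH "%s"\n' "$name" "$password" >> "$FileSecrets"
  fi
}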
 
 
ConfigPhase1() {
  # Append one IKE (phase 1) proposal in strongSwan's "enc-hash-dhgroup"
  # form to the comma-separated global Phase1Proposal. Every entry is
  # prefixed with a comma; the caller strips the leading one afterwards.
  # Arguments: $1 - UCI p1_proposal section name (passed by config_list_foreach)
  # Globals:   Phase1Proposal (appended to)
  local enc
  local hash
  local dh

  config_get enc  "$1" encryption_algorithm
  config_get hash "$1" hash_algorithm
  config_get dh   "$1" dh_group

  Phase1Proposal="${Phase1Proposal},${enc}-${hash}-${dh}"
}
 
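ConfigTunnel() {
  # Emit one "conn <remote>-<tunnel>" section to $FileConn for a UCI tunnel
  # section, combining its subnets with the phase 2 proposal it references
  # and the per-remote globals set by ConfigRemote.
  # Arguments: $1 - UCI tunnel section name (passed by config_list_foreach)
  # Globals:   ConfigName, LocalGateway, RemoteGateway, AuthenticationMethod,
  #            LocalIdentifier, RemoteIdentifier, Phase1Proposal (read);
  #            FileConn (appended to)
  local local_subnet
  local local_nat
  local remote_subnet
  local p2_proposal
  local pfs_group
  local encryption_algorithm
  local authentication_algorithm
  local exchange_mode
  local esp_proposal
  local aggressive

  config_get local_subnet             "$1"           local_subnet
  config_get local_nat                "$1"           local_nat ""
  config_get remote_subnet            "$1"           remote_subnet
  config_get exchange_mode            "$1"           exchange_mode
  config_get p2_proposal              "$1"           p2_proposal
  config_get pfs_group                "$p2_proposal" pfs_group
  config_get encryption_algorithm     "$p2_proposal" encryption_algorithm
  config_get authentication_algorithm "$p2_proposal" authentication_algorithm

  # When a local_nat subnet is given it replaces local_subnet as our side.
  [ -n "$local_nat" ] && local_subnet=$local_nat

  # strongSwan esp= syntax: enc-auth-pfsgroup
  esp_proposal="${encryption_algorithm}-${authentication_algorithm}-${pfs_group}"

  # Aggressive mode with PSK exposes the identity and a PSK-derived hash to
  # anyone on the path (offline guessing); only enable it when the peer
  # cannot do main mode.
  if [ "$exchange_mode" = "aggressive" ]; then
    aggressive=yes
  else
    aggressive=no
  fi

  # One redirect for the whole section rather than one per line; the
  # output order is the same as before.
  {
    printf 'conn %s-%s\n' "$ConfigName" "$1"
    printf '  keyexchange=ikev1\n'
    printf '  left=%s\n' "$LocalGateway"
    printf '  leftsubnet=%s\n' "$local_subnet"
    printf '  right=%s\n' "$RemoteGateway"
    printf '  rightsubnet=%s\n' "$remote_subnet"
    printf '  ikelifetime=4h\n'
    printf '  keylife=1h\n'
    printf '  aggressive = %s\n' "$aggressive"
    case "$AuthenticationMethod" in
      psk)
        printf '  authby=psk\n'
        # should be auto=route when going to 5.0.1
        printf '  auto=start\n'
        ;;
      xauth_psk_server)
        printf '  authby=xauthpsk\n'
        printf '  xauth=server\n'
        printf '  modeconfig=pull\n'
        printf '  rightsourceip=%s\n' "$remote_subnet"
        printf '  auto=add\n'
        ;;
    esac
    [ -n "$LocalIdentifier" ]  && printf '  leftid=%s\n' "$LocalIdentifier"
    [ -n "$RemoteIdentifier" ] && printf '  rightid=%s\n' "$RemoteIdentifier"
    printf '  esp=%s\n' "$esp_proposal"
    printf '  ike=%s\n' "$Phase1Proposal"
    printf '  type=tunnel\n'
  } >> "$FileConn"
}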
 
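ConfigRemote() {
  # Handle one enabled "remote" section: write its PSK line to $FileSecrets,
  # build the IKE proposal list from its p1_proposal entries and emit one
  # conn section per tunnel through ConfigTunnel.
  # Arguments: $1 - UCI remote section name (passed by config_foreach)
  # Globals (written here, read by ConfigPhase1 / ConfigTunnel):
  #   ConfigName, AuthenticationMethod, LocalIdentifier, RemoteIdentifier,
  #   RemoteGateway, LocalGateway, Phase1Proposal
  # Returns:   0, or 1 when the gateway name could not be resolved
  local enabled
  local gateway
  local pre_shared_key
  local authentication_method
  local local_identifier
  local remote_identifier

  ConfigName=$1

  config_get_bool enabled "$1" enabled 0
  [ "$enabled" = "0" ] && return 0

  config_get gateway               "$1" gateway
  config_get pre_shared_key        "$1" pre_shared_key
  config_get authentication_method "$1" authentication_method
  config_get local_identifier      "$1" local_identifier
  config_get remote_identifier     "$1" remote_identifier

  AuthenticationMethod=$authentication_method
  LocalIdentifier=$local_identifier
  RemoteIdentifier=$remote_identifier
  RemoteGateway=$gateway

  if [ "$RemoteGateway" = "any" ]; then
    # Accept any peer; our own address is whatever the default route uses.
    RemoteGateway="%any"
    LocalGateway=$(ip route get 1.1.1.1 | _ipsec_src_field)
  else
    # The gateway may be an FQDN (e.g. a dyndns name). It is resolved once,
    # now, by parsing ping's "PING host (addr)" header, because ipsec.secrets
    # needs an address; a later DNS change is only picked up on restart.
    RemoteGateway=$(ping "$RemoteGateway" -c 1 | head -n 1 | cut -d "(" -f 2 | cut -d ")" -f 1)
    if [ -z "$RemoteGateway" ]; then
      # Previously an empty address was written into ipsec.secrets/ipsec.conf.
      printf 'ipsec: cannot resolve gateway "%s" for remote %s\n' "$gateway" "$1" >&2
      return 1
    fi
    LocalGateway=$(ip route get "$RemoteGateway" | _ipsec_src_field)
  fi
  # NOTE(review): a PSK containing a double quote breaks this line's quoting.
  printf '%s %s : PSK "%s"\n' "$LocalGateway" "$RemoteGateway" "$pre_shared_key" >> "$FileSecrets"

  Phase1Proposal=""
  config_list_foreach "$1" p1_proposal ConfigPhase1
  # ConfigPhase1 prefixes every entry with a comma; drop the leading one.
  Phase1Proposal=${Phase1Proposal#,}

  config_list_foreach "$1" tunnel ConfigTunnel
}

# Print the value following the "src" keyword of an "ip route get" line.
# Token based rather than -F"src", so trailing fields that newer iproute2
# prints (e.g. "uid 0") are not glued onto the address.
_ipsec_src_field() {
  awk '{ for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}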
 
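PrepareEnvironment() {
  # Create the runtime directories under $FolderCerts, point the /etc paths
  # that strongSwan reads at the /var/ipsec files via symlinks, and
  # (re)initialise the generated ipsec.conf and ipsec.secrets.
  # Globals:   FolderCerts, FileSecrets, FileCommon, FileConn (read)
  # Side effects: replaces any non-symlink /etc/ipsec.d, /etc/ipsec.secrets,
  #   /etc/strongswan.conf and /etc/ipsec.conf with symlinks; truncates
  #   $FileConn and $FileSecrets.
  local d

  for d in cacerts aacerts ocspcerts crls acerts; do
    mkdir -p "$FolderCerts/$d" 2>/dev/null
  done

  if [ ! -L /etc/ipsec.d ]; then
    rm -rf /etc/ipsec.d 2>/dev/null
    ln -s "$FolderCerts" /etc/ipsec.d
  fi

  if [ ! -L /etc/ipsec.secrets ]; then
    rm -f /etc/ipsec.secrets 2>/dev/null
    ln -s "$FileSecrets" /etc/ipsec.secrets
  fi

  # NOTE(review): nothing in this script writes $FileCommon, so this link
  # dangles unless the file is created elsewhere — confirm.
  if [ ! -L /etc/strongswan.conf ]; then
    rm -f /etc/strongswan.conf 2>/dev/null
    ln -s "$FileCommon" /etc/strongswan.conf
  fi

  if [ ! -L /etc/ipsec.conf ]; then
    rm -f /etc/ipsec.conf 2>/dev/null
    ln -s "$FileConn" /etc/ipsec.conf
  fi

  # Written as one group: the previous version truncated the file twice, so
  # the "# generated by" header line was lost.
  {
    printf '# generated by /etc/init.d/ipsec\n'
    printf 'version 2\n'
    printf 'config setup\n'
    printf '  charondebug = "ike 2,knl 2"\n'
  } > "$FileConn"

  # The secrets file receives PSKs and XAUTH passwords in clear text from
  # ConfigRemote/ConfigUser; restrict it to the owner before anything is
  # appended (only the header is in it at this point).
  printf '# generated by /etc/init.d/ipsec\n' > "$FileSecrets"
  chmod 600 "$FileSecrets"
}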
 
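CheckInstallation() {
  # Abort with an install hint on stderr when a binary, kernel crypto module
  # or strongSwan plugin this script relies on is not present.
  # Returns:   only on success; exits 1 otherwise (previously a bare "exit",
  #            which reported success to rc.common)
  local f

  if [ ! -x /usr/sbin/ip ]; then
    printf '/usr/sbin/ip missing\ninstall with "opkg install ip"\n' >&2
    exit 1
  fi

  for f in aes authenc cbc hmac md5 sha1; do
    # list-installed rather than list: "opkg list" also shows packages that
    # are merely available in the feed, so a missing module went unnoticed.
    # opkg prints nothing for an unknown package, hence the grep for any line.
    if ! opkg list-installed "kmod-crypto-$f" | grep -q .; then
      printf 'kmod-crypto-%s missing\ninstall with "opkg install kmod-crypto-%s --nodeps"\n' "$f" "$f" >&2
      exit 1
    fi
  done

  for f in aes gmp hmac kernel-netlink md5 random sha1 updown attr resolve; do
    if [ ! -f "/usr/lib/ipsec/plugins/libstrongswan-${f}.so" ]; then
      # Name the file that was actually checked, not just the plugin stem.
      printf '/usr/lib/ipsec/plugins/libstrongswan-%s.so missing\ninstall with "opkg install strongswan-mod-%s --nodeps"\n' "$f" "$f" >&2
      exit 1
    fi
  done
}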
 
#######################################
# Load one UCI package and run a callback for every section of a type.
# Arguments: $1 - UCI package name
#            $2 - callback function
#            $3 - section type
#######################################
ApplyConfig() {
  config_load "$1"
  config_foreach "$2" "$3"
}

#######################################
# rc.common "start" action: verify prerequisites, regenerate the strongSwan
# files from UCI (XAUTH users from "users", remotes from "ipsec") and launch
# the daemon.
#######################################
start() {
  CheckInstallation
  PrepareEnvironment

  ApplyConfig users ConfigUser user
  ApplyConfig ipsec ConfigRemote remote

  /usr/sbin/ipsec start
}
 
#######################################
# rc.common "stop" action: shut the strongSwan daemon down. The generated
# files under /var/ipsec are left in place.
#######################################
stop() {
  local ipsec_bin=/usr/sbin/ipsec
  "$ipsec_bin" stop
}

I hope this helps you get your VPN up between your Fritzbox and strongSwan :-)

oortmanp

(Last edited by oortmanp on 23 Aug 2013, 14:02)