Hello,

I am having trouble passing ipsec (ikev2) traffic through my openwrt firewall. I have a an ipsec vpn server inside my lan network and i want to forward the ipsec traffic to that vpn server from mobile clients. i have a port forward for 500 udp and 4500 udp and they seem to be working fine, but im not sure how to forward the esp/ah traffic. I may be doing something wrong, but i put forward rules into the config/firewall file for protocol 50 and 51 but it doesn't seem to solve my authentication problems. It works fine from the lan side, but whenever i try to connect from the wan side it gives me the same issue. The client reports an authentication issue and the server logs look like authentication traffic was never received.

Any advice?

I believe you need to add

iptables -A input_rule -p esp -j ACCEPT

to your /etc/firewall.user configuration file. This tells firewall to allow the encrypted traffic to pass through.

You'll also have to make sure to disable NAT for packets passing into your network bound for devices within your LAN. You can do this by adding these lines to your /etc/firewall.user configuration file.

iptables -t nat -I POSTROUTING -s 10.1.0.0/16 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -t nat -I PREROUTING -s 10.2.0.0/16 -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT

adjust the lines for your specific subnet ofc.

It sounds like you are not running ipsec on the openwrt gateway in which case I believe you have to tell iptables to forward the traffic on. I believe these two lines will do that. Also, added to /etc/firewall.user

iptables -I FORWARD -i eth0 -s 10.2.0.0/16 -d 10.1.0.0/16 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I FORWARD -s 10.1.0.0/16 -d 10.2.0.0/16 -m policy --dir out --pol ipsec -j ACCEPT

That being said I am borrowing those lines from my own setup which isn't quite working either :-\ I've got a post about it here https://forum.openwrt.org/viewtopic.php?id=62459 if you want to see the specifics of my setup.

(Last edited by jyeagley on 31 Jan 2016, 15:55)

Thanks for the fast reply.

ll try these steps.

I'm still having trouble. Do i need a kernel mod or iptables mod package to be able to pass ipsec traffic?

Sorry, wish I could help you more. Idk if a special kernel module is required to pass ipsec traffic... I suspect not. A special kernel module is required, however, to run ipsec.

Sorry to necro bump this. The solution proposed above doesn't work because those are the iptables rules that the ipsec daemon adds for a routed tunnel on the host running the IPSec daemon.

They are not the correct rules to forward IPSec traffic from a public IPv4 address to an IPSec server sitting behind NAT.

From your description, I am assuming this is your use case:

(Internet) -----> (OpenWrt) ------> (IPSec)

Where your OpenWrt Internet interface has a public IPv4 address, and the IPSec server is on LAN.

If your OpenWrt router has an IPv4 address which is on a private subnet (10.0.0.0/8,172.16.0.0/12,192.168.0.0/16) or you cannot access the OpenWrt Internet-facing IPv4 address from another server on the internet, then it's likely your ISP has implemented carrier grade NAT (cgNAT) and this will not work.

You need the following INPUT rules:

iptables -A input_wan_rule -i WANif -p udp -m multiport --dports 4500 -m comment --comment "012 accept ipsec-nat" -j ACCEPT
iptables -A input_wan_rule -i WANif -p udp -m multiport --dports 500 -m comment --comment "015 accept isakmp" -j ACCEPT
iptables -A input_wan_rule -i WANif -p esp -m comment --comment "018 accept ipsec-esp" -j ACCEPT

You need to change WANif to the interface of your WAN (e.g. eth0.2). You can use the rule without limiting the input to the WAN interface, but in my opinion it's better to be specific. If you want to use the rule without explicitly setting your WAN interface, then simply remove the -i WANif flag from the above rules.

You need the following FORWARD rules:

iptables -A zone_wan_forward -d LAN_dest/32 -p udp -m multiport --dports 4500 -m comment --comment "014 ipsecnat-forward" -j ACCEPT
iptables -A zone_wan_forward -d LAN_dest/32 -p udp -m multiport --dports 500 -m comment --comment "017 isakmp-forward" -j ACCEPT

Fill out LAN_dest with the IP address of the IPSec server on your local network.

You need the following PREROUTING rules in your nat table:

iptables -t nat -A zone_wan_prerouting -d public_IPv4/32 -p udp -m multiport --dports 4500 -m comment --comment "013 ipsecnat-dnat" -j DNAT --to-destination LAN_dest:4500
iptables -t nat -A zone_wan_prerouting -d public_IPv4/32 -p udp -m multiport --dports 500 -m comment --comment "016 isakmp-dnat" -j DNAT --to-destination LAN_dest:500
iptables -t nat -A zone_wan_prerouting -d public_IPv4/32 -p esp -m comment --comment "019 esp-dnat" -j DNAT --to-destination LAN_dest

Fill out public_IPv4 with the IP address on the WAN interface of your router. This is only recommended if you have a static IP address from your provider. If you don't have a static IP address, then remove the "-d public_IPv4/32" flag.

Fill out LAN_dest with the IP address of the IPSec server on your local network.