OpenWrt Forum Archive

Topic: Strongswan / IKEv2 client config on OpenWRT - Tutorial available?

The content of this topic has been archived on 4 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello, as I mentioned in a previous post, I'm starting this new post to get some help, if possible, with setting up my router as an IPsec IKEv2 client. I'm trying to connect to a free VPN service (hide.me). I followed their tutorial as is, even though it's meant for Ubuntu... Figured it should work on OpenWrt, since I seemed to have all the necessary packages. But no luck. I'm not even sure of the failure, since I see no real failure...

The tutorial I was following : https://community.hide.me/tutorials/ips … method.43/

My installed strongSwan packages:

root@OpenWrt:~# opkg list-installed | grep strongswan
strongswan - 5.3.3-1
strongswan-charon - 5.3.3-1
strongswan-default - 5.3.3-1
strongswan-mod-aes - 5.3.3-1
strongswan-mod-attr - 5.3.3-1
strongswan-mod-constraints - 5.3.3-1
strongswan-mod-des - 5.3.3-1
strongswan-mod-dnskey - 5.3.3-1
strongswan-mod-eap-mschapv2 - 5.3.3-1
strongswan-mod-fips-prf - 5.3.3-1
strongswan-mod-gmp - 5.3.3-1
strongswan-mod-hmac - 5.3.3-1
strongswan-mod-kernel-netlink - 5.3.3-1
strongswan-mod-md4 - 5.3.3-1
strongswan-mod-md5 - 5.3.3-1
strongswan-mod-nonce - 5.3.3-1
strongswan-mod-openssl - 5.3.3-1
strongswan-mod-pem - 5.3.3-1
strongswan-mod-pgp - 5.3.3-1
strongswan-mod-pkcs1 - 5.3.3-1
strongswan-mod-pubkey - 5.3.3-1
strongswan-mod-random - 5.3.3-1
strongswan-mod-rc2 - 5.3.3-1
strongswan-mod-resolve - 5.3.3-1
strongswan-mod-revocation - 5.3.3-1
strongswan-mod-sha1 - 5.3.3-1
strongswan-mod-sha2 - 5.3.3-1
strongswan-mod-socket-default - 5.3.3-1
strongswan-mod-sshkey - 5.3.3-1
strongswan-mod-stroke - 5.3.3-1
strongswan-mod-uci - 5.3.3-1
strongswan-mod-updown - 5.3.3-1
strongswan-mod-x509 - 5.3.3-1
strongswan-mod-xauth-generic - 5.3.3-1
strongswan-mod-xcbc - 5.3.3-1
strongswan-utils - 5.3.3-1

/etc/ipsec.conf:

root@OpenWrt:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.
conn hide
  keyexchange=ikev2
  dpdaction=clear
  dpddelay=300s
  eap_identity="username"
  leftauth=eap-mschapv2
  left=%defaultroute
  leftsourceip=%config
  right=free-nl.hide.me
  rightauth=pubkey
  rightsubnet=0.0.0.0/0
  rightid=%any
  type=tunnel
  auto=add

/etc/ipsec.secrets:

root@OpenWrt:~# cat /etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
username : EAP "password"

And lastly, as per their tutorial:

root@OpenWrt:~# cat /etc/strongswan.d/charon/constraints.conf
constraints {

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = no
}

One thing I'm not sure about is where they say

Hide VPN servers identify themselves using certificates. StrongSwan needs to verify the Hide certificate and in order to do so it searches its certificate store. Fortunately, StrongSwan's certificate store can easily be linked to the system (OpenSSL) certificate store. To link StrongSwan's certificate store to the system (OpenSSL) certificate store execute the following two commands:

Code:
sudo rmdir /etc/ipsec.d/cacerts
sudo ln -s /etc/ssl/certs /etc/ipsec.d/cacerts

I have these folders, but they are all empty... (assuming that's normal? Sorry, I don't know much here...).

I've added 2 new rules to the firewall, although I'm sure this is right?

root@OpenWrt:~# cat /etc/config/firewall
...
config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '500'
        option name 'Hideme_IPsec01'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '4500'
        option name 'Hideme_IPsec02'

I then run 'ipsec start', and examine the output of 'logread -f' in a different terminal window:

root@OpenWrt:~# ipsec start
no files found matching '/etc/strongswan.d/*.conf'
Starting strongSwan 5.3.3 IPsec [starter]...

root@OpenWrt:~# logread -f
Sun Feb 12 17:39:35 2017 authpriv.info ipsec_starter[3393]: Starting strongSwan 5.3.3 IPsec [starter]...
Sun Feb 12 17:39:35 2017 daemon.err modprobe: ah4 is already loaded
Sun Feb 12 17:39:35 2017 daemon.err modprobe: esp4 is already loaded
Sun Feb 12 17:39:35 2017 daemon.err modprobe: ipcomp is already loaded
Sun Feb 12 17:39:35 2017 daemon.err modprobe: xfrm4_tunnel is already loaded
Sun Feb 12 17:39:35 2017 daemon.err modprobe: xfrm_user is already loaded
Sun Feb 12 17:39:36 2017 daemon.info syslog: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.3, Linux 3.18.23, mips)
Sun Feb 12 17:39:36 2017 daemon.info syslog: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sun Feb 12 17:39:36 2017 daemon.info syslog: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sun Feb 12 17:39:36 2017 daemon.info syslog: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sun Feb 12 17:39:36 2017 daemon.info syslog: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sun Feb 12 17:39:36 2017 daemon.info syslog: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sun Feb 12 17:39:36 2017 daemon.info syslog: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sun Feb 12 17:39:36 2017 daemon.info syslog: 00[CFG]   loaded EAP secret for ravenlost
Sun Feb 12 17:39:36 2017 daemon.info syslog: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation pubkey pkcs1 pgp dnskey sshkey pem openssl fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-mschapv2 xauth-generic uci
Sun Feb 12 17:39:36 2017 daemon.info syslog: 00[JOB] spawning 16 worker threads
Sun Feb 12 17:39:36 2017 authpriv.info ipsec_starter[3406]: charon (3407) started after 280 ms
Sun Feb 12 17:39:36 2017 daemon.info syslog: 11[CFG] received stroke: add connection 'hide'
Sun Feb 12 17:39:36 2017 daemon.info syslog: 11[CFG] added configuration 'hide'
Sun Feb 12 17:39:44 2017 kern.warn kernel: [ 2889.568000] MSSFIX(wan): IN=br-lan OUT=pppoe-wan MAC=30:46:9a:2f:04:7f:14:d6:4d:53:8b:78:08:00

Finally, running (as per the Hideme tutorial) 'ipsec up hide' and keeping an eye on logread again:

root@OpenWrt:~# ipsec up hide
no files found matching '/etc/strongswan.d/*.conf'
initiating IKE_SA hide[1] to 109.201.137.51
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 213.49.233.56[500] to 109.201.137.51[500] (1088 bytes)
retransmit 1 of request with message ID 0
sending packet: from 213.49.233.56[500] to 109.201.137.51[500] (1088 bytes)
retransmit 2 of request with message ID 0
sending packet: from 213.49.233.56[500] to 109.201.137.51[500] (1088 bytes)
retransmit 3 of request with message ID 0
sending packet: from 213.49.233.56[500] to 109.201.137.51[500] (1088 bytes)
...

root@OpenWrt:~# logread -f
Sun Feb 12 17:44:52 2017 daemon.info syslog: 12[CFG] received stroke: initiate 'hide'
Sun Feb 12 17:44:52 2017 daemon.info syslog: 14[IKE] initiating IKE_SA hide[1] to 109.201.137.51
Sun Feb 12 17:44:52 2017 authpriv.info syslog: 14[IKE] initiating IKE_SA hide[1] to 109.201.137.51
Sun Feb 12 17:44:53 2017 daemon.info syslog: 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Sun Feb 12 17:44:53 2017 daemon.info syslog: 14[NET] sending packet: from 213.49.233.56[500] to 109.201.137.51[500] (1088 bytes)
Sun Feb 12 17:44:53 2017 daemon.info racoon: 2017-02-12 17:44:53: [109.201.137.51] ERROR: invalid flag 0x20.
Sun Feb 12 17:44:57 2017 daemon.info syslog: 16[IKE] retransmit 1 of request with message ID 0
Sun Feb 12 17:44:57 2017 daemon.info syslog: 16[NET] sending packet: from 213.49.233.56[500] to 109.201.137.51[500] (1088 bytes)
Sun Feb 12 17:44:57 2017 daemon.info racoon: 2017-02-12 17:44:57: [109.201.137.51] ERROR: invalid flag 0x20.
Sun Feb 12 17:45:04 2017 daemon.info syslog: 09[IKE] retransmit 2 of request with message ID 0
Sun Feb 12 17:45:04 2017 daemon.info syslog: 09[NET] sending packet: from 213.49.233.56[500] to 109.201.137.51[500] (1088 bytes)
Sun Feb 12 17:45:04 2017 daemon.info racoon: 2017-02-12 17:45:04: [109.201.137.51] ERROR: invalid flag 0x20.
Sun Feb 12 17:45:17 2017 daemon.info syslog: 01[IKE] retransmit 3 of request with message ID 0
Sun Feb 12 17:45:17 2017 daemon.info syslog: 01[NET] sending packet: from 213.49.233.56[500] to 109.201.137.51[500] (1088 bytes)
Sun Feb 12 17:45:17 2017 daemon.info racoon: 2017-02-12 17:45:17: [109.201.137.51] ERROR: invalid flag 0x20.

I have no clue what the 'racoon' error is in my logread output! If I try to check on the net where my IP is coming from, I see it doesn't work. Still not on the VPN...

Is it me doing something wrong here? A bit hopeless right now...

Any help? Any good tutorials perhaps also out there?

MUCH thanks! You guys are awesome!! :)
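An added check for the configuration shown in the post above; this is not code from the thread or from hide.me, and the path /etc/ipsec.d/cacerts is only strongSwan's default location. The security-relevant detail in the posted ipsec.conf is `rightauth=pubkey` together with `rightid=%any`: charon then accepts whatever identity the server claims, as long as its certificate chains to something in the CA directory, and once that directory is a symlink to /etc/ssl/certs anyone holding a certificate from any CA in the system store can pose as the VPN server. Pinning `rightid` to the server's name and keeping only the provider's CA in a dedicated directory closes that gap; setting `load = no` for the constraints plugin, as the tutorial asks, additionally switches off strongSwan's advanced X.509 checks (name constraints, certificate policies, path length). The firewall rules are a separate point: an initiator-only client needs no ACCEPT from wan on UDP 500/4500, since fw3's conntrack rule already admits the replies, and the rules expose charon to unsolicited IKE from the internet. The script below audits the first two items and runs on the BusyBox sh/awk found on OpenWrt.

```shell
#!/bin/sh
# Added example, not code from the thread or from hide.me: a static audit
# of a strongSwan ipsec.conf and its CA directory for an IKEv2 client that
# authenticates the server by certificate (rightauth=pubkey).
# Keywords are the standard ipsec.conf ones; /etc/ipsec.d/cacerts is the
# strongSwan default path. Runs on BusyBox sh/awk.
#
# usage: sh ipsec-audit.sh /etc/ipsec.conf [/etc/ipsec.d/cacerts]

# audit_conns FILE
# Prints one finding per line; returns 1 if any finding is SEVERE.
audit_conns() {
    out=$(awk '
        function reset() { rightauth = ""; rightid = ""; right = ""; dpdaction = "" }
        function flush() {
            if (conn == "" || conn == "%default") return
            if (rightauth == "pubkey" && (rightid == "" || rightid == "%any"))
                printf "SEVERE conn %s: rightauth=pubkey with rightid=%s, so any certificate that chains to a trusted CA is accepted; pin the server identity (e.g. rightid=%s)\n", conn, (rightid == "" ? "<unset>" : rightid), right
            if (dpdaction == "clear")
                printf "INFO conn %s: dpdaction=clear only closes the SA when the peer stops answering; a client that should reconnect wants dpdaction=restart\n", conn
        }
        /^conn[ \t]/   { flush(); conn = $2; reset(); next }
        /^config[ \t]/ { flush(); conn = ""; next }
        conn != "" {
            line = $0
            sub(/#.*$/, "", line)              # strip trailing comments
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if      (k == "rightauth") rightauth = v
            else if (k == "rightid")   rightid = v
            else if (k == "right")     right = v
            else if (k == "dpdaction") dpdaction = v
        }
        END { flush() }
    ' "$1") || return 1
    if [ -n "$out" ]; then printf '%s\n' "$out"; fi
    case "$out" in *SEVERE*) return 1 ;; esac
    return 0
}

# audit_cacerts DIR
# Returns 1 when DIR is missing or is a symlink (e.g. to /etc/ssl/certs),
# i.e. when every CA the system trusts for TLS can also vouch for the peer.
audit_cacerts() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "WARN $dir does not exist; charon has no CA to verify the server against"
        return 1
    fi
    n=$(ls -1 "$dir" 2>/dev/null | wc -l | tr -d ' ')
    if [ -L "$dir" ]; then
        echo "WARN $dir is a symlink to $(readlink "$dir"): all $n system CA(s) can vouch for the VPN server; use a directory holding only the provider's CA"
        return 1
    fi
    echo "OK $dir holds $n dedicated CA file(s)"
    return 0
}

# Command-line entry point; nothing runs when sourced without arguments.
if [ $# -ge 1 ]; then
    rc=0
    audit_conns "$1" || rc=1
    audit_cacerts "${2:-/etc/ipsec.d/cacerts}" || rc=1
    exit "$rc"
fi
```

Run it as `sh ipsec-audit.sh /etc/ipsec.conf /etc/ipsec.d/cacerts`; a non-zero exit means at least one SEVERE or WARN line was printed.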

From general considerations you should have certificates; do you have any *.pem or *.der files?

Well, the main tutorial for IKEv2 on their website doesn't mention that at all. However, I did see a certificate in their OpenVPN tutorial (https://community.hide.me/tutorials/ope … penwrt.38/)

I've copied it to:

root@OpenWrt:~# cat /etc/ssl/certs/Hideme.pem 
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Then, if I retry everything, my logs are just the same:

Running 'ipsec start':
Sun Feb 12 18:39:09 2017 authpriv.info ipsec_starter[3737]: Starting strongSwan 5.3.3 IPsec [starter]...
Sun Feb 12 18:39:09 2017 daemon.err modprobe: ah4 is already loaded
Sun Feb 12 18:39:10 2017 daemon.err modprobe: esp4 is already loaded
Sun Feb 12 18:39:10 2017 daemon.err modprobe: ipcomp is already loaded
Sun Feb 12 18:39:10 2017 daemon.err modprobe: xfrm4_tunnel is already loaded
Sun Feb 12 18:39:10 2017 daemon.err modprobe: xfrm_user is already loaded
Sun Feb 12 18:39:10 2017 daemon.info syslog: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.3, Linux 3.18.23, mips)
Sun Feb 12 18:39:10 2017 daemon.info syslog: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sun Feb 12 18:39:10 2017 daemon.info syslog: 00[CFG]   loaded ca certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA" from '/etc/ipsec.d/cacerts/Hideme.pem'
Sun Feb 12 18:39:10 2017 daemon.info syslog: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sun Feb 12 18:39:10 2017 daemon.info syslog: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sun Feb 12 18:39:10 2017 daemon.info syslog: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sun Feb 12 18:39:10 2017 daemon.info syslog: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sun Feb 12 18:39:10 2017 daemon.info syslog: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sun Feb 12 18:39:10 2017 daemon.info syslog: 00[CFG]   loaded EAP secret for ravenlost
Sun Feb 12 18:39:10 2017 daemon.info syslog: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation pubkey pkcs1 pgp dnskey sshkey pem openssl fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown eap-mschapv2 xauth-generic uci
Sun Feb 12 18:39:10 2017 daemon.info syslog: 00[JOB] spawning 16 worker threads
Sun Feb 12 18:39:10 2017 authpriv.info ipsec_starter[3750]: charon (3751) started after 300 ms
Sun Feb 12 18:39:10 2017 daemon.info syslog: 11[CFG] received stroke: add connection 'hide'
Sun Feb 12 18:39:10 2017 daemon.info syslog: 11[CFG] added configuration 'hide'

Then after running 'ipsec up hide':
Sun Feb 12 18:40:55 2017 daemon.info syslog: 12[CFG] received stroke: initiate 'hide'
Sun Feb 12 18:40:55 2017 daemon.info syslog: 05[IKE] initiating IKE_SA hide[1] to 46.166.179.50
Sun Feb 12 18:40:55 2017 authpriv.info syslog: 05[IKE] initiating IKE_SA hide[1] to 46.166.179.50
Sun Feb 12 18:40:56 2017 daemon.info syslog: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Sun Feb 12 18:40:56 2017 daemon.info syslog: 05[NET] sending packet: from 213.49.233.56[500] to 46.166.179.50[500] (1088 bytes)
Sun Feb 12 18:40:56 2017 daemon.info racoon: 2017-02-12 18:40:56: [46.166.179.50] ERROR: invalid flag 0x20.
Sun Feb 12 18:41:00 2017 daemon.info syslog: 04[IKE] retransmit 1 of request with message ID 0
Sun Feb 12 18:41:00 2017 daemon.info syslog: 04[NET] sending packet: from 213.49.233.56[500] to 46.166.179.50[500] (1088 bytes)
Sun Feb 12 18:41:00 2017 daemon.info racoon: 2017-02-12 18:41:00: [46.166.179.50] ERROR: invalid flag 0x20.

So, not sure here...
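Added example for reading the two `ipsec up hide` logs in this thread (the first post's and this one's); it is not code from the thread and makes two assumptions: the wording of strongSwan 5.x charon log lines, and the column layout of `netstat -anup` from net-tools or BusyBox with the program column compiled in. Both logs show the same pattern: charon generates IKE_SA_INIT, reports only retransmits and never a `received packet: from <server>` line, while a process logging as `racoon` names the server's address and rejects a packet for IKE header flag 0x20. In the IKEv2 header 0x20 is the Response bit, and racoon is the IKEv1-only daemon from ipsec-tools, so that line reads as the server's IKE_SA_INIT reply being delivered to a second IKE daemon on the router's UDP port 500 instead of to charon. The script classifies a log that way and then shows which programs hold the port; on the box itself `ps | grep racoon` or `opkg list-installed | grep ipsec-tools` is the direct check.

```shell
#!/bin/sh
# Added example (not from the thread): triage for an 'ipsec up' that only
# ever retransmits IKE_SA_INIT. ike_init_verdict reads logread output;
# port_owners/port_verdict read a 'netstat -anup' snapshot. Assumptions:
# strongSwan 5.x charon log wording, and net-tools/BusyBox netstat columns
# with the PID/Program column present (lines without it are ignored).

# ike_init_verdict PEER_IP   (log lines on stdin)
# OK              charon received a packet from the peer
# FOREIGN_DAEMON  nothing reached charon, but a racoon-tagged line names the peer
# NO_REPLY        requests went out and nothing at all came back
ike_init_verdict() {
    awk -v peer="$1" '
        /generating IKE_SA_INIT request/                 { sent++ }
        /retransmit [0-9]+ of request with message ID 0/ { retrans++ }
        $0 ~ ("received packet: from " peer "\\[")      { recv++ }
        /parsed IKE_SA_INIT response/                    { recv++ }
        /racoon/ && $0 ~ ("\\[" peer "\\]")              { foreign++ }
        END {
            if (recv > 0)                        print "OK"
            else if (foreign > 0)                print "FOREIGN_DAEMON"
            else if (retrans > 0 || sent > 0)    print "NO_REPLY"
            else                                 print "UNKNOWN"
        }'
}

# port_owners PORT   (netstat -anup output on stdin)
# Prints each distinct program bound to UDP PORT, one per line.
port_owners() {
    awk -v port="$1" '
        $1 ~ /^udp/ && $4 ~ (":" port "$") && $NF ~ /\// {
            n = split($NF, a, "/"); print a[n]
        }' | sort -u
}

# port_verdict PORT   (netstat -anup output on stdin)
# SHARED: ... when more than one program holds the port, else the owner or NONE.
port_verdict() {
    owners=$(port_owners "$1")
    n=$(printf '%s\n' "$owners" | grep -c .) || n=0
    if [ "$n" -gt 1 ]; then
        echo "SHARED: $(printf '%s' "$owners" | tr '\n' ' ')"
    elif [ "$n" -eq 1 ]; then
        echo "$owners"
    else
        echo "NONE"
    fi
}

# Log lines copied from the first post's logread output.
LOG_SAMPLE='Sun Feb 12 17:44:52 2017 daemon.info syslog: 14[IKE] initiating IKE_SA hide[1] to 109.201.137.51
Sun Feb 12 17:44:53 2017 daemon.info syslog: 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Sun Feb 12 17:44:53 2017 daemon.info syslog: 14[NET] sending packet: from 213.49.233.56[500] to 109.201.137.51[500] (1088 bytes)
Sun Feb 12 17:44:53 2017 daemon.info racoon: 2017-02-12 17:44:53: [109.201.137.51] ERROR: invalid flag 0x20.
Sun Feb 12 17:44:57 2017 daemon.info syslog: 16[IKE] retransmit 1 of request with message ID 0
Sun Feb 12 17:44:57 2017 daemon.info syslog: 16[NET] sending packet: from 213.49.233.56[500] to 109.201.137.51[500] (1088 bytes)
Sun Feb 12 17:44:57 2017 daemon.info racoon: 2017-02-12 17:44:57: [109.201.137.51] ERROR: invalid flag 0x20.'

# Constructed netstat -anup snapshot: charon's PID matches the post (3407);
# the racoon entry and its PID are made up to show what a shared port looks like.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         PID/Program name
udp        0      0 0.0.0.0:500             0.0.0.0:*                           3407/charon
udp        0      0 0.0.0.0:4500            0.0.0.0:*                           3407/charon
udp        0      0 0.0.0.0:500             0.0.0.0:*                           1180/racoon'

echo "IKE_SA_INIT towards 109.201.137.51: $(printf '%s\n' "$LOG_SAMPLE" | ike_init_verdict 109.201.137.51)"
echo "UDP/500 bound by: $(printf '%s\n' "$NETSTAT_SAMPLE" | port_verdict 500)"
# on the router: logread | ike_init_verdict <server-ip>; netstat -anup | port_verdict 500
```

A FOREIGN_DAEMON verdict together with a SHARED port is the combination to look for; if the port column shows only charon and the verdict is NO_REPLY, the problem is upstream (a NAT or ISP dropping UDP 500) rather than on the router.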

The discussion might have continued from here.