> I'm still trying to make this work, when I ping from OpenBSD system internal
> facing network to Linux internal network running tcpdump on both systems I
> see packets entering the OpenBSD enc interface and exiting the OpenWRT xfrm
> interface. So I know packets are going across the tunnel. Pinging from the
> other direction, nothing.
>
> Your firewall zone hint has me chasing firewall configuration, it is obvious
> OpenWRT developers could care less about IPsec functionality.
Did you add a static route on the OpenWRT side? OpenWRT uses a few layers of abstraction, where an "interface" may contain one or more physical interfaces, and these virtual interfaces are each assigned to a firewall zone, which by default shares a name with the virtual interface, adding to the confusion. All of this is parsed to spit out nftables configs and other assorted bits in the end. The problem is that when you try to do something outside the OpenWRT system, like running StrongSwan on its own, it may conflict with or be overwritten by the automated configuration. I would suggest making all configuration changes in the GUI or via the 'uci' command if at all possible.

Make sure of the following:

1. Your xfrm0 interface is associated with a virtual interface.
2. That virtual interface has a firewall zone associated.
3. The firewall zone is appropriately configured (e.g. default forwards from lan->vpn or policies in place).
4. Your virtual interface has a static route associated to send traffic over the tunnel.
5. Wonder why this isn't as easy as pf.

The reason I suggested WireGuard as an alternative is because it is integrated into the OpenWRT GUI; all you need to do is paste your keys and the endpoint IP and you're good to go. It's widely used by their community so receives more scrutiny and TLC.

Regards,
Lloyd
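The checklist above, written out as UCI configuration (an added example, not from Lloyd's reply or from the OpenWrt project). It assumes xfrm0 already exists because StrongSwan creates it, so the virtual interface only attaches to that device rather than creating it; the interface/zone name 'vpn' and the 192.0.2.0/24 remote subnet are placeholders.

```conf
# /etc/config/network
# Step 1: attach the StrongSwan-managed xfrm0 device to a virtual
# interface named 'vpn' (assumed name). proto 'none' brings the device
# up without letting netifd address or recreate it.
config interface 'vpn'
        option proto 'none'
        option device 'xfrm0'

# Step 4: route the OpenBSD-side internal subnet over the tunnel.
# 192.0.2.0/24 is a constructed placeholder for that subnet.
config route
        option interface 'vpn'
        option target '192.0.2.0/24'

# /etc/config/firewall
# Steps 2 and 3: a zone of the same name holding the 'vpn' interface.
# Traffic to the router itself and transit within the zone stay rejected;
# only the lan<->vpn forwardings below are opened, which is all the
# LAN-to-LAN ping test needs. No masquerading, so source addresses
# stay visible in logs on both ends.
config zone
        option name 'vpn'
        list network 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '0'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'lan'
```

After `uci commit network; uci commit firewall` and reloading the network and firewall services, `ip route` should list 192.0.2.0/24 via xfrm0 and `nft list ruleset` should contain the lan/vpn forward rules; if either is missing, step 1 or 4 is still wrong and no firewall tweak will help.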

