Re: [strongSwan] OpenWRT. IPSec server

2018-01-11 Thread Noel Kuntze
Hi,

Create and provide logs. List all information in the format and with the 
commands as described on the HelpRequests page.

Kind regards

Noel

On 06.01.2018 07:15, Sujoy wrote:
> Hi All,
> 
> We are able to connect to strongSwan IPsec using the LAN IP. But when the same 
> system, which has a public IP with NAT, tries to connect, it only says it is 
> connecting. The connection could not be established.
> 
> Can someone please help me solve this?
> 
> 
> Thanks & Regards
> 
> 
> On Thursday 04 January 2018 07:16 PM, Noel Kuntze wrote:
>> Not on openwrt. But you need plaintext or AD like passwords in LDAP. 
>> Otherwise you can't auth with mschap(v2).
>>
>> On 04.01.2018 14:38, Giuseppe De Marco wrote:
>>> Yes Noel and thank you, my question is:
>>> Are there any experiences about running strongswan in openwrt as an ikev2 
>>> server with mschap,radius,ldap auth backend?
>>>
>>> 2018-01-04 14:17 GMT+01:00 Noel Kuntze:
>>>
>>> Hi,
>>>
>>> `ipsec` is just a command line tool. It's not a daemon (or generally a 
>>> service).
>>> Are there any open questions?
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 04.01.2018 14:14, Giuseppe De Marco wrote:
>>> > Hi and thank you Noel,
>>> > I meant to run ipsec and charon in the embedded openwrt router, I use 
>>> dpd as well
>>> >
>>> >   # dead-peer detection to clear any "dangling" connections in case 
>>> the client unexpectedly disconnects
>>> >   dpdaction=clear
>>> >   # If the tunnel has no traffic for this long (default 30 secs), 
>>> Charon will send a dead peer detection packet. The value 0 means to not 
>>> send such packets, relying on ordinary traffic, which will occur at least 
>>> once an hour, which is the default rekeying lifetime.
>>> >   dpddelay=33s
>>> >   #  DPD Retries : 3
>>> >   dpdtimeout=300s
>>> >
>>> > Running strongswan in a 18-70$ openwrt router is very useful in many ways
>>>
>>>
> 





Re: [strongSwan] OpenWRT. IPSec server

2018-01-10 Thread Sujoy

Hi Noel,

When I run "ipsec up tunnel", I get the message below.

scheduling reauthentication in 2905s
maximum IKE_SA lifetime 3445s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'tunnel' failed


Following is my client config file

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default

conn tunnel #
    left=192.168.10.1
    right=X.X.X.X
    ike=aes256-sha1-modp2048
    #ike=aes256-sha384-prfsha384-ecp384!
    esp=aes256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=1h
    dpdaction=restart
    authby=psk
    auto=start

Thanks,
Sujoy





On Thursday 04 January 2018 03:38 AM, Noel Kuntze wrote:

Hi,

Only on the responder.
If you use dpd and enforce UDP encapsulation, you do not need to open any ports 
on the initiator side.
Refer to the UsableExamples wiki page[1] for example configurations that are 
usable in the real world.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples

On 28.12.2017 08:51, Sujoy wrote:

Hi All,


We want to implement strongSwan, with IPsec, in OpenWrt. The IPsec server will be 
running on CentOS and the OpenWrt router will connect to it using VPN. I have 
configured the server part and am struggling to configure the client part. Do we need 
to open port 4500 for this first?

Can anyone suggest a solution for this?
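An added example, not code from the thread or from strongSwan: a small Python helper that parses the client ipsec.conf posted above and relates the charon notifies quoted above to the conn settings that decide them (the TS_UNACCEPTABLE notify is the responder rejecting the proposed traffic selectors, and dpdtimeout is an IKEv1-only setting). The config and log lines are constructed from the thread; the right= address is a placeholder.

```python
# Added example (not from the thread): parse the posted client ipsec.conf and
# relate charon's notifies to the conn settings; right= is a placeholder address.
IPSEC_CONF = """\
config setup
    charondebug="all"
conn %default
conn tunnel #
    left=192.168.10.1
    right=203.0.113.10
    esp=aes256!
    dpddelay=30
    dpdtimeout=1h
    dpdaction=restart
    authby=psk
"""
CHARON_LOG = """\
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
"""

def parse_ipsec_conf(text):
    """Sections ('config setup', 'conn X') start in column 0; entries are
    indented key=value pairs; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
        else:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections

def diagnose(sections, log):
    """Map notifies in the charon log to the settings of each real conn."""
    findings = []
    for name, o in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        if "TS_UNACCEPTABLE" in log:
            # Without left/rightsubnet charon proposes host-to-host selectors;
            # the responder replied that none of the proposed TS fit its policy.
            lts = o.get("leftsubnet", o.get("left"))
            rts = o.get("rightsubnet", o.get("right"))
            findings.append(f"{name}: responder rejected TS {lts} <-> {rts}")
        if "dpdtimeout" in o and o.get("keyexchange", "ike") != "ikev1":
            findings.append(f"{name}: dpdtimeout is used by IKEv1 only")
    return findings
```

Run `diagnose(parse_ipsec_conf(IPSEC_CONF), CHARON_LOG)` to get the findings for the posted conn; compare the printed selectors with the responder's left/rightsubnet.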




Re: [strongSwan] OpenWRT. IPSec server

2018-01-04 Thread Luka Logar

Hi,

I am using OpenWrt + strongSwan + freeradius (password) PEAP auth on my 
home routers (DIR860 and WNDR3700). It all works quite nicely although it 
took some time to set up freeradius correctly...









Re: [strongSwan] OpenWRT. IPSec server

2018-01-04 Thread Giuseppe De Marco
On LDAP or RADIUS it is possible to auth over an NT-Password and I think LM as
well, yes, AD format.
I often use mschap for testing purposes and it would be great to have an
embedded but configurable strongSwan server in a cheap router.

2018-01-04 14:46 GMT+01:00 Noel Kuntze <
noel.kuntze+strongswan-users-ml@thermi.consulting>:

> Not on openwrt. But you need plaintext or AD like passwords in LDAP.
> Otherwise you can't auth with mschap(v2).
>
> On 04.01.2018 14:38, Giuseppe De Marco wrote:
> > Yes Noel and thank you, my question is:
> > Are there any experiences about running strongswan in openwrt as an ikev2
> server with mschap,radius,ldap auth backend?
> >
> > 2018-01-04 14:17 GMT+01:00 Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting>:
> >
> > Hi,
> >
> > `ipsec` is just a command line tool. It's not a daemon (or generally
> a service).
> > Are there any open questions?
> >
> > Kind regards
> >
> > Noel
> >
> > On 04.01.2018 14:14, Giuseppe De Marco wrote:
> > > Hi and thank you Noel,
> > > I meant to run ipsec and charon in the embedded openwrt router, I
> use dpd as well
> > >
> > >   # dead-peer detection to clear any "dangling" connections in
> case the client unexpectedly disconnects
> > >   dpdaction=clear
> > >   # If the tunnel has no traffic for this long (default 30 secs),
> Charon will send a dead peer detection packet. The value 0 means to not
> send such packets, relying on ordinary traffic, which will occur at least
> once an hour, which is the default rekeying lifetime.
> > >   dpddelay=33s
> > >   #  DPD Retries : 3
> > >   dpdtimeout=300s
> > >
> > > Running strongswan in a 18-70$ openwrt router is very useful in
> many ways
> >
> >
>
>


Re: [strongSwan] OpenWRT. IPSec server

2018-01-04 Thread Noel Kuntze
Not on openwrt. But you need plaintext or AD like passwords in LDAP. Otherwise 
you can't auth with mschap(v2).

On 04.01.2018 14:38, Giuseppe De Marco wrote:
> Yes Noel and thank you, my question is:
> Are there any experiences about running strongswan in openwrt as an ikev2 server 
> with mschap,radius,ldap auth backend?
> 
> 2018-01-04 14:17 GMT+01:00 Noel Kuntze:
> 
> Hi,
> 
> `ipsec` is just a command line tool. It's not a daemon (or generally a 
> service).
> Are there any open questions?
> 
> Kind regards
> 
> Noel
> 
> On 04.01.2018 14:14, Giuseppe De Marco wrote:
> > Hi and thank you Noel,
> > I meant to run ipsec and charon in the embedded openwrt router, I use 
> dpd as well
> >
> >   # dead-peer detection to clear any "dangling" connections in case the 
> client unexpectedly disconnects
> >   dpdaction=clear
> >   # If the tunnel has no traffic for this long (default 30 secs), 
> Charon will send a dead peer detection packet. The value 0 means to not send 
> such packets, relying on ordinary traffic, which will occur at least once an 
> hour, which is the default rekeying lifetime.
> >   dpddelay=33s
> >   #  DPD Retries : 3
> >   dpdtimeout=300s
> >
> > Running strongswan in a 18-70$ openwrt router is very useful in many 
> ways
> 
> 





Re: [strongSwan] OpenWRT. IPSec server

2018-01-04 Thread Giuseppe De Marco
Yes Noel and thank you, my question is:
Are there any experiences about running strongswan in openwrt as an ikev2
server with mschap,radius,ldap auth backend?

2018-01-04 14:17 GMT+01:00 Noel Kuntze <
noel.kuntze+strongswan-users-ml@thermi.consulting>:

> Hi,
>
> `ipsec` is just a command line tool. It's not a daemon (or generally a
> service).
> Are there any open questions?
>
> Kind regards
>
> Noel
>
> On 04.01.2018 14:14, Giuseppe De Marco wrote:
> > Hi and thank you Noel,
> > I meant to run ipsec and charon in the embedded openwrt router, I use
> dpd as well
> >
> >   # dead-peer detection to clear any "dangling" connections in case the
> client unexpectedly disconnects
> >   dpdaction=clear
> >   # If the tunnel has no traffic for this long (default 30 secs), Charon
> will send a dead peer detection packet. The value 0 means to not send such
> packets, relying on ordinary traffic, which will occur at least once an
> hour, which is the default rekeying lifetime.
> >   dpddelay=33s
> >   #  DPD Retries : 3
> >   dpdtimeout=300s
> >
> > Running strongswan in a 18-70$ openwrt router is very useful in many ways
>
>


Re: [strongSwan] OpenWRT. IPSec server

2018-01-04 Thread Noel Kuntze
Hi,

`ipsec` is just a command line tool. It's not a daemon (or generally a service).
Are there any open questions?

Kind regards

Noel

On 04.01.2018 14:14, Giuseppe De Marco wrote:
> Hi and thank you Noel,
> I meant to run ipsec and charon in the embedded openwrt router, I use dpd as 
> well
> 
>   # dead-peer detection to clear any "dangling" connections in case the 
> client unexpectedly disconnects
>   dpdaction=clear
>   # If the tunnel has no traffic for this long (default 30 secs), Charon will 
> send a dead peer detection packet. The value 0 means to not send such 
> packets, relying on ordinary traffic, which will occur at least once an hour, 
> which is the default rekeying lifetime.
>   dpddelay=33s
>   #  DPD Retries : 3
>   dpdtimeout=300s  
> 
> Running strongswan in a 18-70$ openwrt router is very useful in many ways





Re: [strongSwan] OpenWRT. IPSec server

2018-01-04 Thread Giuseppe De Marco
Hi and thank you Noel,
I meant to run ipsec and charon in the embedded openwrt router, I use dpd
as well

  # dead-peer detection to clear any "dangling" connections in case
  # the client unexpectedly disconnects
  dpdaction=clear
  # If the tunnel has no traffic for this long (default 30 secs), Charon will
  # send a dead peer detection packet. The value 0 means to not send such
  # packets, relying on ordinary traffic, which will occur at least once an
  # hour, which is the default rekeying lifetime.
  dpddelay=33s
  #  DPD Retries : 3
  dpdtimeout=300s

Running strongswan in a 18-70$ openwrt router is very useful in many ways


Re: [strongSwan] OpenWRT. IPSec server

2018-01-03 Thread Noel Kuntze
Hi,

Only on the responder.
If you use dpd and enforce UDP encapsulation, you do not need to open any ports 
on the initiator side.
Refer to the UsableExamples wiki page[1] for example configurations that are 
usable in the real world.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples

On 28.12.2017 08:51, Sujoy wrote:
> Hi All,
>
>
> We want to implement strongSwan, with IPsec, in OpenWrt. The IPsec server will be 
> running on CentOS and the OpenWrt router will connect to it using VPN. I have 
> configured the server part and am struggling to configure the client part. Do we 
> need to open port 4500 for this first?
>
> Can anyone suggest a solution for this?





Re: [strongSwan] OpenWRT. IPSec server

2017-12-29 Thread Giuseppe De Marco
Hi,

Do you compile the firmware yourself or install packages in a stable release
using the opkg command?
If you open port 4500, that means you use IKEv2/charon, doesn't it?

I customize openwrt and lede firmwares for specific purposes, my packages
are here:
https://github.com/peppelinux/pplnx-LEDE-firmwares
https://github.com/peppelinux/openWRT_x86
https://github.com/peppelinux/openWRT_BB_builds

I always use ovpn for embedded purposes, but if you have configured all the
dependencies for an IPsec strongSwan IKEv2 with mschap in openwrt, let me
know which packages you installed; I can build a customized firmware, compiling
the whole release from scratch (disk space usage will be more efficient).

Ports are 4500/udp and 500/udp.

2017-12-28 8:51 GMT+01:00 Sujoy :

> Hi All,
>
>
> We want to implement strongSwan, with IPsec, in OpenWrt. The IPsec server will
> be running on CentOS and the OpenWrt router will connect to it using VPN. I
> have configured the server part and am struggling to configure the client part.
> Do we need to open port 4500 for this first?
>
> Can anyone suggest a solution for this?
> --
>
> Thanks & Regards
> Sujoy
>


[strongSwan] OpenWRT. IPSec server

2017-12-28 Thread Sujoy

Hi All,


We want to implement strongSwan, with IPsec, in OpenWrt. The IPsec server will 
be running on CentOS and the OpenWrt router will connect to it using 
VPN. I have configured the server part and am struggling to configure the 
client part. Do we need to open port 4500 for this first?


Can anyone suggest a solution for this?
--

Thanks & Regards
Sujoy